SSA-019113
Vulnerability from csaf_siemens - Published: 2026-07-14 00:00 - Updated: 2026-07-14 00:00sshd in OpenSSH 6.2 through 8.x before 8.8, when certain non-default configurations are used, allows privilege escalation because supplemental groups are not initialized as expected. Helper programs for AuthorizedKeysCommand and AuthorizedPrincipalsCommand may run with privileges associated with group memberships of the sshd process, if the configuration specifies running the command as a different user.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
ssh-add in OpenSSH before 9.3 adds smartcard keys to ssh-agent without the intended per-hop destination constraints. The earliest affected version is 8.9.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In ssh-agent in OpenSSH before 9.6, certain destination constraints can be incompletely applied. When destination constraints are specified during addition of PKCS#11-hosted private keys, these constraints are only applied to the first key, even if a PKCS#11 token returns multiple keys.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: netfilter: allow exp not to be removed in nf_ct_find_expectation Currently nf_conntrack_in() calling nf_ct_find_expectation() will remove the exp from the hash table. However, in some scenario, we expect the exp not to be removed when the created ct will not be confirmed, like in OVS and TC conntrack in the following patches. This patch allows exp not to be removed by setting IPS_CONFIRMED in the status of the tmpl.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: mm/vmscan: fix a bug calling wakeup_kswapd() with a wrong zone index With numa balancing on, when a numa system is running where a numa node doesn't have its local memory so it has no managed zones, the following oops has been observed. It's because wakeup_kswapd() is called with a wrong zone index, -1. Fixed it by checking the index before calling wakeup_kswapd(). > BUG: unable to handle page fault for address: 00000000000033f3 > #PF: supervisor read access in kernel mode > #PF: error_code(0x0000) - not-present page > PGD 0 P4D 0 > Oops: 0000 [#1] PREEMPT SMP NOPTI > CPU: 2 PID: 895 Comm: masim Not tainted 6.6.0-dirty #255 > Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS > rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 > RIP: 0010:wakeup_kswapd (./linux/mm/vmscan.c:7812) > Code: (omitted) > RSP: 0000:ffffc90004257d58 EFLAGS: 00010286 > RAX: ffffffffffffffff RBX: ffff88883fff0480 RCX: 0000000000000003 > RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff88883fff0480 > RBP: ffffffffffffffff R08: ff0003ffffffffff R09: ffffffffffffffff > R10: ffff888106c95540 R11: 0000000055555554 R12: 0000000000000003 > R13: 0000000000000000 R14: 0000000000000000 R15: ffff88883fff0940 > FS: 00007fc4b8124740(0000) GS:ffff888827c00000(0000) knlGS:0000000000000000 > CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 > CR2: 00000000000033f3 CR3: 000000026cc08004 CR4: 0000000000770ee0 > DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 > DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 > PKRU: 55555554 > Call Trace: > <TASK> > ? __die > ? page_fault_oops > ? __pte_offset_map_lock > ? exc_page_fault > ? asm_exc_page_fault > ? wakeup_kswapd > migrate_misplaced_page > __handle_mm_fault > handle_mm_fault > do_user_addr_fault > exc_page_fault > asm_exc_page_fault > RIP: 0033:0x55b897ba0808 > Code: (omitted) > RSP: 002b:00007ffeefa821a0 EFLAGS: 00010287 > RAX: 000055b89983acd0 RBX: 00007ffeefa823f8 RCX: 000055b89983acd0 > RDX: 00007fc2f8122010 RSI: 0000000000020000 RDI: 000055b89983acd0 > RBP: 00007ffeefa821a0 R08: 0000000000000037 R09: 0000000000000075 > R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000000 > R13: 00007ffeefa82410 R14: 000055b897ba5dd8 R15: 00007fc4b8340000 > </TASK>
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: wifi: iwlwifi: mvm: ensure offloading TID queue exists The resume code path assumes that the TX queue for the offloading TID has been configured. At resume time it then tries to sync the write pointer as it may have been updated by the firmware. In the unusual event that no packets have been send on TID 0, the queue will not have been allocated and this causes a crash. Fix this by ensuring the queue exist at suspend time.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
Exposure of Sensitive Information in Shared Microarchitectural Structures during Transient Execution for some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: ipv6: Fix potential uninit-value access in __ip6_make_skb() As it was done in commit fc1092f51567 ("ipv4: Fix uninit-value access in __ip_make_skb()") for IPv4, check FLOWI_FLAG_KNOWN_NH on fl6->flowi6_flags instead of testing HDRINCL on the socket to avoid a race condition which causes uninit-value access.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: ipv4: Fix uninit-value access in __ip_make_skb() KMSAN reported uninit-value access in __ip_make_skb() [1]. __ip_make_skb() tests HDRINCL to know if the skb has icmphdr. However, HDRINCL can cause a race condition. If calling setsockopt(2) with IP_HDRINCL changes HDRINCL while __ip_make_skb() is running, the function will access icmphdr in the skb even if it is not included. This causes the issue reported by KMSAN. Check FLOWI_FLAG_KNOWN_NH on fl4->flowi4_flags instead of testing HDRINCL on the socket. Also, fl4->fl4_icmp_type and fl4->fl4_icmp_code are not initialized. These are union in struct flowi4 and are implicitly initialized by flowi4_init_output(), but we should not rely on specific union layout. Initialize these explicitly in raw_sendmsg(). [1] BUG: KMSAN: uninit-value in __ip_make_skb+0x2b74/0x2d20 net/ipv4/ip_output.c:1481 __ip_make_skb+0x2b74/0x2d20 net/ipv4/ip_output.c:1481 ip_finish_skb include/net/ip.h:243 [inline] ip_push_pending_frames+0x4c/0x5c0 net/ipv4/ip_output.c:1508 raw_sendmsg+0x2381/0x2690 net/ipv4/raw.c:654 inet_sendmsg+0x27b/0x2a0 net/ipv4/af_inet.c:851 sock_sendmsg_nosec net/socket.c:730 [inline] __sock_sendmsg+0x274/0x3c0 net/socket.c:745 __sys_sendto+0x62c/0x7b0 net/socket.c:2191 __do_sys_sendto net/socket.c:2203 [inline] __se_sys_sendto net/socket.c:2199 [inline] __x64_sys_sendto+0x130/0x200 net/socket.c:2199 do_syscall_64+0xd8/0x1f0 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x6d/0x75 Uninit was created at: slab_post_alloc_hook mm/slub.c:3804 [inline] slab_alloc_node mm/slub.c:3845 [inline] kmem_cache_alloc_node+0x5f6/0xc50 mm/slub.c:3888 kmalloc_reserve+0x13c/0x4a0 net/core/skbuff.c:577 __alloc_skb+0x35a/0x7c0 net/core/skbuff.c:668 alloc_skb include/linux/skbuff.h:1318 [inline] __ip_append_data+0x49ab/0x68c0 net/ipv4/ip_output.c:1128 ip_append_data+0x1e7/0x260 net/ipv4/ip_output.c:1365 raw_sendmsg+0x22b1/0x2690 net/ipv4/raw.c:648 inet_sendmsg+0x27b/0x2a0 net/ipv4/af_inet.c:851 sock_sendmsg_nosec net/socket.c:730 [inline] __sock_sendmsg+0x274/0x3c0 net/socket.c:745 __sys_sendto+0x62c/0x7b0 net/socket.c:2191 __do_sys_sendto net/socket.c:2203 [inline] __se_sys_sendto net/socket.c:2199 [inline] __x64_sys_sendto+0x130/0x200 net/socket.c:2199 do_syscall_64+0xd8/0x1f0 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x6d/0x75 CPU: 1 PID: 15709 Comm: syz-executor.7 Not tainted 6.8.0-11567-gb3603fcb79b1 #25 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-1.fc39 04/01/2014
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: gfs2: Fix NULL pointer dereference in gfs2_log_flush In gfs2_jindex_free(), set sdp->sd_jdesc to NULL under the log flush lock to provide exclusion against gfs2_log_flush(). In gfs2_log_flush(), check if sdp->sd_jdesc is non-NULL before dereferencing it. Otherwise, we could run into a NULL pointer dereference when outstanding glock work races with an unmount (glock_work_func -> run_queue -> do_xmote -> inode_go_sync -> gfs2_log_flush).
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: fscache: delete fscache_cookie_lru_timer when fscache exits to avoid UAF The fscache_cookie_lru_timer is initialized when the fscache module is inserted, but is not deleted when the fscache module is removed. If timer_reduce() is called before removing the fscache module, the fscache_cookie_lru_timer will be added to the timer list of the current cpu. Afterwards, a use-after-free will be triggered in the softIRQ after removing the fscache module, as follows: ================================================================== BUG: unable to handle page fault for address: fffffbfff803c9e9 PF: supervisor read access in kernel mode PF: error_code(0x0000) - not-present page PGD 21ffea067 P4D 21ffea067 PUD 21ffe6067 PMD 110a7c067 PTE 0 Oops: Oops: 0000 [#1] PREEMPT SMP KASAN PTI CPU: 1 UID: 0 PID: 0 Comm: swapper/1 Tainted: G W 6.11.0-rc3 #855 Tainted: [W]=WARN RIP: 0010:__run_timer_base.part.0+0x254/0x8a0 Call Trace: <IRQ> tmigr_handle_remote_up+0x627/0x810 __walk_groups.isra.0+0x47/0x140 tmigr_handle_remote+0x1fa/0x2f0 handle_softirqs+0x180/0x590 irq_exit_rcu+0x84/0xb0 sysvec_apic_timer_interrupt+0x6e/0x90 </IRQ> <TASK> asm_sysvec_apic_timer_interrupt+0x1a/0x20 RIP: 0010:default_idle+0xf/0x20 default_idle_call+0x38/0x60 do_idle+0x2b5/0x300 cpu_startup_entry+0x54/0x60 start_secondary+0x20d/0x280 common_startup_64+0x13e/0x148 </TASK> Modules linked in: [last unloaded: netfs] ================================================================== Therefore delete fscache_cookie_lru_timer when removing the fscahe module.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: erofs: handle overlapped pclusters out of crafted images properly syzbot reported a task hang issue due to a deadlock case where it is waiting for the folio lock of a cached folio that will be used for cache I/Os. After looking into the crafted fuzzed image, I found it's formed with several overlapped big pclusters as below: Ext: logical offset | length : physical offset | length 0: 0.. 16384 | 16384 : 151552.. 167936 | 16384 1: 16384.. 32768 | 16384 : 155648.. 172032 | 16384 2: 32768.. 49152 | 16384 : 537223168.. 537239552 | 16384 ... Here, extent 0/1 are physically overlapped although it's entirely _impossible_ for normal filesystem images generated by mkfs. First, managed folios containing compressed data will be marked as up-to-date and then unlocked immediately (unlike in-place folios) when compressed I/Os are complete. If physical blocks are not submitted in the incremental order, there should be separate BIOs to avoid dependency issues. However, the current code mis-arranges z_erofs_fill_bio_vec() and BIO submission which causes unexpected BIO waits. Second, managed folios will be connected to their own pclusters for efficient inter-queries. However, this is somewhat hard to implement easily if overlapped big pclusters exist. Again, these only appear in fuzzed images so let's simply fall back to temporary short-lived pages for correctness. Additionally, it justifies that referenced managed folios cannot be truncated for now and reverts part of commit 2080ca1ed3e4 ("erofs: tidy up `struct z_erofs_bvec`") for simplicity although it shouldn't be any difference.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: dlm: fix possible lkb_resource null dereference This patch fixes a possible null pointer dereference when this function is called from request_lock() as lkb->lkb_resource is not assigned yet, only after validate_lock_args() by calling attach_lkb(). Another issue is that a resource name could be a non printable bytearray and we cannot assume to be ASCII coded. The log functionality is probably never being hit when DLM is used in normal way and no debug logging is enabled. The null pointer dereference can only occur on a new created lkb that does not have the resource assigned yet, it probably never hits the null pointer dereference but we should be sure that other changes might not change this behaviour and we actually can hit the mentioned null pointer dereference. In this patch we just drop the printout of the resource name, the lkb id is enough to make a possible connection to a resource name if this exists.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: ext4: filesystems without casefold feature cannot be mounted with siphash When mounting the ext4 filesystem, if the default hash version is set to DX_HASH_SIPHASH but the casefold feature is not set, exit the mounting.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: block: fix integer overflow in BLKSECDISCARD I independently rediscovered commit 22d24a544b0d49bbcbd61c8c0eaf77d3c9297155 block: fix overflow in blk_ioctl_discard() but for secure erase. Same problem: uint64_t r[2] = {512, 18446744073709551104ULL}; ioctl(fd, BLKSECDISCARD, r); will enter near infinite loop inside blkdev_issue_secure_erase(): a.out: attempt to access beyond end of device loop0: rw=5, sector=3399043073, nr_sectors = 1024 limit=2048 bio_check_eod: 3286214 callbacks suppressed
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: net: dsa: improve shutdown sequence Alexander Sverdlin presents 2 problems during shutdown with the lan9303 driver. One is specific to lan9303 and the other just happens to reproduce there. The first problem is that lan9303 is unique among DSA drivers in that it calls dev_get_drvdata() at "arbitrary runtime" (not probe, not shutdown, not remove): phy_state_machine() -> ... -> dsa_user_phy_read() -> ds->ops->phy_read() -> lan9303_phy_read() -> chip->ops->phy_read() -> lan9303_mdio_phy_read() -> dev_get_drvdata() But we never stop the phy_state_machine(), so it may continue to run after dsa_switch_shutdown(). Our common pattern in all DSA drivers is to set drvdata to NULL to suppress the remove() method that may come afterwards. But in this case it will result in an NPD. The second problem is that the way in which we set dp->conduit->dsa_ptr = NULL; is concurrent with receive packet processing. dsa_switch_rcv() checks once whether dev->dsa_ptr is NULL, but afterwards, rather than continuing to use that non-NULL value, dev->dsa_ptr is dereferenced again and again without NULL checks: dsa_conduit_find_user() and many other places. In between dereferences, there is no locking to ensure that what was valid once continues to be valid. Both problems have the common aspect that closing the conduit interface solves them. In the first case, dev_close(conduit) triggers the NETDEV_GOING_DOWN event in dsa_user_netdevice_event() which closes user ports as well. dsa_port_disable_rt() calls phylink_stop(), which synchronously stops the phylink state machine, and ds->ops->phy_read() will thus no longer call into the driver after this point. In the second case, dev_close(conduit) should do this, as per Documentation/networking/driver.rst: | Quiescence | ---------- | | After the ndo_stop routine has been called, the hardware must | not receive or transmit any data. All in flight packets must | be aborted. If necessary, poll or wait for completion of | any reset commands. So it should be sufficient to ensure that later, when we zeroize conduit->dsa_ptr, there will be no concurrent dsa_switch_rcv() call on this conduit. The addition of the netif_device_detach() function is to ensure that ioctls, rtnetlinks and ethtool requests on the user ports no longer propagate down to the driver - we're no longer prepared to handle them. The race condition actually did not exist when commit 0650bf52b31f ("net: dsa: be compatible with masters which unregister on shutdown") first introduced dsa_switch_shutdown(). It was created later, when we stopped unregistering the user interfaces from a bad spot, and we just replaced that sequence with a racy zeroization of conduit->dsa_ptr (one which doesn't ensure that the interfaces aren't up).
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: ext4: fix access to uninitialised lock in fc replay path The following kernel trace can be triggered with fstest generic/629 when executed against a filesystem with fast-commit feature enabled: INFO: trying to register non-static key. The code is fine but needs lockdep annotation, or maybe you didn't initialize this object before use? turning off the locking correctness validator. CPU: 0 PID: 866 Comm: mount Not tainted 6.10.0+ #11 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.2-3-gd478f380-prebuilt.qemu.org 04/01/2014 Call Trace: <TASK> dump_stack_lvl+0x66/0x90 register_lock_class+0x759/0x7d0 __lock_acquire+0x85/0x2630 ? __find_get_block+0xb4/0x380 lock_acquire+0xd1/0x2d0 ? __ext4_journal_get_write_access+0xd5/0x160 _raw_spin_lock+0x33/0x40 ? __ext4_journal_get_write_access+0xd5/0x160 __ext4_journal_get_write_access+0xd5/0x160 ext4_reserve_inode_write+0x61/0xb0 __ext4_mark_inode_dirty+0x79/0x270 ? ext4_ext_replay_set_iblocks+0x2f8/0x450 ext4_ext_replay_set_iblocks+0x330/0x450 ext4_fc_replay+0x14c8/0x1540 ? jread+0x88/0x2e0 ? rcu_is_watching+0x11/0x40 do_one_pass+0x447/0xd00 jbd2_journal_recover+0x139/0x1b0 jbd2_journal_load+0x96/0x390 ext4_load_and_init_journal+0x253/0xd40 ext4_fill_super+0x2cc6/0x3180 ... In the replay path there's an attempt to lock sbi->s_bdev_wb_lock in function ext4_check_bdev_write_error(). Unfortunately, at this point this spinlock has not been initialized yet. Moving it's initialization to an earlier point in __ext4_fill_super() fixes this splat.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: bpf: Prevent tail call between progs attached to different hooks bpf progs can be attached to kernel functions, and the attached functions can take different parameters or return different return values. If prog attached to one kernel function tail calls prog attached to another kernel function, the ctx access or return value verification could be bypassed. For example, if prog1 is attached to func1 which takes only 1 parameter and prog2 is attached to func2 which takes two parameters. Since verifier assumes the bpf ctx passed to prog2 is constructed based on func2's prototype, verifier allows prog2 to access the second parameter from the bpf ctx passed to it. The problem is that verifier does not prevent prog1 from passing its bpf ctx to prog2 via tail call. In this case, the bpf ctx passed to prog2 is constructed from func1 instead of func2, that is, the assumption for ctx access verification is bypassed. Another example, if BPF LSM prog1 is attached to hook file_alloc_security, and BPF LSM prog2 is attached to hook bpf_lsm_audit_rule_known. Verifier knows the return value rules for these two hooks, e.g. it is legal for bpf_lsm_audit_rule_known to return positive number 1, and it is illegal for file_alloc_security to return positive number. So verifier allows prog2 to return positive number 1, but does not allow prog1 to return positive number. The problem is that verifier does not prevent prog1 from calling prog2 via tail call. In this case, prog2's return value 1 will be used as the return value for prog1's hook file_alloc_security. That is, the return value rule is bypassed. This patch adds restriction for tail call to prevent such bypasses.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: bpf: Fix overloading of MEM_UNINIT's meaning Lonial reported an issue in the BPF verifier where check_mem_size_reg() has the following code: if (!tnum_is_const(reg->var_off)) /* For unprivileged variable accesses, disable raw * mode so that the program is required to * initialize all the memory that the helper could * just partially fill up. */ meta = NULL; This means that writes are not checked when the register containing the size of the passed buffer has not a fixed size. Through this bug, a BPF program can write to a map which is marked as read-only, for example, .rodata global maps. The problem is that MEM_UNINIT's initial meaning that "the passed buffer to the BPF helper does not need to be initialized" which was added back in commit 435faee1aae9 ("bpf, verifier: add ARG_PTR_TO_RAW_STACK type") got overloaded over time with "the passed buffer is being written to". The problem however is that checks such as the above which were added later via 06c1c049721a ("bpf: allow helpers access to variable memory") set meta to NULL in order force the user to always initialize the passed buffer to the helper. Due to the current double meaning of MEM_UNINIT, this bypasses verifier write checks to the memory (not boundary checks though) and only assumes the latter memory is read instead. Fix this by reverting MEM_UNINIT back to its original meaning, and having MEM_WRITE as an annotation to BPF helpers in order to then trigger the BPF verifier checks for writing to memory. Some notes: check_arg_pair_ok() ensures that for ARG_CONST_SIZE{,_OR_ZERO} we can access fn->arg_type[arg - 1] since it must contain a preceding ARG_PTR_TO_MEM. For check_mem_reg() the meta argument can be removed altogether since we do check both BPF_READ and BPF_WRITE. Same for the equivalent check_kfunc_mem_size_reg().
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: net: enetc: allocate vf_state during PF probes In the previous implementation, vf_state is allocated memory only when VF is enabled. However, net_device_ops::ndo_set_vf_mac() may be called before VF is enabled to configure the MAC address of VF. If this is the case, enetc_pf_set_vf_mac() will access vf_state, resulting in access to a null pointer. The simplified error log is as follows. root@ls1028ardb:~# ip link set eno0 vf 1 mac 00:0c:e7:66:77:89 [ 173.543315] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000004 [ 173.637254] pc : enetc_pf_set_vf_mac+0x3c/0x80 Message from sy [ 173.641973] lr : do_setlink+0x4a8/0xec8 [ 173.732292] Call trace: [ 173.734740] enetc_pf_set_vf_mac+0x3c/0x80 [ 173.738847] __rtnl_newlink+0x530/0x89c [ 173.742692] rtnl_newlink+0x50/0x7c [ 173.746189] rtnetlink_rcv_msg+0x128/0x390 [ 173.750298] netlink_rcv_skb+0x60/0x130 [ 173.754145] rtnetlink_rcv+0x18/0x24 [ 173.757731] netlink_unicast+0x318/0x380 [ 173.761665] netlink_sendmsg+0x17c/0x3c8
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: net: fix data-races around sk->sk_forward_alloc Syzkaller reported this warning: ------------[ cut here ]------------ WARNING: CPU: 0 PID: 16 at net/ipv4/af_inet.c:156 inet_sock_destruct+0x1c5/0x1e0 Modules linked in: CPU: 0 UID: 0 PID: 16 Comm: ksoftirqd/0 Not tainted 6.12.0-rc5 #26 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 RIP: 0010:inet_sock_destruct+0x1c5/0x1e0 Code: 24 12 4c 89 e2 5b 48 c7 c7 98 ec bb 82 41 5c e9 d1 18 17 ff 4c 89 e6 5b 48 c7 c7 d0 ec bb 82 41 5c e9 bf 18 17 ff 0f 0b eb 83 <0f> 0b eb 97 0f 0b eb 87 0f 0b e9 68 ff ff ff 66 66 2e 0f 1f 84 00 RSP: 0018:ffffc9000008bd90 EFLAGS: 00010206 RAX: 0000000000000300 RBX: ffff88810b172a90 RCX: 0000000000000007 RDX: 0000000000000002 RSI: 0000000000000300 RDI: ffff88810b172a00 RBP: ffff88810b172a00 R08: ffff888104273c00 R09: 0000000000100007 R10: 0000000000020000 R11: 0000000000000006 R12: ffff88810b172a00 R13: 0000000000000004 R14: 0000000000000000 R15: ffff888237c31f78 FS: 0000000000000000(0000) GS:ffff888237c00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007ffc63fecac8 CR3: 000000000342e000 CR4: 00000000000006f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> ? __warn+0x88/0x130 ? inet_sock_destruct+0x1c5/0x1e0 ? report_bug+0x18e/0x1a0 ? handle_bug+0x53/0x90 ? exc_invalid_op+0x18/0x70 ? asm_exc_invalid_op+0x1a/0x20 ? inet_sock_destruct+0x1c5/0x1e0 __sk_destruct+0x2a/0x200 rcu_do_batch+0x1aa/0x530 ? rcu_do_batch+0x13b/0x530 rcu_core+0x159/0x2f0 handle_softirqs+0xd3/0x2b0 ? __pfx_smpboot_thread_fn+0x10/0x10 run_ksoftirqd+0x25/0x30 smpboot_thread_fn+0xdd/0x1d0 kthread+0xd3/0x100 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x34/0x50 ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1a/0x30 </TASK> ---[ end trace 0000000000000000 ]--- Its possible that two threads call tcp_v6_do_rcv()/sk_forward_alloc_add() concurrently when sk->sk_state == TCP_LISTEN with sk->sk_lock unlocked, which triggers a data-race around sk->sk_forward_alloc: tcp_v6_rcv tcp_v6_do_rcv skb_clone_and_charge_r sk_rmem_schedule __sk_mem_schedule sk_forward_alloc_add() skb_set_owner_r sk_mem_charge sk_forward_alloc_add() __kfree_skb skb_release_all skb_release_head_state sock_rfree sk_mem_uncharge sk_forward_alloc_add() sk_mem_reclaim // set local var reclaimable __sk_mem_reclaim sk_forward_alloc_add() In this syzkaller testcase, two threads call tcp_v6_do_rcv() with skb->truesize=768, the sk_forward_alloc changes like this: (cpu 1) | (cpu 2) | sk_forward_alloc ... | ... | 0 __sk_mem_schedule() | | +4096 = 4096 | __sk_mem_schedule() | +4096 = 8192 sk_mem_charge() | | -768 = 7424 | sk_mem_charge() | -768 = 6656 ... | ... | sk_mem_uncharge() | | +768 = 7424 reclaimable=7424 | | | sk_mem_uncharge() | +768 = 8192 | reclaimable=8192 | __sk_mem_reclaim() | | -4096 = 4096 | __sk_mem_reclaim() | -8192 = -4096 != 0 The skb_clone_and_charge_r() should not be called in tcp_v6_do_rcv() when sk->sk_state is TCP_LISTEN, it happens later in tcp_v6_syn_recv_sock(). Fix the same issue in dccp_v6_do_rcv().
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: block: fix uaf for flush rq while iterating tags blk_mq_clear_flush_rq_mapping() is not called during scsi probe, by checking blk_queue_init_done(). However, QUEUE_FLAG_INIT_DONE is cleared in del_gendisk by commit aec89dc5d421 ("block: keep q_usage_counter in atomic mode after del_gendisk"), hence for disk like scsi, following blk_mq_destroy_queue() will not clear flush rq from tags->rqs[] as well, cause following uaf that is found by our syzkaller for v6.6: ================================================================== BUG: KASAN: slab-use-after-free in blk_mq_find_and_get_req+0x16e/0x1a0 block/blk-mq-tag.c:261 Read of size 4 at addr ffff88811c969c20 by task kworker/1:2H/224909 CPU: 1 PID: 224909 Comm: kworker/1:2H Not tainted 6.6.0-ga836a5060850 #32 Workqueue: kblockd blk_mq_timeout_work Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x91/0xf0 lib/dump_stack.c:106 print_address_description.constprop.0+0x66/0x300 mm/kasan/report.c:364 print_report+0x3e/0x70 mm/kasan/report.c:475 kasan_report+0xb8/0xf0 mm/kasan/report.c:588 blk_mq_find_and_get_req+0x16e/0x1a0 block/blk-mq-tag.c:261 bt_iter block/blk-mq-tag.c:288 [inline] __sbitmap_for_each_set include/linux/sbitmap.h:295 [inline] sbitmap_for_each_set include/linux/sbitmap.h:316 [inline] bt_for_each+0x455/0x790 block/blk-mq-tag.c:325 blk_mq_queue_tag_busy_iter+0x320/0x740 block/blk-mq-tag.c:534 blk_mq_timeout_work+0x1a3/0x7b0 block/blk-mq.c:1673 process_one_work+0x7c4/0x1450 kernel/workqueue.c:2631 process_scheduled_works kernel/workqueue.c:2704 [inline] worker_thread+0x804/0xe40 kernel/workqueue.c:2785 kthread+0x346/0x450 kernel/kthread.c:388 ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1b/0x30 arch/x86/entry/entry_64.S:293 Allocated by task 942: kasan_save_stack+0x22/0x50 mm/kasan/common.c:45 kasan_set_track+0x25/0x30 mm/kasan/common.c:52 ____kasan_kmalloc mm/kasan/common.c:374 [inline] __kasan_kmalloc mm/kasan/common.c:383 [inline] __kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:380 kasan_kmalloc include/linux/kasan.h:198 [inline] __do_kmalloc_node mm/slab_common.c:1007 [inline] __kmalloc_node+0x69/0x170 mm/slab_common.c:1014 kmalloc_node include/linux/slab.h:620 [inline] kzalloc_node include/linux/slab.h:732 [inline] blk_alloc_flush_queue+0x144/0x2f0 block/blk-flush.c:499 blk_mq_alloc_hctx+0x601/0x940 block/blk-mq.c:3788 blk_mq_alloc_and_init_hctx+0x27f/0x330 block/blk-mq.c:4261 blk_mq_realloc_hw_ctxs+0x488/0x5e0 block/blk-mq.c:4294 blk_mq_init_allocated_queue+0x188/0x860 block/blk-mq.c:4350 blk_mq_init_queue_data block/blk-mq.c:4166 [inline] blk_mq_init_queue+0x8d/0x100 block/blk-mq.c:4176 scsi_alloc_sdev+0x843/0xd50 drivers/scsi/scsi_scan.c:335 scsi_probe_and_add_lun+0x77c/0xde0 drivers/scsi/scsi_scan.c:1189 __scsi_scan_target+0x1fc/0x5a0 drivers/scsi/scsi_scan.c:1727 scsi_scan_channel drivers/scsi/scsi_scan.c:1815 [inline] scsi_scan_channel+0x14b/0x1e0 drivers/scsi/scsi_scan.c:1791 scsi_scan_host_selected+0x2fe/0x400 drivers/scsi/scsi_scan.c:1844 scsi_scan+0x3a0/0x3f0 drivers/scsi/scsi_sysfs.c:151 store_scan+0x2a/0x60 drivers/scsi/scsi_sysfs.c:191 dev_attr_store+0x5c/0x90 drivers/base/core.c:2388 sysfs_kf_write+0x11c/0x170 fs/sysfs/file.c:136 kernfs_fop_write_iter+0x3fc/0x610 fs/kernfs/file.c:338 call_write_iter include/linux/fs.h:2083 [inline] new_sync_write+0x1b4/0x2d0 fs/read_write.c:493 vfs_write+0x76c/0xb00 fs/read_write.c:586 ksys_write+0x127/0x250 fs/read_write.c:639 do_syscall_x64 arch/x86/entry/common.c:51 [inline] do_syscall_64+0x70/0x120 arch/x86/entry/common.c:81 entry_SYSCALL_64_after_hwframe+0x78/0xe2 Freed by task 244687: kasan_save_stack+0x22/0x50 mm/kasan/common.c:45 kasan_set_track+0x25/0x30 mm/kasan/common.c:52 kasan_save_free_info+0x2b/0x50 mm/kasan/generic.c:522 ____kasan_slab_free mm/kasan/common.c:236 [inline] __kasan_slab_free+0x12a/0x1b0 mm/kasan/common.c:244 kasan_slab_free include/linux/kasan.h:164 [in ---truncated---
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: scsi: ufs: bsg: Set bsg_queue to NULL after removal Currently, this does not cause any issues, but I believe it is necessary to set bsg_queue to NULL after removing it to prevent potential use-after-free (UAF) access.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: scsi: sg: Fix slab-use-after-free read in sg_release() Fix a use-after-free bug in sg_release(), detected by syzbot with KASAN: BUG: KASAN: slab-use-after-free in lock_release+0x151/0xa30 kernel/locking/lockdep.c:5838 __mutex_unlock_slowpath+0xe2/0x750 kernel/locking/mutex.c:912 sg_release+0x1f4/0x2e0 drivers/scsi/sg.c:407 In sg_release(), the function kref_put(&sfp->f_ref, sg_remove_sfp) is called before releasing the open_rel_lock mutex. The kref_put() call may decrement the reference count of sfp to zero, triggering its cleanup through sg_remove_sfp(). This cleanup includes scheduling deferred work via sg_remove_sfp_usercontext(), which ultimately frees sfp. After kref_put(), sg_release() continues to unlock open_rel_lock and may reference sfp or sdp. If sfp has already been freed, this results in a slab-use-after-free error. Move the kref_put(&sfp->f_ref, sg_remove_sfp) call after unlocking the open_rel_lock mutex. This ensures: - No references to sfp or sdp occur after the reference count is decremented. - Cleanup functions such as sg_remove_sfp() and sg_remove_sfp_usercontext() can safely execute without impacting the mutex handling in sg_release(). The fix has been tested and validated by syzbot. This patch closes the bug reported at the following syzkaller link and ensures proper sequencing of resource cleanup and mutex operations, eliminating the risk of use-after-free errors in sg_release().
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: ipv6: Fix soft lockups in fib6_select_path under high next hop churn Soft lockups have been observed on a cluster of Linux-based edge routers located in a highly dynamic environment. Using the `bird` service, these routers continuously update BGP-advertised routes due to frequently changing nexthop destinations, while also managing significant IPv6 traffic. The lockups occur during the traversal of the multipath circular linked-list in the `fib6_select_path` function, particularly while iterating through the siblings in the list. The issue typically arises when the nodes of the linked list are unexpectedly deleted concurrently on a different core—indicated by their 'next' and 'previous' elements pointing back to the node itself and their reference count dropping to zero. This results in an infinite loop, leading to a soft lockup that triggers a system panic via the watchdog timer. Apply RCU primitives in the problematic code sections to resolve the issue. Where necessary, update the references to fib6_siblings to annotate or use the RCU APIs. Include a test script that reproduces the issue. The script periodically updates the routing table while generating a heavy load of outgoing IPv6 traffic through multiple iperf3 clients. It consistently induces infinite soft lockups within a couple of minutes. Kernel log: 0 [ffffbd13003e8d30] machine_kexec at ffffffff8ceaf3eb 1 [ffffbd13003e8d90] __crash_kexec at ffffffff8d0120e3 2 [ffffbd13003e8e58] panic at ffffffff8cef65d4 3 [ffffbd13003e8ed8] watchdog_timer_fn at ffffffff8d05cb03 4 [ffffbd13003e8f08] __hrtimer_run_queues at ffffffff8cfec62f 5 [ffffbd13003e8f70] hrtimer_interrupt at ffffffff8cfed756 6 [ffffbd13003e8fd0] __sysvec_apic_timer_interrupt at ffffffff8cea01af 7 [ffffbd13003e8ff0] sysvec_apic_timer_interrupt at ffffffff8df1b83d -- <IRQ stack> -- 8 [ffffbd13003d3708] asm_sysvec_apic_timer_interrupt at ffffffff8e000ecb [exception RIP: fib6_select_path+299] RIP: ffffffff8ddafe7b RSP: ffffbd13003d37b8 RFLAGS: 00000287 RAX: ffff975850b43600 RBX: ffff975850b40200 RCX: 0000000000000000 RDX: 000000003fffffff RSI: 0000000051d383e4 RDI: ffff975850b43618 RBP: ffffbd13003d3800 R8: 0000000000000000 R9: ffff975850b40200 R10: 0000000000000000 R11: 0000000000000000 R12: ffffbd13003d3830 R13: ffff975850b436a8 R14: ffff975850b43600 R15: 0000000000000007 ORIG_RAX: ffffffffffffffff CS: 0010 SS: 0018 9 [ffffbd13003d3808] ip6_pol_route at ffffffff8ddb030c 10 [ffffbd13003d3888] ip6_pol_route_input at ffffffff8ddb068c 11 [ffffbd13003d3898] fib6_rule_lookup at ffffffff8ddf02b5 12 [ffffbd13003d3928] ip6_route_input at ffffffff8ddb0f47 13 [ffffbd13003d3a18] ip6_rcv_finish_core.constprop.0 at ffffffff8dd950d0 14 [ffffbd13003d3a30] ip6_list_rcv_finish.constprop.0 at ffffffff8dd96274 15 [ffffbd13003d3a98] ip6_sublist_rcv at ffffffff8dd96474 16 [ffffbd13003d3af8] ipv6_list_rcv at ffffffff8dd96615 17 [ffffbd13003d3b60] __netif_receive_skb_list_core at ffffffff8dc16fec 18 [ffffbd13003d3be0] netif_receive_skb_list_internal at ffffffff8dc176b3 19 [ffffbd13003d3c50] napi_gro_receive at ffffffff8dc565b9 20 [ffffbd13003d3c80] ice_receive_skb at ffffffffc087e4f5 [ice] 21 [ffffbd13003d3c90] ice_clean_rx_irq at ffffffffc0881b80 [ice] 22 [ffffbd13003d3d20] ice_napi_poll at ffffffffc088232f [ice] 23 [ffffbd13003d3d80] __napi_poll at ffffffff8dc18000 24 [ffffbd13003d3db8] net_rx_action at ffffffff8dc18581 25 [ffffbd13003d3e40] __do_softirq at ffffffff8df352e9 26 [ffffbd13003d3eb0] run_ksoftirqd at ffffffff8ceffe47 27 [ffffbd13003d3ec0] smpboot_thread_fn at ffffffff8cf36a30 28 [ffffbd13003d3ee8] kthread at ffffffff8cf2b39f 29 [ffffbd13003d3f28] ret_from_fork at ffffffff8ce5fa64 30 [ffffbd13003d3f50] ret_from_fork_asm at ffffffff8ce03cbb
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: net: stmmac: fix TSO DMA API usage causing oops Commit 66600fac7a98 ("net: stmmac: TSO: Fix unbalanced DMA map/unmap for non-paged SKB data") moved the assignment of tx_skbuff_dma[]'s members to be later in stmmac_tso_xmit(). The buf (dma cookie) and len stored in this structure are passed to dma_unmap_single() by stmmac_tx_clean(). The DMA API requires that the dma cookie passed to dma_unmap_single() is the same as the value returned from dma_map_single(). However, by moving the assignment later, this is not the case when priv->dma_cap.addr64 > 32 as "des" is offset by proto_hdr_len. This causes problems such as: dwc-eth-dwmac 2490000.ethernet eth0: Tx DMA map failed and with DMA_API_DEBUG enabled: DMA-API: dwc-eth-dwmac 2490000.ethernet: device driver tries to +free DMA memory it has not allocated [device address=0x000000ffffcf65c0] [size=66 bytes] Fix this by maintaining "des" as the original DMA cookie, and use tso_des to pass the offset DMA cookie to stmmac_tso_allocator(). Full details of the crashes can be found at: https://lore.kernel.org/all/d8112193-0386-4e14-b516-37c2d838171a@nvidia.com/ https://lore.kernel.org/all/klkzp5yn5kq5efgtrow6wbvnc46bcqfxs65nz3qy77ujr5turc@bwwhelz2l4dw/
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: topology: Keep the cpumask unchanged when printing cpumap During fuzz testing, the following warning was discovered: different return values (15 and 11) from vsnprintf("%*pbl ", ...) test:keyward is WARNING in kvasprintf WARNING: CPU: 55 PID: 1168477 at lib/kasprintf.c:30 kvasprintf+0x121/0x130 Call Trace: kvasprintf+0x121/0x130 kasprintf+0xa6/0xe0 bitmap_print_to_buf+0x89/0x100 core_siblings_list_read+0x7e/0xb0 kernfs_file_read_iter+0x15b/0x270 new_sync_read+0x153/0x260 vfs_read+0x215/0x290 ksys_read+0xb9/0x160 do_syscall_64+0x56/0x100 entry_SYSCALL_64_after_hwframe+0x78/0xe2 The call trace shows that kvasprintf() reported this warning during the printing of core_siblings_list. kvasprintf() has several steps: (1) First, calculate the length of the resulting formatted string. (2) Allocate a buffer based on the returned length. (3) Then, perform the actual string formatting. (4) Check whether the lengths of the formatted strings returned in steps (1) and (2) are consistent. If the core_cpumask is modified between steps (1) and (3), the lengths obtained in these two steps may not match. Indeed our test includes cpu hotplugging, which should modify core_cpumask while printing. To fix this issue, cache the cpumask into a temporary variable before calling cpumap_print_{list, cpumask}_to_buf(), to keep it unchanged during the printing process.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: fs: relax assertions on failure to encode file handles Encoding file handles is usually performed by a filesystem >encode_fh() method that may fail for various reasons. The legacy users of exportfs_encode_fh(), namely, nfsd and name_to_handle_at(2) syscall are ready to cope with the possibility of failure to encode a file handle. There are a few other users of exportfs_encode_{fh,fid}() that currently have a WARN_ON() assertion when ->encode_fh() fails. Relax those assertions because they are wrong. The second linked bug report states commit 16aac5ad1fa9 ("ovl: support encoding non-decodable file handles") in v6.6 as the regressing commit, but this is not accurate. The aforementioned commit only increases the chances of the assertion and allows triggering the assertion with the reproducer using overlayfs, inotify and drop_caches. Triggering this assertion was always possible with other filesystems and other reasons of ->encode_fh() failures and more particularly, it was also possible with the exact same reproducer using overlayfs that is mounted with options index=on,nfs_export=on also on kernels < v6.6. Therefore, I am not listing the aforementioned commit as a Fixes commit. Backport hint: this patch will have a trivial conflict applying to v6.6.y, and other trivial conflicts applying to stable kernels < v6.6.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: rdma/cxgb4: Prevent potential integer overflow on 32bit The "gl->tot_len" variable is controlled by the user. It comes from process_responses(). On 32bit systems, the "gl->tot_len + sizeof(struct cpl_pass_accept_req) + sizeof(struct rss_header)" addition could have an integer wrapping bug. Use size_add() to prevent this.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: memcg: fix soft lockup in the OOM process A soft lockup issue was found in the product with about 56,000 tasks were in the OOM cgroup, it was traversing them when the soft lockup was triggered. watchdog: BUG: soft lockup - CPU#2 stuck for 23s! [VM Thread:1503066] CPU: 2 PID: 1503066 Comm: VM Thread Kdump: loaded Tainted: G Hardware name: Huawei Cloud OpenStack Nova, BIOS RIP: 0010:console_unlock+0x343/0x540 RSP: 0000:ffffb751447db9a0 EFLAGS: 00000247 ORIG_RAX: ffffffffffffff13 RAX: 0000000000000001 RBX: 0000000000000000 RCX: 00000000ffffffff RDX: 0000000000000000 RSI: 0000000000000004 RDI: 0000000000000247 RBP: ffffffffafc71f90 R08: 0000000000000000 R09: 0000000000000040 R10: 0000000000000080 R11: 0000000000000000 R12: ffffffffafc74bd0 R13: ffffffffaf60a220 R14: 0000000000000247 R15: 0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f2fe6ad91f0 CR3: 00000004b2076003 CR4: 0000000000360ee0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: vprintk_emit+0x193/0x280 printk+0x52/0x6e dump_task+0x114/0x130 mem_cgroup_scan_tasks+0x76/0x100 dump_header+0x1fe/0x210 oom_kill_process+0xd1/0x100 out_of_memory+0x125/0x570 mem_cgroup_out_of_memory+0xb5/0xd0 try_charge+0x720/0x770 mem_cgroup_try_charge+0x86/0x180 mem_cgroup_try_charge_delay+0x1c/0x40 do_anonymous_page+0xb5/0x390 handle_mm_fault+0xc4/0x1f0 This is because thousands of processes are in the OOM cgroup, it takes a long time to traverse all of them. As a result, this lead to soft lockup in the OOM process. To fix this issue, call 'cond_resched' in the 'mem_cgroup_scan_tasks' function per 1000 iterations. For global OOM, call 'touch_softlockup_watchdog' per 1000 iterations to avoid this issue.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: pps: Fix a use-after-free On a board running ntpd and gpsd, I'm seeing a consistent use-after-free in sys_exit() from gpsd when rebooting: pps pps1: removed ------------[ cut here ]------------ kobject: '(null)' (00000000db4bec24): is not initialized, yet kobject_put() is being called. WARNING: CPU: 2 PID: 440 at lib/kobject.c:734 kobject_put+0x120/0x150 CPU: 2 UID: 299 PID: 440 Comm: gpsd Not tainted 6.11.0-rc6-00308-gb31c44928842 #1 Hardware name: Raspberry Pi 4 Model B Rev 1.1 (DT) pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : kobject_put+0x120/0x150 lr : kobject_put+0x120/0x150 sp : ffffffc0803d3ae0 x29: ffffffc0803d3ae0 x28: ffffff8042dc9738 x27: 0000000000000001 x26: 0000000000000000 x25: ffffff8042dc9040 x24: ffffff8042dc9440 x23: ffffff80402a4620 x22: ffffff8042ef4bd0 x21: ffffff80405cb600 x20: 000000000008001b x19: ffffff8040b3b6e0 x18: 0000000000000000 x17: 0000000000000000 x16: 0000000000000000 x15: 696e6920746f6e20 x14: 7369203a29343263 x13: 205d303434542020 x12: 0000000000000000 x11: 0000000000000000 x10: 0000000000000000 x9 : 0000000000000000 x8 : 0000000000000000 x7 : 0000000000000000 x6 : 0000000000000000 x5 : 0000000000000000 x4 : 0000000000000000 x3 : 0000000000000000 x2 : 0000000000000000 x1 : 0000000000000000 x0 : 0000000000000000 Call trace: kobject_put+0x120/0x150 cdev_put+0x20/0x3c __fput+0x2c4/0x2d8 ____fput+0x1c/0x38 task_work_run+0x70/0xfc do_exit+0x2a0/0x924 do_group_exit+0x34/0x90 get_signal+0x7fc/0x8c0 do_signal+0x128/0x13b4 do_notify_resume+0xdc/0x160 el0_svc+0xd4/0xf8 el0t_64_sync_handler+0x140/0x14c el0t_64_sync+0x190/0x194 ---[ end trace 0000000000000000 ]--- ...followed by more symptoms of corruption, with similar stacks: refcount_t: underflow; use-after-free. kernel BUG at lib/list_debug.c:62! Kernel panic - not syncing: Oops - BUG: Fatal exception This happens because pps_device_destruct() frees the pps_device with the embedded cdev immediately after calling cdev_del(), but, as the comment above cdev_del() notes, fops for previously opened cdevs are still callable even after cdev_del() returns. I think this bug has always been there: I can't explain why it suddenly started happening every time I reboot this particular board. In commit d953e0e837e6 ("pps: Fix a use-after free bug when unregistering a source."), George Spelvin suggested removing the embedded cdev. That seems like the simplest way to fix this, so I've implemented his suggestion, using __register_chrdev() with pps_idr becoming the source of truth for which minor corresponds to which device. But now that pps_idr defines userspace visibility instead of cdev_add(), we need to be sure the pps->dev refcount can't reach zero while userspace can still find it again. So, the idr_remove() call moves to pps_unregister_cdev(), and pps_idr now holds a reference to pps->dev. pps_core: source serial1 got cdev (251:1) <...> pps pps1: removed pps_core: unregistering pps1 pps_core: deallocating pps1
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: platform/x86: int3472: Check for adev == NULL Not all devices have an ACPI companion fwnode, so adev might be NULL. This can e.g. (theoretically) happen when a user manually binds one of the int3472 drivers to another i2c/platform device through sysfs. Add a check for adev not being set and return -ENODEV in that case to avoid a possible NULL pointer deref in skl_int3472_get_acpi_buffer().
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: safesetid: check size of policy writes syzbot attempts to write a buffer with a large size to a sysfs entry with writes handled by handle_policy_update(), triggering a warning in kmalloc. Check the size specified for write buffers before allocating. [PM: subject tweak]
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: HID: multitouch: Add NULL check in mt_input_configured devm_kasprintf() can return a NULL pointer on failure,but this returned value in mt_input_configured() is not checked. Add NULL check in mt_input_configured(), to handle kernel NULL pointer dereference error.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: remoteproc: core: Fix ida_free call while not allocated In the rproc_alloc() function, on error, put_device(&rproc->dev) is called, leading to the call of the rproc_type_release() function. An error can occurs before ida_alloc is called. In such case in rproc_type_release(), the condition (rproc->index >= 0) is true as rproc->index has been initialized to 0. ida_free() is called reporting a warning: [ 4.181906] WARNING: CPU: 1 PID: 24 at lib/idr.c:525 ida_free+0x100/0x164 [ 4.186378] stm32-display-dsi 5a000000.dsi: Fixed dependency cycle(s) with /soc/dsi@5a000000/panel@0 [ 4.188854] ida_free called for id=0 which is not allocated. [ 4.198256] mipi-dsi 5a000000.dsi.0: Fixed dependency cycle(s) with /soc/dsi@5a000000 [ 4.203556] Modules linked in: panel_orisetech_otm8009a dw_mipi_dsi_stm(+) gpu_sched dw_mipi_dsi stm32_rproc stm32_crc32 stm32_ipcc(+) optee(+) [ 4.224307] CPU: 1 UID: 0 PID: 24 Comm: kworker/u10:0 Not tainted 6.12.0 #442 [ 4.231481] Hardware name: STM32 (Device Tree Support) [ 4.236627] Workqueue: events_unbound deferred_probe_work_func [ 4.242504] Call trace: [ 4.242522] unwind_backtrace from show_stack+0x10/0x14 [ 4.250218] show_stack from dump_stack_lvl+0x50/0x64 [ 4.255274] dump_stack_lvl from __warn+0x80/0x12c [ 4.260134] __warn from warn_slowpath_fmt+0x114/0x188 [ 4.265199] warn_slowpath_fmt from ida_free+0x100/0x164 [ 4.270565] ida_free from rproc_type_release+0x38/0x60 [ 4.275832] rproc_type_release from device_release+0x30/0xa0 [ 4.281601] device_release from kobject_put+0xc4/0x294 [ 4.286762] kobject_put from rproc_alloc.part.0+0x208/0x28c [ 4.292430] rproc_alloc.part.0 from devm_rproc_alloc+0x80/0xc4 [ 4.298393] devm_rproc_alloc from stm32_rproc_probe+0xd0/0x844 [stm32_rproc] [ 4.305575] stm32_rproc_probe [stm32_rproc] from platform_probe+0x5c/0xbc Calling ida_alloc earlier in rproc_alloc ensures that the rproc->index is properly set.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: ubifs: skip dumping tnc tree when zroot is null Clearing slab cache will free all znode in memory and make c->zroot.znode = NULL, then dumping tnc tree will access c->zroot.znode which cause null pointer dereference.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: prohibit deactivating all links In the internal API this calls this is a WARN_ON, but that should remain since internally we want to know about bugs that may cause this. Prevent deactivating all links in the debugfs write directly.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: drm/v3d: Stop active perfmon if it is being destroyed If the active performance monitor (`v3d->active_perfmon`) is being destroyed, stop it first. Currently, the active perfmon is not stopped during destruction, leaving the `v3d->active_perfmon` pointer stale. This can lead to undefined behavior and instability. This patch ensures that the active perfmon is stopped before being destroyed, aligning with the behavior introduced in commit 7d1fd3638ee3 ("drm/v3d: Stop the active perfmon before being destroyed").
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: platform/x86/amd/pmc: Only disable IRQ1 wakeup where i8042 actually enabled it Wakeup for IRQ1 should be disabled only in cases where i8042 had actually enabled it, otherwise "wake_depth" for this IRQ will try to drop below zero and there will be an unpleasant WARN() logged: kernel: atkbd serio0: Disabling IRQ1 wakeup source to avoid platform firmware bug kernel: ------------[ cut here ]------------ kernel: Unbalanced IRQ 1 wake disable kernel: WARNING: CPU: 10 PID: 6431 at kernel/irq/manage.c:920 irq_set_irq_wake+0x147/0x1a0 The PMC driver uses DEFINE_SIMPLE_DEV_PM_OPS() to define its dev_pm_ops which sets amd_pmc_suspend_handler() to the .suspend, .freeze, and .poweroff handlers. i8042_pm_suspend(), however, is only set as the .suspend handler. Fix the issue by call PMC suspend handler only from the same set of dev_pm_ops handlers as i8042_pm_suspend(), which currently means just the .suspend handler. To reproduce this issue try hibernating (S4) the machine after a fresh boot without putting it into s2idle first. [ij: edited the commit message.]
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: netfilter: conntrack: clamp maximum hashtable size to INT_MAX Use INT_MAX as maximum size for the conntrack hashtable. Otherwise, it is possible to hit WARN_ON_ONCE in __kvmalloc_node_noprof() when resizing hashtable because __GFP_NOWARN is unset. See: 0708a0afe291 ("mm: Consider __GFP_NOWARN flag for oversized kvmalloc() calls") Note: hashtable resize is only possible from init_netns.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: io_uring/eventfd: ensure io_eventfd_signal() defers another RCU period io_eventfd_do_signal() is invoked from an RCU callback, but when dropping the reference to the io_ev_fd, it calls io_eventfd_free() directly if the refcount drops to zero. This isn't correct, as any potential freeing of the io_ev_fd should be deferred another RCU grace period. Just call io_eventfd_put() rather than open-code the dec-and-test and free, which will correctly defer it another RCU grace period.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: net: fec: handle page_pool_dev_alloc_pages error The fec_enet_update_cbd function calls page_pool_dev_alloc_pages but did not handle the case when it returned NULL. There was a WARN_ON(!new_page) but it would still proceed to use the NULL pointer and then crash. This case does seem somewhat rare but when the system is under memory pressure it can happen. One case where I can duplicate this with some frequency is when writing over a smbd share to a SATA HDD attached to an imx6q. Setting /proc/sys/vm/min_free_kbytes to higher values also seems to solve the problem for my test case. But it still seems wrong that the fec driver ignores the memory allocation error and can crash. This commit handles the allocation error by dropping the current packet.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: eth: bnxt: always recalculate features after XDP clearing, fix null-deref Recalculate features when XDP is detached. Before: # ip li set dev eth0 xdp obj xdp_dummy.bpf.o sec xdp # ip li set dev eth0 xdp off # ethtool -k eth0 | grep gro rx-gro-hw: off [requested on] After: # ip li set dev eth0 xdp obj xdp_dummy.bpf.o sec xdp # ip li set dev eth0 xdp off # ethtool -k eth0 | grep gro rx-gro-hw: on The fact that HW-GRO doesn't get re-enabled automatically is just a minor annoyance. The real issue is that the features will randomly come back during another reconfiguration which just happens to invoke netdev_update_features(). The driver doesn't handle reconfiguring two things at a time very robustly. Starting with commit 98ba1d931f61 ("bnxt_en: Fix RSS logic in __bnxt_reserve_rings()") we only reconfigure the RSS hash table if the "effective" number of Rx rings has changed. If HW-GRO is enabled "effective" number of rings is 2x what user sees. So if we are in the bad state, with HW-GRO re-enablement "pending" after XDP off, and we lower the rings by / 2 - the HW-GRO rings doing 2x and the ethtool -L doing / 2 may cancel each other out, and the: if (old_rx_rings != bp->hw_resc.resv_rx_rings && condition in __bnxt_reserve_rings() will be false. The RSS map won't get updated, and we'll crash with: BUG: kernel NULL pointer dereference, address: 0000000000000168 RIP: 0010:__bnxt_hwrm_vnic_set_rss+0x13a/0x1a0 bnxt_hwrm_vnic_rss_cfg_p5+0x47/0x180 __bnxt_setup_vnic_p5+0x58/0x110 bnxt_init_nic+0xb72/0xf50 __bnxt_open_nic+0x40d/0xab0 bnxt_open_nic+0x2b/0x60 ethtool_set_channels+0x18c/0x1d0 As we try to access a freed ring. The issue is present since XDP support was added, really, but prior to commit 98ba1d931f61 ("bnxt_en: Fix RSS logic in __bnxt_reserve_rings()") it wasn't causing major issues.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: pfifo_tail_enqueue: Drop new packet when sch->limit == 0 Expected behaviour: In case we reach scheduler's limit, pfifo_tail_enqueue() will drop a packet in scheduler's queue and decrease scheduler's qlen by one. Then, pfifo_tail_enqueue() enqueue new packet and increase scheduler's qlen by one. Finally, pfifo_tail_enqueue() return `NET_XMIT_CN` status code. Weird behaviour: In case we set `sch->limit == 0` and trigger pfifo_tail_enqueue() on a scheduler that has no packet, the 'drop a packet' step will do nothing. This means the scheduler's qlen still has value equal 0. Then, we continue to enqueue new packet and increase scheduler's qlen by one. In summary, we can leverage pfifo_tail_enqueue() to increase qlen by one and return `NET_XMIT_CN` status code. The problem is: Let's say we have two qdiscs: Qdisc_A and Qdisc_B. - Qdisc_A's type must have '->graft()' function to create parent/child relationship. Let's say Qdisc_A's type is `hfsc`. Enqueue packet to this qdisc will trigger `hfsc_enqueue`. - Qdisc_B's type is pfifo_head_drop. Enqueue packet to this qdisc will trigger `pfifo_tail_enqueue`. - Qdisc_B is configured to have `sch->limit == 0`. - Qdisc_A is configured to route the enqueued's packet to Qdisc_B. Enqueue packet through Qdisc_A will lead to: - hfsc_enqueue(Qdisc_A) -> pfifo_tail_enqueue(Qdisc_B) - Qdisc_B->q.qlen += 1 - pfifo_tail_enqueue() return `NET_XMIT_CN` - hfsc_enqueue() check for `NET_XMIT_SUCCESS` and see `NET_XMIT_CN` => hfsc_enqueue() don't increase qlen of Qdisc_A. The whole process lead to a situation where Qdisc_A->q.qlen == 0 and Qdisc_B->q.qlen == 1. Replace 'hfsc' with other type (for example: 'drr') still lead to the same problem. This violate the design where parent's qlen should equal to the sum of its childrens'qlen. Bug impact: This issue can be used for user->kernel privilege escalation when it is reachable.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: mptcp: handle fastopen disconnect correctly Syzbot was able to trigger a data stream corruption: WARNING: CPU: 0 PID: 9846 at net/mptcp/protocol.c:1024 __mptcp_clean_una+0xddb/0xff0 net/mptcp/protocol.c:1024 Modules linked in: CPU: 0 UID: 0 PID: 9846 Comm: syz-executor351 Not tainted 6.13.0-rc2-syzkaller-00059-g00a5acdbf398 #0 Hardware name: Google Compute Engine/Google Compute Engine, BIOS Google 11/25/2024 RIP: 0010:__mptcp_clean_una+0xddb/0xff0 net/mptcp/protocol.c:1024 Code: fa ff ff 48 8b 4c 24 18 80 e1 07 fe c1 38 c1 0f 8c 8e fa ff ff 48 8b 7c 24 18 e8 e0 db 54 f6 e9 7f fa ff ff e8 e6 80 ee f5 90 <0f> 0b 90 4c 8b 6c 24 40 4d 89 f4 e9 04 f5 ff ff 44 89 f1 80 e1 07 RSP: 0018:ffffc9000c0cf400 EFLAGS: 00010293 RAX: ffffffff8bb0dd5a RBX: ffff888033f5d230 RCX: ffff888059ce8000 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 RBP: ffffc9000c0cf518 R08: ffffffff8bb0d1dd R09: 1ffff110170c8928 R10: dffffc0000000000 R11: ffffed10170c8929 R12: 0000000000000000 R13: ffff888033f5d220 R14: dffffc0000000000 R15: ffff8880592b8000 FS: 00007f6e866496c0(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f6e86f491a0 CR3: 00000000310e6000 CR4: 00000000003526f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> __mptcp_clean_una_wakeup+0x7f/0x2d0 net/mptcp/protocol.c:1074 mptcp_release_cb+0x7cb/0xb30 net/mptcp/protocol.c:3493 release_sock+0x1aa/0x1f0 net/core/sock.c:3640 inet_wait_for_connect net/ipv4/af_inet.c:609 [inline] __inet_stream_connect+0x8bd/0xf30 net/ipv4/af_inet.c:703 mptcp_sendmsg_fastopen+0x2a2/0x530 net/mptcp/protocol.c:1755 mptcp_sendmsg+0x1884/0x1b10 net/mptcp/protocol.c:1830 sock_sendmsg_nosec net/socket.c:711 [inline] __sock_sendmsg+0x1a6/0x270 net/socket.c:726 ____sys_sendmsg+0x52a/0x7e0 net/socket.c:2583 ___sys_sendmsg net/socket.c:2637 [inline] __sys_sendmsg+0x269/0x350 net/socket.c:2669 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f6e86ebfe69 Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 b1 1f 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f6e86649168 EFLAGS: 00000246 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 00007f6e86f491b8 RCX: 00007f6e86ebfe69 RDX: 0000000030004001 RSI: 0000000020000080 RDI: 0000000000000003 RBP: 00007f6e86f491b0 R08: 00007f6e866496c0 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 00007f6e86f491bc R13: 000000000000006e R14: 00007ffe445d9420 R15: 00007ffe445d9508 </TASK> The root cause is the bad handling of disconnect() generated internally by the MPTCP protocol in case of connect FASTOPEN errors. Address the issue increasing the socket disconnect counter even on such a case, to allow other threads waiting on the same socket lock to properly error out.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: mptcp: pm: only set fullmesh for subflow endp With the in-kernel path-manager, it is possible to change the 'fullmesh' flag. The code in mptcp_pm_nl_fullmesh() expects to change it only on 'subflow' endpoints, to recreate more or less subflows using the linked address. Unfortunately, the set_flags() hook was a bit more permissive, and allowed 'implicit' endpoints to get the 'fullmesh' flag while it is not allowed before. That's what syzbot found, triggering the following warning: WARNING: CPU: 0 PID: 6499 at net/mptcp/pm_netlink.c:1496 __mark_subflow_endp_available net/mptcp/pm_netlink.c:1496 [inline] WARNING: CPU: 0 PID: 6499 at net/mptcp/pm_netlink.c:1496 mptcp_pm_nl_fullmesh net/mptcp/pm_netlink.c:1980 [inline] WARNING: CPU: 0 PID: 6499 at net/mptcp/pm_netlink.c:1496 mptcp_nl_set_flags net/mptcp/pm_netlink.c:2003 [inline] WARNING: CPU: 0 PID: 6499 at net/mptcp/pm_netlink.c:1496 mptcp_pm_nl_set_flags+0x974/0xdc0 net/mptcp/pm_netlink.c:2064 Modules linked in: CPU: 0 UID: 0 PID: 6499 Comm: syz.1.413 Not tainted 6.13.0-rc5-syzkaller-00172-gd1bf27c4e176 #0 Hardware name: Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 RIP: 0010:__mark_subflow_endp_available net/mptcp/pm_netlink.c:1496 [inline] RIP: 0010:mptcp_pm_nl_fullmesh net/mptcp/pm_netlink.c:1980 [inline] RIP: 0010:mptcp_nl_set_flags net/mptcp/pm_netlink.c:2003 [inline] RIP: 0010:mptcp_pm_nl_set_flags+0x974/0xdc0 net/mptcp/pm_netlink.c:2064 Code: 01 00 00 49 89 c5 e8 fb 45 e8 f5 e9 b8 fc ff ff e8 f1 45 e8 f5 4c 89 f7 be 03 00 00 00 e8 44 1d 0b f9 eb a0 e8 dd 45 e8 f5 90 <0f> 0b 90 e9 17 ff ff ff 89 d9 80 e1 07 38 c1 0f 8c c9 fc ff ff 48 RSP: 0018:ffffc9000d307240 EFLAGS: 00010293 RAX: ffffffff8bb72e03 RBX: 0000000000000000 RCX: ffff88807da88000 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 RBP: ffffc9000d307430 R08: ffffffff8bb72cf0 R09: 1ffff1100b842a5e R10: dffffc0000000000 R11: ffffed100b842a5f R12: ffff88801e2e5ac0 R13: ffff88805c214800 R14: ffff88805c2152e8 R15: 1ffff1100b842a5d FS: 00005555619f6500(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000020002840 CR3: 00000000247e6000 CR4: 00000000003526f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> genl_family_rcv_msg_doit net/netlink/genetlink.c:1115 [inline] genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline] genl_rcv_msg+0xb14/0xec0 net/netlink/genetlink.c:1210 netlink_rcv_skb+0x1e3/0x430 net/netlink/af_netlink.c:2542 genl_rcv+0x28/0x40 net/netlink/genetlink.c:1219 netlink_unicast_kernel net/netlink/af_netlink.c:1321 [inline] netlink_unicast+0x7f6/0x990 net/netlink/af_netlink.c:1347 netlink_sendmsg+0x8e4/0xcb0 net/netlink/af_netlink.c:1891 sock_sendmsg_nosec net/socket.c:711 [inline] __sock_sendmsg+0x221/0x270 net/socket.c:726 ____sys_sendmsg+0x52a/0x7e0 net/socket.c:2583 ___sys_sendmsg net/socket.c:2637 [inline] __sys_sendmsg+0x269/0x350 net/socket.c:2669 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f5fe8785d29 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007fff571f5558 EFLAGS: 00000246 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 00007f5fe8975fa0 RCX: 00007f5fe8785d29 RDX: 0000000000000000 RSI: 0000000020000480 RDI: 0000000000000007 RBP: 00007f5fe8801b08 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007f5fe8975fa0 R14: 00007f5fe8975fa0 R15: 000000 ---truncated---
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: mptcp: consolidate suboption status MPTCP maintains the received sub-options status is the bitmask carrying the received suboptions and in several bitfields carrying per suboption additional info. Zeroing the bitmask before parsing is not enough to ensure a consistent status, and the MPTCP code has to additionally clear some bitfiled depending on the actually parsed suboption. The above schema is fragile, and syzbot managed to trigger a path where a relevant bitfield is not cleared/initialized: BUG: KMSAN: uninit-value in __mptcp_expand_seq net/mptcp/options.c:1030 [inline] BUG: KMSAN: uninit-value in mptcp_expand_seq net/mptcp/protocol.h:864 [inline] BUG: KMSAN: uninit-value in ack_update_msk net/mptcp/options.c:1060 [inline] BUG: KMSAN: uninit-value in mptcp_incoming_options+0x2036/0x3d30 net/mptcp/options.c:1209 __mptcp_expand_seq net/mptcp/options.c:1030 [inline] mptcp_expand_seq net/mptcp/protocol.h:864 [inline] ack_update_msk net/mptcp/options.c:1060 [inline] mptcp_incoming_options+0x2036/0x3d30 net/mptcp/options.c:1209 tcp_data_queue+0xb4/0x7be0 net/ipv4/tcp_input.c:5233 tcp_rcv_established+0x1061/0x2510 net/ipv4/tcp_input.c:6264 tcp_v4_do_rcv+0x7f3/0x11a0 net/ipv4/tcp_ipv4.c:1916 tcp_v4_rcv+0x51df/0x5750 net/ipv4/tcp_ipv4.c:2351 ip_protocol_deliver_rcu+0x2a3/0x13d0 net/ipv4/ip_input.c:205 ip_local_deliver_finish+0x336/0x500 net/ipv4/ip_input.c:233 NF_HOOK include/linux/netfilter.h:314 [inline] ip_local_deliver+0x21f/0x490 net/ipv4/ip_input.c:254 dst_input include/net/dst.h:460 [inline] ip_rcv_finish+0x4a2/0x520 net/ipv4/ip_input.c:447 NF_HOOK include/linux/netfilter.h:314 [inline] ip_rcv+0xcd/0x380 net/ipv4/ip_input.c:567 __netif_receive_skb_one_core net/core/dev.c:5704 [inline] __netif_receive_skb+0x319/0xa00 net/core/dev.c:5817 process_backlog+0x4ad/0xa50 net/core/dev.c:6149 __napi_poll+0xe7/0x980 net/core/dev.c:6902 napi_poll net/core/dev.c:6971 [inline] net_rx_action+0xa5a/0x19b0 net/core/dev.c:7093 handle_softirqs+0x1a0/0x7c0 kernel/softirq.c:561 __do_softirq+0x14/0x1a kernel/softirq.c:595 do_softirq+0x9a/0x100 kernel/softirq.c:462 __local_bh_enable_ip+0x9f/0xb0 kernel/softirq.c:389 local_bh_enable include/linux/bottom_half.h:33 [inline] rcu_read_unlock_bh include/linux/rcupdate.h:919 [inline] __dev_queue_xmit+0x2758/0x57d0 net/core/dev.c:4493 dev_queue_xmit include/linux/netdevice.h:3168 [inline] neigh_hh_output include/net/neighbour.h:523 [inline] neigh_output include/net/neighbour.h:537 [inline] ip_finish_output2+0x187c/0x1b70 net/ipv4/ip_output.c:236 __ip_finish_output+0x287/0x810 ip_finish_output+0x4b/0x600 net/ipv4/ip_output.c:324 NF_HOOK_COND include/linux/netfilter.h:303 [inline] ip_output+0x15f/0x3f0 net/ipv4/ip_output.c:434 dst_output include/net/dst.h:450 [inline] ip_local_out net/ipv4/ip_output.c:130 [inline] __ip_queue_xmit+0x1f2a/0x20d0 net/ipv4/ip_output.c:536 ip_queue_xmit+0x60/0x80 net/ipv4/ip_output.c:550 __tcp_transmit_skb+0x3cea/0x4900 net/ipv4/tcp_output.c:1468 tcp_transmit_skb net/ipv4/tcp_output.c:1486 [inline] tcp_write_xmit+0x3b90/0x9070 net/ipv4/tcp_output.c:2829 __tcp_push_pending_frames+0xc4/0x380 net/ipv4/tcp_output.c:3012 tcp_send_fin+0x9f6/0xf50 net/ipv4/tcp_output.c:3618 __tcp_close+0x140c/0x1550 net/ipv4/tcp.c:3130 __mptcp_close_ssk+0x74e/0x16f0 net/mptcp/protocol.c:2496 mptcp_close_ssk+0x26b/0x2c0 net/mptcp/protocol.c:2550 mptcp_pm_nl_rm_addr_or_subflow+0x635/0xd10 net/mptcp/pm_netlink.c:889 mptcp_pm_nl_rm_subflow_received net/mptcp/pm_netlink.c:924 [inline] mptcp_pm_flush_addrs_and_subflows net/mptcp/pm_netlink.c:1688 [inline] mptcp_nl_flush_addrs_list net/mptcp/pm_netlink.c:1709 [inline] mptcp_pm_nl_flush_addrs_doit+0xe10/0x1630 net/mptcp/pm_netlink.c:1750 genl_family_rcv_msg_doit net/netlink/genetlink.c:1115 [inline] ---truncated---
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: net: rose: fix timer races against user threads Rose timers only acquire the socket spinlock, without checking if the socket is owned by one user thread. Add a check and rearm the timers if needed. BUG: KASAN: slab-use-after-free in rose_timer_expiry+0x31d/0x360 net/rose/rose_timer.c:174 Read of size 2 at addr ffff88802f09b82a by task swapper/0/0 CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.13.0-rc5-syzkaller-00172-gd1bf27c4e176 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 Call Trace: <IRQ> __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline] print_report+0x169/0x550 mm/kasan/report.c:489 kasan_report+0x143/0x180 mm/kasan/report.c:602 rose_timer_expiry+0x31d/0x360 net/rose/rose_timer.c:174 call_timer_fn+0x187/0x650 kernel/time/timer.c:1793 expire_timers kernel/time/timer.c:1844 [inline] __run_timers kernel/time/timer.c:2418 [inline] __run_timer_base+0x66a/0x8e0 kernel/time/timer.c:2430 run_timer_base kernel/time/timer.c:2439 [inline] run_timer_softirq+0xb7/0x170 kernel/time/timer.c:2449 handle_softirqs+0x2d4/0x9b0 kernel/softirq.c:561 __do_softirq kernel/softirq.c:595 [inline] invoke_softirq kernel/softirq.c:435 [inline] __irq_exit_rcu+0xf7/0x220 kernel/softirq.c:662 irq_exit_rcu+0x9/0x30 kernel/softirq.c:678 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1049 [inline] sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1049 </IRQ>
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: nbd: don't allow reconnect after disconnect Following process can cause nbd_config UAF: 1) grab nbd_config temporarily; 2) nbd_genl_disconnect() flush all recv_work() and release the initial reference: nbd_genl_disconnect nbd_disconnect_and_put nbd_disconnect flush_workqueue(nbd->recv_workq) if (test_and_clear_bit(NBD_RT_HAS_CONFIG_REF, ...)) nbd_config_put -> due to step 1), reference is still not zero 3) nbd_genl_reconfigure() queue recv_work() again; nbd_genl_reconfigure config = nbd_get_config_unlocked(nbd) if (!config) -> succeed if (!test_bit(NBD_RT_BOUND, ...)) -> succeed nbd_reconnect_socket queue_work(nbd->recv_workq, &args->work) 4) step 1) release the reference; 5) Finially, recv_work() will trigger UAF: recv_work nbd_config_put(nbd) -> nbd_config is freed atomic_dec(&config->recv_threads) -> UAF Fix the problem by clearing NBD_RT_BOUND in nbd_genl_disconnect(), so that nbd_genl_reconfigure() will fail.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: blk-cgroup: Fix class @block_class's subsystem refcount leakage blkcg_fill_root_iostats() iterates over @block_class's devices by class_dev_iter_(init|next)(), but does not end iterating with class_dev_iter_exit(), so causes the class's subsystem refcount leakage. Fix by ending the iterating with class_dev_iter_exit().
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: ipv6: mcast: add RCU protection to mld_newpack() mld_newpack() can be called without RTNL or RCU being held. Note that we no longer can use sock_alloc_send_skb() because ipv6.igmp_sk uses GFP_KERNEL allocations which can sleep. Instead use alloc_skb() and charge the net->ipv6.igmp_sk socket under RCU protection.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: ndisc: extend RCU protection in ndisc_send_skb() ndisc_send_skb() can be called without RTNL or RCU held. Acquire rcu_read_lock() earlier, so that we can use dev_net_rcu() and avoid a potential UAF.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: ndisc: use RCU protection in ndisc_alloc_skb() ndisc_alloc_skb() can be called without RTNL or RCU being held. Add RCU protection to avoid possible UAF.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: ipv6: use RCU protection in ip6_default_advmss() ip6_default_advmss() needs rcu protection to make sure the net structure it reads does not disappear.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: avoid buffer overflow attach in smu_sys_set_pp_table() It malicious user provides a small pptable through sysfs and then a bigger pptable, it may cause buffer overflow attack in function smu_sys_set_pp_table().
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: NFSD: fix hang in nfsd4_shutdown_callback If nfs4_client is in courtesy state then there is no point to send the callback. This causes nfsd4_shutdown_callback to hang since cl_cb_inflight is not 0. This hang lasts about 15 minutes until TCP notifies NFSD that the connection was dropped. This patch modifies nfsd4_run_cb_work to skip the RPC call if nfs4_client is in courtesy state.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: nfsd: clear acl_access/acl_default after releasing them If getting acl_default fails, acl_access and acl_default will be released simultaneously. However, acl_access will still retain a pointer pointing to the released posix_acl, which will trigger a WARNING in nfs3svc_release_getacl like this: ------------[ cut here ]------------ refcount_t: underflow; use-after-free. WARNING: CPU: 26 PID: 3199 at lib/refcount.c:28 refcount_warn_saturate+0xb5/0x170 Modules linked in: CPU: 26 UID: 0 PID: 3199 Comm: nfsd Not tainted 6.12.0-rc6-00079-g04ae226af01f-dirty #8 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.1-2.fc37 04/01/2014 RIP: 0010:refcount_warn_saturate+0xb5/0x170 Code: cc cc 0f b6 1d b3 20 a5 03 80 fb 01 0f 87 65 48 d8 00 83 e3 01 75 e4 48 c7 c7 c0 3b 9b 85 c6 05 97 20 a5 03 01 e8 fb 3e 30 ff <0f> 0b eb cd 0f b6 1d 8a3 RSP: 0018:ffffc90008637cd8 EFLAGS: 00010282 RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff83904fde RDX: dffffc0000000000 RSI: 0000000000000008 RDI: ffff88871ed36380 RBP: ffff888158beeb40 R08: 0000000000000001 R09: fffff520010c6f56 R10: ffffc90008637ab7 R11: 0000000000000001 R12: 0000000000000001 R13: ffff888140e77400 R14: ffff888140e77408 R15: ffffffff858b42c0 FS: 0000000000000000(0000) GS:ffff88871ed00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000562384d32158 CR3: 000000055cc6a000 CR4: 00000000000006f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> ? refcount_warn_saturate+0xb5/0x170 ? __warn+0xa5/0x140 ? refcount_warn_saturate+0xb5/0x170 ? report_bug+0x1b1/0x1e0 ? handle_bug+0x53/0xa0 ? exc_invalid_op+0x17/0x40 ? asm_exc_invalid_op+0x1a/0x20 ? tick_nohz_tick_stopped+0x1e/0x40 ? refcount_warn_saturate+0xb5/0x170 ? refcount_warn_saturate+0xb5/0x170 nfs3svc_release_getacl+0xc9/0xe0 svc_process_common+0x5db/0xb60 ? __pfx_svc_process_common+0x10/0x10 ? __rcu_read_unlock+0x69/0xa0 ? __pfx_nfsd_dispatch+0x10/0x10 ? svc_xprt_received+0xa1/0x120 ? xdr_init_decode+0x11d/0x190 svc_process+0x2a7/0x330 svc_handle_xprt+0x69d/0x940 svc_recv+0x180/0x2d0 nfsd+0x168/0x200 ? __pfx_nfsd+0x10/0x10 kthread+0x1a2/0x1e0 ? kthread+0xf4/0x1e0 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x34/0x60 ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1a/0x30 </TASK> Kernel panic - not syncing: kernel: panic_on_warn set ... Clear acl_access/acl_default after posix_acl_release is called to prevent UAF from being triggered.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: net: hns3: fix oops when unload drivers paralleling When unload hclge driver, it tries to disable sriov first for each ae_dev node from hnae3_ae_dev_list. If user unloads hns3 driver at the time, because it removes all the ae_dev nodes, and it may cause oops. But we can't simply use hnae3_common_lock for this. Because in the process flow of pci_disable_sriov(), it will trigger the remove flow of VF, which will also take hnae3_common_lock. To fixes it, introduce a new mutex to protect the unload process.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: ptp: Ensure info->enable callback is always set The ioctl and sysfs handlers unconditionally call the ->enable callback. Not all drivers implement that callback, leading to NULL dereferences. Example of affected drivers: ptp_s390.c, ptp_vclock.c and ptp_mock.c. Instead use a dummy callback if no better was specified by the driver.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: acct: perform last write from workqueue In [1] it was reported that the acct(2) system call can be used to trigger NULL deref in cases where it is set to write to a file that triggers an internal lookup. This can e.g., happen when pointing acc(2) to /sys/power/resume. At the point the where the write to this file happens the calling task has already exited and called exit_fs(). A lookup will thus trigger a NULL-deref when accessing current->fs. Reorganize the code so that the the final write happens from the workqueue but with the caller's credentials. This preserves the (strange) permission model and has almost no regression risk. This api should stop to exist though.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: bpf: avoid holding freeze_mutex during mmap operation We use map->freeze_mutex to prevent races between map_freeze() and memory mapping BPF map contents with writable permissions. The way we naively do this means we'll hold freeze_mutex for entire duration of all the mm and VMA manipulations, which is completely unnecessary. This can potentially also lead to deadlocks, as reported by syzbot in [0]. So, instead, hold freeze_mutex only during writeability checks, bump (proactively) "write active" count for the map, unlock the mutex and proceed with mmap logic. And only if something went wrong during mmap logic, then undo that "write active" counter increment. [0] https://lore.kernel.org/bpf/678dcbc9.050a0220.303755.0066.GAE@google.com/
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: mm/migrate_device: don't add folio to be freed to LRU in migrate_device_finalize() If migration succeeded, we called folio_migrate_flags()->mem_cgroup_migrate() to migrate the memcg from the old to the new folio. This will set memcg_data of the old folio to 0. Similarly, if migration failed, memcg_data of the dst folio is left unset. If we call folio_putback_lru() on such folios (memcg_data == 0), we will add the folio to be freed to the LRU, making memcg code unhappy. Running the hmm selftests: # ./hmm-tests ... # RUN hmm.hmm_device_private.migrate ... [ 102.078007][T14893] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x7ff27d200 pfn:0x13cc00 [ 102.079974][T14893] anon flags: 0x17ff00000020018(uptodate|dirty|swapbacked|node=0|zone=2|lastcpupid=0x7ff) [ 102.082037][T14893] raw: 017ff00000020018 dead000000000100 dead000000000122 ffff8881353896c9 [ 102.083687][T14893] raw: 00000007ff27d200 0000000000000000 00000001ffffffff 0000000000000000 [ 102.085331][T14893] page dumped because: VM_WARN_ON_ONCE_FOLIO(!memcg && !mem_cgroup_disabled()) [ 102.087230][T14893] ------------[ cut here ]------------ [ 102.088279][T14893] WARNING: CPU: 0 PID: 14893 at ./include/linux/memcontrol.h:726 folio_lruvec_lock_irqsave+0x10e/0x170 [ 102.090478][T14893] Modules linked in: [ 102.091244][T14893] CPU: 0 UID: 0 PID: 14893 Comm: hmm-tests Not tainted 6.13.0-09623-g6c216bc522fd #151 [ 102.093089][T14893] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-2.fc40 04/01/2014 [ 102.094848][T14893] RIP: 0010:folio_lruvec_lock_irqsave+0x10e/0x170 [ 102.096104][T14893] Code: ... [ 102.099908][T14893] RSP: 0018:ffffc900236c37b0 EFLAGS: 00010293 [ 102.101152][T14893] RAX: 0000000000000000 RBX: ffffea0004f30000 RCX: ffffffff8183f426 [ 102.102684][T14893] RDX: ffff8881063cb880 RSI: ffffffff81b8117f RDI: ffff8881063cb880 [ 102.104227][T14893] RBP: 0000000000000000 R08: 0000000000000005 R09: 0000000000000000 [ 102.105757][T14893] R10: 0000000000000001 R11: 0000000000000002 R12: ffffc900236c37d8 [ 102.107296][T14893] R13: ffff888277a2bcb0 R14: 000000000000001f R15: 0000000000000000 [ 102.108830][T14893] FS: 00007ff27dbdd740(0000) GS:ffff888277a00000(0000) knlGS:0000000000000000 [ 102.110643][T14893] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 102.111924][T14893] CR2: 00007ff27d400000 CR3: 000000010866e000 CR4: 0000000000750ef0 [ 102.113478][T14893] PKRU: 55555554 [ 102.114172][T14893] Call Trace: [ 102.114805][T14893] <TASK> [ 102.115397][T14893] ? folio_lruvec_lock_irqsave+0x10e/0x170 [ 102.116547][T14893] ? __warn.cold+0x110/0x210 [ 102.117461][T14893] ? folio_lruvec_lock_irqsave+0x10e/0x170 [ 102.118667][T14893] ? report_bug+0x1b9/0x320 [ 102.119571][T14893] ? handle_bug+0x54/0x90 [ 102.120494][T14893] ? exc_invalid_op+0x17/0x50 [ 102.121433][T14893] ? asm_exc_invalid_op+0x1a/0x20 [ 102.122435][T14893] ? __wake_up_klogd.part.0+0x76/0xd0 [ 102.123506][T14893] ? dump_page+0x4f/0x60 [ 102.124352][T14893] ? folio_lruvec_lock_irqsave+0x10e/0x170 [ 102.125500][T14893] folio_batch_move_lru+0xd4/0x200 [ 102.126577][T14893] ? __pfx_lru_add+0x10/0x10 [ 102.127505][T14893] __folio_batch_add_and_move+0x391/0x720 [ 102.128633][T14893] ? __pfx_lru_add+0x10/0x10 [ 102.129550][T14893] folio_putback_lru+0x16/0x80 [ 102.130564][T14893] migrate_device_finalize+0x9b/0x530 [ 102.131640][T14893] dmirror_migrate_to_device.constprop.0+0x7c5/0xad0 [ 102.133047][T14893] dmirror_fops_unlocked_ioctl+0x89b/0xc80 Likely, nothing else goes wrong: putting the last folio reference will remove the folio from the LRU again. So besides memcg complaining, adding the folio to be freed to the LRU is just an unnecessary step. The new flow resembles what we have in migrate_folio_move(): add the dst to the lru, rem ---truncated---
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: tcp: drop secpath at the same time as we currently drop dst Xiumei reported hitting the WARN in xfrm6_tunnel_net_exit while running tests that boil down to: - create a pair of netns - run a basic TCP test over ipcomp6 - delete the pair of netns The xfrm_state found on spi_byaddr was not deleted at the time we delete the netns, because we still have a reference on it. This lingering reference comes from a secpath (which holds a ref on the xfrm_state), which is still attached to an skb. This skb is not leaked, it ends up on sk_receive_queue and then gets defer-free'd by skb_attempt_defer_free. The problem happens when we defer freeing an skb (push it on one CPU's defer_list), and don't flush that list before the netns is deleted. In that case, we still have a reference on the xfrm_state that we don't expect at this point. We already drop the skb's dst in the TCP receive path when it's no longer needed, so let's also drop the secpath. At this point, tcp_filter has already called into the LSM hooks that may require the secpath, so it should not be needed anymore. However, in some of those places, the MPTCP extension has just been attached to the skb, so we cannot simply drop all extensions.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: bpf, test_run: Fix use-after-free issue in eth_skb_pkt_type() KMSAN reported a use-after-free issue in eth_skb_pkt_type()[1]. The cause of the issue was that eth_skb_pkt_type() accessed skb's data that didn't contain an Ethernet header. This occurs when bpf_prog_test_run_xdp() passes an invalid value as the user_data argument to bpf_test_init(). Fix this by returning an error when user_data is less than ETH_HLEN in bpf_test_init(). Additionally, remove the check for "if (user_size > size)" as it is unnecessary. [1] BUG: KMSAN: use-after-free in eth_skb_pkt_type include/linux/etherdevice.h:627 [inline] BUG: KMSAN: use-after-free in eth_type_trans+0x4ee/0x980 net/ethernet/eth.c:165 eth_skb_pkt_type include/linux/etherdevice.h:627 [inline] eth_type_trans+0x4ee/0x980 net/ethernet/eth.c:165 __xdp_build_skb_from_frame+0x5a8/0xa50 net/core/xdp.c:635 xdp_recv_frames net/bpf/test_run.c:272 [inline] xdp_test_run_batch net/bpf/test_run.c:361 [inline] bpf_test_run_xdp_live+0x2954/0x3330 net/bpf/test_run.c:390 bpf_prog_test_run_xdp+0x148e/0x1b10 net/bpf/test_run.c:1318 bpf_prog_test_run+0x5b7/0xa30 kernel/bpf/syscall.c:4371 __sys_bpf+0x6a6/0xe20 kernel/bpf/syscall.c:5777 __do_sys_bpf kernel/bpf/syscall.c:5866 [inline] __se_sys_bpf kernel/bpf/syscall.c:5864 [inline] __x64_sys_bpf+0xa4/0xf0 kernel/bpf/syscall.c:5864 x64_sys_call+0x2ea0/0x3d90 arch/x86/include/generated/asm/syscalls_64.h:322 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xd9/0x1d0 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f Uninit was created at: free_pages_prepare mm/page_alloc.c:1056 [inline] free_unref_page+0x156/0x1320 mm/page_alloc.c:2657 __free_pages+0xa3/0x1b0 mm/page_alloc.c:4838 bpf_ringbuf_free kernel/bpf/ringbuf.c:226 [inline] ringbuf_map_free+0xff/0x1e0 kernel/bpf/ringbuf.c:235 bpf_map_free kernel/bpf/syscall.c:838 [inline] bpf_map_free_deferred+0x17c/0x310 kernel/bpf/syscall.c:862 process_one_work kernel/workqueue.c:3229 [inline] process_scheduled_works+0xa2b/0x1b60 kernel/workqueue.c:3310 worker_thread+0xedf/0x1550 kernel/workqueue.c:3391 kthread+0x535/0x6b0 kernel/kthread.c:389 ret_from_fork+0x6e/0x90 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 CPU: 1 UID: 0 PID: 17276 Comm: syz.1.16450 Not tainted 6.12.0-05490-g9bb88c659673 #8 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-3.fc41 04/01/2014
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: mptcp: always handle address removal under msk socket lock Syzkaller reported a lockdep splat in the PM control path: WARNING: CPU: 0 PID: 6693 at ./include/net/sock.h:1711 sock_owned_by_me include/net/sock.h:1711 [inline] WARNING: CPU: 0 PID: 6693 at ./include/net/sock.h:1711 msk_owned_by_me net/mptcp/protocol.h:363 [inline] WARNING: CPU: 0 PID: 6693 at ./include/net/sock.h:1711 mptcp_pm_nl_addr_send_ack+0x57c/0x610 net/mptcp/pm_netlink.c:788 Modules linked in: CPU: 0 UID: 0 PID: 6693 Comm: syz.0.205 Not tainted 6.14.0-rc2-syzkaller-00303-gad1b832bf1cf #0 Hardware name: Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024 RIP: 0010:sock_owned_by_me include/net/sock.h:1711 [inline] RIP: 0010:msk_owned_by_me net/mptcp/protocol.h:363 [inline] RIP: 0010:mptcp_pm_nl_addr_send_ack+0x57c/0x610 net/mptcp/pm_netlink.c:788 Code: 5b 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc cc cc e8 ca 7b d3 f5 eb b9 e8 c3 7b d3 f5 90 0f 0b 90 e9 dd fb ff ff e8 b5 7b d3 f5 90 <0f> 0b 90 e9 3e fb ff ff 44 89 f1 80 e1 07 38 c1 0f 8c eb fb ff ff RSP: 0000:ffffc900034f6f60 EFLAGS: 00010283 RAX: ffffffff8bee3c2b RBX: 0000000000000001 RCX: 0000000000080000 RDX: ffffc90004d42000 RSI: 000000000000a407 RDI: 000000000000a408 RBP: ffffc900034f7030 R08: ffffffff8bee37f6 R09: 0100000000000000 R10: dffffc0000000000 R11: ffffed100bcc62e4 R12: ffff88805e6316e0 R13: ffff88805e630c00 R14: dffffc0000000000 R15: ffff88805e630c00 FS: 00007f7e9a7e96c0(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000001b2fd18ff8 CR3: 0000000032c24000 CR4: 00000000003526f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> mptcp_pm_remove_addr+0x103/0x1d0 net/mptcp/pm.c:59 mptcp_pm_remove_anno_addr+0x1f4/0x2f0 net/mptcp/pm_netlink.c:1486 mptcp_nl_remove_subflow_and_signal_addr net/mptcp/pm_netlink.c:1518 [inline] mptcp_pm_nl_del_addr_doit+0x118d/0x1af0 net/mptcp/pm_netlink.c:1629 genl_family_rcv_msg_doit net/netlink/genetlink.c:1115 [inline] genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline] genl_rcv_msg+0xb1f/0xec0 net/netlink/genetlink.c:1210 netlink_rcv_skb+0x206/0x480 net/netlink/af_netlink.c:2543 genl_rcv+0x28/0x40 net/netlink/genetlink.c:1219 netlink_unicast_kernel net/netlink/af_netlink.c:1322 [inline] netlink_unicast+0x7f6/0x990 net/netlink/af_netlink.c:1348 netlink_sendmsg+0x8de/0xcb0 net/netlink/af_netlink.c:1892 sock_sendmsg_nosec net/socket.c:718 [inline] __sock_sendmsg+0x221/0x270 net/socket.c:733 ____sys_sendmsg+0x53a/0x860 net/socket.c:2573 ___sys_sendmsg net/socket.c:2627 [inline] __sys_sendmsg+0x269/0x350 net/socket.c:2659 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f7e9998cde9 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f7e9a7e9038 EFLAGS: 00000246 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 00007f7e99ba5fa0 RCX: 00007f7e9998cde9 RDX: 000000002000c094 RSI: 0000400000000000 RDI: 0000000000000007 RBP: 00007f7e99a0e2a0 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000000 R14: 00007f7e99ba5fa0 R15: 00007fff49231088 Indeed the PM can try to send a RM_ADDR over a msk without acquiring first the msk socket lock. The bugged code-path comes from an early optimization: when there are no subflows, the PM should (usually) not send RM_ADDR notifications. The above statement is incorrect, as without locks another process could concur ---truncated---
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: ovl: fix UAF in ovl_dentry_update_reval by moving dput() in ovl_link_up The issue was caused by dput(upper) being called before ovl_dentry_update_reval(), while upper->d_flags was still accessed in ovl_dentry_remote(). Move dput(upper) after its last use to prevent use-after-free. BUG: KASAN: slab-use-after-free in ovl_dentry_remote fs/overlayfs/util.c:162 [inline] BUG: KASAN: slab-use-after-free in ovl_dentry_update_reval+0xd2/0xf0 fs/overlayfs/util.c:167 Call Trace: <TASK> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:114 print_address_description mm/kasan/report.c:377 [inline] print_report+0xc3/0x620 mm/kasan/report.c:488 kasan_report+0xd9/0x110 mm/kasan/report.c:601 ovl_dentry_remote fs/overlayfs/util.c:162 [inline] ovl_dentry_update_reval+0xd2/0xf0 fs/overlayfs/util.c:167 ovl_link_up fs/overlayfs/copy_up.c:610 [inline] ovl_copy_up_one+0x2105/0x3490 fs/overlayfs/copy_up.c:1170 ovl_copy_up_flags+0x18d/0x200 fs/overlayfs/copy_up.c:1223 ovl_rename+0x39e/0x18c0 fs/overlayfs/dir.c:1136 vfs_rename+0xf84/0x20a0 fs/namei.c:4893 ... </TASK>
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: x86/amd_nb: Use rdmsr_safe() in amd_get_mmconfig_range() Xen doesn't offer MSR_FAM10H_MMIO_CONF_BASE to all guests. This results in the following warning: unchecked MSR access error: RDMSR from 0xc0010058 at rIP: 0xffffffff8101d19f (xen_do_read_msr+0x7f/0xa0) Call Trace: xen_read_msr+0x1e/0x30 amd_get_mmconfig_range+0x2b/0x80 quirk_amd_mmconfig_area+0x28/0x100 pnp_fixup_device+0x39/0x50 __pnp_add_device+0xf/0x150 pnp_add_device+0x3d/0x100 pnpacpi_add_device_handler+0x1f9/0x280 acpi_ns_get_device_callback+0x104/0x1c0 acpi_ns_walk_namespace+0x1d0/0x260 acpi_get_devices+0x8a/0xb0 pnpacpi_init+0x50/0x80 do_one_initcall+0x46/0x2e0 kernel_init_freeable+0x1da/0x2f0 kernel_init+0x16/0x1b0 ret_from_fork+0x30/0x50 ret_from_fork_asm+0x1b/0x30 based on quirks for a "PNP0c01" device. Treating MMCFG as disabled is the right course of action, so no change is needed there. This was most likely exposed by fixing the Xen MSR accessors to not be silently-safe.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: sched/fair: Fix potential memory corruption in child_cfs_rq_on_list child_cfs_rq_on_list attempts to convert a 'prev' pointer to a cfs_rq. This 'prev' pointer can originate from struct rq's leaf_cfs_rq_list, making the conversion invalid and potentially leading to memory corruption. Depending on the relative positions of leaf_cfs_rq_list and the task group (tg) pointer within the struct, this can cause a memory fault or access garbage data. The issue arises in list_add_leaf_cfs_rq, where both cfs_rq->leaf_cfs_rq_list and rq->leaf_cfs_rq_list are added to the same leaf list. Also, rq->tmp_alone_branch can be set to rq->leaf_cfs_rq_list. This adds a check `if (prev == &rq->leaf_cfs_rq_list)` after the main conditional in child_cfs_rq_on_list. This ensures that the container_of operation will convert a correct cfs_rq struct. This check is sufficient because only cfs_rqs on the same CPU are added to the list, so verifying the 'prev' pointer against the current rq's list head is enough. Fixes a potential memory corruption issue that due to current struct layout might not be manifesting as a crash but could lead to unpredictable behavior when the layout changes.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: llc: do not use skb_get() before dev_queue_xmit() syzbot is able to crash hosts [1], using llc and devices not supporting IFF_TX_SKB_SHARING. In this case, e1000 driver calls eth_skb_pad(), while the skb is shared. Simply replace skb_get() by skb_clone() in net/llc/llc_s_ac.c Note that e1000 driver might have an issue with pktgen, because it does not clear IFF_TX_SKB_SHARING, this is an orthogonal change. We need to audit other skb_get() uses in net/llc. [1] kernel BUG at net/core/skbuff.c:2178 ! Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN NOPTI CPU: 0 UID: 0 PID: 16371 Comm: syz.2.2764 Not tainted 6.14.0-rc4-syzkaller-00052-gac9c34d1e45a #0 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 RIP: 0010:pskb_expand_head+0x6ce/0x1240 net/core/skbuff.c:2178 Call Trace: <TASK> __skb_pad+0x18a/0x610 net/core/skbuff.c:2466 __skb_put_padto include/linux/skbuff.h:3843 [inline] skb_put_padto include/linux/skbuff.h:3862 [inline] eth_skb_pad include/linux/etherdevice.h:656 [inline] e1000_xmit_frame+0x2d99/0x5800 drivers/net/ethernet/intel/e1000/e1000_main.c:3128 __netdev_start_xmit include/linux/netdevice.h:5151 [inline] netdev_start_xmit include/linux/netdevice.h:5160 [inline] xmit_one net/core/dev.c:3806 [inline] dev_hard_start_xmit+0x9a/0x7b0 net/core/dev.c:3822 sch_direct_xmit+0x1ae/0xc30 net/sched/sch_generic.c:343 __dev_xmit_skb net/core/dev.c:4045 [inline] __dev_queue_xmit+0x13d4/0x43e0 net/core/dev.c:4621 dev_queue_xmit include/linux/netdevice.h:3313 [inline] llc_sap_action_send_test_c+0x268/0x320 net/llc/llc_s_ac.c:144 llc_exec_sap_trans_actions net/llc/llc_sap.c:153 [inline] llc_sap_next_state net/llc/llc_sap.c:182 [inline] llc_sap_state_process+0x239/0x510 net/llc/llc_sap.c:209 llc_ui_sendmsg+0xd0d/0x14e0 net/llc/af_llc.c:993 sock_sendmsg_nosec net/socket.c:718 [inline]
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: net: gso: fix ownership in __udp_gso_segment In __udp_gso_segment the skb destructor is removed before segmenting the skb but the socket reference is kept as-is. This is an issue if the original skb is later orphaned as we can hit the following bug: kernel BUG at ./include/linux/skbuff.h:3312! (skb_orphan) RIP: 0010:ip_rcv_core+0x8b2/0xca0 Call Trace: ip_rcv+0xab/0x6e0 __netif_receive_skb_one_core+0x168/0x1b0 process_backlog+0x384/0x1100 __napi_poll.constprop.0+0xa1/0x370 net_rx_action+0x925/0xe50 The above can happen following a sequence of events when using OpenVSwitch, when an OVS_ACTION_ATTR_USERSPACE action precedes an OVS_ACTION_ATTR_OUTPUT action: 1. OVS_ACTION_ATTR_USERSPACE is handled (in do_execute_actions): the skb goes through queue_gso_packets and then __udp_gso_segment, where its destructor is removed. 2. The segments' data are copied and sent to userspace. 3. OVS_ACTION_ATTR_OUTPUT is handled (in do_execute_actions) and the same original skb is sent to its path. 4. If it later hits skb_orphan, we hit the bug. Fix this by also removing the reference to the socket in __udp_gso_segment.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: mptcp: fix 'scheduling while atomic' in mptcp_pm_nl_append_new_local_addr If multiple connection requests attempt to create an implicit mptcp endpoint in parallel, more than one caller may end up in mptcp_pm_nl_append_new_local_addr because none found the address in local_addr_list during their call to mptcp_pm_nl_get_local_id. In this case, the concurrent new_local_addr calls may delete the address entry created by the previous caller. These deletes use synchronize_rcu, but this is not permitted in some of the contexts where this function may be called. During packet recv, the caller may be in a rcu read critical section and have preemption disabled. An example stack: BUG: scheduling while atomic: swapper/2/0/0x00000302 Call Trace: <IRQ> dump_stack_lvl (lib/dump_stack.c:117 (discriminator 1)) dump_stack (lib/dump_stack.c:124) __schedule_bug (kernel/sched/core.c:5943) schedule_debug.constprop.0 (arch/x86/include/asm/preempt.h:33 kernel/sched/core.c:5970) __schedule (arch/x86/include/asm/jump_label.h:27 include/linux/jump_label.h:207 kernel/sched/features.h:29 kernel/sched/core.c:6621) schedule (arch/x86/include/asm/preempt.h:84 kernel/sched/core.c:6804 kernel/sched/core.c:6818) schedule_timeout (kernel/time/timer.c:2160) wait_for_completion (kernel/sched/completion.c:96 kernel/sched/completion.c:116 kernel/sched/completion.c:127 kernel/sched/completion.c:148) __wait_rcu_gp (include/linux/rcupdate.h:311 kernel/rcu/update.c:444) synchronize_rcu (kernel/rcu/tree.c:3609) mptcp_pm_nl_append_new_local_addr (net/mptcp/pm_netlink.c:966 net/mptcp/pm_netlink.c:1061) mptcp_pm_nl_get_local_id (net/mptcp/pm_netlink.c:1164) mptcp_pm_get_local_id (net/mptcp/pm.c:420) subflow_check_req (net/mptcp/subflow.c:98 net/mptcp/subflow.c:213) subflow_v4_route_req (net/mptcp/subflow.c:305) tcp_conn_request (net/ipv4/tcp_input.c:7216) subflow_v4_conn_request (net/mptcp/subflow.c:651) tcp_rcv_state_process (net/ipv4/tcp_input.c:6709) tcp_v4_do_rcv (net/ipv4/tcp_ipv4.c:1934) tcp_v4_rcv (net/ipv4/tcp_ipv4.c:2334) ip_protocol_deliver_rcu (net/ipv4/ip_input.c:205 (discriminator 1)) ip_local_deliver_finish (include/linux/rcupdate.h:813 net/ipv4/ip_input.c:234) ip_local_deliver (include/linux/netfilter.h:314 include/linux/netfilter.h:308 net/ipv4/ip_input.c:254) ip_sublist_rcv_finish (include/net/dst.h:461 net/ipv4/ip_input.c:580) ip_sublist_rcv (net/ipv4/ip_input.c:640) ip_list_rcv (net/ipv4/ip_input.c:675) __netif_receive_skb_list_core (net/core/dev.c:5583 net/core/dev.c:5631) netif_receive_skb_list_internal (net/core/dev.c:5685 net/core/dev.c:5774) napi_complete_done (include/linux/list.h:37 include/net/gro.h:449 include/net/gro.h:444 net/core/dev.c:6114) igb_poll (drivers/net/ethernet/intel/igb/igb_main.c:8244) igb __napi_poll (net/core/dev.c:6582) net_rx_action (net/core/dev.c:6653 net/core/dev.c:6787) handle_softirqs (kernel/softirq.c:553) __irq_exit_rcu (kernel/softirq.c:588 kernel/softirq.c:427 kernel/softirq.c:636) irq_exit_rcu (kernel/softirq.c:651) common_interrupt (arch/x86/kernel/irq.c:247 (discriminator 14)) </IRQ> This problem seems particularly prevalent if the user advertises an endpoint that has a different external vs internal address. In the case where the external address is advertised and multiple connections already exist, multiple subflow SYNs arrive in parallel which tends to trigger the race during creation of the first local_addr_list entries which have the internal address instead. Fix by skipping the replacement of an existing implicit local address if called via mptcp_pm_nl_get_local_id.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_conncount: Fully initialize struct nf_conncount_tuple in insert_tree() Since commit b36e4523d4d5 ("netfilter: nf_conncount: fix garbage collection confirm race"), `cpu` and `jiffies32` were introduced to the struct nf_conncount_tuple. The commit made nf_conncount_add() initialize `conn->cpu` and `conn->jiffies32` when allocating the struct. In contrast, count_tree() was not changed to initialize them. By commit 34848d5c896e ("netfilter: nf_conncount: Split insert and traversal"), count_tree() was split and the relevant allocation code now resides in insert_tree(). Initialize `conn->cpu` and `conn->jiffies32` in insert_tree(). BUG: KMSAN: uninit-value in find_or_evict net/netfilter/nf_conncount.c:117 [inline] BUG: KMSAN: uninit-value in __nf_conncount_add+0xd9c/0x2850 net/netfilter/nf_conncount.c:143 find_or_evict net/netfilter/nf_conncount.c:117 [inline] __nf_conncount_add+0xd9c/0x2850 net/netfilter/nf_conncount.c:143 count_tree net/netfilter/nf_conncount.c:438 [inline] nf_conncount_count+0x82f/0x1e80 net/netfilter/nf_conncount.c:521 connlimit_mt+0x7f6/0xbd0 net/netfilter/xt_connlimit.c:72 __nft_match_eval net/netfilter/nft_compat.c:403 [inline] nft_match_eval+0x1a5/0x300 net/netfilter/nft_compat.c:433 expr_call_ops_eval net/netfilter/nf_tables_core.c:240 [inline] nft_do_chain+0x426/0x2290 net/netfilter/nf_tables_core.c:288 nft_do_chain_ipv4+0x1a5/0x230 net/netfilter/nft_chain_filter.c:23 nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline] nf_hook_slow+0xf4/0x400 net/netfilter/core.c:626 nf_hook_slow_list+0x24d/0x860 net/netfilter/core.c:663 NF_HOOK_LIST include/linux/netfilter.h:350 [inline] ip_sublist_rcv+0x17b7/0x17f0 net/ipv4/ip_input.c:633 ip_list_rcv+0x9ef/0xa40 net/ipv4/ip_input.c:669 __netif_receive_skb_list_ptype net/core/dev.c:5936 [inline] __netif_receive_skb_list_core+0x15c5/0x1670 net/core/dev.c:5983 __netif_receive_skb_list net/core/dev.c:6035 [inline] netif_receive_skb_list_internal+0x1085/0x1700 net/core/dev.c:6126 netif_receive_skb_list+0x5a/0x460 net/core/dev.c:6178 xdp_recv_frames net/bpf/test_run.c:280 [inline] xdp_test_run_batch net/bpf/test_run.c:361 [inline] bpf_test_run_xdp_live+0x2e86/0x3480 net/bpf/test_run.c:390 bpf_prog_test_run_xdp+0xf1d/0x1ae0 net/bpf/test_run.c:1316 bpf_prog_test_run+0x5e5/0xa30 kernel/bpf/syscall.c:4407 __sys_bpf+0x6aa/0xd90 kernel/bpf/syscall.c:5813 __do_sys_bpf kernel/bpf/syscall.c:5902 [inline] __se_sys_bpf kernel/bpf/syscall.c:5900 [inline] __ia32_sys_bpf+0xa0/0xe0 kernel/bpf/syscall.c:5900 ia32_sys_call+0x394d/0x4180 arch/x86/include/generated/asm/syscalls_32.h:358 do_syscall_32_irqs_on arch/x86/entry/common.c:165 [inline] __do_fast_syscall_32+0xb0/0x110 arch/x86/entry/common.c:387 do_fast_syscall_32+0x38/0x80 arch/x86/entry/common.c:412 do_SYSENTER_32+0x1f/0x30 arch/x86/entry/common.c:450 entry_SYSENTER_compat_after_hwframe+0x84/0x8e Uninit was created at: slab_post_alloc_hook mm/slub.c:4121 [inline] slab_alloc_node mm/slub.c:4164 [inline] kmem_cache_alloc_noprof+0x915/0xe10 mm/slub.c:4171 insert_tree net/netfilter/nf_conncount.c:372 [inline] count_tree net/netfilter/nf_conncount.c:450 [inline] nf_conncount_count+0x1415/0x1e80 net/netfilter/nf_conncount.c:521 connlimit_mt+0x7f6/0xbd0 net/netfilter/xt_connlimit.c:72 __nft_match_eval net/netfilter/nft_compat.c:403 [inline] nft_match_eval+0x1a5/0x300 net/netfilter/nft_compat.c:433 expr_call_ops_eval net/netfilter/nf_tables_core.c:240 [inline] nft_do_chain+0x426/0x2290 net/netfilter/nf_tables_core.c:288 nft_do_chain_ipv4+0x1a5/0x230 net/netfilter/nft_chain_filter.c:23 nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline] nf_hook_slow+0xf4/0x400 net/netfilter/core.c:626 nf_hook_slow_list+0x24d/0x860 net/netfilter/core.c:663 NF_HOOK_LIST include/linux/netfilter.h:350 [inline] ip_sublist_rcv+0x17b7/0x17f0 net/ipv4/ip_input.c:633 ip_list_rcv+0x9ef/0xa40 net/ip ---truncated---
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: proc: fix UAF in proc_get_inode() Fix race between rmmod and /proc/XXX's inode instantiation. The bug is that pde->proc_ops don't belong to /proc, it belongs to a module, therefore dereferencing it after /proc entry has been registered is a bug unless use_pde/unuse_pde() pair has been used. use_pde/unuse_pde can be avoided (2 atomic ops!) because pde->proc_ops never changes so information necessary for inode instantiation can be saved _before_ proc_register() in PDE itself and used later, avoiding pde->proc_ops->... dereference. rmmod lookup sys_delete_module proc_lookup_de pde_get(de); proc_get_inode(dir->i_sb, de); mod->exit() proc_remove remove_proc_subtree proc_entry_rundown(de); free_module(mod); if (S_ISREG(inode->i_mode)) if (de->proc_ops->proc_read_iter) --> As module is already freed, will trigger UAF BUG: unable to handle page fault for address: fffffbfff80a702b PGD 817fc4067 P4D 817fc4067 PUD 817fc0067 PMD 102ef4067 PTE 0 Oops: Oops: 0000 [#1] PREEMPT SMP KASAN PTI CPU: 26 UID: 0 PID: 2667 Comm: ls Tainted: G Hardware name: QEMU Standard PC (i440FX + PIIX, 1996) RIP: 0010:proc_get_inode+0x302/0x6e0 RSP: 0018:ffff88811c837998 EFLAGS: 00010a06 RAX: dffffc0000000000 RBX: ffffffffc0538140 RCX: 0000000000000007 RDX: 1ffffffff80a702b RSI: 0000000000000001 RDI: ffffffffc0538158 RBP: ffff8881299a6000 R08: 0000000067bbe1e5 R09: 1ffff11023906f20 R10: ffffffffb560ca07 R11: ffffffffb2b43a58 R12: ffff888105bb78f0 R13: ffff888100518048 R14: ffff8881299a6004 R15: 0000000000000001 FS: 00007f95b9686840(0000) GS:ffff8883af100000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: fffffbfff80a702b CR3: 0000000117dd2000 CR4: 00000000000006f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> proc_lookup_de+0x11f/0x2e0 __lookup_slow+0x188/0x350 walk_component+0x2ab/0x4f0 path_lookupat+0x120/0x660 filename_lookup+0x1ce/0x560 vfs_statx+0xac/0x150 __do_sys_newstat+0x96/0x110 do_syscall_64+0x5f/0x170 entry_SYSCALL_64_after_hwframe+0x76/0x7e [adobriyan@gmail.com: don't do 2 atomic ops on the common path]
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: ipv6: Fix memleak of nhc_pcpu_rth_output in fib_check_nh_v6_gw(). fib_check_nh_v6_gw() expects that fib6_nh_init() cleans up everything when it fails. Commit 7dd73168e273 ("ipv6: Always allocate pcpu memory in a fib6_nh") moved fib_nh_common_init() before alloc_percpu_gfp() within fib6_nh_init() but forgot to add cleanup for fib6_nh->nh_common.nhc_pcpu_rth_output in case it fails to allocate fib6_nh->rt6i_pcpu, resulting in memleak. Let's call fib_nh_common_release() and clear nhc_pcpu_rth_output in the error path. Note that we can remove the fib6_nh_release() call in nh_create_ipv6() later in net-next.git.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: mm/migrate: fix shmem xarray update during migration A shmem folio can be either in page cache or in swap cache, but not at the same time. Namely, once it is in swap cache, folio->mapping should be NULL, and the folio is no longer in a shmem mapping. In __folio_migrate_mapping(), to determine the number of xarray entries to update, folio_test_swapbacked() is used, but that conflates shmem in page cache case and shmem in swap cache case. It leads to xarray multi-index entry corruption, since it turns a sibling entry to a normal entry during xas_store() (see [1] for a userspace reproduction). Fix it by only using folio_test_swapcache() to determine whether xarray is storing swap cache entries or not to choose the right number of xarray entries to update. [1] https://lore.kernel.org/linux-mm/Z8idPCkaJW1IChjT@casper.infradead.org/ Note: In __split_huge_page(), folio_test_anon() && folio_test_swapcache() is used to get swap_cache address space, but that ignores the shmem folio in swap cache case. It could lead to NULL pointer dereferencing when a in-swap-cache shmem folio is split at __xa_store(), since !folio_test_anon() is true and folio->mapping is NULL. But fortunately, its caller split_huge_page_to_list_to_order() bails out early with EBUSY when folio->mapping is NULL. So no need to take care of it here.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: net: fix geneve_opt length integer overflow struct geneve_opt uses 5 bit length for each single option, which means every vary size option should be smaller than 128 bytes. However, all current related Netlink policies cannot promise this length condition and the attacker can exploit a exact 128-byte size option to *fake* a zero length option and confuse the parsing logic, further achieve heap out-of-bounds read. One example crash log is like below: [ 3.905425] ================================================================== [ 3.905925] BUG: KASAN: slab-out-of-bounds in nla_put+0xa9/0xe0 [ 3.906255] Read of size 124 at addr ffff888005f291cc by task poc/177 [ 3.906646] [ 3.906775] CPU: 0 PID: 177 Comm: poc-oob-read Not tainted 6.1.132 #1 [ 3.907131] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 [ 3.907784] Call Trace: [ 3.907925] <TASK> [ 3.908048] dump_stack_lvl+0x44/0x5c [ 3.908258] print_report+0x184/0x4be [ 3.909151] kasan_report+0xc5/0x100 [ 3.909539] kasan_check_range+0xf3/0x1a0 [ 3.909794] memcpy+0x1f/0x60 [ 3.909968] nla_put+0xa9/0xe0 [ 3.910147] tunnel_key_dump+0x945/0xba0 [ 3.911536] tcf_action_dump_1+0x1c1/0x340 [ 3.912436] tcf_action_dump+0x101/0x180 [ 3.912689] tcf_exts_dump+0x164/0x1e0 [ 3.912905] fw_dump+0x18b/0x2d0 [ 3.913483] tcf_fill_node+0x2ee/0x460 [ 3.914778] tfilter_notify+0xf4/0x180 [ 3.915208] tc_new_tfilter+0xd51/0x10d0 [ 3.918615] rtnetlink_rcv_msg+0x4a2/0x560 [ 3.919118] netlink_rcv_skb+0xcd/0x200 [ 3.919787] netlink_unicast+0x395/0x530 [ 3.921032] netlink_sendmsg+0x3d0/0x6d0 [ 3.921987] __sock_sendmsg+0x99/0xa0 [ 3.922220] __sys_sendto+0x1b7/0x240 [ 3.922682] __x64_sys_sendto+0x72/0x90 [ 3.922906] do_syscall_64+0x5e/0x90 [ 3.923814] entry_SYSCALL_64_after_hwframe+0x6e/0xd8 [ 3.924122] RIP: 0033:0x7e83eab84407 [ 3.924331] Code: 48 89 fa 4c 89 df e8 38 aa 00 00 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 1a 5b c3 0f 1f 84 00 00 00 00 00 48 8b 44 24 10 0f 05 <5b> c3 0f 1f 80 00 00 00 00 83 e2 39 83 faf [ 3.925330] RSP: 002b:00007ffff505e370 EFLAGS: 00000202 ORIG_RAX: 000000000000002c [ 3.925752] RAX: ffffffffffffffda RBX: 00007e83eaafa740 RCX: 00007e83eab84407 [ 3.926173] RDX: 00000000000001a8 RSI: 00007ffff505e3c0 RDI: 0000000000000003 [ 3.926587] RBP: 00007ffff505f460 R08: 00007e83eace1000 R09: 000000000000000c [ 3.926977] R10: 0000000000000000 R11: 0000000000000202 R12: 00007ffff505f3c0 [ 3.927367] R13: 00007ffff505f5c8 R14: 00007e83ead1b000 R15: 00005d4fbbe6dcb8 Fix these issues by enforing correct length condition in related policies.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_tunnel: fix geneve_opt type confusion addition When handling multiple NFTA_TUNNEL_KEY_OPTS_GENEVE attributes, the parsing logic should place every geneve_opt structure one by one compactly. Hence, when deciding the next geneve_opt position, the pointer addition should be in units of char *. However, the current implementation erroneously does type conversion before the addition, which will lead to heap out-of-bounds write. [ 6.989857] ================================================================== [ 6.990293] BUG: KASAN: slab-out-of-bounds in nft_tunnel_obj_init+0x977/0xa70 [ 6.990725] Write of size 124 at addr ffff888005f18974 by task poc/178 [ 6.991162] [ 6.991259] CPU: 0 PID: 178 Comm: poc-oob-write Not tainted 6.1.132 #1 [ 6.991655] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 [ 6.992281] Call Trace: [ 6.992423] <TASK> [ 6.992586] dump_stack_lvl+0x44/0x5c [ 6.992801] print_report+0x184/0x4be [ 6.993790] kasan_report+0xc5/0x100 [ 6.994252] kasan_check_range+0xf3/0x1a0 [ 6.994486] memcpy+0x38/0x60 [ 6.994692] nft_tunnel_obj_init+0x977/0xa70 [ 6.995677] nft_obj_init+0x10c/0x1b0 [ 6.995891] nf_tables_newobj+0x585/0x950 [ 6.996922] nfnetlink_rcv_batch+0xdf9/0x1020 [ 6.998997] nfnetlink_rcv+0x1df/0x220 [ 6.999537] netlink_unicast+0x395/0x530 [ 7.000771] netlink_sendmsg+0x3d0/0x6d0 [ 7.001462] __sock_sendmsg+0x99/0xa0 [ 7.001707] ____sys_sendmsg+0x409/0x450 [ 7.002391] ___sys_sendmsg+0xfd/0x170 [ 7.003145] __sys_sendmsg+0xea/0x170 [ 7.004359] do_syscall_64+0x5e/0x90 [ 7.005817] entry_SYSCALL_64_after_hwframe+0x6e/0xd8 [ 7.006127] RIP: 0033:0x7ec756d4e407 [ 7.006339] Code: 48 89 fa 4c 89 df e8 38 aa 00 00 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 1a 5b c3 0f 1f 84 00 00 00 00 00 48 8b 44 24 10 0f 05 <5b> c3 0f 1f 80 00 00 00 00 83 e2 39 83 faf [ 7.007364] RSP: 002b:00007ffed5d46760 EFLAGS: 00000202 ORIG_RAX: 000000000000002e [ 7.007827] RAX: ffffffffffffffda RBX: 00007ec756cc4740 RCX: 00007ec756d4e407 [ 7.008223] RDX: 0000000000000000 RSI: 00007ffed5d467f0 RDI: 0000000000000003 [ 7.008620] RBP: 00007ffed5d468a0 R08: 0000000000000000 R09: 0000000000000000 [ 7.009039] R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000000 [ 7.009429] R13: 00007ffed5d478b0 R14: 00007ec756ee5000 R15: 00005cbd4e655cb8 Fix this bug with correct pointer addition and conversion in parse and dump code.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: net: mvpp2: Prevent parser TCAM memory corruption Protect the parser TCAM/SRAM memory, and the cached (shadow) SRAM information, from concurrent modifications. Both the TCAM and SRAM tables are indirectly accessed by configuring an index register that selects the row to read or write to. This means that operations must be atomic in order to, e.g., avoid spreading writes across multiple rows. Since the shadow SRAM array is used to find free rows in the hardware table, it must also be protected in order to avoid TOCTOU errors where multiple cores allocate the same row. This issue was detected in a situation where `mvpp2_set_rx_mode()` ran concurrently on two CPUs. In this particular case the MVPP2_PE_MAC_UC_PROMISCUOUS entry was corrupted, causing the classifier unit to drop all incoming unicast - indicated by the `rx_classifier_drops` counter.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: vhost-scsi: Fix handling of multiple calls to vhost_scsi_set_endpoint If vhost_scsi_set_endpoint is called multiple times without a vhost_scsi_clear_endpoint between them, we can hit multiple bugs found by Haoran Zhang: 1. Use-after-free when no tpgs are found: This fixes a use after free that occurs when vhost_scsi_set_endpoint is called more than once and calls after the first call do not find any tpgs to add to the vs_tpg. When vhost_scsi_set_endpoint first finds tpgs to add to the vs_tpg array match=true, so we will do: vhost_vq_set_backend(vq, vs_tpg); ... kfree(vs->vs_tpg); vs->vs_tpg = vs_tpg; If vhost_scsi_set_endpoint is called again and no tpgs are found match=false so we skip the vhost_vq_set_backend call leaving the pointer to the vs_tpg we then free via: kfree(vs->vs_tpg); vs->vs_tpg = vs_tpg; If a scsi request is then sent we do: vhost_scsi_handle_vq -> vhost_scsi_get_req -> vhost_vq_get_backend which sees the vs_tpg we just did a kfree on. 2. Tpg dir removal hang: This patch fixes an issue where we cannot remove a LIO/target layer tpg (and structs above it like the target) dir due to the refcount dropping to -1. The problem is that if vhost_scsi_set_endpoint detects a tpg is already in the vs->vs_tpg array or if the tpg has been removed so target_depend_item fails, the undepend goto handler will do target_undepend_item on all tpgs in the vs_tpg array dropping their refcount to 0. At this time vs_tpg contains both the tpgs we have added in the current vhost_scsi_set_endpoint call as well as tpgs we added in previous calls which are also in vs->vs_tpg. Later, when vhost_scsi_clear_endpoint runs it will do target_undepend_item on all the tpgs in the vs->vs_tpg which will drop their refcount to -1. Userspace will then not be able to remove the tpg and will hang when it tries to do rmdir on the tpg dir. 3. Tpg leak: This fixes a bug where we can leak tpgs and cause them to be un-removable because the target name is overwritten when vhost_scsi_set_endpoint is called multiple times but with different target names. The bug occurs if a user has called VHOST_SCSI_SET_ENDPOINT and setup a vhost-scsi device to target/tpg mapping, then calls VHOST_SCSI_SET_ENDPOINT again with a new target name that has tpgs we haven't seen before (target1 has tpg1 but target2 has tpg2). When this happens we don't teardown the old target tpg mapping and just overwrite the target name and the vs->vs_tpg array. Later when we do vhost_scsi_clear_endpoint, we are passed in either target1 or target2's name and we will only match that target's tpgs when we loop over the vs->vs_tpg. We will then return from the function without doing target_undepend_item on the tpgs. Because of all these bugs, it looks like being able to call vhost_scsi_set_endpoint multiple times was never supported. The major user, QEMU, already has checks to prevent this use case. So to fix the issues, this patch prevents vhost_scsi_set_endpoint from being called if it's already successfully added tpgs. To add, remove or change the tpg config or target name, you must do a vhost_scsi_clear_endpoint first.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: x86/mm/pat: Fix VM_PAT handling when fork() fails in copy_page_range() If track_pfn_copy() fails, we already added the dst VMA to the maple tree. As fork() fails, we'll cleanup the maple tree, and stumble over the dst VMA for which we neither performed any reservation nor copied any page tables. Consequently untrack_pfn() will see VM_PAT and try obtaining the PAT information from the page table -- which fails because the page table was not copied. The easiest fix would be to simply clear the VM_PAT flag of the dst VMA if track_pfn_copy() fails. However, the whole thing is about "simply" clearing the VM_PAT flag is shaky as well: if we passed track_pfn_copy() and performed a reservation, but copying the page tables fails, we'll simply clear the VM_PAT flag, not properly undoing the reservation ... which is also wrong. So let's fix it properly: set the VM_PAT flag only if the reservation succeeded (leaving it clear initially), and undo the reservation if anything goes wrong while copying the page tables: clearing the VM_PAT flag after undoing the reservation. Note that any copied page table entries will get zapped when the VMA will get removed later, after copy_page_range() succeeded; as VM_PAT is not set then, we won't try cleaning VM_PAT up once more and untrack_pfn() will be happy. Note that leaving these page tables in place without a reservation is not a problem, as we are aborting fork(); this process will never run. A reproducer can trigger this usually at the first try: https://gitlab.com/davidhildenbrand/scratchspace/-/raw/main/reproducers/pat_fork.c WARNING: CPU: 26 PID: 11650 at arch/x86/mm/pat/memtype.c:983 get_pat_info+0xf6/0x110 Modules linked in: ... CPU: 26 UID: 0 PID: 11650 Comm: repro3 Not tainted 6.12.0-rc5+ #92 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-2.fc40 04/01/2014 RIP: 0010:get_pat_info+0xf6/0x110 ... Call Trace: <TASK> ... untrack_pfn+0x52/0x110 unmap_single_vma+0xa6/0xe0 unmap_vmas+0x105/0x1f0 exit_mmap+0xf6/0x460 __mmput+0x4b/0x120 copy_process+0x1bf6/0x2aa0 kernel_clone+0xab/0x440 __do_sys_clone+0x66/0x90 do_syscall_64+0x95/0x180 Likely this case was missed in: d155df53f310 ("x86/mm/pat: clear VM_PAT if copy_p4d_range failed") ... and instead of undoing the reservation we simply cleared the VM_PAT flag. Keep the documentation of these functions in include/linux/pgtable.h, one place is more than sufficient -- we should clean that up for the other functions like track_pfn_remap/untrack_pfn separately.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: PCI: brcmstb: Fix error path after a call to regulator_bulk_get() If the regulator_bulk_get() returns an error and no regulators are created, we need to set their number to zero. If we don't do this and the PCIe link up fails, a call to the regulator_bulk_free() will result in a kernel panic. While at it, print the error value, as we cannot return an error upwards as the kernel will WARN() on an error from add_bus(). [kwilczynski: commit log, use comma in the message to match style with other similar messages]
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: net: dsa: sja1105: fix kasan out-of-bounds warning in sja1105_table_delete_entry() There are actually 2 problems: - deleting the last element doesn't require the memmove of elements [i + 1, end) over it. Actually, element i+1 is out of bounds. - The memmove itself should move size - i - 1 elements, because the last element is out of bounds. The out-of-bounds element still remains out of bounds after being accessed, so the problem is only that we touch it, not that it becomes in active use. But I suppose it can lead to issues if the out-of-bounds element is part of an unmapped page.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: net: Remove RTNL dance for SIOCBRADDIF and SIOCBRDELIF. SIOCBRDELIF is passed to dev_ioctl() first and later forwarded to br_ioctl_call(), which causes unnecessary RTNL dance and the splat below [0] under RTNL pressure. Let's say Thread A is trying to detach a device from a bridge and Thread B is trying to remove the bridge. In dev_ioctl(), Thread A bumps the bridge device's refcnt by netdev_hold() and releases RTNL because the following br_ioctl_call() also re-acquires RTNL. In the race window, Thread B could acquire RTNL and try to remove the bridge device. Then, rtnl_unlock() by Thread B will release RTNL and wait for netdev_put() by Thread A. Thread A, however, must hold RTNL after the unlock in dev_ifsioc(), which may take long under RTNL pressure, resulting in the splat by Thread B. Thread A (SIOCBRDELIF) Thread B (SIOCBRDELBR) ---------------------- ---------------------- sock_ioctl sock_ioctl `- sock_do_ioctl `- br_ioctl_call `- dev_ioctl `- br_ioctl_stub |- rtnl_lock | |- dev_ifsioc ' ' |- dev = __dev_get_by_name(...) |- netdev_hold(dev, ...) . / |- rtnl_unlock ------. | | |- br_ioctl_call `---> |- rtnl_lock Race | | `- br_ioctl_stub |- br_del_bridge Window | | | |- dev = __dev_get_by_name(...) | | | May take long | `- br_dev_delete(dev, ...) | | | under RTNL pressure | `- unregister_netdevice_queue(dev, ...) | | | | `- rtnl_unlock \ | |- rtnl_lock <-' `- netdev_run_todo | |- ... `- netdev_run_todo | `- rtnl_unlock |- __rtnl_unlock | |- netdev_wait_allrefs_any |- netdev_put(dev, ...) <----------------' Wait refcnt decrement and log splat below To avoid blocking SIOCBRDELBR unnecessarily, let's not call dev_ioctl() for SIOCBRADDIF and SIOCBRDELIF. In the dev_ioctl() path, we do the following: 1. Copy struct ifreq by get_user_ifreq in sock_do_ioctl() 2. Check CAP_NET_ADMIN in dev_ioctl() 3. Call dev_load() in dev_ioctl() 4. Fetch the master dev from ifr.ifr_name in dev_ifsioc() 3. can be done by request_module() in br_ioctl_call(), so we move 1., 2., and 4. to br_ioctl_stub(). Note that 2. is also checked later in add_del_if(), but it's better performed before RTNL. SIOCBRADDIF and SIOCBRDELIF have been processed in dev_ioctl() since the pre-git era, and there seems to be no specific reason to process them there. [0]: unregister_netdevice: waiting for wpan3 to become free. Usage count = 2 ref_tracker: wpan3@ffff8880662d8608 has 1/1 users at __netdev_tracker_alloc include/linux/netdevice.h:4282 [inline] netdev_hold include/linux/netdevice.h:4311 [inline] dev_ifsioc+0xc6a/0x1160 net/core/dev_ioctl.c:624 dev_ioctl+0x255/0x10c0 net/core/dev_ioctl.c:826 sock_do_ioctl+0x1ca/0x260 net/socket.c:1213 sock_ioctl+0x23a/0x6c0 net/socket.c:1318 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:906 [inline] __se_sys_ioctl fs/ioctl.c:892 [inline] __x64_sys_ioctl+0x1a4/0x210 fs/ioctl.c:892 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcb/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: ext4: fix out-of-bound read in ext4_xattr_inode_dec_ref_all() There's issue as follows: BUG: KASAN: use-after-free in ext4_xattr_inode_dec_ref_all+0x6ff/0x790 Read of size 4 at addr ffff88807b003000 by task syz-executor.0/15172 CPU: 3 PID: 15172 Comm: syz-executor.0 Call Trace: __dump_stack lib/dump_stack.c:82 [inline] dump_stack+0xbe/0xfd lib/dump_stack.c:123 print_address_description.constprop.0+0x1e/0x280 mm/kasan/report.c:400 __kasan_report.cold+0x6c/0x84 mm/kasan/report.c:560 kasan_report+0x3a/0x50 mm/kasan/report.c:585 ext4_xattr_inode_dec_ref_all+0x6ff/0x790 fs/ext4/xattr.c:1137 ext4_xattr_delete_inode+0x4c7/0xda0 fs/ext4/xattr.c:2896 ext4_evict_inode+0xb3b/0x1670 fs/ext4/inode.c:323 evict+0x39f/0x880 fs/inode.c:622 iput_final fs/inode.c:1746 [inline] iput fs/inode.c:1772 [inline] iput+0x525/0x6c0 fs/inode.c:1758 ext4_orphan_cleanup fs/ext4/super.c:3298 [inline] ext4_fill_super+0x8c57/0xba40 fs/ext4/super.c:5300 mount_bdev+0x355/0x410 fs/super.c:1446 legacy_get_tree+0xfe/0x220 fs/fs_context.c:611 vfs_get_tree+0x8d/0x2f0 fs/super.c:1576 do_new_mount fs/namespace.c:2983 [inline] path_mount+0x119a/0x1ad0 fs/namespace.c:3316 do_mount+0xfc/0x110 fs/namespace.c:3329 __do_sys_mount fs/namespace.c:3540 [inline] __se_sys_mount+0x219/0x2e0 fs/namespace.c:3514 do_syscall_64+0x33/0x40 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x67/0xd1 Memory state around the buggy address: ffff88807b002f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff88807b002f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 >ffff88807b003000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ^ ffff88807b003080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ffff88807b003100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff Above issue happens as ext4_xattr_delete_inode() isn't check xattr is valid if xattr is in inode. To solve above issue call xattr_check_inode() check if xattr if valid in inode. In fact, we can directly verify in ext4_iget_extra_inode(), so that there is no divergent verification.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: thermal: int340x: Add NULL check for adev Not all devices have an ACPI companion fwnode, so adev might be NULL. This is similar to the commit cd2fd6eab480 ("platform/x86: int3472: Check for adev == NULL"). Add a check for adev not being set and return -ENODEV in that case to avoid a possible NULL pointer deref in int3402_thermal_probe(). Note, under the same directory, int3400_thermal_probe() has such a check. [ rjw: Subject edit, added Fixes: ]
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: net: Fix null-ptr-deref by sock_lock_init_class_and_name() and rmmod. When I ran the repro [0] and waited a few seconds, I observed two LOCKDEP splats: a warning immediately followed by a null-ptr-deref. [1] Reproduction Steps: 1) Mount CIFS 2) Add an iptables rule to drop incoming FIN packets for CIFS 3) Unmount CIFS 4) Unload the CIFS module 5) Remove the iptables rule At step 3), the CIFS module calls sock_release() for the underlying TCP socket, and it returns quickly. However, the socket remains in FIN_WAIT_1 because incoming FIN packets are dropped. At this point, the module's refcnt is 0 while the socket is still alive, so the following rmmod command succeeds. # ss -tan State Recv-Q Send-Q Local Address:Port Peer Address:Port FIN-WAIT-1 0 477 10.0.2.15:51062 10.0.0.137:445 # lsmod | grep cifs cifs 1159168 0 This highlights a discrepancy between the lifetime of the CIFS module and the underlying TCP socket. Even after CIFS calls sock_release() and it returns, the TCP socket does not die immediately in order to close the connection gracefully. While this is generally fine, it causes an issue with LOCKDEP because CIFS assigns a different lock class to the TCP socket's sk->sk_lock using sock_lock_init_class_and_name(). Once an incoming packet is processed for the socket or a timer fires, sk->sk_lock is acquired. Then, LOCKDEP checks the lock context in check_wait_context(), where hlock_class() is called to retrieve the lock class. However, since the module has already been unloaded, hlock_class() logs a warning and returns NULL, triggering the null-ptr-deref. If LOCKDEP is enabled, we must ensure that a module calling sock_lock_init_class_and_name() (CIFS, NFS, etc) cannot be unloaded while such a socket is still alive to prevent this issue. Let's hold the module reference in sock_lock_init_class_and_name() and release it when the socket is freed in sk_prot_free(). Note that sock_lock_init() clears sk->sk_owner for svc_create_socket() that calls sock_lock_init_class_and_name() for a listening socket, which clones a socket by sk_clone_lock() without GFP_ZERO. [0]: CIFS_SERVER="10.0.0.137" CIFS_PATH="//${CIFS_SERVER}/Users/Administrator/Desktop/CIFS_TEST" DEV="enp0s3" CRED="/root/WindowsCredential.txt" MNT=$(mktemp -d /tmp/XXXXXX) mount -t cifs ${CIFS_PATH} ${MNT} -o vers=3.0,credentials=${CRED},cache=none,echo_interval=1 iptables -A INPUT -s ${CIFS_SERVER} -j DROP for i in $(seq 10); do umount ${MNT} rmmod cifs sleep 1 done rm -r ${MNT} iptables -D INPUT -s ${CIFS_SERVER} -j DROP [1]: DEBUG_LOCKS_WARN_ON(1) WARNING: CPU: 10 PID: 0 at kernel/locking/lockdep.c:234 hlock_class (kernel/locking/lockdep.c:234 kernel/locking/lockdep.c:223) Modules linked in: cifs_arc4 nls_ucs2_utils cifs_md4 [last unloaded: cifs] CPU: 10 UID: 0 PID: 0 Comm: swapper/10 Not tainted 6.14.0 #36 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 RIP: 0010:hlock_class (kernel/locking/lockdep.c:234 kernel/locking/lockdep.c:223) ... Call Trace: <IRQ> __lock_acquire (kernel/locking/lockdep.c:4853 kernel/locking/lockdep.c:5178) lock_acquire (kernel/locking/lockdep.c:469 kernel/locking/lockdep.c:5853 kernel/locking/lockdep.c:5816) _raw_spin_lock_nested (kernel/locking/spinlock.c:379) tcp_v4_rcv (./include/linux/skbuff.h:1678 ./include/net/tcp.h:2547 net/ipv4/tcp_ipv4.c:2350) ... BUG: kernel NULL pointer dereference, address: 00000000000000c4 PF: supervisor read access in kernel mode PF: error_code(0x0000) - not-present page PGD 0 Oops: Oops: 0000 [#1] PREEMPT SMP NOPTI CPU: 10 UID: 0 PID: 0 Comm: swapper/10 Tainted: G W 6.14.0 #36 Tainted: [W]=WARN Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 RIP: 0010:__lock_acquire (kernel/ ---truncated---
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: ext4: fix OOB read when checking dotdot dir Mounting a corrupted filesystem with directory which contains '.' dir entry with rec_len == block size results in out-of-bounds read (later on, when the corrupted directory is removed). ext4_empty_dir() assumes every ext4 directory contains at least '.' and '..' as directory entries in the first data block. It first loads the '.' dir entry, performs sanity checks by calling ext4_check_dir_entry() and then uses its rec_len member to compute the location of '..' dir entry (in ext4_next_entry). It assumes the '..' dir entry fits into the same data block. If the rec_len of '.' is precisely one block (4KB), it slips through the sanity checks (it is considered the last directory entry in the data block) and leaves "struct ext4_dir_entry_2 *de" point exactly past the memory slot allocated to the data block. The following call to ext4_check_dir_entry() on new value of de then dereferences this pointer which results in out-of-bounds mem access. Fix this by extending __ext4_check_dir_entry() to check for '.' dir entries that reach the end of data block. Make sure to ignore the phony dir entries for checksum (by checking name_len for non-zero). Note: This is reported by KASAN as use-after-free in case another structure was recently freed from the slot past the bound, but it is really an OOB read. This issue was found by syzkaller tool. Call Trace: [ 38.594108] BUG: KASAN: slab-use-after-free in __ext4_check_dir_entry+0x67e/0x710 [ 38.594649] Read of size 2 at addr ffff88802b41a004 by task syz-executor/5375 [ 38.595158] [ 38.595288] CPU: 0 UID: 0 PID: 5375 Comm: syz-executor Not tainted 6.14.0-rc7 #1 [ 38.595298] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014 [ 38.595304] Call Trace: [ 38.595308] <TASK> [ 38.595311] dump_stack_lvl+0xa7/0xd0 [ 38.595325] print_address_description.constprop.0+0x2c/0x3f0 [ 38.595339] ? __ext4_check_dir_entry+0x67e/0x710 [ 38.595349] print_report+0xaa/0x250 [ 38.595359] ? __ext4_check_dir_entry+0x67e/0x710 [ 38.595368] ? kasan_addr_to_slab+0x9/0x90 [ 38.595378] kasan_report+0xab/0xe0 [ 38.595389] ? __ext4_check_dir_entry+0x67e/0x710 [ 38.595400] __ext4_check_dir_entry+0x67e/0x710 [ 38.595410] ext4_empty_dir+0x465/0x990 [ 38.595421] ? __pfx_ext4_empty_dir+0x10/0x10 [ 38.595432] ext4_rmdir.part.0+0x29a/0xd10 [ 38.595441] ? __dquot_initialize+0x2a7/0xbf0 [ 38.595455] ? __pfx_ext4_rmdir.part.0+0x10/0x10 [ 38.595464] ? __pfx___dquot_initialize+0x10/0x10 [ 38.595478] ? down_write+0xdb/0x140 [ 38.595487] ? __pfx_down_write+0x10/0x10 [ 38.595497] ext4_rmdir+0xee/0x140 [ 38.595506] vfs_rmdir+0x209/0x670 [ 38.595517] ? lookup_one_qstr_excl+0x3b/0x190 [ 38.595529] do_rmdir+0x363/0x3c0 [ 38.595537] ? __pfx_do_rmdir+0x10/0x10 [ 38.595544] ? strncpy_from_user+0x1ff/0x2e0 [ 38.595561] __x64_sys_unlinkat+0xf0/0x130 [ 38.595570] do_syscall_64+0x5b/0x180 [ 38.595583] entry_SYSCALL_64_after_hwframe+0x76/0x7e
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: net: lan743x: Fix memleak issue when GSO enabled Always map the `skb` to the LS descriptor. Previously skb was mapped to EXT descriptor when the number of fragments is zero with GSO enabled. Mapping the skb to EXT descriptor prevents it from being freed, leading to a memory leak
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: net: ethernet: mtk-star-emac: fix spinlock recursion issues on rx/tx poll Use spin_lock_irqsave and spin_unlock_irqrestore instead of spin_lock and spin_unlock in mtk_star_emac driver to avoid spinlock recursion occurrence that can happen when enabling the DMA interrupts again in rx/tx poll. ``` BUG: spinlock recursion on CPU#0, swapper/0/0 lock: 0xffff00000db9cf20, .magic: dead4ead, .owner: swapper/0/0, .owner_cpu: 0 CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.15.0-rc2-next-20250417-00001-gf6a27738686c-dirty #28 PREEMPT Hardware name: MediaTek MT8365 Open Platform EVK (DT) Call trace: show_stack+0x18/0x24 (C) dump_stack_lvl+0x60/0x80 dump_stack+0x18/0x24 spin_dump+0x78/0x88 do_raw_spin_lock+0x11c/0x120 _raw_spin_lock+0x20/0x2c mtk_star_handle_irq+0xc0/0x22c [mtk_star_emac] __handle_irq_event_percpu+0x48/0x140 handle_irq_event+0x4c/0xb0 handle_fasteoi_irq+0xa0/0x1bc handle_irq_desc+0x34/0x58 generic_handle_domain_irq+0x1c/0x28 gic_handle_irq+0x4c/0x120 do_interrupt_handler+0x50/0x84 el1_interrupt+0x34/0x68 el1h_64_irq_handler+0x18/0x24 el1h_64_irq+0x6c/0x70 regmap_mmio_read32le+0xc/0x20 (P) _regmap_bus_reg_read+0x6c/0xac _regmap_read+0x60/0xdc regmap_read+0x4c/0x80 mtk_star_rx_poll+0x2f4/0x39c [mtk_star_emac] __napi_poll+0x38/0x188 net_rx_action+0x164/0x2c0 handle_softirqs+0x100/0x244 __do_softirq+0x14/0x20 ____do_softirq+0x10/0x20 call_on_irq_stack+0x24/0x64 do_softirq_own_stack+0x1c/0x40 __irq_exit_rcu+0xd4/0x10c irq_exit_rcu+0x10/0x1c el1_interrupt+0x38/0x68 el1h_64_irq_handler+0x18/0x24 el1h_64_irq+0x6c/0x70 cpuidle_enter_state+0xac/0x320 (P) cpuidle_enter+0x38/0x50 do_idle+0x1e4/0x260 cpu_startup_entry+0x34/0x3c rest_init+0xdc/0xe0 console_on_rootfs+0x0/0x6c __primary_switched+0x88/0x90 ```
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: net: phy: allow MDIO bus PM ops to start/stop state machine for phylink-controlled PHY DSA has 2 kinds of drivers: 1. Those who call dsa_switch_suspend() and dsa_switch_resume() from their device PM ops: qca8k-8xxx, bcm_sf2, microchip ksz 2. Those who don't: all others. The above methods should be optional. For type 1, dsa_switch_suspend() calls dsa_user_suspend() -> phylink_stop(), and dsa_switch_resume() calls dsa_user_resume() -> phylink_start(). These seem good candidates for setting mac_managed_pm = true because that is essentially its definition [1], but that does not seem to be the biggest problem for now, and is not what this change focuses on. Talking strictly about the 2nd category of DSA drivers here (which do not have MAC managed PM, meaning that for their attached PHYs, mdio_bus_phy_suspend() and mdio_bus_phy_resume() should run in full), I have noticed that the following warning from mdio_bus_phy_resume() is triggered: WARN_ON(phydev->state != PHY_HALTED && phydev->state != PHY_READY && phydev->state != PHY_UP); because the PHY state machine is running. It's running as a result of a previous dsa_user_open() -> ... -> phylink_start() -> phy_start() having been initiated by the user. The previous mdio_bus_phy_suspend() was supposed to have called phy_stop_machine(), but it didn't. So this is why the PHY is in state PHY_NOLINK by the time mdio_bus_phy_resume() runs. mdio_bus_phy_suspend() did not call phy_stop_machine() because for phylink, the phydev->adjust_link function pointer is NULL. This seems a technicality introduced by commit fddd91016d16 ("phylib: fix PAL state machine restart on resume"). That commit was written before phylink existed, and was intended to avoid crashing with consumer drivers which don't use the PHY state machine - phylink always does, when using a PHY. But phylink itself has historically not been developed with suspend/resume in mind, and apparently not tested too much in that scenario, allowing this bug to exist unnoticed for so long. Plus, prior to the WARN_ON(), it would have likely been invisible. This issue is not in fact restricted to type 2 DSA drivers (according to the above ad-hoc classification), but can be extrapolated to any MAC driver with phylink and MDIO-bus-managed PHY PM ops. DSA is just where the issue was reported. Assuming mac_managed_pm is set correctly, a quick search indicates the following other drivers might be affected: $ grep -Zlr PHYLINK_NETDEV drivers/ | xargs -0 grep -L mac_managed_pm drivers/net/ethernet/atheros/ag71xx.c drivers/net/ethernet/microchip/sparx5/sparx5_main.c drivers/net/ethernet/microchip/lan966x/lan966x_main.c drivers/net/ethernet/freescale/dpaa2/dpaa2-mac.c drivers/net/ethernet/freescale/fs_enet/fs_enet-main.c drivers/net/ethernet/freescale/dpaa/dpaa_eth.c drivers/net/ethernet/freescale/ucc_geth.c drivers/net/ethernet/freescale/enetc/enetc_pf_common.c drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c drivers/net/ethernet/marvell/mvneta.c drivers/net/ethernet/marvell/prestera/prestera_main.c drivers/net/ethernet/mediatek/mtk_eth_soc.c drivers/net/ethernet/altera/altera_tse_main.c drivers/net/ethernet/wangxun/txgbe/txgbe_phy.c drivers/net/ethernet/meta/fbnic/fbnic_phylink.c drivers/net/ethernet/tehuti/tn40_phy.c drivers/net/ethernet/mscc/ocelot_net.c Make the existing conditions dependent on the PHY device having a phydev->phy_link_change() implementation equal to the default phy_link_change() provided by phylib. Otherwise, we implicitly know that the phydev has the phylink-provided phylink_phy_change() callback, and when phylink is used, the PHY state machine always needs to be stopped/ started on the suspend/resume path. The code is structured as such that if phydev->phy_link_change() is absent, it is a matter of time until the kernel will crash - no need to further complicate the test. Thus, for the situation where the PM is not managed b ---truncated---
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: bpf: Scrub packet on bpf_redirect_peer When bpf_redirect_peer is used to redirect packets to a device in another network namespace, the skb isn't scrubbed. That can lead skb information from one namespace to be "misused" in another namespace. As one example, this is causing Cilium to drop traffic when using bpf_redirect_peer to redirect packets that just went through IPsec decryption to a container namespace. The following pwru trace shows (1) the packet path from the host's XFRM layer to the container's XFRM layer where it's dropped and (2) the number of active skb extensions at each function. NETNS MARK IFACE TUPLE FUNC 4026533547 d00 eth0 10.244.3.124:35473->10.244.2.158:53 xfrm_rcv_cb .active_extensions = (__u8)2, 4026533547 d00 eth0 10.244.3.124:35473->10.244.2.158:53 xfrm4_rcv_cb .active_extensions = (__u8)2, 4026533547 d00 eth0 10.244.3.124:35473->10.244.2.158:53 gro_cells_receive .active_extensions = (__u8)2, [...] 4026533547 0 eth0 10.244.3.124:35473->10.244.2.158:53 skb_do_redirect .active_extensions = (__u8)2, 4026534999 0 eth0 10.244.3.124:35473->10.244.2.158:53 ip_rcv .active_extensions = (__u8)2, 4026534999 0 eth0 10.244.3.124:35473->10.244.2.158:53 ip_rcv_core .active_extensions = (__u8)2, [...] 4026534999 0 eth0 10.244.3.124:35473->10.244.2.158:53 udp_queue_rcv_one_skb .active_extensions = (__u8)2, 4026534999 0 eth0 10.244.3.124:35473->10.244.2.158:53 __xfrm_policy_check .active_extensions = (__u8)2, 4026534999 0 eth0 10.244.3.124:35473->10.244.2.158:53 __xfrm_decode_session .active_extensions = (__u8)2, 4026534999 0 eth0 10.244.3.124:35473->10.244.2.158:53 security_xfrm_decode_session .active_extensions = (__u8)2, 4026534999 0 eth0 10.244.3.124:35473->10.244.2.158:53 kfree_skb_reason(SKB_DROP_REASON_XFRM_POLICY) .active_extensions = (__u8)2, In this case, there are no XFRM policies in the container's network namespace so the drop is unexpected. When we decrypt the IPsec packet, the XFRM state used for decryption is set in the skb extensions. This information is preserved across the netns switch. When we reach the XFRM policy check in the container's netns, __xfrm_policy_check drops the packet with LINUX_MIB_XFRMINNOPOLS because a (container-side) XFRM policy can't be found that matches the (host-side) XFRM state used for decryption. This patch fixes this by scrubbing the packet when using bpf_redirect_peer, as is done on typical netns switches via veth devices except skb->mark and skb->tstamp are not zeroed.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: x86/mm: Eliminate window where TLB flushes may be inadvertently skipped tl;dr: There is a window in the mm switching code where the new CR3 is set and the CPU should be getting TLB flushes for the new mm. But should_flush_tlb() has a bug and suppresses the flush. Fix it by widening the window where should_flush_tlb() sends an IPI. Long Version: === History === There were a few things leading up to this. First, updating mm_cpumask() was observed to be too expensive, so it was made lazier. But being lazy caused too many unnecessary IPIs to CPUs due to the now-lazy mm_cpumask(). So code was added to cull mm_cpumask() periodically[2]. But that culling was a bit too aggressive and skipped sending TLB flushes to CPUs that need them. So here we are again. === Problem === The too-aggressive code in should_flush_tlb() strikes in this window: // Turn on IPIs for this CPU/mm combination, but only // if should_flush_tlb() agrees: cpumask_set_cpu(cpu, mm_cpumask(next)); next_tlb_gen = atomic64_read(&next->context.tlb_gen); choose_new_asid(next, next_tlb_gen, &new_asid, &need_flush); load_new_mm_cr3(need_flush); // ^ After 'need_flush' is set to false, IPIs *MUST* // be sent to this CPU and not be ignored. this_cpu_write(cpu_tlbstate.loaded_mm, next); // ^ Not until this point does should_flush_tlb() // become true! should_flush_tlb() will suppress TLB flushes between load_new_mm_cr3() and writing to 'loaded_mm', which is a window where they should not be suppressed. Whoops. === Solution === Thankfully, the fuzzy "just about to write CR3" window is already marked with loaded_mm==LOADED_MM_SWITCHING. Simply checking for that state in should_flush_tlb() is sufficient to ensure that the CPU is targeted with an IPI. This will cause more TLB flush IPIs. But the window is relatively small and I do not expect this to cause any kind of measurable performance impact. Update the comment where LOADED_MM_SWITCHING is written since it grew yet another user. Peter Z also raised a concern that should_flush_tlb() might not observe 'loaded_mm' and 'is_lazy' in the same order that switch_mm_irqs_off() writes them. Add a barrier to ensure that they are observed in the order they are written.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: Input: mtk-pmic-keys - fix possible null pointer dereference In mtk_pmic_keys_probe, the regs parameter is only set if the button is parsed in the device tree. However, on hardware where the button is left floating, that node will most likely be removed not to enable that input. In that case the code will try to dereference a null pointer. Let's use the regs struct instead as it is defined for all supported platforms. Note that it is ok setting the key reg even if that latter is disabled as the interrupt won't be enabled anyway.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: block: fix resource leak in blk_register_queue() error path When registering a queue fails after blk_mq_sysfs_register() is successful but the function later encounters an error, we need to clean up the blk_mq_sysfs resources. Add the missing blk_mq_sysfs_unregister() call in the error path to properly clean up these resources and prevent a memory leak.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: net: stmmac: make sure that ptp_rate is not 0 before configuring EST If the ptp_rate recorded earlier in the driver happens to be 0, this bogus value will propagate up to EST configuration, where it will trigger a division by 0. Prevent this division by 0 by adding the corresponding check and error code.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_set_pipapo: prevent overflow in lookup table allocation When calculating the lookup table size, ensure the following multiplication does not overflow: - desc->field_len[] maximum value is U8_MAX multiplied by NFT_PIPAPO_GROUPS_PER_BYTE(f) that can be 2, worst case. - NFT_PIPAPO_BUCKETS(f->bb) is 2^8, worst case. - sizeof(unsigned long), from sizeof(*f->lt), lt in struct nft_pipapo_field. Then, use check_mul_overflow() to multiply by bucket size and then use check_add_overflow() to the alignment for avx2 (if needed). Finally, add lt_size_check_overflow() helper and use it to consolidate this. While at it, replace leftover allocation using the GFP_KERNEL to GFP_KERNEL_ACCOUNT for consistency, in pipapo_resize().
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: net: clear the dst when changing skb protocol A not-so-careful NAT46 BPF program can crash the kernel if it indiscriminately flips ingress packets from v4 to v6: BUG: kernel NULL pointer dereference, address: 0000000000000000 ip6_rcv_core (net/ipv6/ip6_input.c:190:20) ipv6_rcv (net/ipv6/ip6_input.c:306:8) process_backlog (net/core/dev.c:6186:4) napi_poll (net/core/dev.c:6906:9) net_rx_action (net/core/dev.c:7028:13) do_softirq (kernel/softirq.c:462:3) netif_rx (net/core/dev.c:5326:3) dev_loopback_xmit (net/core/dev.c:4015:2) ip_mc_finish_output (net/ipv4/ip_output.c:363:8) NF_HOOK (./include/linux/netfilter.h:314:9) ip_mc_output (net/ipv4/ip_output.c:400:5) dst_output (./include/net/dst.h:459:9) ip_local_out (net/ipv4/ip_output.c:130:9) ip_send_skb (net/ipv4/ip_output.c:1496:8) udp_send_skb (net/ipv4/udp.c:1040:8) udp_sendmsg (net/ipv4/udp.c:1328:10) The output interface has a 4->6 program attached at ingress. We try to loop the multicast skb back to the sending socket. Ingress BPF runs as part of netif_rx(), pushes a valid v6 hdr and changes skb->protocol to v6. We enter ip6_rcv_core which tries to use skb_dst(). But the dst is still an IPv4 one left after IPv4 mcast output. Clear the dst in all BPF helpers which change the protocol. Try to preserve metadata dsts, those may carry non-routing metadata.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_set_pipapo: clamp maximum map bucket size to INT_MAX Otherwise, it is possible to hit WARN_ON_ONCE in __kvmalloc_node_noprof() when resizing hashtable because __GFP_NOWARN is unset. Similar to: b541ba7d1f5a ("netfilter: conntrack: clamp maximum hashtable size to INT_MAX")
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: NFSD: fix race between nfsd registration and exports_proc As of now nfsd calls create_proc_exports_entry() at start of init_nfsd and cleanup by remove_proc_entry() at last of exit_nfsd. Which causes kernel OOPs if there is race between below 2 operations: (i) exportfs -r (ii) mount -t nfsd none /proc/fs/nfsd for 5.4 kernel ARM64: CPU 1: el1_irq+0xbc/0x180 arch_counter_get_cntvct+0x14/0x18 running_clock+0xc/0x18 preempt_count_add+0x88/0x110 prep_new_page+0xb0/0x220 get_page_from_freelist+0x2d8/0x1778 __alloc_pages_nodemask+0x15c/0xef0 __vmalloc_node_range+0x28c/0x478 __vmalloc_node_flags_caller+0x8c/0xb0 kvmalloc_node+0x88/0xe0 nfsd_init_net+0x6c/0x108 [nfsd] ops_init+0x44/0x170 register_pernet_operations+0x114/0x270 register_pernet_subsys+0x34/0x50 init_nfsd+0xa8/0x718 [nfsd] do_one_initcall+0x54/0x2e0 CPU 2 : Unable to handle kernel NULL pointer dereference at virtual address 0000000000000010 PC is at : exports_net_open+0x50/0x68 [nfsd] Call trace: exports_net_open+0x50/0x68 [nfsd] exports_proc_open+0x2c/0x38 [nfsd] proc_reg_open+0xb8/0x198 do_dentry_open+0x1c4/0x418 vfs_open+0x38/0x48 path_openat+0x28c/0xf18 do_filp_open+0x70/0xe8 do_sys_open+0x154/0x248 Sometimes it crashes at exports_net_open() and sometimes cache_seq_next_rcu(). and same is happening on latest 6.14 kernel as well: [ 0.000000] Linux version 6.14.0-rc5-next-20250304-dirty ... [ 285.455918] Unable to handle kernel paging request at virtual address 00001f4800001f48 ... [ 285.464902] pc : cache_seq_next_rcu+0x78/0xa4 ... [ 285.469695] Call trace: [ 285.470083] cache_seq_next_rcu+0x78/0xa4 (P) [ 285.470488] seq_read+0xe0/0x11c [ 285.470675] proc_reg_read+0x9c/0xf0 [ 285.470874] vfs_read+0xc4/0x2fc [ 285.471057] ksys_read+0x6c/0xf4 [ 285.471231] __arm64_sys_read+0x1c/0x28 [ 285.471428] invoke_syscall+0x44/0x100 [ 285.471633] el0_svc_common.constprop.0+0x40/0xe0 [ 285.471870] do_el0_svc_compat+0x1c/0x34 [ 285.472073] el0_svc_compat+0x2c/0x80 [ 285.472265] el0t_32_sync_handler+0x90/0x140 [ 285.472473] el0t_32_sync+0x19c/0x1a0 [ 285.472887] Code: f9400885 93407c23 937d7c27 11000421 (f86378a3) [ 285.473422] ---[ end trace 0000000000000000 ]--- It reproduced simply with below script: while [ 1 ] do /exportfs -r done & while [ 1 ] do insmod /nfsd.ko mount -t nfsd none /proc/fs/nfsd umount /proc/fs/nfsd rmmod nfsd done & So exporting interfaces to user space shall be done at last and cleanup at first place. With change there is no Kernel OOPs.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: perf/x86/intel: Fix crash in icl_update_topdown_event() The perf_fuzzer found a hard-lockup crash on a RaptorLake machine: Oops: general protection fault, maybe for address 0xffff89aeceab400: 0000 CPU: 23 UID: 0 PID: 0 Comm: swapper/23 Tainted: [W]=WARN Hardware name: Dell Inc. Precision 9660/0VJ762 RIP: 0010:native_read_pmc+0x7/0x40 Code: cc e8 8d a9 01 00 48 89 03 5b cd cc cc cc cc 0f 1f ... RSP: 000:fffb03100273de8 EFLAGS: 00010046 .... Call Trace: <TASK> icl_update_topdown_event+0x165/0x190 ? ktime_get+0x38/0xd0 intel_pmu_read_event+0xf9/0x210 __perf_event_read+0xf9/0x210 CPUs 16-23 are E-core CPUs that don't support the perf metrics feature. The icl_update_topdown_event() should not be invoked on these CPUs. It's a regression of commit: f9bdf1f95339 ("perf/x86/intel: Avoid disable PMU if !cpuc->enabled in sample read") The bug introduced by that commit is that the is_topdown_event() function is mistakenly used to replace the is_topdown_count() call to check if the topdown functions for the perf metrics feature should be invoked. Fix it.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: bpf: Reject narrower access to pointer ctx fields The following BPF program, simplified from a syzkaller repro, causes a kernel warning: r0 = *(u8 *)(r1 + 169); exit; With pointer field sk being at offset 168 in __sk_buff. This access is detected as a narrower read in bpf_skb_is_valid_access because it doesn't match offsetof(struct __sk_buff, sk). It is therefore allowed and later proceeds to bpf_convert_ctx_access. Note that for the "is_narrower_load" case in the convert_ctx_accesses(), the insn->off is aligned, so the cnt may not be 0 because it matches the offsetof(struct __sk_buff, sk) in the bpf_convert_ctx_access. However, the target_size stays 0 and the verifier errors with a kernel warning: verifier bug: error during ctx access conversion(1) This patch fixes that to return a proper "invalid bpf_context access off=X size=Y" error on the load instruction. The same issue affects multiple other fields in context structures that allow narrow access. Some other non-affected fields (for sk_msg, sk_lookup, and sockopt) were also changed to use bpf_ctx_range_ptr for consistency. Note this syzkaller crash was reported in the "Closes" link below, which used to be about a different bug, fixed in commit fce7bd8e385a ("bpf/verifier: Handle BPF_LOAD_ACQ instructions in insn_def_regno()"). Because syzbot somehow confused the two bugs, the new crash and repro didn't get reported to the mailing list.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: eventpoll: Fix semi-unbounded recursion Ensure that epoll instances can never form a graph deeper than EP_MAX_NESTS+1 links. Currently, ep_loop_check_proc() ensures that the graph is loop-free and does some recursion depth checks, but those recursion depth checks don't limit the depth of the resulting tree for two reasons: - They don't look upwards in the tree. - If there are multiple downwards paths of different lengths, only one of the paths is actually considered for the depth check since commit 28d82dc1c4ed ("epoll: limit paths"). Essentially, the current recursion depth check in ep_loop_check_proc() just serves to prevent it from recursing too deeply while checking for loops. A more thorough check is done in reverse_path_check() after the new graph edge has already been created; this checks, among other things, that no paths going upwards from any non-epoll file with a length of more than 5 edges exist. However, this check does not apply to non-epoll files. As a result, it is possible to recurse to a depth of at least roughly 500, tested on v6.15. (I am unsure if deeper recursion is possible; and this may have changed with commit 8c44dac8add7 ("eventpoll: Fix priority inversion problem").) To fix it: 1. In ep_loop_check_proc(), note the subtree depth of each visited node, and use subtree depths for the total depth calculation even when a subtree has already been visited. 2. Add ep_get_upwards_depth_proc() for similarly determining the maximum depth of an upwards walk. 3. In ep_loop_check(), use these values to limit the total path length between epoll nodes to EP_MAX_NESTS edges.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: mm/ptdump: take the memory hotplug lock inside ptdump_walk_pgd() Memory hot remove unmaps and tears down various kernel page table regions as required. The ptdump code can race with concurrent modifications of the kernel page tables. When leaf entries are modified concurrently, the dump code may log stale or inconsistent information for a VA range, but this is otherwise not harmful. But when intermediate levels of kernel page table are freed, the dump code will continue to use memory that has been freed and potentially reallocated for another purpose. In such cases, the ptdump code may dereference bogus addresses, leading to a number of potential problems. To avoid the above mentioned race condition, platforms such as arm64, riscv and s390 take memory hotplug lock, while dumping kernel page table via the sysfs interface /sys/kernel/debug/kernel_page_tables. Similar race condition exists while checking for pages that might have been marked W+X via /sys/kernel/debug/kernel_page_tables/check_wx_pages which in turn calls ptdump_check_wx(). Instead of solving this race condition again, let's just move the memory hotplug lock inside generic ptdump_check_wx() which will benefit both the scenarios. Drop get_online_mems() and put_online_mems() combination from all existing platform ptdump code paths.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: rcu/nocb: Fix possible invalid rdp's->nocb_cb_kthread pointer access In the preparation stage of CPU online, if the corresponding the rdp's->nocb_cb_kthread does not exist, will be created, there is a situation where the rdp's rcuop kthreads creation fails, and then de-offload this CPU's rdp, does not assign this CPU's rdp->nocb_cb_kthread pointer, but this rdp's->nocb_gp_rdp and rdp's->rdp_gp->nocb_gp_kthread is still valid. This will cause the subsequent re-offload operation of this offline CPU, which will pass the conditional check and the kthread_unpark() will access invalid rdp's->nocb_cb_kthread pointer. This commit therefore use rdp's->nocb_gp_kthread instead of rdp_gp's->nocb_gp_kthread for safety check.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: netfilter: ctnetlink: fix refcount leak on table dump There is a reference count leak in ctnetlink_dump_table(): if (res < 0) { nf_conntrack_get(&ct->ct_general); // HERE cb->args[1] = (unsigned long)ct; ... While its very unlikely, its possible that ct == last. If this happens, then the refcount of ct was already incremented. This 2nd increment is never undone. This prevents the conntrack object from being released, which in turn keeps prevents cnet->count from dropping back to 0. This will then block the netns dismantle (or conntrack rmmod) as nf_conntrack_cleanup_net_list() will wait forever. This can be reproduced by running conntrack_resize.sh selftest in a loop. It takes ~20 minutes for me on a preemptible kernel on average before I see a runaway kworker spinning in nf_conntrack_cleanup_net_list. One fix would to change this to: if (res < 0) { if (ct != last) nf_conntrack_get(&ct->ct_general); But this reference counting isn't needed in the first place. We can just store a cookie value instead. A followup patch will do the same for ctnetlink_exp_dump_table, it looks to me as if this has the same problem and like ctnetlink_dump_table, we only need a 'skip hint', not the actual object so we can apply the same cookie strategy there as well.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: net: usb: asix_devices: add phy_mask for ax88772 mdio bus Without setting phy_mask for ax88772 mdio bus, current driver may create at most 32 mdio phy devices with phy address range from 0x00 ~ 0x1f. DLink DUB-E100 H/W Ver B1 is such a device. However, only one main phy device will bind to net phy driver. This is creating issue during system suspend/resume since phy_polling_mode() in phy_state_machine() will directly deference member of phydev->drv for non-main phy devices. Then NULL pointer dereference issue will occur. Due to only external phy or internal phy is necessary, add phy_mask for ax88772 mdio bus to workarnoud the issue.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: netlink: avoid infinite retry looping in netlink_unicast() netlink_attachskb() checks for the socket's read memory allocation constraints. Firstly, it has: rmem < READ_ONCE(sk->sk_rcvbuf) to check if the just increased rmem value fits into the socket's receive buffer. If not, it proceeds and tries to wait for the memory under: rmem + skb->truesize > READ_ONCE(sk->sk_rcvbuf) The checks don't cover the case when skb->truesize + sk->sk_rmem_alloc is equal to sk->sk_rcvbuf. Thus the function neither successfully accepts these conditions, nor manages to reschedule the task - and is called in retry loop for indefinite time which is caught as: rcu: INFO: rcu_sched self-detected stall on CPU rcu: 0-....: (25999 ticks this GP) idle=ef2/1/0x4000000000000000 softirq=262269/262269 fqs=6212 (t=26000 jiffies g=230833 q=259957) NMI backtrace for cpu 0 CPU: 0 PID: 22 Comm: kauditd Not tainted 5.10.240 #68 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-4.fc42 04/01/2014 Call Trace: <IRQ> dump_stack lib/dump_stack.c:120 nmi_cpu_backtrace.cold lib/nmi_backtrace.c:105 nmi_trigger_cpumask_backtrace lib/nmi_backtrace.c:62 rcu_dump_cpu_stacks kernel/rcu/tree_stall.h:335 rcu_sched_clock_irq.cold kernel/rcu/tree.c:2590 update_process_times kernel/time/timer.c:1953 tick_sched_handle kernel/time/tick-sched.c:227 tick_sched_timer kernel/time/tick-sched.c:1399 __hrtimer_run_queues kernel/time/hrtimer.c:1652 hrtimer_interrupt kernel/time/hrtimer.c:1717 __sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1113 asm_call_irq_on_stack arch/x86/entry/entry_64.S:808 </IRQ> netlink_attachskb net/netlink/af_netlink.c:1234 netlink_unicast net/netlink/af_netlink.c:1349 kauditd_send_queue kernel/audit.c:776 kauditd_thread kernel/audit.c:897 kthread kernel/kthread.c:328 ret_from_fork arch/x86/entry/entry_64.S:304 Restore the original behavior of the check which commit in Fixes accidentally missed when restructuring the code. Found by Linux Verification Center (linuxtesting.org).
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_reject: don't leak dst refcount for loopback packets recent patches to add a WARN() when replacing skb dst entry found an old bug: WARNING: include/linux/skbuff.h:1165 skb_dst_check_unset include/linux/skbuff.h:1164 [inline] WARNING: include/linux/skbuff.h:1165 skb_dst_set include/linux/skbuff.h:1210 [inline] WARNING: include/linux/skbuff.h:1165 nf_reject_fill_skb_dst+0x2a4/0x330 net/ipv4/netfilter/nf_reject_ipv4.c:234 [..] Call Trace: nf_send_unreach+0x17b/0x6e0 net/ipv4/netfilter/nf_reject_ipv4.c:325 nft_reject_inet_eval+0x4bc/0x690 net/netfilter/nft_reject_inet.c:27 expr_call_ops_eval net/netfilter/nf_tables_core.c:237 [inline] .. This is because blamed commit forgot about loopback packets. Such packets already have a dst_entry attached, even at PRE_ROUTING stage. Instead of checking hook just check if the skb already has a route attached to it.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: net: usb: asix_devices: Fix PHY address mask in MDIO bus initialization Syzbot reported shift-out-of-bounds exception on MDIO bus initialization. The PHY address should be masked to 5 bits (0-31). Without this mask, invalid PHY addresses could be used, potentially causing issues with MDIO bus operations. Fix this by masking the PHY address with 0x1f (31 decimal) to ensure it stays within the valid range.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: x86/cpu/hygon: Add missing resctrl_cpu_detect() in bsp_init helper Since 923f3a2b48bd ("x86/resctrl: Query LLC monitoring properties once during boot") resctrl_cpu_detect() has been moved from common CPU initialization code to the vendor-specific BSP init helper, while Hygon didn't put that call in their code. This triggers a division by zero fault during early booting stage on our machines with X86_FEATURE_CQM* supported, where get_rdt_mon_resources() tries to calculate mon_l3_config with uninitialized boot_cpu_data.x86_cache_occ_scale. Add the missing resctrl_cpu_detect() in the Hygon BSP init helper. [ bp: Massage commit message. ]
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: fs/buffer: fix use-after-free when call bh_read() helper There's issue as follows: BUG: KASAN: stack-out-of-bounds in end_buffer_read_sync+0xe3/0x110 Read of size 8 at addr ffffc9000168f7f8 by task swapper/3/0 CPU: 3 UID: 0 PID: 0 Comm: swapper/3 Not tainted 6.16.0-862.14.0.6.x86_64 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996) Call Trace: <IRQ> dump_stack_lvl+0x55/0x70 print_address_description.constprop.0+0x2c/0x390 print_report+0xb4/0x270 kasan_report+0xb8/0xf0 end_buffer_read_sync+0xe3/0x110 end_bio_bh_io_sync+0x56/0x80 blk_update_request+0x30a/0x720 scsi_end_request+0x51/0x2b0 scsi_io_completion+0xe3/0x480 ? scsi_device_unbusy+0x11e/0x160 blk_complete_reqs+0x7b/0x90 handle_softirqs+0xef/0x370 irq_exit_rcu+0xa5/0xd0 sysvec_apic_timer_interrupt+0x6e/0x90 </IRQ> Above issue happens when do ntfs3 filesystem mount, issue may happens as follows: mount IRQ ntfs_fill_super read_cache_page do_read_cache_folio filemap_read_folio mpage_read_folio do_mpage_readpage ntfs_get_block_vbo bh_read submit_bh wait_on_buffer(bh); blk_complete_reqs scsi_io_completion scsi_end_request blk_update_request end_bio_bh_io_sync end_buffer_read_sync __end_buffer_read_notouch unlock_buffer wait_on_buffer(bh);--> return will return to caller put_bh --> trigger stack-out-of-bounds In the mpage_read_folio() function, the stack variable 'map_bh' is passed to ntfs_get_block_vbo(). Once unlock_buffer() unlocks and wait_on_buffer() returns to continue processing, the stack variable is likely to be reclaimed. Consequently, during the end_buffer_read_sync() process, calling put_bh() may result in stack overrun. If the bh is not allocated on the stack, it belongs to a folio. Freeing a buffer head which belongs to a folio is done by drop_buffers() which will fail to free buffers which are still locked. So it is safe to call put_bh() before __end_buffer_read_notouch().
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: crypto: qat - flush misc workqueue during device shutdown Repeated loading and unloading of a device specific QAT driver, for example qat_4xxx, in a tight loop can lead to a crash due to a use-after-free scenario. This occurs when a power management (PM) interrupt triggers just before the device-specific driver (e.g., qat_4xxx.ko) is unloaded, while the core driver (intel_qat.ko) remains loaded. Since the driver uses a shared workqueue (`qat_misc_wq`) across all devices and owned by intel_qat.ko, a deferred routine from the device-specific driver may still be pending in the queue. If this routine executes after the driver is unloaded, it can dereference freed memory, resulting in a page fault and kernel crash like the following: BUG: unable to handle page fault for address: ffa000002e50a01c #PF: supervisor read access in kernel mode RIP: 0010:pm_bh_handler+0x1d2/0x250 [intel_qat] Call Trace: pm_bh_handler+0x1d2/0x250 [intel_qat] process_one_work+0x171/0x340 worker_thread+0x277/0x3a0 kthread+0xf0/0x120 ret_from_fork+0x2d/0x50 To prevent this, flush the misc workqueue during device shutdown to ensure that all pending work items are completed before the driver is unloaded. Note: This approach may slightly increase shutdown latency if the workqueue contains jobs from other devices, but it ensures correctness and stability.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: bpf: Forget ranges when refining tnum after JSET Syzbot reported a kernel warning due to a range invariant violation on the following BPF program. 0: call bpf_get_netns_cookie 1: if r0 == 0 goto <exit> 2: if r0 & Oxffffffff goto <exit> The issue is on the path where we fall through both jumps. That path is unreachable at runtime: after insn 1, we know r0 != 0, but with the sign extension on the jset, we would only fallthrough insn 2 if r0 == 0. Unfortunately, is_branch_taken() isn't currently able to figure this out, so the verifier walks all branches. The verifier then refines the register bounds using the second condition and we end up with inconsistent bounds on this unreachable path: 1: if r0 == 0 goto <exit> r0: u64=[0x1, 0xffffffffffffffff] var_off=(0, 0xffffffffffffffff) 2: if r0 & 0xffffffff goto <exit> r0 before reg_bounds_sync: u64=[0x1, 0xffffffffffffffff] var_off=(0, 0) r0 after reg_bounds_sync: u64=[0x1, 0] var_off=(0, 0) Improving the range refinement for JSET to cover all cases is tricky. We also don't expect many users to rely on JSET given LLVM doesn't generate those instructions. So instead of improving the range refinement for JSETs, Eduard suggested we forget the ranges whenever we're narrowing tnums after a JSET. This patch implements that approach.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: fs: Prevent file descriptor table allocations exceeding INT_MAX When sysctl_nr_open is set to a very high value (for example, 1073741816 as set by systemd), processes attempting to use file descriptors near the limit can trigger massive memory allocation attempts that exceed INT_MAX, resulting in a WARNING in mm/slub.c: WARNING: CPU: 0 PID: 44 at mm/slub.c:5027 __kvmalloc_node_noprof+0x21a/0x288 This happens because kvmalloc_array() and kvmalloc() check if the requested size exceeds INT_MAX and emit a warning when the allocation is not flagged with __GFP_NOWARN. Specifically, when nr_open is set to 1073741816 (0x3ffffff8) and a process calls dup2(oldfd, 1073741880), the kernel attempts to allocate: - File descriptor array: 1073741880 * 8 bytes = 8,589,935,040 bytes - Multiple bitmaps: ~400MB - Total allocation size: > 8GB (exceeding INT_MAX = 2,147,483,647) Reproducer: 1. Set /proc/sys/fs/nr_open to 1073741816: # echo 1073741816 > /proc/sys/fs/nr_open 2. Run a program that uses a high file descriptor: #include <unistd.h> #include <sys/resource.h> int main() { struct rlimit rlim = {1073741824, 1073741824}; setrlimit(RLIMIT_NOFILE, &rlim); dup2(2, 1073741880); // Triggers the warning return 0; } 3. Observe WARNING in dmesg at mm/slub.c:5027 systemd commit a8b627a introduced automatic bumping of fs.nr_open to the maximum possible value. The rationale was that systems with memory control groups (memcg) no longer need separate file descriptor limits since memory is properly accounted. However, this change overlooked that: 1. The kernel's allocation functions still enforce INT_MAX as a maximum size regardless of memcg accounting 2. Programs and tests that legitimately test file descriptor limits can inadvertently trigger massive allocations 3. The resulting allocations (>8GB) are impractical and will always fail systemd's algorithm starts with INT_MAX and keeps halving the value until the kernel accepts it. On most systems, this results in nr_open being set to 1073741816 (0x3ffffff8), which is just under 1GB of file descriptors. While processes rarely use file descriptors near this limit in normal operation, certain selftests (like tools/testing/selftests/core/unshare_test.c) and programs that test file descriptor limits can trigger this issue. Fix this by adding a check in alloc_fdtable() to ensure the requested allocation size does not exceed INT_MAX. This causes the operation to fail with -EMFILE instead of triggering a kernel warning and avoids the impractical >8GB memory allocation request.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: netfilter: ctnetlink: remove refcounting in expectation dumpers Same pattern as previous patch: do not keep the expectation object alive via refcount, only store a cookie value and then use that as the skip hint for dump resumption. AFAICS this has the same issue as the one resolved in the conntrack dumper, when we do if (!refcount_inc_not_zero(&exp->use)) to increment the refcount, there is a chance that exp == last, which causes a double-increment of the refcount and subsequent memory leak.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: net: gso: Forbid IPv6 TSO with extensions on devices with only IPV6_CSUM When performing Generic Segmentation Offload (GSO) on an IPv6 packet that contains extension headers, the kernel incorrectly requests checksum offload if the egress device only advertises NETIF_F_IPV6_CSUM feature, which has a strict contract: it supports checksum offload only for plain TCP or UDP over IPv6 and explicitly does not support packets with extension headers. The current GSO logic violates this contract by failing to disable the feature for packets with extension headers, such as those used in GREoIPv6 tunnels. This violation results in the device being asked to perform an operation it cannot support, leading to a `skb_warn_bad_offload` warning and a collapse of network throughput. While device TSO/USO is correctly bypassed in favor of software GSO for these packets, the GSO stack must be explicitly told not to request checksum offload. Mask NETIF_F_IPV6_CSUM, NETIF_F_TSO6 and NETIF_F_GSO_UDP_L4 in gso_features_check if the IPv6 header contains extension headers to compute checksum in software. The exception is a BIG TCP extension, which, as stated in commit 68e068cabd2c6c53 ("net: reenable NETIF_F_IPV6_CSUM offload for BIG TCP packets"): "The feature is only enabled on devices that support BIG TCP TSO. The header is only present for PF_PACKET taps like tcpdump, and not transmitted by physical devices." kernel log output (truncated): WARNING: CPU: 1 PID: 5273 at net/core/dev.c:3535 skb_warn_bad_offload+0x81/0x140 ... Call Trace: <TASK> skb_checksum_help+0x12a/0x1f0 validate_xmit_skb+0x1a3/0x2d0 validate_xmit_skb_list+0x4f/0x80 sch_direct_xmit+0x1a2/0x380 __dev_xmit_skb+0x242/0x670 __dev_queue_xmit+0x3fc/0x7f0 ip6_finish_output2+0x25e/0x5d0 ip6_finish_output+0x1fc/0x3f0 ip6_tnl_xmit+0x608/0xc00 [ip6_tunnel] ip6gre_tunnel_xmit+0x1c0/0x390 [ip6_gre] dev_hard_start_xmit+0x63/0x1c0 __dev_queue_xmit+0x6d0/0x7f0 ip6_finish_output2+0x214/0x5d0 ip6_finish_output+0x1fc/0x3f0 ip6_xmit+0x2ca/0x6f0 ip6_finish_output+0x1fc/0x3f0 ip6_xmit+0x2ca/0x6f0 inet6_csk_xmit+0xeb/0x150 __tcp_transmit_skb+0x555/0xa80 tcp_write_xmit+0x32a/0xe90 tcp_sendmsg_locked+0x437/0x1110 tcp_sendmsg+0x2f/0x50 ... skb linear: 00000000: e4 3d 1a 7d ec 30 e4 3d 1a 7e 5d 90 86 dd 60 0e skb linear: 00000010: 00 0a 1b 34 3c 40 20 11 00 00 00 00 00 00 00 00 skb linear: 00000020: 00 00 00 00 00 12 20 11 00 00 00 00 00 00 00 00 skb linear: 00000030: 00 00 00 00 00 11 2f 00 04 01 04 01 01 00 00 00 skb linear: 00000040: 86 dd 60 0e 00 0a 1b 00 06 40 20 23 00 00 00 00 skb linear: 00000050: 00 00 00 00 00 00 00 00 00 12 20 23 00 00 00 00 skb linear: 00000060: 00 00 00 00 00 00 00 00 00 11 bf 96 14 51 13 f9 skb linear: 00000070: ae 27 a0 a8 2b e3 80 18 00 40 5b 6f 00 00 01 01 skb linear: 00000080: 08 0a 42 d4 50 d5 4b 70 f8 1a
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: net: bridge: fix soft lockup in br_multicast_query_expired() When set multicast_query_interval to a large value, the local variable 'time' in br_multicast_send_query() may overflow. If the time is smaller than jiffies, the timer will expire immediately, and then call mod_timer() again, which creates a loop and may trigger the following soft lockup issue. watchdog: BUG: soft lockup - CPU#1 stuck for 221s! [rb_consumer:66] CPU: 1 UID: 0 PID: 66 Comm: rb_consumer Not tainted 6.16.0+ #259 PREEMPT(none) Call Trace: <IRQ> __netdev_alloc_skb+0x2e/0x3a0 br_ip6_multicast_alloc_query+0x212/0x1b70 __br_multicast_send_query+0x376/0xac0 br_multicast_send_query+0x299/0x510 br_multicast_query_expired.constprop.0+0x16d/0x1b0 call_timer_fn+0x3b/0x2a0 __run_timers+0x619/0x950 run_timer_softirq+0x11c/0x220 handle_softirqs+0x18e/0x560 __irq_exit_rcu+0x158/0x1a0 sysvec_apic_timer_interrupt+0x76/0x90 </IRQ> This issue can be reproduced with: ip link add br0 type bridge echo 1 > /sys/class/net/br0/bridge/multicast_querier echo 0xffffffffffffffff > /sys/class/net/br0/bridge/multicast_query_interval ip link set dev br0 up The multicast_startup_query_interval can also cause this issue. Similar to the commit 99b40610956a ("net: bridge: mcast: add and enforce query interval minimum"), add check for the query interval maximum to fix this issue.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: jbd2: prevent softlockup in jbd2_log_do_checkpoint() Both jbd2_log_do_checkpoint() and jbd2_journal_shrink_checkpoint_list() periodically release j_list_lock after processing a batch of buffers to avoid long hold times on the j_list_lock. However, since both functions contend for j_list_lock, the combined time spent waiting and processing can be significant. jbd2_journal_shrink_checkpoint_list() explicitly calls cond_resched() when need_resched() is true to avoid softlockups during prolonged operations. But jbd2_log_do_checkpoint() only exits its loop when need_resched() is true, relying on potentially sleeping functions like __flush_batch() or wait_on_buffer() to trigger rescheduling. If those functions do not sleep, the kernel may hit a softlockup. watchdog: BUG: soft lockup - CPU#3 stuck for 156s! [kworker/u129:2:373] CPU: 3 PID: 373 Comm: kworker/u129:2 Kdump: loaded Not tainted 6.6.0+ #10 Hardware name: Huawei TaiShan 2280 /BC11SPCD, BIOS 1.27 06/13/2017 Workqueue: writeback wb_workfn (flush-7:2) pstate: 20000005 (nzCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : native_queued_spin_lock_slowpath+0x358/0x418 lr : jbd2_log_do_checkpoint+0x31c/0x438 [jbd2] Call trace: native_queued_spin_lock_slowpath+0x358/0x418 jbd2_log_do_checkpoint+0x31c/0x438 [jbd2] __jbd2_log_wait_for_space+0xfc/0x2f8 [jbd2] add_transaction_credits+0x3bc/0x418 [jbd2] start_this_handle+0xf8/0x560 [jbd2] jbd2__journal_start+0x118/0x228 [jbd2] __ext4_journal_start_sb+0x110/0x188 [ext4] ext4_do_writepages+0x3dc/0x740 [ext4] ext4_writepages+0xa4/0x190 [ext4] do_writepages+0x94/0x228 __writeback_single_inode+0x48/0x318 writeback_sb_inodes+0x204/0x590 __writeback_inodes_wb+0x54/0xf8 wb_writeback+0x2cc/0x3d8 wb_do_writeback+0x2e0/0x2f8 wb_workfn+0x80/0x2a8 process_one_work+0x178/0x3e8 worker_thread+0x234/0x3b8 kthread+0xf0/0x108 ret_from_fork+0x10/0x20 So explicitly call cond_resched() in jbd2_log_do_checkpoint() to avoid softlockup.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: block: avoid possible overflow for chunk_sectors check in blk_stack_limits() In blk_stack_limits(), we check that the t->chunk_sectors value is a multiple of the t->physical_block_size value. However, by finding the chunk_sectors value in bytes, we may overflow the unsigned int which holds chunk_sectors, so change the check to be based on sectors.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: net: rose: convert 'use' field to refcount_t The 'use' field in struct rose_neigh is used as a reference counter but lacks atomicity. This can lead to race conditions where a rose_neigh structure is freed while still being referenced by other code paths. For example, when rose_neigh->use becomes zero during an ioctl operation via rose_rt_ioctl(), the structure may be removed while its timer is still active, potentially causing use-after-free issues. This patch changes the type of 'use' from unsigned short to refcount_t and updates all code paths to use rose_neigh_hold() and rose_neigh_put() which operate reference counts atomically.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: net: rose: include node references in rose_neigh refcount Current implementation maintains two separate reference counting mechanisms: the 'count' field in struct rose_neigh tracks references from rose_node structures, while the 'use' field (now refcount_t) tracks references from rose_sock. This patch merges these two reference counting systems using 'use' field for proper reference management. Specifically, this patch adds incrementing and decrementing of rose_neigh->use when rose_neigh->count is incremented or decremented. This patch also modifies rose_rt_free(), rose_rt_device_down() and rose_clear_route() to properly release references to rose_neigh objects before freeing a rose_node through rose_remove_node(). These changes ensure rose_neigh structures are properly freed only when all references, including those from rose_node structures, are released. As a result, this resolves a slab-use-after-free issue reported by Syzbot.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: x86/mm/64: define ARCH_PAGE_TABLE_SYNC_MASK and arch_sync_kernel_mappings() Define ARCH_PAGE_TABLE_SYNC_MASK and arch_sync_kernel_mappings() to ensure page tables are properly synchronized when calling p*d_populate_kernel(). For 5-level paging, synchronization is performed via pgd_populate_kernel(). In 4-level paging, pgd_populate() is a no-op, so synchronization is instead performed at the P4D level via p4d_populate_kernel(). This fixes intermittent boot failures on systems using 4-level paging and a large amount of persistent memory: BUG: unable to handle page fault for address: ffffe70000000034 #PF: supervisor write access in kernel mode #PF: error_code(0x0002) - not-present page PGD 0 P4D 0 Oops: 0002 [#1] SMP NOPTI RIP: 0010:__init_single_page+0x9/0x6d Call Trace: <TASK> __init_zone_device_page+0x17/0x5d memmap_init_zone_device+0x154/0x1bb pagemap_range+0x2e0/0x40f memremap_pages+0x10b/0x2f0 devm_memremap_pages+0x1e/0x60 dev_dax_probe+0xce/0x2ec [device_dax] dax_bus_probe+0x6d/0xc9 [... snip ...] </TASK> It also fixes a crash in vmemmap_set_pmd() caused by accessing vmemmap before sync_global_pgds() [1]: BUG: unable to handle page fault for address: ffffeb3ff1200000 #PF: supervisor write access in kernel mode #PF: error_code(0x0002) - not-present page PGD 0 P4D 0 Oops: Oops: 0002 [#1] PREEMPT SMP NOPTI Tainted: [W]=WARN RIP: 0010:vmemmap_set_pmd+0xff/0x230 <TASK> vmemmap_populate_hugepages+0x176/0x180 vmemmap_populate+0x34/0x80 __populate_section_memmap+0x41/0x90 sparse_add_section+0x121/0x3e0 __add_pages+0xba/0x150 add_pages+0x1d/0x70 memremap_pages+0x3dc/0x810 devm_memremap_pages+0x1c/0x60 xe_devm_add+0x8b/0x100 [xe] xe_tile_init_noalloc+0x6a/0x70 [xe] xe_device_probe+0x48c/0x740 [xe] [... snip ...]
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: fs: writeback: fix use-after-free in __mark_inode_dirty() An use-after-free issue occurred when __mark_inode_dirty() get the bdi_writeback that was in the progress of switching. CPU: 1 PID: 562 Comm: systemd-random- Not tainted 6.6.56-gb4403bd46a8e #1 ...... pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : __mark_inode_dirty+0x124/0x418 lr : __mark_inode_dirty+0x118/0x418 sp : ffffffc08c9dbbc0 ........ Call trace: __mark_inode_dirty+0x124/0x418 generic_update_time+0x4c/0x60 file_modified+0xcc/0xd0 ext4_buffered_write_iter+0x58/0x124 ext4_file_write_iter+0x54/0x704 vfs_write+0x1c0/0x308 ksys_write+0x74/0x10c __arm64_sys_write+0x1c/0x28 invoke_syscall+0x48/0x114 el0_svc_common.constprop.0+0xc0/0xe0 do_el0_svc+0x1c/0x28 el0_svc+0x40/0xe4 el0t_64_sync_handler+0x120/0x12c el0t_64_sync+0x194/0x198 Root cause is: systemd-random-seed kworker ---------------------------------------------------------------------- ___mark_inode_dirty inode_switch_wbs_work_fn spin_lock(&inode->i_lock); inode_attach_wb locked_inode_to_wb_and_lock_list get inode->i_wb spin_unlock(&inode->i_lock); spin_lock(&wb->list_lock) spin_lock(&inode->i_lock) inode_io_list_move_locked spin_unlock(&wb->list_lock) spin_unlock(&inode->i_lock) spin_lock(&old_wb->list_lock) inode_do_switch_wbs spin_lock(&inode->i_lock) inode->i_wb = new_wb spin_unlock(&inode->i_lock) spin_unlock(&old_wb->list_lock) wb_put_many(old_wb, nr_switched) cgwb_release old wb released wb_wakeup_delayed() accesses wb, then trigger the use-after-free issue Fix this race condition by holding inode spinlock until wb_wakeup_delayed() finished.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: dmaengine: idxd: Remove improper idxd_free The call to idxd_free() introduces a duplicate put_device() leading to a reference count underflow: refcount_t: underflow; use-after-free. WARNING: CPU: 15 PID: 4428 at lib/refcount.c:28 refcount_warn_saturate+0xbe/0x110 ... Call Trace: <TASK> idxd_remove+0xe4/0x120 [idxd] pci_device_remove+0x3f/0xb0 device_release_driver_internal+0x197/0x200 driver_detach+0x48/0x90 bus_remove_driver+0x74/0xf0 pci_unregister_driver+0x2e/0xb0 idxd_exit_module+0x34/0x7a0 [idxd] __do_sys_delete_module.constprop.0+0x183/0x280 do_syscall_64+0x54/0xd70 entry_SYSCALL_64_after_hwframe+0x76/0x7e The idxd_unregister_devices() which is invoked at the very beginning of idxd_remove(), already takes care of the necessary put_device() through the following call path: idxd_unregister_devices() -> device_unregister() -> put_device() In addition, when CONFIG_DEBUG_KOBJECT_RELEASE is enabled, put_device() may trigger asynchronous cleanup via schedule_delayed_work(). If idxd_free() is called immediately after, it can result in a use-after-free. Remove the improper idxd_free() to avoid both the refcount underflow and potential memory corruption during module unload.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: crypto: af_alg - Set merge to zero early in af_alg_sendmsg If an error causes af_alg_sendmsg to abort, ctx->merge may contain a garbage value from the previous loop. This may then trigger a crash on the next entry into af_alg_sendmsg when it attempts to do a merge that can't be done. Fix this by setting ctx->merge to zero near the start of the loop.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: cgroup: split cgroup_destroy_wq into 3 workqueues A hung task can occur during [1] LTP cgroup testing when repeatedly mounting/unmounting perf_event and net_prio controllers with systemd.unified_cgroup_hierarchy=1. The hang manifests in cgroup_lock_and_drain_offline() during root destruction. Related case: cgroup_fj_function_perf_event cgroup_fj_function.sh perf_event cgroup_fj_function_net_prio cgroup_fj_function.sh net_prio Call Trace: cgroup_lock_and_drain_offline+0x14c/0x1e8 cgroup_destroy_root+0x3c/0x2c0 css_free_rwork_fn+0x248/0x338 process_one_work+0x16c/0x3b8 worker_thread+0x22c/0x3b0 kthread+0xec/0x100 ret_from_fork+0x10/0x20 Root Cause: CPU0 CPU1 mount perf_event umount net_prio cgroup1_get_tree cgroup_kill_sb rebind_subsystems // root destruction enqueues // cgroup_destroy_wq // kill all perf_event css // one perf_event css A is dying // css A offline enqueues cgroup_destroy_wq // root destruction will be executed first css_free_rwork_fn cgroup_destroy_root cgroup_lock_and_drain_offline // some perf descendants are dying // cgroup_destroy_wq max_active = 1 // waiting for css A to die Problem scenario: 1. CPU0 mounts perf_event (rebind_subsystems) 2. CPU1 unmounts net_prio (cgroup_kill_sb), queuing root destruction work 3. A dying perf_event CSS gets queued for offline after root destruction 4. Root destruction waits for offline completion, but offline work is blocked behind root destruction in cgroup_destroy_wq (max_active=1) Solution: Split cgroup_destroy_wq into three dedicated workqueues: cgroup_offline_wq – Handles CSS offline operations cgroup_release_wq – Manages resource release cgroup_free_wq – Performs final memory deallocation This separation eliminates blocking in the CSS free path while waiting for offline operations to complete. [1] https://github.com/linux-test-project/ltp/blob/master/runtest/controllers
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: tcp: Clear tcp_sk(sk)->fastopen_rsk in tcp_disconnect(). syzbot reported the splat below where a socket had tcp_sk(sk)->fastopen_rsk in the TCP_ESTABLISHED state. [0] syzbot reused the server-side TCP Fast Open socket as a new client before the TFO socket completes 3WHS: 1. accept() 2. connect(AF_UNSPEC) 3. connect() to another destination As of accept(), sk->sk_state is TCP_SYN_RECV, and tcp_disconnect() changes it to TCP_CLOSE and makes connect() possible, which restarts timers. Since tcp_disconnect() forgot to clear tcp_sk(sk)->fastopen_rsk, the retransmit timer triggered the warning and the intended packet was not retransmitted. Let's call reqsk_fastopen_remove() in tcp_disconnect(). [0]: WARNING: CPU: 2 PID: 0 at net/ipv4/tcp_timer.c:542 tcp_retransmit_timer (net/ipv4/tcp_timer.c:542 (discriminator 7)) Modules linked in: CPU: 2 UID: 0 PID: 0 Comm: swapper/2 Not tainted 6.17.0-rc5-g201825fb4278 #62 PREEMPT(voluntary) Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 RIP: 0010:tcp_retransmit_timer (net/ipv4/tcp_timer.c:542 (discriminator 7)) Code: 41 55 41 54 55 53 48 8b af b8 08 00 00 48 89 fb 48 85 ed 0f 84 55 01 00 00 0f b6 47 12 3c 03 74 0c 0f b6 47 12 3c 04 74 04 90 <0f> 0b 90 48 8b 85 c0 00 00 00 48 89 ef 48 8b 40 30 e8 6a 4f 06 3e RSP: 0018:ffffc900002f8d40 EFLAGS: 00010293 RAX: 0000000000000002 RBX: ffff888106911400 RCX: 0000000000000017 RDX: 0000000002517619 RSI: ffffffff83764080 RDI: ffff888106911400 RBP: ffff888106d5c000 R08: 0000000000000001 R09: ffffc900002f8de8 R10: 00000000000000c2 R11: ffffc900002f8ff8 R12: ffff888106911540 R13: ffff888106911480 R14: ffff888106911840 R15: ffffc900002f8de0 FS: 0000000000000000(0000) GS:ffff88907b768000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f8044d69d90 CR3: 0000000002c30003 CR4: 0000000000370ef0 Call Trace: <IRQ> tcp_write_timer (net/ipv4/tcp_timer.c:738) call_timer_fn (kernel/time/timer.c:1747) __run_timers (kernel/time/timer.c:1799 kernel/time/timer.c:2372) timer_expire_remote (kernel/time/timer.c:2385 kernel/time/timer.c:2376 kernel/time/timer.c:2135) tmigr_handle_remote_up (kernel/time/timer_migration.c:944 kernel/time/timer_migration.c:1035) __walk_groups.isra.0 (kernel/time/timer_migration.c:533 (discriminator 1)) tmigr_handle_remote (kernel/time/timer_migration.c:1096) handle_softirqs (./arch/x86/include/asm/jump_label.h:36 ./include/trace/events/irq.h:142 kernel/softirq.c:580) irq_exit_rcu (kernel/softirq.c:614 kernel/softirq.c:453 kernel/softirq.c:680 kernel/softirq.c:696) sysvec_apic_timer_interrupt (arch/x86/kernel/apic/apic.c:1050 (discriminator 35) arch/x86/kernel/apic/apic.c:1050 (discriminator 35)) </IRQ>
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: crypto: af_alg - Disallow concurrent writes in af_alg_sendmsg Issuing two writes to the same af_alg socket is bogus as the data will be interleaved in an unpredictable fashion. Furthermore, concurrent writes may create inconsistencies in the internal socket state. Disallow this by adding a new ctx->write field that indiciates exclusive ownership for writing.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: futex: Prevent use-after-free during requeue-PI syzbot managed to trigger the following race: T1 T2 futex_wait_requeue_pi() futex_do_wait() schedule() futex_requeue() futex_proxy_trylock_atomic() futex_requeue_pi_prepare() requeue_pi_wake_futex() futex_requeue_pi_complete() /* preempt */ * timeout/ signal wakes T1 * futex_requeue_pi_wakeup_sync() // Q_REQUEUE_PI_LOCKED futex_hash_put() // back to userland, on stack futex_q is garbage /* back */ wake_up_state(q->task, TASK_NORMAL); In this scenario futex_wait_requeue_pi() is able to leave without using futex_q::lock_ptr for synchronization. This can be prevented by reading futex_q::task before updating the futex_q::requeue_state. A reference on the task_struct is not needed because requeue_pi_wake_futex() is invoked with a spinlock_t held which implies a RCU read section. Even if T1 terminates immediately after, the task_struct will remain valid during T2's wake_up_state(). A READ_ONCE on futex_q::task before futex_requeue_pi_complete() is enough because it ensures that the variable is read before the state is updated. Read futex_q::task before updating the requeue state, use it for the following wakeup.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: octeontx2-pf: Fix potential use after free in otx2_tc_add_flow() This code calls kfree_rcu(new_node, rcu) and then dereferences "new_node" and then dereferences it on the next line. Two lines later, we take a mutex so I don't think this is an RCU safe region. Re-order it to do the dereferences before queuing up the free.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: nexthop: Forbid FDB status change while nexthop is in a group The kernel forbids the creation of non-FDB nexthop groups with FDB nexthops: # ip nexthop add id 1 via 192.0.2.1 fdb # ip nexthop add id 2 group 1 Error: Non FDB nexthop group cannot have fdb nexthops. And vice versa: # ip nexthop add id 3 via 192.0.2.2 dev dummy1 # ip nexthop add id 4 group 3 fdb Error: FDB nexthop group can only have fdb nexthops. However, as long as no routes are pointing to a non-FDB nexthop group, the kernel allows changing the type of a nexthop from FDB to non-FDB and vice versa: # ip nexthop add id 5 via 192.0.2.2 dev dummy1 # ip nexthop add id 6 group 5 # ip nexthop replace id 5 via 192.0.2.2 fdb # echo $? 0 This configuration is invalid and can result in a NPD [1] since FDB nexthops are not associated with a nexthop device: # ip route add 198.51.100.1/32 nhid 6 # ping 198.51.100.1 Fix by preventing nexthop FDB status change while the nexthop is in a group: # ip nexthop add id 7 via 192.0.2.2 dev dummy1 # ip nexthop add id 8 group 7 # ip nexthop replace id 7 via 192.0.2.2 fdb Error: Cannot change nexthop FDB status while in a group. [1] BUG: kernel NULL pointer dereference, address: 00000000000003c0 [...] Oops: Oops: 0000 [#1] SMP CPU: 6 UID: 0 PID: 367 Comm: ping Not tainted 6.17.0-rc6-virtme-gb65678cacc03 #1 PREEMPT(voluntary) Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-4.fc41 04/01/2014 RIP: 0010:fib_lookup_good_nhc+0x1e/0x80 [...] Call Trace: <TASK> fib_table_lookup+0x541/0x650 ip_route_output_key_hash_rcu+0x2ea/0x970 ip_route_output_key_hash+0x55/0x80 __ip4_datagram_connect+0x250/0x330 udp_connect+0x2b/0x60 __sys_connect+0x9c/0xd0 __x64_sys_connect+0x18/0x20 do_syscall_64+0xa4/0x2a0 entry_SYSCALL_64_after_hwframe+0x4b/0x53
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: crypto: af_alg - Fix incorrect boolean values in af_alg_ctx Commit 1b34cbbf4f01 ("crypto: af_alg - Disallow concurrent writes in af_alg_sendmsg") changed some fields from bool to 1-bit bitfields of type u32. However, some assignments to these fields, specifically 'more' and 'merge', assign values greater than 1. These relied on C's implicit conversion to bool, such that zero becomes false and nonzero becomes true. With a 1-bit bitfields of type u32 instead, mod 2 of the value is taken instead, resulting in 0 being assigned in some cases when 1 was intended. Fix this by restoring the bool type.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: pps: fix warning in pps_register_cdev when register device fail Similar to previous commit 2a934fdb01db ("media: v4l2-dev: fix error handling in __video_register_device()"), the release hook should be set before device_register(). Otherwise, when device_register() return error and put_device() try to callback the release function, the below warning may happen. ------------[ cut here ]------------ WARNING: CPU: 1 PID: 4760 at drivers/base/core.c:2567 device_release+0x1bd/0x240 drivers/base/core.c:2567 Modules linked in: CPU: 1 UID: 0 PID: 4760 Comm: syz.4.914 Not tainted 6.17.0-rc3+ #1 NONE RIP: 0010:device_release+0x1bd/0x240 drivers/base/core.c:2567 Call Trace: <TASK> kobject_cleanup+0x136/0x410 lib/kobject.c:689 kobject_release lib/kobject.c:720 [inline] kref_put include/linux/kref.h:65 [inline] kobject_put+0xe9/0x130 lib/kobject.c:737 put_device+0x24/0x30 drivers/base/core.c:3797 pps_register_cdev+0x2da/0x370 drivers/pps/pps.c:402 pps_register_source+0x2f6/0x480 drivers/pps/kapi.c:108 pps_tty_open+0x190/0x310 drivers/pps/clients/pps-ldisc.c:57 tty_ldisc_open+0xa7/0x120 drivers/tty/tty_ldisc.c:432 tty_set_ldisc+0x333/0x780 drivers/tty/tty_ldisc.c:563 tiocsetd drivers/tty/tty_io.c:2429 [inline] tty_ioctl+0x5d1/0x1700 drivers/tty/tty_io.c:2728 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:598 [inline] __se_sys_ioctl fs/ioctl.c:584 [inline] __x64_sys_ioctl+0x194/0x210 fs/ioctl.c:584 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0x5f/0x2a0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x76/0x7e </TASK> Before commit c79a39dc8d06 ("pps: Fix a use-after-free"), pps_register_cdev() call device_create() to create pps->dev, which will init dev->release to device_create_release(). Now the comment is outdated, just remove it. Thanks for the reminder from Calvin Owens, 'kfree_pps' should be removed in pps_register_source() to avoid a double free in the failure case.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: bpf: Explicitly check accesses to bpf_sock_addr Syzkaller found a kernel warning on the following sock_addr program: 0: r0 = 0 1: r2 = *(u32 *)(r1 +60) 2: exit which triggers: verifier bug: error during ctx access conversion (0) This is happening because offset 60 in bpf_sock_addr corresponds to an implicit padding of 4 bytes, right after msg_src_ip4. Access to this padding isn't rejected in sock_addr_is_valid_access and it thus later fails to convert the access. This patch fixes it by explicitly checking the various fields of bpf_sock_addr in sock_addr_is_valid_access. I checked the other ctx structures and is_valid_access functions and didn't find any other similar cases. Other cases of (properly handled) padding are covered in new tests in a subsequent patch.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: nbd: restrict sockets to TCP and UDP Recently, syzbot started to abuse NBD with all kinds of sockets. Commit cf1b2326b734 ("nbd: verify socket is supported during setup") made sure the socket supported a shutdown() method. Explicitely accept TCP and UNIX stream sockets.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: vfs: Don't leak disconnected dentries on umount When user calls open_by_handle_at() on some inode that is not cached, we will create disconnected dentry for it. If such dentry is a directory, exportfs_decode_fh_raw() will then try to connect this dentry to the dentry tree through reconnect_path(). It may happen for various reasons (such as corrupted fs or race with rename) that the call to lookup_one_unlocked() in reconnect_one() will fail to find the dentry we are trying to reconnect and instead create a new dentry under the parent. Now this dentry will not be marked as disconnected although the parent still may well be disconnected (at least in case this inconsistency happened because the fs is corrupted and .. doesn't point to the real parent directory). This creates inconsistency in disconnected flags but AFAICS it was mostly harmless. At least until commit f1ee616214cb ("VFS: don't keep disconnected dentries on d_anon") which removed adding of most disconnected dentries to sb->s_anon list. Thus after this commit cleanup of disconnected dentries implicitely relies on the fact that dput() will immediately reclaim such dentries. However when some leaf dentry isn't marked as disconnected, as in the scenario described above, the reclaim doesn't happen and the dentries are "leaked". Memory reclaim can eventually reclaim them but otherwise they stay in memory and if umount comes first, we hit infamous "Busy inodes after unmount" bug. Make sure all dentries created under a disconnected parent are marked as disconnected as well.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: ipv6: use RCU in ip6_xmit() Use RCU in ip6_xmit() in order to use dst_dev_rcu() to prevent possible UAF.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: tls: Use __sk_dst_get() and dst_dev_rcu() in get_netdev_for_sock(). get_netdev_for_sock() is called during setsockopt(), so not under RCU. Using sk_dst_get(sk)->dev could trigger UAF. Let's use __sk_dst_get() and dst_dev_rcu(). Note that the only ->ndo_sk_get_lower_dev() user is bond_sk_get_lower_dev(), which uses RCU.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: PCI/IOV: Fix race between SR-IOV enable/disable and hotplug Commit 05703271c3cd ("PCI/IOV: Add PCI rescan-remove locking when enabling/disabling SR-IOV") tried to fix a race between the VF removal inside sriov_del_vfs() and concurrent hot unplug by taking the PCI rescan/remove lock in sriov_del_vfs(). Similarly the PCI rescan/remove lock was also taken in sriov_add_vfs() to protect addition of VFs. This approach however causes deadlock on trying to remove PFs with SR-IOV enabled because PFs disable SR-IOV during removal and this removal happens under the PCI rescan/remove lock. So the original fix had to be reverted. Instead of taking the PCI rescan/remove lock in sriov_add_vfs() and sriov_del_vfs(), fix the race that occurs with SR-IOV enable and disable vs hotplug higher up in the callchain by taking the lock in sriov_numvfs_store() before calling into the driver's sriov_configure() callback.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: nvme: nvme-fc: Ensure ->ioerr_work is cancelled in nvme_fc_delete_ctrl() nvme_fc_delete_assocation() waits for pending I/O to complete before returning, and an error can cause ->ioerr_work to be queued after cancel_work_sync() had been called. Move the call to cancel_work_sync() to be after nvme_fc_delete_association() to ensure ->ioerr_work is not running when the nvme_fc_ctrl object is freed. Otherwise the following can occur: [ 1135.911754] list_del corruption, ff2d24c8093f31f8->next is NULL [ 1135.917705] ------------[ cut here ]------------ [ 1135.922336] kernel BUG at lib/list_debug.c:52! [ 1135.926784] Oops: invalid opcode: 0000 [#1] SMP NOPTI [ 1135.931851] CPU: 48 UID: 0 PID: 726 Comm: kworker/u449:23 Kdump: loaded Not tainted 6.12.0 #1 PREEMPT(voluntary) [ 1135.943490] Hardware name: Dell Inc. PowerEdge R660/0HGTK9, BIOS 2.5.4 01/16/2025 [ 1135.950969] Workqueue: 0x0 (nvme-wq) [ 1135.954673] RIP: 0010:__list_del_entry_valid_or_report.cold+0xf/0x6f [ 1135.961041] Code: c7 c7 98 68 72 94 e8 26 45 fe ff 0f 0b 48 c7 c7 70 68 72 94 e8 18 45 fe ff 0f 0b 48 89 fe 48 c7 c7 80 69 72 94 e8 07 45 fe ff <0f> 0b 48 89 d1 48 c7 c7 a0 6a 72 94 48 89 c2 e8 f3 44 fe ff 0f 0b [ 1135.979788] RSP: 0018:ff579b19482d3e50 EFLAGS: 00010046 [ 1135.985015] RAX: 0000000000000033 RBX: ff2d24c8093f31f0 RCX: 0000000000000000 [ 1135.992148] RDX: 0000000000000000 RSI: ff2d24d6bfa1d0c0 RDI: ff2d24d6bfa1d0c0 [ 1135.999278] RBP: ff2d24c8093f31f8 R08: 0000000000000000 R09: ffffffff951e2b08 [ 1136.006413] R10: ffffffff95122ac8 R11: 0000000000000003 R12: ff2d24c78697c100 [ 1136.013546] R13: fffffffffffffff8 R14: 0000000000000000 R15: ff2d24c78697c0c0 [ 1136.020677] FS: 0000000000000000(0000) GS:ff2d24d6bfa00000(0000) knlGS:0000000000000000 [ 1136.028765] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 1136.034510] CR2: 00007fd207f90b80 CR3: 000000163ea22003 CR4: 0000000000f73ef0 [ 1136.041641] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 1136.048776] DR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400 [ 1136.055910] PKRU: 55555554 [ 1136.058623] Call Trace: [ 1136.061074] <TASK> [ 1136.063179] ? show_trace_log_lvl+0x1b0/0x2f0 [ 1136.067540] ? show_trace_log_lvl+0x1b0/0x2f0 [ 1136.071898] ? move_linked_works+0x4a/0xa0 [ 1136.075998] ? __list_del_entry_valid_or_report.cold+0xf/0x6f [ 1136.081744] ? __die_body.cold+0x8/0x12 [ 1136.085584] ? die+0x2e/0x50 [ 1136.088469] ? do_trap+0xca/0x110 [ 1136.091789] ? do_error_trap+0x65/0x80 [ 1136.095543] ? __list_del_entry_valid_or_report.cold+0xf/0x6f [ 1136.101289] ? exc_invalid_op+0x50/0x70 [ 1136.105127] ? __list_del_entry_valid_or_report.cold+0xf/0x6f [ 1136.110874] ? asm_exc_invalid_op+0x1a/0x20 [ 1136.115059] ? __list_del_entry_valid_or_report.cold+0xf/0x6f [ 1136.120806] move_linked_works+0x4a/0xa0 [ 1136.124733] worker_thread+0x216/0x3a0 [ 1136.128485] ? __pfx_worker_thread+0x10/0x10 [ 1136.132758] kthread+0xfa/0x240 [ 1136.135904] ? __pfx_kthread+0x10/0x10 [ 1136.139657] ret_from_fork+0x31/0x50 [ 1136.143236] ? __pfx_kthread+0x10/0x10 [ 1136.146988] ret_from_fork_asm+0x1a/0x30 [ 1136.150915] </TASK>
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: x86/vmscape: Add conditional IBPB mitigation VMSCAPE is a vulnerability that exploits insufficient branch predictor isolation between a guest and a userspace hypervisor (like QEMU). Existing mitigations already protect kernel/KVM from a malicious guest. Userspace can additionally be protected by flushing the branch predictors after a VMexit. Since it is the userspace that consumes the poisoned branch predictors, conditionally issue an IBPB after a VMexit and before returning to userspace. Workloads that frequently switch between hypervisor and userspace will incur the most overhead from the new IBPB. This new IBPB is not integrated with the existing IBPB sites. For instance, a task can use the existing speculation control prctl() to get an IBPB at context switch time. With this implementation, the IBPB is doubled up: one at context switch and another before running userspace. The intent is to integrate and optimize these cases post-embargo. [ dhansen: elaborate on suboptimal IBPB solution ]
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
ssh in OpenSSH before 10.1 allows control characters in usernames that originate from certain possibly untrusted sources, potentially leading to code execution when a ProxyCommand is used. The untrusted sources are the command line and %-sequence expansion of a configuration file. (A configuration file that provides a complete literal username is not categorized as an untrusted source.)
CWE-159 - Improper Handling of Invalid Use of Special Elements| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
ssh in OpenSSH before 10.1 allows the '\0' character in an ssh:// URI, potentially leading to code execution when a ProxyCommand is used.
CWE-158 - Improper Neutralization of Null Byte or NUL Character| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_ct: add seqadj extension for natted connections Sequence adjustment may be required for FTP traffic with PASV/EPSV modes. due to need to re-write packet payload (IP, port) on the ftp control connection. This can require changes to the TCP length and expected seq / ack_seq. The easiest way to reproduce this issue is with PASV mode. Example ruleset: table inet ftp_nat { ct helper ftp_helper { type "ftp" protocol tcp l3proto inet } chain prerouting { type filter hook prerouting priority 0; policy accept; tcp dport 21 ct state new ct helper set "ftp_helper" } } table ip nat { chain prerouting { type nat hook prerouting priority -100; policy accept; tcp dport 21 dnat ip prefix to ip daddr map { 192.168.100.1 : 192.168.13.2/32 } } chain postrouting { type nat hook postrouting priority 100 ; policy accept; tcp sport 21 snat ip prefix to ip saddr map { 192.168.13.2 : 192.168.100.1/32 } } } Note that the ftp helper gets assigned *after* the dnat setup. The inverse (nat after helper assign) is handled by an existing check in nf_nat_setup_info() and will not show the problem. Topoloy: +-------------------+ +----------------------------------+ | FTP: 192.168.13.2 | <-> | NAT: 192.168.13.3, 192.168.100.1 | +-------------------+ +----------------------------------+ | +-----------------------+ | Client: 192.168.100.2 | +-----------------------+ ftp nat changes do not work as expected in this case: Connected to 192.168.100.1. [..] ftp> epsv EPSV/EPRT on IPv4 off. ftp> ls 227 Entering passive mode (192,168,100,1,209,129). 421 Service not available, remote server has closed connection. Kernel logs: Missing nfct_seqadj_ext_add() setup call WARNING: CPU: 1 PID: 0 at net/netfilter/nf_conntrack_seqadj.c:41 [..] __nf_nat_mangle_tcp_packet+0x100/0x160 [nf_nat] nf_nat_ftp+0x142/0x280 [nf_nat_ftp] help+0x4d1/0x880 [nf_conntrack_ftp] nf_confirm+0x122/0x2e0 [nf_conntrack] nf_hook_slow+0x3c/0xb0 .. Fix this by adding the required extension when a conntrack helper is assigned to a connection that has a nat binding.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: ext4: add i_data_sem protection in ext4_destroy_inline_data_nolock() Fix a race between inline data destruction and block mapping. The function ext4_destroy_inline_data_nolock() changes the inode data layout by clearing EXT4_INODE_INLINE_DATA and setting EXT4_INODE_EXTENTS. At the same time, another thread may execute ext4_map_blocks(), which tests EXT4_INODE_EXTENTS to decide whether to call ext4_ext_map_blocks() or ext4_ind_map_blocks(). Without i_data_sem protection, ext4_ind_map_blocks() may receive inode with EXT4_INODE_EXTENTS flag and triggering assert. kernel BUG at fs/ext4/indirect.c:546! EXT4-fs (loop2): unmounting filesystem. invalid opcode: 0000 [#1] PREEMPT SMP KASAN NOPTI Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014 RIP: 0010:ext4_ind_map_blocks.cold+0x2b/0x5a fs/ext4/indirect.c:546 Call Trace: <TASK> ext4_map_blocks+0xb9b/0x16f0 fs/ext4/inode.c:681 _ext4_get_block+0x242/0x590 fs/ext4/inode.c:822 ext4_block_write_begin+0x48b/0x12c0 fs/ext4/inode.c:1124 ext4_write_begin+0x598/0xef0 fs/ext4/inode.c:1255 ext4_da_write_begin+0x21e/0x9c0 fs/ext4/inode.c:3000 generic_perform_write+0x259/0x5d0 mm/filemap.c:3846 ext4_buffered_write_iter+0x15b/0x470 fs/ext4/file.c:285 ext4_file_write_iter+0x8e0/0x17f0 fs/ext4/file.c:679 call_write_iter include/linux/fs.h:2271 [inline] do_iter_readv_writev+0x212/0x3c0 fs/read_write.c:735 do_iter_write+0x186/0x710 fs/read_write.c:861 vfs_iter_write+0x70/0xa0 fs/read_write.c:902 iter_file_splice_write+0x73b/0xc90 fs/splice.c:685 do_splice_from fs/splice.c:763 [inline] direct_splice_actor+0x10f/0x170 fs/splice.c:950 splice_direct_to_actor+0x33a/0xa10 fs/splice.c:896 do_splice_direct+0x1a9/0x280 fs/splice.c:1002 do_sendfile+0xb13/0x12c0 fs/read_write.c:1255 __do_sys_sendfile64 fs/read_write.c:1323 [inline] __se_sys_sendfile64 fs/read_write.c:1309 [inline] __x64_sys_sendfile64+0x1cf/0x210 fs/read_write.c:1309 do_syscall_x64 arch/x86/entry/common.c:51 [inline] do_syscall_64+0x35/0x80 arch/x86/entry/common.c:81 entry_SYSCALL_64_after_hwframe+0x6e/0xd8
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: ext4: refresh inline data size before write operations The cached ei->i_inline_size can become stale between the initial size check and when ext4_update_inline_data()/ext4_create_inline_data() use it. Although ext4_get_max_inline_size() reads the correct value at the time of the check, concurrent xattr operations can modify i_inline_size before ext4_write_lock_xattr() is acquired. This causes ext4_update_inline_data() and ext4_create_inline_data() to work with stale capacity values, leading to a BUG_ON() crash in ext4_write_inline_data(): kernel BUG at fs/ext4/inline.c:1331! BUG_ON(pos + len > EXT4_I(inode)->i_inline_size); The race window: 1. ext4_get_max_inline_size() reads i_inline_size = 60 (correct) 2. Size check passes for 50-byte write 3. [Another thread adds xattr, i_inline_size changes to 40] 4. ext4_write_lock_xattr() acquires lock 5. ext4_update_inline_data() uses stale i_inline_size = 60 6. Attempts to write 50 bytes but only 40 bytes actually available 7. BUG_ON() triggers Fix this by recalculating i_inline_size via ext4_find_inline_data_nolock() immediately after acquiring xattr_sem. This ensures ext4_update_inline_data() and ext4_create_inline_data() work with current values that are protected from concurrent modifications. This is similar to commit a54c4613dac1 ("ext4: fix race writing to an inline_data file while its xattrs are changing") which fixed i_inline_off staleness. This patch addresses the related i_inline_size staleness issue.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: nvme: fix admin request_queue lifetime The namespaces can access the controller's admin request_queue, and stale references on the namespaces may exist after tearing down the controller. Ensure the admin request_queue is active by moving the controller's 'put' to after all controller references have been released to ensure no one is can access the request_queue. This fixes a reported use-after-free bug: BUG: KASAN: slab-use-after-free in blk_queue_enter+0x41c/0x4a0 Read of size 8 at addr ffff88c0a53819f8 by task nvme/3287 CPU: 67 UID: 0 PID: 3287 Comm: nvme Tainted: G E 6.13.2-ga1582f1a031e #15 Tainted: [E]=UNSIGNED_MODULE Hardware name: Jabil /EGS 2S MB1, BIOS 1.00 06/18/2025 Call Trace: <TASK> dump_stack_lvl+0x4f/0x60 print_report+0xc4/0x620 ? _raw_spin_lock_irqsave+0x70/0xb0 ? _raw_read_unlock_irqrestore+0x30/0x30 ? blk_queue_enter+0x41c/0x4a0 kasan_report+0xab/0xe0 ? blk_queue_enter+0x41c/0x4a0 blk_queue_enter+0x41c/0x4a0 ? __irq_work_queue_local+0x75/0x1d0 ? blk_queue_start_drain+0x70/0x70 ? irq_work_queue+0x18/0x20 ? vprintk_emit.part.0+0x1cc/0x350 ? wake_up_klogd_work_func+0x60/0x60 blk_mq_alloc_request+0x2b7/0x6b0 ? __blk_mq_alloc_requests+0x1060/0x1060 ? __switch_to+0x5b7/0x1060 nvme_submit_user_cmd+0xa9/0x330 nvme_user_cmd.isra.0+0x240/0x3f0 ? force_sigsegv+0xe0/0xe0 ? nvme_user_cmd64+0x400/0x400 ? vfs_fileattr_set+0x9b0/0x9b0 ? cgroup_update_frozen_flag+0x24/0x1c0 ? cgroup_leave_frozen+0x204/0x330 ? nvme_ioctl+0x7c/0x2c0 blkdev_ioctl+0x1a8/0x4d0 ? blkdev_common_ioctl+0x1930/0x1930 ? fdget+0x54/0x380 __x64_sys_ioctl+0x129/0x190 do_syscall_64+0x5b/0x160 entry_SYSCALL_64_after_hwframe+0x4b/0x53 RIP: 0033:0x7f765f703b0b Code: ff ff ff 85 c0 79 9b 49 c7 c4 ff ff ff ff 5b 5d 4c 89 e0 41 5c c3 66 0f 1f 84 00 00 00 00 00 f3 0f 1e fa b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d dd 52 0f 00 f7 d8 64 89 01 48 RSP: 002b:00007ffe2cefe808 EFLAGS: 00000202 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 00007ffe2cefe860 RCX: 00007f765f703b0b RDX: 00007ffe2cefe860 RSI: 00000000c0484e41 RDI: 0000000000000003 RBP: 0000000000000000 R08: 0000000000000003 R09: 0000000000000000 R10: 00007f765f611d50 R11: 0000000000000202 R12: 0000000000000003 R13: 00000000c0484e41 R14: 0000000000000001 R15: 00007ffe2cefea60 </TASK>
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: bfs: Reconstruct file type when loading from disk syzbot is reporting that S_IFMT bits of inode->i_mode can become bogus when the S_IFMT bits of the 32bits "mode" field loaded from disk are corrupted or when the 32bits "attributes" field loaded from disk are corrupted. A documentation says that BFS uses only lower 9 bits of the "mode" field. But I can't find an explicit explanation that the unused upper 23 bits (especially, the S_IFMT bits) are initialized with 0. Therefore, ignore the S_IFMT bits of the "mode" field loaded from disk. Also, verify that the value of the "attributes" field loaded from disk is either BFS_VREG or BFS_VDIR (because BFS supports only regular files and the root directory).
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: mptcp: Initialise rcv_mss before calling tcp_send_active_reset() in mptcp_do_fastclose(). syzbot reported divide-by-zero in __tcp_select_window() by MPTCP socket. [0] We had a similar issue for the bare TCP and fixed in commit 499350a5a6e7 ("tcp: initialize rcv_mss to TCP_MIN_MSS instead of 0"). Let's apply the same fix to mptcp_do_fastclose(). [0]: Oops: divide error: 0000 [#1] SMP KASAN PTI CPU: 0 UID: 0 PID: 6068 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025 RIP: 0010:__tcp_select_window+0x824/0x1320 net/ipv4/tcp_output.c:3336 Code: ff ff ff 44 89 f1 d3 e0 89 c1 f7 d1 41 01 cc 41 21 c4 e9 a9 00 00 00 e8 ca 49 01 f8 e9 9c 00 00 00 e8 c0 49 01 f8 44 89 e0 99 <f7> 7c 24 1c 41 29 d4 48 bb 00 00 00 00 00 fc ff df e9 80 00 00 00 RSP: 0018:ffffc90003017640 EFLAGS: 00010293 RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffff88807b469e40 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 RBP: ffffc90003017730 R08: ffff888033268143 R09: 1ffff1100664d028 R10: dffffc0000000000 R11: ffffed100664d029 R12: 0000000000000000 R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 FS: 000055557faa0500(0000) GS:ffff888126135000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f64a1912ff8 CR3: 0000000072122000 CR4: 00000000003526f0 Call Trace: <TASK> tcp_select_window net/ipv4/tcp_output.c:281 [inline] __tcp_transmit_skb+0xbc7/0x3aa0 net/ipv4/tcp_output.c:1568 tcp_transmit_skb net/ipv4/tcp_output.c:1649 [inline] tcp_send_active_reset+0x2d1/0x5b0 net/ipv4/tcp_output.c:3836 mptcp_do_fastclose+0x27e/0x380 net/mptcp/protocol.c:2793 mptcp_disconnect+0x238/0x710 net/mptcp/protocol.c:3253 mptcp_sendmsg_fastopen+0x2f8/0x580 net/mptcp/protocol.c:1776 mptcp_sendmsg+0x1774/0x1980 net/mptcp/protocol.c:1855 sock_sendmsg_nosec net/socket.c:727 [inline] __sock_sendmsg+0xe5/0x270 net/socket.c:742 __sys_sendto+0x3bd/0x520 net/socket.c:2244 __do_sys_sendto net/socket.c:2251 [inline] __se_sys_sendto net/socket.c:2247 [inline] __x64_sys_sendto+0xde/0x100 net/socket.c:2247 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xfa/0xfa0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f66e998f749 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007ffff9acedb8 EFLAGS: 00000246 ORIG_RAX: 000000000000002c RAX: ffffffffffffffda RBX: 00007f66e9be5fa0 RCX: 00007f66e998f749 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003 RBP: 00007ffff9acee10 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001 R13: 00007f66e9be5fa0 R14: 00007f66e9be5fa0 R15: 0000000000000006 </TASK>
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: jbd2: avoid bug_on in jbd2_journal_get_create_access() when file system corrupted There's issue when file system corrupted: ------------[ cut here ]------------ kernel BUG at fs/jbd2/transaction.c:1289! Oops: invalid opcode: 0000 [#1] SMP KASAN PTI CPU: 5 UID: 0 PID: 2031 Comm: mkdir Not tainted 6.18.0-rc1-next RIP: 0010:jbd2_journal_get_create_access+0x3b6/0x4d0 RSP: 0018:ffff888117aafa30 EFLAGS: 00010202 RAX: 0000000000000000 RBX: ffff88811a86b000 RCX: ffffffff89a63534 RDX: 1ffff110200ec602 RSI: 0000000000000004 RDI: ffff888100763010 RBP: ffff888100763000 R08: 0000000000000001 R09: ffff888100763028 R10: 0000000000000003 R11: 0000000000000000 R12: 0000000000000000 R13: ffff88812c432000 R14: ffff88812c608000 R15: ffff888120bfc000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f91d6970c99 CR3: 00000001159c4000 CR4: 00000000000006f0 Call Trace: <TASK> __ext4_journal_get_create_access+0x42/0x170 ext4_getblk+0x319/0x6f0 ext4_bread+0x11/0x100 ext4_append+0x1e6/0x4a0 ext4_init_new_dir+0x145/0x1d0 ext4_mkdir+0x326/0x920 vfs_mkdir+0x45c/0x740 do_mkdirat+0x234/0x2f0 __x64_sys_mkdir+0xd6/0x120 do_syscall_64+0x5f/0xfa0 entry_SYSCALL_64_after_hwframe+0x76/0x7e The above issue occurs with us in errors=continue mode when accompanied by storage failures. There have been many inconsistencies in the file system data. In the case of file system data inconsistency, for example, if the block bitmap of a referenced block is not set, it can lead to the situation where a block being committed is allocated and used again. As a result, the following condition will not be satisfied then trigger BUG_ON. Of course, it is entirely possible to construct a problematic image that can trigger this BUG_ON through specific operations. In fact, I have constructed such an image and easily reproduced this issue. Therefore, J_ASSERT() holds true only under ideal conditions, but it may not necessarily be satisfied in exceptional scenarios. Using J_ASSERT() directly in abnormal situations would cause the system to crash, which is clearly not what we want. So here we directly trigger a JBD abort instead of immediately invoking BUG_ON.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: NFSv4/pNFS: Clear NFS_INO_LAYOUTCOMMIT in pnfs_mark_layout_stateid_invalid Fixes a crash when layout is null during this call stack: write_inode -> nfs4_write_inode -> pnfs_layoutcommit_inode pnfs_set_layoutcommit relies on the lseg refcount to keep the layout around. Need to clear NFS_INO_LAYOUTCOMMIT otherwise we might attempt to reference a null layout.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: bpf: Check skb->transport_header is set in bpf_skb_check_mtu The bpf_skb_check_mtu helper needs to use skb->transport_header when the BPF_MTU_CHK_SEGS flag is used: bpf_skb_check_mtu(skb, ifindex, &mtu_len, 0, BPF_MTU_CHK_SEGS) The transport_header is not always set. There is a WARN_ON_ONCE report when CONFIG_DEBUG_NET is enabled + skb->gso_size is set + bpf_prog_test_run is used: WARNING: CPU: 1 PID: 2216 at ./include/linux/skbuff.h:3071 skb_gso_validate_network_len bpf_skb_check_mtu bpf_prog_3920e25740a41171_tc_chk_segs_flag # A test in the next patch bpf_test_run bpf_prog_test_run_skb For a normal ingress skb (not test_run), skb_reset_transport_header is performed but there is plan to avoid setting it as described in commit 2170a1f09148 ("net: no longer reset transport_header in __netif_receive_skb_core()"). This patch fixes the bpf helper by checking skb_transport_header_was_set(). The check is done just before skb->transport_header is used, to avoid breaking the existing bpf prog. The WARN_ON_ONCE is limited to bpf_prog_test_run, so targeting bpf-next.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: scsi: smartpqi: Fix device resources accessed after device removal Correct possible race conditions during device removal. Previously, a scheduled work item to reset a LUN could still execute after the device was removed, leading to use-after-free and other resource access issues. This race condition occurs because the abort handler may schedule a LUN reset concurrently with device removal via sdev_destroy(), leading to use-after-free and improper access to freed resources. - Check in the device reset handler if the device is still present in the controller's SCSI device list before running; if not, the reset is skipped. - Cancel any pending TMF work that has not started in sdev_destroy(). - Ensure device freeing in sdev_destroy() is done while holding the LUN reset mutex to avoid races with ongoing resets.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: crypto: asymmetric_keys - prevent overflow in asymmetric_key_generate_id Use check_add_overflow() to guard against potential integer overflows when adding the binary blob lengths and the size of an asymmetric_key_id structure and return ERR_PTR(-EOVERFLOW) accordingly. This prevents a possible buffer overflow when copying data from potentially malicious X.509 certificate fields that can be arbitrarily large, such as ASN.1 INTEGER serial numbers, issuer names, etc.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: bpf: Do not let BPF test infra emit invalid GSO types to stack Yinhao et al. reported that their fuzzer tool was able to trigger a skb_warn_bad_offload() from netif_skb_features() -> gso_features_check(). When a BPF program - triggered via BPF test infra - pushes the packet to the loopback device via bpf_clone_redirect() then mentioned offload warning can be seen. GSO-related features are then rightfully disabled. We get into this situation due to convert___skb_to_skb() setting gso_segs and gso_size but not gso_type. Technically, it makes sense that this warning triggers since the GSO properties are malformed due to the gso_type. Potentially, the gso_type could be marked non-trustworthy through setting it at least to SKB_GSO_DODGY without any other specific assumptions, but that also feels wrong given we should not go further into the GSO engine in the first place. The checks were added in 121d57af308d ("gso: validate gso_type in GSO handlers") because there were malicious (syzbot) senders that combine a protocol with a non-matching gso_type. If we would want to drop such packets, gso_features_check() currently only returns feature flags via netif_skb_features(), so one location for potentially dropping such skbs could be validate_xmit_unreadable_skb(), but then otoh it would be an additional check in the fast-path for a very corner case. Given bpf_clone_redirect() is the only place where BPF test infra could emit such packets, lets reject them right there.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: bpf: Fix invalid prog->stats access when update_effective_progs fails Syzkaller triggers an invalid memory access issue following fault injection in update_effective_progs. The issue can be described as follows: __cgroup_bpf_detach update_effective_progs compute_effective_progs bpf_prog_array_alloc <-- fault inject purge_effective_progs /* change to dummy_bpf_prog */ array->items[index] = &dummy_bpf_prog.prog ---softirq start--- __do_softirq ... __cgroup_bpf_run_filter_skb __bpf_prog_run_save_cb bpf_prog_run stats = this_cpu_ptr(prog->stats) /* invalid memory access */ flags = u64_stats_update_begin_irqsave(&stats->syncp) ---softirq end--- static_branch_dec(&cgroup_bpf_enabled_key[atype]) The reason is that fault injection caused update_effective_progs to fail and then changed the original prog into dummy_bpf_prog.prog in purge_effective_progs. Then a softirq came, and accessing the members of dummy_bpf_prog.prog in the softirq triggers invalid mem access. To fix it, skip updating stats when stats is NULL.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: NFS: Automounted filesystems should inherit ro,noexec,nodev,sync flags When a filesystem is being automounted, it needs to preserve the user-set superblock mount options, such as the "ro" flag.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: spi: fsl-cpm: Check length parity before switching to 16 bit mode Commit fc96ec826bce ("spi: fsl-cpm: Use 16 bit mode for large transfers with even size") failed to make sure that the size is really even before switching to 16 bit mode. Until recently the problem went unnoticed because kernfs uses a pre-allocated bounce buffer of size PAGE_SIZE for reading EEPROM. But commit 8ad6249c51d0 ("eeprom: at25: convert to spi-mem API") introduced an additional dynamically allocated bounce buffer whose size is exactly the size of the transfer, leading to a buffer overrun in the fsl-cpm driver when that size is odd. Add the missing length parity verification and remain in 8 bit mode when the length is not even.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: net/hsr: fix NULL pointer dereference in prp_get_untagged_frame() prp_get_untagged_frame() calls __pskb_copy() to create frame->skb_std but doesn't check if the allocation failed. If __pskb_copy() returns NULL, skb_clone() is called with a NULL pointer, causing a crash: Oops: general protection fault, probably for non-canonical address 0xdffffc000000000f: 0000 [#1] SMP KASAN NOPTI KASAN: null-ptr-deref in range [0x0000000000000078-0x000000000000007f] CPU: 0 UID: 0 PID: 5625 Comm: syz.1.18 Not tainted syzkaller #0 PREEMPT(full) Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 RIP: 0010:skb_clone+0xd7/0x3a0 net/core/skbuff.c:2041 Code: 03 42 80 3c 20 00 74 08 4c 89 f7 e8 23 29 05 f9 49 83 3e 00 0f 85 a0 01 00 00 e8 94 dd 9d f8 48 8d 6b 7e 49 89 ee 49 c1 ee 03 <43> 0f b6 04 26 84 c0 0f 85 d1 01 00 00 44 0f b6 7d 00 41 83 e7 0c RSP: 0018:ffffc9000d00f200 EFLAGS: 00010207 RAX: ffffffff892235a1 RBX: 0000000000000000 RCX: ffff88803372a480 RDX: 0000000000000000 RSI: 0000000000000820 RDI: 0000000000000000 RBP: 000000000000007e R08: ffffffff8f7d0f77 R09: 1ffffffff1efa1ee R10: dffffc0000000000 R11: fffffbfff1efa1ef R12: dffffc0000000000 R13: 0000000000000820 R14: 000000000000000f R15: ffff88805144cc00 FS: 0000555557f6d500(0000) GS:ffff88808d72f000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000555581d35808 CR3: 000000005040e000 CR4: 0000000000352ef0 Call Trace: <TASK> hsr_forward_do net/hsr/hsr_forward.c:-1 [inline] hsr_forward_skb+0x1013/0x2860 net/hsr/hsr_forward.c:741 hsr_handle_frame+0x6ce/0xa70 net/hsr/hsr_slave.c:84 __netif_receive_skb_core+0x10b9/0x4380 net/core/dev.c:5966 __netif_receive_skb_one_core net/core/dev.c:6077 [inline] __netif_receive_skb+0x72/0x380 net/core/dev.c:6192 netif_receive_skb_internal net/core/dev.c:6278 [inline] netif_receive_skb+0x1cb/0x790 net/core/dev.c:6337 tun_rx_batched+0x1b9/0x730 drivers/net/tun.c:1485 tun_get_user+0x2b65/0x3e90 drivers/net/tun.c:1953 tun_chr_write_iter+0x113/0x200 drivers/net/tun.c:1999 new_sync_write fs/read_write.c:593 [inline] vfs_write+0x5c9/0xb30 fs/read_write.c:686 ksys_write+0x145/0x250 fs/read_write.c:738 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xfa/0xfa0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f0449f8e1ff Code: 89 54 24 18 48 89 74 24 10 89 7c 24 08 e8 f9 92 02 00 48 8b 54 24 18 48 8b 74 24 10 41 89 c0 8b 7c 24 08 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 31 44 89 c7 48 89 44 24 08 e8 4c 93 02 00 48 RSP: 002b:00007ffd7ad94c90 EFLAGS: 00000293 ORIG_RAX: 0000000000000001 RAX: ffffffffffffffda RBX: 00007f044a1e5fa0 RCX: 00007f0449f8e1ff RDX: 000000000000003e RSI: 0000200000000500 RDI: 00000000000000c8 RBP: 00007ffd7ad94d20 R08: 0000000000000000 R09: 0000000000000000 R10: 000000000000003e R11: 0000000000000293 R12: 0000000000000001 R13: 00007f044a1e5fa0 R14: 00007f044a1e5fa0 R15: 0000000000000003 </TASK> Add a NULL check immediately after __pskb_copy() to handle allocation failures gracefully.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: scsi: target: Reset t_task_cdb pointer in error case If allocation of cmd->t_task_cdb fails, it remains NULL but is later dereferenced in the 'err' path. In case of error, reset NULL t_task_cdb value to point at the default fixed-size buffer. Found by Linux Verification Center (linuxtesting.org) with SVACE.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: netrom: Fix memory leak in nr_sendmsg() syzbot reported a memory leak [1]. When function sock_alloc_send_skb() return NULL in nr_output(), the original skb is not freed, which was allocated in nr_sendmsg(). Fix this by freeing it before return. [1] BUG: memory leak unreferenced object 0xffff888129f35500 (size 240): comm "syz.0.17", pid 6119, jiffies 4294944652 hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00 00 00 00 00 00 00 00 00 10 52 28 81 88 ff ff ..........R(.... backtrace (crc 1456a3e4): kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline] slab_post_alloc_hook mm/slub.c:4983 [inline] slab_alloc_node mm/slub.c:5288 [inline] kmem_cache_alloc_node_noprof+0x36f/0x5e0 mm/slub.c:5340 __alloc_skb+0x203/0x240 net/core/skbuff.c:660 alloc_skb include/linux/skbuff.h:1383 [inline] alloc_skb_with_frags+0x69/0x3f0 net/core/skbuff.c:6671 sock_alloc_send_pskb+0x379/0x3e0 net/core/sock.c:2965 sock_alloc_send_skb include/net/sock.h:1859 [inline] nr_sendmsg+0x287/0x450 net/netrom/af_netrom.c:1105 sock_sendmsg_nosec net/socket.c:727 [inline] __sock_sendmsg net/socket.c:742 [inline] sock_write_iter+0x293/0x2a0 net/socket.c:1195 new_sync_write fs/read_write.c:593 [inline] vfs_write+0x45d/0x710 fs/read_write.c:686 ksys_write+0x143/0x170 fs/read_write.c:738 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xa4/0xfa0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: fsnotify: do not generate ACCESS/MODIFY events on child for special files inotify/fanotify do not allow users with no read access to a file to subscribe to events (e.g. IN_ACCESS/IN_MODIFY), but they do allow the same user to subscribe for watching events on children when the user has access to the parent directory (e.g. /dev). Users with no read access to a file but with read access to its parent directory can still stat the file and see if it was accessed/modified via atime/mtime change. The same is not true for special files (e.g. /dev/null). Users will not generally observe atime/mtime changes when other users read/write to special files, only when someone sets atime/mtime via utimensat(). Align fsnotify events with this stat behavior and do not generate ACCESS/MODIFY events to parent watchers on read/write of special files. The events are still generated to parent watchers on utimensat(). This closes some side-channels that could be possibly used for information exfiltration [1]. [1] https://snee.la/pdf/pubs/file-notification-attacks.pdf
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: perf/x86/amd: Check event before enable to avoid GPF On AMD machines cpuc->events[idx] can become NULL in a subtle race condition with NMI->throttle->x86_pmu_stop(). Check event for NULL in amd_pmu_enable_all() before enable to avoid a GPF. This appears to be an AMD only issue. Syzkaller reported a GPF in amd_pmu_enable_all. INFO: NMI handler (perf_event_nmi_handler) took too long to run: 13.143 msecs Oops: general protection fault, probably for non-canonical address 0xdffffc0000000034: 0000 PREEMPT SMP KASAN NOPTI KASAN: null-ptr-deref in range [0x00000000000001a0-0x00000000000001a7] CPU: 0 UID: 0 PID: 328415 Comm: repro_36674776 Not tainted 6.12.0-rc1-syzk RIP: 0010:x86_pmu_enable_event (arch/x86/events/perf_event.h:1195 arch/x86/events/core.c:1430) RSP: 0018:ffff888118009d60 EFLAGS: 00010012 RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000 RDX: 0000000000000034 RSI: 0000000000000000 RDI: 00000000000001a0 RBP: 0000000000000001 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000002 R13: ffff88811802a440 R14: ffff88811802a240 R15: ffff8881132d8601 FS: 00007f097dfaa700(0000) GS:ffff888118000000(0000) GS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00000000200001c0 CR3: 0000000103d56000 CR4: 00000000000006f0 Call Trace: <IRQ> amd_pmu_enable_all (arch/x86/events/amd/core.c:760 (discriminator 2)) x86_pmu_enable (arch/x86/events/core.c:1360) event_sched_out (kernel/events/core.c:1191 kernel/events/core.c:1186 kernel/events/core.c:2346) __perf_remove_from_context (kernel/events/core.c:2435) event_function (kernel/events/core.c:259) remote_function (kernel/events/core.c:92 (discriminator 1) kernel/events/core.c:72 (discriminator 1)) __flush_smp_call_function_queue (./arch/x86/include/asm/jump_label.h:27 ./include/linux/jump_label.h:207 ./include/trace/events/csd.h:64 kernel/smp.c:135 kernel/smp.c:540) __sysvec_call_function_single (./arch/x86/include/asm/jump_label.h:27 ./include/linux/jump_label.h:207 ./arch/x86/include/asm/trace/irq_vectors.h:99 arch/x86/kernel/smp.c:272) sysvec_call_function_single (arch/x86/kernel/smp.c:266 (discriminator 47) arch/x86/kernel/smp.c:266 (discriminator 47)) </IRQ>
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: NFSD: NFSv4 file creation neglects setting ACL An NFSv4 client that sets an ACL with a named principal during file creation retrieves the ACL afterwards, and finds that it is only a default ACL (based on the mode bits) and not the ACL that was requested during file creation. This violates RFC 8881 section 6.4.1.3: "the ACL attribute is set as given". The issue occurs in nfsd_create_setattr(), which calls nfsd_attrs_valid() to determine whether to call nfsd_setattr(). However, nfsd_attrs_valid() checks only for iattr changes and security labels, but not POSIX ACLs. When only an ACL is present, the function returns false, nfsd_setattr() is skipped, and the POSIX ACL is never applied to the inode. Subsequently, when the client retrieves the ACL, the server finds no POSIX ACL on the inode and returns one generated from the file's mode bits rather than returning the originally-specified ACL.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: io_uring: fix filename leak in __io_openat_prep() __io_openat_prep() allocates a struct filename using getname(). However, for the condition of the file being installed in the fixed file table as well as having O_CLOEXEC flag set, the function returns early. At that point, the request doesn't have REQ_F_NEED_CLEANUP flag set. Due to this, the memory for the newly allocated struct filename is not cleaned up, causing a memory leak. Fix this by setting the REQ_F_NEED_CLEANUP for the request just after the successful getname() call, so that when the request is torn down, the filename will be cleaned up, along with other resources needing cleanup.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: net/mlx5: fw_tracer, Validate format string parameters Add validation for format string parameters in the firmware tracer to prevent potential security vulnerabilities and crashes from malformed format strings received from firmware. The firmware tracer receives format strings from the device firmware and uses them to format trace messages. Without proper validation, bad firmware could provide format strings with invalid format specifiers (e.g., %s, %p, %n) that could lead to crashes, or other undefined behavior. Add mlx5_tracer_validate_params() to validate that all format specifiers in trace strings are limited to safe integer/hex formats (%x, %d, %i, %u, %llx, %lx, etc.). Reject strings containing other format types that could be used to access arbitrary memory or cause crashes. Invalid format strings are added to the trace output for visibility with "BAD_FORMAT: " prefix.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: scsi: Revert "scsi: qla2xxx: Perform lockless command completion in abort path" This reverts commit 0367076b0817d5c75dfb83001ce7ce5c64d803a9. The commit being reverted added code to __qla2x00_abort_all_cmds() to call sp->done() without holding a spinlock. But unlike the older code below it, this new code failed to check sp->cmd_type and just assumed TYPE_SRB, which results in a jump to an invalid pointer in target-mode with TYPE_TGT_CMD: qla2xxx [0000:65:00.0]-d034:8: qla24xx_do_nack_work create sess success 0000000009f7a79b qla2xxx [0000:65:00.0]-5003:8: ISP System Error - mbx1=1ff5h mbx2=10h mbx3=0h mbx4=0h mbx5=191h mbx6=0h mbx7=0h. qla2xxx [0000:65:00.0]-d01e:8: -> fwdump no buffer qla2xxx [0000:65:00.0]-f03a:8: qla_target(0): System error async event 0x8002 occurred qla2xxx [0000:65:00.0]-00af:8: Performing ISP error recovery - ha=0000000058183fda. BUG: kernel NULL pointer dereference, address: 0000000000000000 PF: supervisor instruction fetch in kernel mode PF: error_code(0x0010) - not-present page PGD 0 P4D 0 Oops: 0010 [#1] SMP CPU: 2 PID: 9446 Comm: qla2xxx_8_dpc Tainted: G O 6.1.133 #1 Hardware name: Supermicro Super Server/X11SPL-F, BIOS 4.2 12/15/2023 RIP: 0010:0x0 Code: Unable to access opcode bytes at 0xffffffffffffffd6. RSP: 0018:ffffc90001f93dc8 EFLAGS: 00010206 RAX: 0000000000000282 RBX: 0000000000000355 RCX: ffff88810d16a000 RDX: ffff88810dbadaa8 RSI: 0000000000080000 RDI: ffff888169dc38c0 RBP: ffff888169dc38c0 R08: 0000000000000001 R09: 0000000000000045 R10: ffffffffa034bdf0 R11: 0000000000000000 R12: ffff88810800bb40 R13: 0000000000001aa8 R14: ffff888100136610 R15: ffff8881070f7400 FS: 0000000000000000(0000) GS:ffff88bf80080000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: ffffffffffffffd6 CR3: 000000010c8ff006 CR4: 00000000003706e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> ? __die+0x4d/0x8b ? page_fault_oops+0x91/0x180 ? trace_buffer_unlock_commit_regs+0x38/0x1a0 ? exc_page_fault+0x391/0x5e0 ? asm_exc_page_fault+0x22/0x30 __qla2x00_abort_all_cmds+0xcb/0x3e0 [qla2xxx_scst] qla2x00_abort_all_cmds+0x50/0x70 [qla2xxx_scst] qla2x00_abort_isp_cleanup+0x3b7/0x4b0 [qla2xxx_scst] qla2x00_abort_isp+0xfd/0x860 [qla2xxx_scst] qla2x00_do_dpc+0x581/0xa40 [qla2xxx_scst] kthread+0xa8/0xd0 </TASK> Then commit 4475afa2646d ("scsi: qla2xxx: Complete command early within lock") added the spinlock back, because not having the lock caused a race and a crash. But qla2x00_abort_srb() in the switch below already checks for qla2x00_chip_is_down() and handles it the same way, so the code above the switch is now redundant and still buggy in target-mode. Remove it.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: ext4: xattr: fix null pointer deref in ext4_raw_inode() If ext4_get_inode_loc() fails (e.g. if it returns -EFSCORRUPTED), iloc.bh will remain set to NULL. Since ext4_xattr_inode_dec_ref_all() lacks error checking, this will lead to a null pointer dereference in ext4_raw_inode(), called right after ext4_get_inode_loc(). Found by Linux Verification Center (linuxtesting.org) with SVACE.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: net: hns3: using the num_tqps in the vf driver to apply for resources Currently, hdev->htqp is allocated using hdev->num_tqps, and kinfo->tqp is allocated using kinfo->num_tqps. However, kinfo->num_tqps is set to min(new_tqps, hdev->num_tqps); Therefore, kinfo->num_tqps may be smaller than hdev->num_tqps, which causes some hdev->htqp[i] to remain uninitialized in hclgevf_knic_setup(). Thus, this patch allocates hdev->htqp and kinfo->tqp using hdev->num_tqps, ensuring that the lengths of hdev->htqp and kinfo->tqp are consistent and that all elements are properly initialized.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: scsi: aic94xx: fix use-after-free in device removal path The asd_pci_remove() function fails to synchronize with pending tasklets before freeing the asd_ha structure, leading to a potential use-after-free vulnerability. When a device removal is triggered (via hot-unplug or module unload), race condition can occur. The fix adds tasklet_kill() before freeing the asd_ha structure, ensuring all scheduled tasklets complete before cleanup proceeds.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: net: nfc: fix deadlock between nfc_unregister_device and rfkill_fop_write A deadlock can occur between nfc_unregister_device() and rfkill_fop_write() due to lock ordering inversion between device_lock and rfkill_global_mutex. The problematic lock order is: Thread A (rfkill_fop_write): rfkill_fop_write() mutex_lock(&rfkill_global_mutex) rfkill_set_block() nfc_rfkill_set_block() nfc_dev_down() device_lock(&dev->dev) <- waits for device_lock Thread B (nfc_unregister_device): nfc_unregister_device() device_lock(&dev->dev) rfkill_unregister() mutex_lock(&rfkill_global_mutex) <- waits for rfkill_global_mutex This creates a classic ABBA deadlock scenario. Fix this by moving rfkill_unregister() and rfkill_destroy() outside the device_lock critical section. Store the rfkill pointer in a local variable before releasing the lock, then call rfkill_unregister() after releasing device_lock. This change is safe because rfkill_fop_write() holds rfkill_global_mutex while calling the rfkill callbacks, and rfkill_unregister() also acquires rfkill_global_mutex before cleanup. Therefore, rfkill_unregister() will wait for any ongoing callback to complete before proceeding, and device_del() is only called after rfkill_unregister() returns, preventing any use-after-free. The similar lock ordering in nfc_register_device() (device_lock -> rfkill_global_mutex via rfkill_register) is safe because during registration the device is not yet in rfkill_list, so no concurrent rfkill operations can occur on this device.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: ipv6: BUG() in pskb_expand_head() as part of calipso_skbuff_setattr() There exists a kernel oops caused by a BUG_ON(nhead < 0) at net/core/skbuff.c:2232 in pskb_expand_head(). This bug is triggered as part of the calipso_skbuff_setattr() routine when skb_cow() is passed headroom > INT_MAX (i.e. (int)(skb_headroom(skb) + len_delta) < 0). The root cause of the bug is due to an implicit integer cast in __skb_cow(). The check (headroom > skb_headroom(skb)) is meant to ensure that delta = headroom - skb_headroom(skb) is never negative, otherwise we will trigger a BUG_ON in pskb_expand_head(). However, if headroom > INT_MAX and delta <= -NET_SKB_PAD, the check passes, delta becomes negative, and pskb_expand_head() is passed a negative value for nhead. Fix the trigger condition in calipso_skbuff_setattr(). Avoid passing "negative" headroom sizes to skb_cow() within calipso_skbuff_setattr() by only using skb_cow() to grow headroom. PoC: Using `netlabelctl` tool: netlabelctl map del default netlabelctl calipso add pass doi:7 netlabelctl map add default address:0::1/128 protocol:calipso,7 Then run the following PoC: int fd = socket(AF_INET6, SOCK_DGRAM, IPPROTO_UDP); // setup msghdr int cmsg_size = 2; int cmsg_len = 0x60; struct msghdr msg; struct sockaddr_in6 dest_addr; struct cmsghdr * cmsg = (struct cmsghdr *) calloc(1, sizeof(struct cmsghdr) + cmsg_len); msg.msg_name = &dest_addr; msg.msg_namelen = sizeof(dest_addr); msg.msg_iov = NULL; msg.msg_iovlen = 0; msg.msg_control = cmsg; msg.msg_controllen = cmsg_len; msg.msg_flags = 0; // setup sockaddr dest_addr.sin6_family = AF_INET6; dest_addr.sin6_port = htons(31337); dest_addr.sin6_flowinfo = htonl(31337); dest_addr.sin6_addr = in6addr_loopback; dest_addr.sin6_scope_id = 31337; // setup cmsghdr cmsg->cmsg_len = cmsg_len; cmsg->cmsg_level = IPPROTO_IPV6; cmsg->cmsg_type = IPV6_HOPOPTS; char * hop_hdr = (char *)cmsg + sizeof(struct cmsghdr); hop_hdr[1] = 0x9; //set hop size - (0x9 + 1) * 8 = 80 sendmsg(fd, &msg, 0);
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: net: rose: fix invalid array index in rose_kill_by_device() rose_kill_by_device() collects sockets into a local array[] and then iterates over them to disconnect sockets bound to a device being brought down. The loop mistakenly indexes array[cnt] instead of array[i]. For cnt < ARRAY_SIZE(array), this reads an uninitialized entry; for cnt == ARRAY_SIZE(array), it is an out-of-bounds read. Either case can lead to an invalid socket pointer dereference and also leaks references taken via sock_hold(). Fix the index to use i.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: mptcp: fallback earlier on simult connection Syzkaller reports a simult-connect race leading to inconsistent fallback status: WARNING: CPU: 3 PID: 33 at net/mptcp/subflow.c:1515 subflow_data_ready+0x40b/0x7c0 net/mptcp/subflow.c:1515 Modules linked in: CPU: 3 UID: 0 PID: 33 Comm: ksoftirqd/3 Not tainted syzkaller #0 PREEMPT(full) Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 RIP: 0010:subflow_data_ready+0x40b/0x7c0 net/mptcp/subflow.c:1515 Code: 89 ee e8 78 61 3c f6 40 84 ed 75 21 e8 8e 66 3c f6 44 89 fe bf 07 00 00 00 e8 c1 61 3c f6 41 83 ff 07 74 09 e8 76 66 3c f6 90 <0f> 0b 90 e8 6d 66 3c f6 48 89 df e8 e5 ad ff ff 31 ff 89 c5 89 c6 RSP: 0018:ffffc900006cf338 EFLAGS: 00010246 RAX: 0000000000000000 RBX: ffff888031acd100 RCX: ffffffff8b7f2abf RDX: ffff88801e6ea440 RSI: ffffffff8b7f2aca RDI: 0000000000000005 RBP: 0000000000000000 R08: 0000000000000005 R09: 0000000000000007 R10: 0000000000000004 R11: 0000000000002c10 R12: ffff88802ba69900 R13: 1ffff920000d9e67 R14: ffff888046f81800 R15: 0000000000000004 FS: 0000000000000000(0000) GS:ffff8880d69bc000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000560fc0ca1670 CR3: 0000000032c3a000 CR4: 0000000000352ef0 Call Trace: <TASK> tcp_data_queue+0x13b0/0x4f90 net/ipv4/tcp_input.c:5197 tcp_rcv_state_process+0xfdf/0x4ec0 net/ipv4/tcp_input.c:6922 tcp_v6_do_rcv+0x492/0x1740 net/ipv6/tcp_ipv6.c:1672 tcp_v6_rcv+0x2976/0x41e0 net/ipv6/tcp_ipv6.c:1918 ip6_protocol_deliver_rcu+0x188/0x1520 net/ipv6/ip6_input.c:438 ip6_input_finish+0x1e4/0x4b0 net/ipv6/ip6_input.c:489 NF_HOOK include/linux/netfilter.h:318 [inline] NF_HOOK include/linux/netfilter.h:312 [inline] ip6_input+0x105/0x2f0 net/ipv6/ip6_input.c:500 dst_input include/net/dst.h:471 [inline] ip6_rcv_finish net/ipv6/ip6_input.c:79 [inline] NF_HOOK include/linux/netfilter.h:318 [inline] NF_HOOK include/linux/netfilter.h:312 [inline] ipv6_rcv+0x264/0x650 net/ipv6/ip6_input.c:311 __netif_receive_skb_one_core+0x12d/0x1e0 net/core/dev.c:5979 __netif_receive_skb+0x1d/0x160 net/core/dev.c:6092 process_backlog+0x442/0x15e0 net/core/dev.c:6444 __napi_poll.constprop.0+0xba/0x550 net/core/dev.c:7494 napi_poll net/core/dev.c:7557 [inline] net_rx_action+0xa9f/0xfe0 net/core/dev.c:7684 handle_softirqs+0x216/0x8e0 kernel/softirq.c:579 run_ksoftirqd kernel/softirq.c:968 [inline] run_ksoftirqd+0x3a/0x60 kernel/softirq.c:960 smpboot_thread_fn+0x3f7/0xae0 kernel/smpboot.c:160 kthread+0x3c2/0x780 kernel/kthread.c:463 ret_from_fork+0x5d7/0x6f0 arch/x86/kernel/process.c:148 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245 </TASK> The TCP subflow can process the simult-connect syn-ack packet after transitioning to TCP_FIN1 state, bypassing the MPTCP fallback check, as the sk_state_change() callback is not invoked for * -> FIN_WAIT1 transitions. That will move the msk socket to an inconsistent status and the next incoming data will hit the reported splat. Close the race moving the simult-fallback check at the earliest possible stage - that is at syn-ack generation time. About the fixes tags: [2] was supposed to also fix this issue introduced by [3]. [1] is required as a dependence: it was not explicitly marked as a fix, but it is one and it has already been backported before [3]. In other words, this commit should be backported up to [3], including [2] and [1] if that's not already there.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: net: stmmac: fix the crash issue for zero copy XDP_TX action There is a crash issue when running zero copy XDP_TX action, the crash log is shown below. [ 216.122464] Unable to handle kernel paging request at virtual address fffeffff80000000 [ 216.187524] Internal error: Oops: 0000000096000144 [#1] SMP [ 216.301694] Call trace: [ 216.304130] dcache_clean_poc+0x20/0x38 (P) [ 216.308308] __dma_sync_single_for_device+0x1bc/0x1e0 [ 216.313351] stmmac_xdp_xmit_xdpf+0x354/0x400 [ 216.317701] __stmmac_xdp_run_prog+0x164/0x368 [ 216.322139] stmmac_napi_poll_rxtx+0xba8/0xf00 [ 216.326576] __napi_poll+0x40/0x218 [ 216.408054] Kernel panic - not syncing: Oops: Fatal exception in interrupt For XDP_TX action, the xdp_buff is converted to xdp_frame by xdp_convert_buff_to_frame(). The memory type of the resulting xdp_frame depends on the memory type of the xdp_buff. For page pool based xdp_buff it produces xdp_frame with memory type MEM_TYPE_PAGE_POOL. For zero copy XSK pool based xdp_buff it produces xdp_frame with memory type MEM_TYPE_PAGE_ORDER0. However, stmmac_xdp_xmit_back() does not check the memory type and always uses the page pool type, this leads to invalid mappings and causes the crash. Therefore, check the xdp_buff memory type in stmmac_xdp_xmit_back() to fix this issue.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: ipv4: Fix reference count leak when using error routes with nexthop objects When a nexthop object is deleted, it is marked as dead and then fib_table_flush() is called to flush all the routes that are using the dead nexthop. The current logic in fib_table_flush() is to only flush error routes (e.g., blackhole) when it is called as part of network namespace dismantle (i.e., with flush_all=true). Therefore, error routes are not flushed when their nexthop object is deleted: # ip link add name dummy1 up type dummy # ip nexthop add id 1 dev dummy1 # ip route add 198.51.100.1/32 nhid 1 # ip route add blackhole 198.51.100.2/32 nhid 1 # ip nexthop del id 1 # ip route show blackhole 198.51.100.2 nhid 1 dev dummy1 As such, they keep holding a reference on the nexthop object which in turn holds a reference on the nexthop device, resulting in a reference count leak: # ip link del dev dummy1 [ 70.516258] unregister_netdevice: waiting for dummy1 to become free. Usage count = 2 Fix by flushing error routes when their nexthop is marked as dead. IPv6 does not suffer from this problem.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: ip6_gre: make ip6gre_header() robust Over the years, syzbot found many ways to crash the kernel in ip6gre_header() [1]. This involves team or bonding drivers ability to dynamically change their dev->needed_headroom and/or dev->hard_header_len In this particular crash mld_newpack() allocated an skb with a too small reserve/headroom, and by the time mld_sendpack() was called, syzbot managed to attach an ip6gre device. [1] skbuff: skb_under_panic: text:ffffffff8a1d69a8 len:136 put:40 head:ffff888059bc7000 data:ffff888059bc6fe8 tail:0x70 end:0x6c0 dev:team0 ------------[ cut here ]------------ kernel BUG at net/core/skbuff.c:213 ! <TASK> skb_under_panic net/core/skbuff.c:223 [inline] skb_push+0xc3/0xe0 net/core/skbuff.c:2641 ip6gre_header+0xc8/0x790 net/ipv6/ip6_gre.c:1371 dev_hard_header include/linux/netdevice.h:3436 [inline] neigh_connected_output+0x286/0x460 net/core/neighbour.c:1618 neigh_output include/net/neighbour.h:556 [inline] ip6_finish_output2+0xfb3/0x1480 net/ipv6/ip6_output.c:136 __ip6_finish_output net/ipv6/ip6_output.c:-1 [inline] ip6_finish_output+0x234/0x7d0 net/ipv6/ip6_output.c:220 NF_HOOK_COND include/linux/netfilter.h:307 [inline] ip6_output+0x340/0x550 net/ipv6/ip6_output.c:247 NF_HOOK+0x9e/0x380 include/linux/netfilter.h:318 mld_sendpack+0x8d4/0xe60 net/ipv6/mcast.c:1855 mld_send_cr net/ipv6/mcast.c:2154 [inline] mld_ifc_work+0x83e/0xd60 net/ipv6/mcast.c:2693
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: KVM: x86: Fix VM hard lockup after prolonged inactivity with periodic HV timer When advancing the target expiration for the guest's APIC timer in periodic mode, set the expiration to "now" if the target expiration is in the past (similar to what is done in update_target_expiration()). Blindly adding the period to the previous target expiration can result in KVM generating a practically unbounded number of hrtimer IRQs due to programming an expired timer over and over. In extreme scenarios, e.g. if userspace pauses/suspends a VM for an extended duration, this can even cause hard lockups in the host. Currently, the bug only affects Intel CPUs when using the hypervisor timer (HV timer), a.k.a. the VMX preemption timer. Unlike the software timer, a.k.a. hrtimer, which KVM keeps running even on exits to userspace, the HV timer only runs while the guest is active. As a result, if the vCPU does not run for an extended duration, there will be a huge gap between the target expiration and the current time the vCPU resumes running. Because the target expiration is incremented by only one period on each timer expiration, this leads to a series of timer expirations occurring rapidly after the vCPU/VM resumes. More critically, when the vCPU first triggers a periodic HV timer expiration after resuming, advancing the expiration by only one period will result in a target expiration in the past. As a result, the delta may be calculated as a negative value. When the delta is converted into an absolute value (tscdeadline is an unsigned u64), the resulting value can overflow what the HV timer is capable of programming. I.e. the large value will exceed the VMX Preemption Timer's maximum bit width of cpu_preemption_timer_multi + 32, and thus cause KVM to switch from the HV timer to the software timer (hrtimers). After switching to the software timer, periodic timer expiration callbacks may be executed consecutively within a single clock interrupt handler, because hrtimers honors KVM's request for an expiration in the past and immediately re-invokes KVM's callback after reprogramming. And because the interrupt handler runs with IRQs disabled, restarting KVM's hrtimer over and over until the target expiration is advanced to "now" can result in a hard lockup. E.g. the following hard lockup was triggered in the host when running a Windows VM (only relevant because it used the APIC timer in periodic mode) after resuming the VM from a long suspend (in the host). NMI watchdog: Watchdog detected hard LOCKUP on cpu 45 ... RIP: 0010:advance_periodic_target_expiration+0x4d/0x80 [kvm] ... RSP: 0018:ff4f88f5d98d8ef0 EFLAGS: 00000046 RAX: fff0103f91be678e RBX: fff0103f91be678e RCX: 00843a7d9e127bcc RDX: 0000000000000002 RSI: 0052ca4003697505 RDI: ff440d5bfbdbd500 RBP: ff440d5956f99200 R08: ff2ff2a42deb6a84 R09: 000000000002a6c0 R10: 0122d794016332b3 R11: 0000000000000000 R12: ff440db1af39cfc0 R13: ff440db1af39cfc0 R14: ffffffffc0d4a560 R15: ff440db1af39d0f8 FS: 00007f04a6ffd700(0000) GS:ff440db1af380000(0000) knlGS:000000e38a3b8000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000000d5651feff8 CR3: 000000684e038002 CR4: 0000000000773ee0 PKRU: 55555554 Call Trace: <IRQ> apic_timer_fn+0x31/0x50 [kvm] __hrtimer_run_queues+0x100/0x280 hrtimer_interrupt+0x100/0x210 ? ttwu_do_wakeup+0x19/0x160 smp_apic_timer_interrupt+0x6a/0x130 apic_timer_interrupt+0xf/0x20 </IRQ> Moreover, if the suspend duration of the virtual machine is not long enough to trigger a hard lockup in this scenario, since commit 98c25ead5eda ("KVM: VMX: Move preemption timer <=> hrtimer dance to common x86"), KVM will continue using the software timer until the guest reprograms the APIC timer in some way. Since the periodic timer does not require frequent APIC timer register programming, the guest may continue to use the software timer in ---truncated---
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: net: hns3: add VLAN id validation before using Currently, the VLAN id may be used without validation when receive a VLAN configuration mailbox from VF. The length of vlan_del_fail_bmap is BITS_TO_LONGS(VLAN_N_VID). It may cause out-of-bounds memory access once the VLAN id is bigger than or equal to VLAN_N_VID. Therefore, VLAN id needs to be checked to ensure it is within the range of VLAN_N_VID.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: crypto: af_alg - zero initialize memory allocated via sock_kmalloc Several crypto user API contexts and requests allocated with sock_kmalloc() were left uninitialized, relying on callers to set fields explicitly. This resulted in the use of uninitialized data in certain error paths or when new fields are added in the future. The ACVP patches also contain two user-space interface files: algif_kpp.c and algif_akcipher.c. These too rely on proper initialization of their context structures. A particular issue has been observed with the newly added 'inflight' variable introduced in af_alg_ctx by commit: 67b164a871af ("crypto: af_alg - Disallow multiple in-flight AIO requests") Because the context is not memset to zero after allocation, the inflight variable has contained garbage values. As a result, af_alg_alloc_areq() has incorrectly returned -EBUSY randomly when the garbage value was interpreted as true: https://github.com/gregkh/linux/blame/master/crypto/af_alg.c#L1209 The check directly tests ctx->inflight without explicitly comparing against true/false. Since inflight is only ever set to true or false later, an uninitialized value has triggered -EBUSY failures. Zero-initializing memory allocated with sock_kmalloc() ensures inflight and other fields start in a known state, removing random issues caused by uninitialized data.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: via_wdt: fix critical boot hang due to unnamed resource allocation The VIA watchdog driver uses allocate_resource() to reserve a MMIO region for the watchdog control register. However, the allocated resource was not given a name, which causes the kernel resource tree to contain an entry marked as "<BAD>" under /proc/iomem on x86 platforms. During boot, this unnamed resource can lead to a critical hang because subsequent resource lookups and conflict checks fail to handle the invalid entry properly.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: SUNRPC: svcauth_gss: avoid NULL deref on zero length gss_token in gss_read_proxy_verf A zero length gss_token results in pages == 0 and in_token->pages[0] is NULL. The code unconditionally evaluates page_address(in_token->pages[0]) for the initial memcpy, which can dereference NULL even when the copy length is 0. Guard the first memcpy so it only runs when length > 0.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: ext4: fix string copying in parse_apply_sb_mount_options() strscpy_pad() can't be used to copy a non-NUL-term string into a NUL-term string of possibly bigger size. Commit 0efc5990bca5 ("string.h: Introduce memtostr() and memtostr_pad()") provides additional information in that regard. So if this happens, the following warning is observed: strnlen: detected buffer overflow: 65 byte read of buffer size 64 WARNING: CPU: 0 PID: 28655 at lib/string_helpers.c:1032 __fortify_report+0x96/0xc0 lib/string_helpers.c:1032 Modules linked in: CPU: 0 UID: 0 PID: 28655 Comm: syz-executor.3 Not tainted 6.12.54-syzkaller-00144-g5f0270f1ba00 #0 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 RIP: 0010:__fortify_report+0x96/0xc0 lib/string_helpers.c:1032 Call Trace: <TASK> __fortify_panic+0x1f/0x30 lib/string_helpers.c:1039 strnlen include/linux/fortify-string.h:235 [inline] sized_strscpy include/linux/fortify-string.h:309 [inline] parse_apply_sb_mount_options fs/ext4/super.c:2504 [inline] __ext4_fill_super fs/ext4/super.c:5261 [inline] ext4_fill_super+0x3c35/0xad00 fs/ext4/super.c:5706 get_tree_bdev_flags+0x387/0x620 fs/super.c:1636 vfs_get_tree+0x93/0x380 fs/super.c:1814 do_new_mount fs/namespace.c:3553 [inline] path_mount+0x6ae/0x1f70 fs/namespace.c:3880 do_mount fs/namespace.c:3893 [inline] __do_sys_mount fs/namespace.c:4103 [inline] __se_sys_mount fs/namespace.c:4080 [inline] __x64_sys_mount+0x280/0x300 fs/namespace.c:4080 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0x64/0x140 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x76/0x7e Since userspace is expected to provide s_mount_opts field to be at most 63 characters long with the ending byte being NUL-term, use a 64-byte buffer which matches the size of s_mount_opts, so that strscpy_pad() does its job properly. Return with error if the user still managed to provide a non-NUL-term string here. Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: crypto: seqiv - Do not use req->iv after crypto_aead_encrypt As soon as crypto_aead_encrypt is called, the underlying request may be freed by an asynchronous completion. Thus dereferencing req->iv after it returns is invalid. Instead of checking req->iv against info, create a new variable unaligned_info and use it for that purpose instead.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: dm-verity: disable recursive forward error correction There are two problems with the recursive correction: 1. It may cause denial-of-service. In fec_read_bufs, there is a loop that has 253 iterations. For each iteration, we may call verity_hash_for_block recursively. There is a limit of 4 nested recursions - that means that there may be at most 253^4 (4 billion) iterations. Red Hat QE team actually created an image that pushes dm-verity to this limit - and this image just makes the udev-worker process get stuck in the 'D' state. 2. It doesn't work. In fec_read_bufs we store data into the variable "fio->bufs", but fio bufs is shared between recursive invocations, if "verity_hash_for_block" invoked correction recursively, it would overwrite partially filled fio->bufs.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: dmaengine: tegra-adma: Fix use-after-free A use-after-free bug exists in the Tegra ADMA driver when audio streams are terminated, particularly during XRUN conditions. The issue occurs when the DMA buffer is freed by tegra_adma_terminate_all() before the vchan completion tasklet finishes accessing it. The race condition follows this sequence: 1. DMA transfer completes, triggering an interrupt that schedules the completion tasklet (tasklet has not executed yet) 2. Audio playback stops, calling tegra_adma_terminate_all() which frees the DMA buffer memory via kfree() 3. The scheduled tasklet finally executes, calling vchan_complete() which attempts to access the already-freed memory Since tasklets can execute at any time after being scheduled, there is no guarantee that the buffer will remain valid when vchan_complete() runs. Fix this by properly synchronizing the virtual channel completion: - Calling vchan_terminate_vdesc() in tegra_adma_stop() to mark the descriptors as terminated instead of freeing the descriptor. - Add the callback tegra_adma_synchronize() that calls vchan_synchronize() which kills any pending tasklets and frees any terminated descriptors. Crash logs: [ 337.427523] BUG: KASAN: use-after-free in vchan_complete+0x124/0x3b0 [ 337.427544] Read of size 8 at addr ffff000132055428 by task swapper/0/0 [ 337.427562] Call trace: [ 337.427564] dump_backtrace+0x0/0x320 [ 337.427571] show_stack+0x20/0x30 [ 337.427575] dump_stack_lvl+0x68/0x84 [ 337.427584] print_address_description.constprop.0+0x74/0x2b8 [ 337.427590] kasan_report+0x1f4/0x210 [ 337.427598] __asan_load8+0xa0/0xd0 [ 337.427603] vchan_complete+0x124/0x3b0 [ 337.427609] tasklet_action_common.constprop.0+0x190/0x1d0 [ 337.427617] tasklet_action+0x30/0x40 [ 337.427623] __do_softirq+0x1a0/0x5c4 [ 337.427628] irq_exit+0x110/0x140 [ 337.427633] handle_domain_irq+0xa4/0xe0 [ 337.427640] gic_handle_irq+0x64/0x160 [ 337.427644] call_on_irq_stack+0x20/0x4c [ 337.427649] do_interrupt_handler+0x7c/0x90 [ 337.427654] el1_interrupt+0x30/0x80 [ 337.427659] el1h_64_irq_handler+0x18/0x30 [ 337.427663] el1h_64_irq+0x7c/0x80 [ 337.427667] cpuidle_enter_state+0xe4/0x540 [ 337.427674] cpuidle_enter+0x54/0x80 [ 337.427679] do_idle+0x2e0/0x380 [ 337.427685] cpu_startup_entry+0x2c/0x70 [ 337.427690] rest_init+0x114/0x130 [ 337.427695] arch_call_rest_init+0x18/0x24 [ 337.427702] start_kernel+0x380/0x3b4 [ 337.427706] __primary_switched+0xc0/0xc8
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: dmaengine: idxd: fix device leaks on compat bind and unbind Make sure to drop the reference taken when looking up the idxd device as part of the compat bind and unbind sysfs interface.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: dmaengine: ti: dma-crossbar: fix device leak on am335x route allocation Make sure to drop the reference taken when looking up the crossbar platform device during am335x route allocation.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: dmaengine: stm32: dmamux: fix device leak on route allocation Make sure to drop the reference taken when looking up the DMA mux platform device during route allocation. Note that holding a reference to a device does not prevent its driver data from going away so there is no point in keeping the reference.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: dmaengine: dw: dmamux: fix OF node leak on route allocation failure Make sure to drop the reference taken to the DMA master OF node also on late route allocation failures.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: dmaengine: bcm-sba-raid: fix device leak on probe Make sure to drop the reference taken when looking up the mailbox device during probe on probe failures and on driver unbind.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: dmaengine: at_hdmac: fix device leak on of_dma_xlate() Make sure to drop the reference taken when looking up the DMA platform device during of_dma_xlate() when releasing channel resources. Note that commit 3832b78b3ec2 ("dmaengine: at_hdmac: add missing put_device() call in at_dma_xlate()") fixed the leak in a couple of error paths but the reference is still leaking on successful allocation.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: w1: therm: Fix off-by-one buffer overflow in alarms_store The sysfs buffer passed to alarms_store() is allocated with 'size + 1' bytes and a NUL terminator is appended. However, the 'size' argument does not account for this extra byte. The original code then allocated 'size' bytes and used strcpy() to copy 'buf', which always writes one byte past the allocated buffer since strcpy() copies until the NUL terminator at index 'size'. Fix this by parsing the 'buf' parameter directly using simple_strtoll() without allocating any intermediate memory or string copying. This removes the overflow while simplifying the code.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: dmaengine: mmp_pdma: Fix race condition in mmp_pdma_residue() Add proper locking in mmp_pdma_residue() to prevent use-after-free when accessing descriptor list and descriptor contents. The race occurs when multiple threads call tx_status() while the tasklet on another CPU is freeing completed descriptors: CPU 0 CPU 1 ----- ----- mmp_pdma_tx_status() mmp_pdma_residue() -> NO LOCK held list_for_each_entry(sw, ..) DMA interrupt dma_do_tasklet() -> spin_lock(&desc_lock) list_move(sw->node, ...) spin_unlock(&desc_lock) | dma_pool_free(sw) <- FREED! -> access sw->desc <- UAF! This issue can be reproduced when running dmatest on the same channel with multiple threads (threads_per_chan > 1). Fix by protecting the chain_running list iteration and descriptor access with the chan->desc_lock spinlock.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: fs: ntfs3: fix infinite loop in attr_load_runs_range on inconsistent metadata We found an infinite loop bug in the ntfs3 file system that can lead to a Denial-of-Service (DoS) condition. A malformed NTFS image can cause an infinite loop when an attribute header indicates an empty run list, while directory entries reference it as containing actual data. In NTFS, setting evcn=-1 with svcn=0 is a valid way to represent an empty run list, and run_unpack() correctly handles this by checking if evcn + 1 equals svcn and returning early without parsing any run data. However, this creates a problem when there is metadata inconsistency, where the attribute header claims to be empty (evcn=-1) but the caller expects to read actual data. When run_unpack() immediately returns success upon seeing this condition, it leaves the runs_tree uninitialized with run->runs as a NULL. The calling function attr_load_runs_range() assumes that a successful return means that the runs were loaded and sets clen to 0, expecting the next run_lookup_entry() call to succeed. Because runs_tree remains uninitialized, run_lookup_entry() continues to fail, and the loop increments vcn by zero (vcn += 0), leading to an infinite loop. This patch adds a retry counter to detect when run_lookup_entry() fails consecutively after attr_load_runs_vcn(). If the run is still not found on the second attempt, it indicates corrupted metadata and returns -EINVAL, preventing the Denial-of-Service (DoS) vulnerability.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: fs: ntfs3: check return value of indx_find to avoid infinite loop We found an infinite loop bug in the ntfs3 file system that can lead to a Denial-of-Service (DoS) condition. A malformed dentry in the ntfs3 filesystem can cause the kernel to hang during the lookup operations. By setting the HAS_SUB_NODE flag in an INDEX_ENTRY within a directory's INDEX_ALLOCATION block and manipulating the VCN pointer, an attacker can cause the indx_find() function to repeatedly read the same block, allocating 4 KB of memory each time. The kernel lacks VCN loop detection and depth limits, causing memory exhaustion and an OOM crash. This patch adds a return value check for fnd_push() to prevent a memory exhaustion vulnerability caused by infinite loops. When the index exceeds the size of the fnd->nodes array, fnd_push() returns -EINVAL. The indx_find() function checks this return value and stops processing, preventing further memory allocation.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: fs: ntfs3: fix infinite loop triggered by zero-sized ATTR_LIST We found an infinite loop bug in the ntfs3 file system that can lead to a Denial-of-Service (DoS) condition. A malformed NTFS image can cause an infinite loop when an ATTR_LIST attribute indicates a zero data size while the driver allocates memory for it. When ntfs_load_attr_list() processes a resident ATTR_LIST with data_size set to zero, it still allocates memory because of al_aligned(0). This creates an inconsistent state where ni->attr_list.size is zero, but ni->attr_list.le is non-null. This causes ni_enum_attr_ex to incorrectly assume that no attribute list exists and enumerates only the primary MFT record. When it finds ATTR_LIST, the code reloads it and restarts the enumeration, repeating indefinitely. The mount operation never completes, hanging the kernel thread. This patch adds validation to ensure that data_size is non-zero before memory allocation. When a zero-sized ATTR_LIST is detected, the function returns -EINVAL, preventing a DoS vulnerability.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
Vulnerability in the OpenSSH GSSAPI delta included in various Linux distributions. This vulnerability affects the GSSAPI patches added by various Linux distributions and does not affect the OpenSSH upstream project itself. The usage of sshpkt_disconnect() on an error, which does not terminate the process, allows an attacker to send an unexpected GSSAPI message type during the GSSAPI key exchange to the server, which will call the underlying function and continue the execution of the program without setting the related connection variables. As the variables are not initialized to NULL the code later accesses those uninitialized variables, accessing random memory, which could lead to undefined behavior. The recommended workaround is to use ssh_packet_disconnect() instead, which does terminate the process. The impact of the vulnerability depends heavily on the compiler flag hardening configuration.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: net: sock: fix hardened usercopy panic in sock_recv_errqueue skbuff_fclone_cache was created without defining a usercopy region, [1] unlike skbuff_head_cache which properly whitelists the cb[] field. [2] This causes a usercopy BUG() when CONFIG_HARDENED_USERCOPY is enabled and the kernel attempts to copy sk_buff.cb data to userspace via sock_recv_errqueue() -> put_cmsg(). The crash occurs when: 1. TCP allocates an skb using alloc_skb_fclone() (from skbuff_fclone_cache) [1] 2. The skb is cloned via skb_clone() using the pre-allocated fclone [3] 3. The cloned skb is queued to sk_error_queue for timestamp reporting 4. Userspace reads the error queue via recvmsg(MSG_ERRQUEUE) 5. sock_recv_errqueue() calls put_cmsg() to copy serr->ee from skb->cb [4] 6. __check_heap_object() fails because skbuff_fclone_cache has no usercopy whitelist [5] When cloned skbs allocated from skbuff_fclone_cache are used in the socket error queue, accessing the sock_exterr_skb structure in skb->cb via put_cmsg() triggers a usercopy hardening violation: [ 5.379589] usercopy: Kernel memory exposure attempt detected from SLUB object 'skbuff_fclone_cache' (offset 296, size 16)! [ 5.382796] kernel BUG at mm/usercopy.c:102! [ 5.383923] Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI [ 5.384903] CPU: 1 UID: 0 PID: 138 Comm: poc_put_cmsg Not tainted 6.12.57 #7 [ 5.384903] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014 [ 5.384903] RIP: 0010:usercopy_abort+0x6c/0x80 [ 5.384903] Code: 1a 86 51 48 c7 c2 40 15 1a 86 41 52 48 c7 c7 c0 15 1a 86 48 0f 45 d6 48 c7 c6 80 15 1a 86 48 89 c1 49 0f 45 f3 e8 84 27 88 ff <0f> 0b 490 [ 5.384903] RSP: 0018:ffffc900006f77a8 EFLAGS: 00010246 [ 5.384903] RAX: 000000000000006f RBX: ffff88800f0ad2a8 RCX: 1ffffffff0f72e74 [ 5.384903] RDX: 0000000000000000 RSI: 0000000000000004 RDI: ffffffff87b973a0 [ 5.384903] RBP: 0000000000000010 R08: 0000000000000000 R09: fffffbfff0f72e74 [ 5.384903] R10: 0000000000000003 R11: 79706f6372657375 R12: 0000000000000001 [ 5.384903] R13: ffff88800f0ad2b8 R14: ffffea00003c2b40 R15: ffffea00003c2b00 [ 5.384903] FS: 0000000011bc4380(0000) GS:ffff8880bf100000(0000) knlGS:0000000000000000 [ 5.384903] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 5.384903] CR2: 000056aa3b8e5fe4 CR3: 000000000ea26004 CR4: 0000000000770ef0 [ 5.384903] PKRU: 55555554 [ 5.384903] Call Trace: [ 5.384903] <TASK> [ 5.384903] __check_heap_object+0x9a/0xd0 [ 5.384903] __check_object_size+0x46c/0x690 [ 5.384903] put_cmsg+0x129/0x5e0 [ 5.384903] sock_recv_errqueue+0x22f/0x380 [ 5.384903] tls_sw_recvmsg+0x7ed/0x1960 [ 5.384903] ? srso_alias_return_thunk+0x5/0xfbef5 [ 5.384903] ? schedule+0x6d/0x270 [ 5.384903] ? srso_alias_return_thunk+0x5/0xfbef5 [ 5.384903] ? mutex_unlock+0x81/0xd0 [ 5.384903] ? __pfx_mutex_unlock+0x10/0x10 [ 5.384903] ? __pfx_tls_sw_recvmsg+0x10/0x10 [ 5.384903] ? _raw_spin_lock_irqsave+0x8f/0xf0 [ 5.384903] ? _raw_read_unlock_irqrestore+0x20/0x40 [ 5.384903] ? srso_alias_return_thunk+0x5/0xfbef5 The crash offset 296 corresponds to skb2->cb within skbuff_fclones: - sizeof(struct sk_buff) = 232 - offsetof(struct sk_buff, cb) = 40 - offset of skb2.cb in fclones = 232 + 40 = 272 - crash offset 296 = 272 + 24 (inside sock_exterr_skb.ee) This patch uses a local stack variable as a bounce buffer to avoid the hardened usercopy check failure. [1] https://elixir.bootlin.com/linux/v6.12.62/source/net/ipv4/tcp.c#L885 [2] https://elixir.bootlin.com/linux/v6.12.62/source/net/core/skbuff.c#L5104 [3] https://elixir.bootlin.com/linux/v6.12.62/source/net/core/skbuff.c#L5566 [4] https://elixir.bootlin.com/linux/v6.12.62/source/net/core/skbuff.c#L5491 [5] https://elixir.bootlin.com/linux/v6.12.62/source/mm/slub.c#L5719
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: net: fix memory leak in skb_segment_list for GRO packets When skb_segment_list() is called during packet forwarding, it handles packets that were aggregated by the GRO engine. Historically, the segmentation logic in skb_segment_list assumes that individual segments are split from a parent SKB and may need to carry their own socket memory accounting. Accordingly, the code transfers truesize from the parent to the newly created segments. Prior to commit ed4cccef64c1 ("gro: fix ownership transfer"), this truesize subtraction in skb_segment_list() was valid because fragments still carry a reference to the original socket. However, commit ed4cccef64c1 ("gro: fix ownership transfer") changed this behavior by ensuring that fraglist entries are explicitly orphaned (skb->sk = NULL) to prevent illegal orphaning later in the stack. This change meant that the entire socket memory charge remained with the head SKB, but the corresponding accounting logic in skb_segment_list() was never updated. As a result, the current code unconditionally adds each fragment's truesize to delta_truesize and subtracts it from the parent SKB. Since the fragments are no longer charged to the socket, this subtraction results in an effective under-count of memory when the head is freed. This causes sk_wmem_alloc to remain non-zero, preventing socket destruction and leading to a persistent memory leak. The leak can be observed via KMEMLEAK when tearing down the networking environment: unreferenced object 0xffff8881e6eb9100 (size 2048): comm "ping", pid 6720, jiffies 4295492526 backtrace: kmem_cache_alloc_noprof+0x5c6/0x800 sk_prot_alloc+0x5b/0x220 sk_alloc+0x35/0xa00 inet6_create.part.0+0x303/0x10d0 __sock_create+0x248/0x640 __sys_socket+0x11b/0x1d0 Since skb_segment_list() is exclusively used for SKB_GSO_FRAGLIST packets constructed by GRO, the truesize adjustment is removed. The call to skb_release_head_state() must be preserved. As documented in commit cf673ed0e057 ("net: fix fraglist segmentation reference count leak"), it is still required to correctly drop references to SKB extensions that may be overwritten during __copy_skb_header().
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: nfsd: provide locking for v4_end_grace Writing to v4_end_grace can race with server shutdown and result in memory being accessed after it was freed - reclaim_str_hashtbl in particularly. We cannot hold nfsd_mutex across the nfsd4_end_grace() call as that is held while client_tracking_op->init() is called and that can wait for an upcall to nfsdcltrack which can write to v4_end_grace, resulting in a deadlock. nfsd4_end_grace() is also called by the landromat work queue and this doesn't require locking as server shutdown will stop the work and wait for it before freeing anything that nfsd4_end_grace() might access. However, we must be sure that writing to v4_end_grace doesn't restart the work item after shutdown has already waited for it. For this we add a new flag protected with nn->client_lock. It is set only while it is safe to make client tracking calls, and v4_end_grace only schedules work while the flag is set with the spinlock held. So this patch adds a nfsd_net field "client_tracking_active" which is set as described. Another field "grace_end_forced", is set when v4_end_grace is written. After this is set, and providing client_tracking_active is set, the laundromat is scheduled. This "grace_end_forced" field bypasses other checks for whether the grace period has finished. This resolves a race which can result in use-after-free.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: net: mscc: ocelot: Fix crash when adding interface under a lag Commit 15faa1f67ab4 ("lan966x: Fix crash when adding interface under a lag") fixed a similar issue in the lan966x driver caused by a NULL pointer dereference. The ocelot_set_aggr_pgids() function in the ocelot driver has similar logic and is susceptible to the same crash. This issue specifically affects the ocelot_vsc7514.c frontend, which leaves unused ports as NULL pointers. The felix_vsc9959.c frontend is unaffected as it uses the DSA framework which registers all ports. Fix this by checking if the port pointer is valid before accessing it.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: libceph: return the handler error from mon_handle_auth_done() Currently any error from ceph_auth_handle_reply_done() is propagated via finish_auth() but isn't returned from mon_handle_auth_done(). This results in higher layers learning that (despite the monitor considering us to be successfully authenticated) something went wrong in the authentication phase and reacting accordingly, but msgr2 still trying to proceed with establishing the session in the background. In the case of secure mode this can trigger a WARN in setup_crypto() and later lead to a NULL pointer dereference inside of prepare_auth_signature().
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: bpf: Fix reference count leak in bpf_prog_test_run_xdp() syzbot is reporting unregister_netdevice: waiting for sit0 to become free. Usage count = 2 problem. A debug printk() patch found that a refcount is obtained at xdp_convert_md_to_buff() from bpf_prog_test_run_xdp(). According to commit ec94670fcb3b ("bpf: Support specifying ingress via xdp_md context in BPF_PROG_TEST_RUN"), the refcount obtained by xdp_convert_md_to_buff() will be released by xdp_convert_buff_to_md(). Therefore, we can consider that the error handling path introduced by commit 1c1949982524 ("bpf: introduce frags support to bpf_prog_test_run_xdp()") forgot to call xdp_convert_buff_to_md().
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: ip6_tunnel: use skb_vlan_inet_prepare() in __ip6_tnl_rcv() Blamed commit did not take care of VLAN encapsulations as spotted by syzbot [1]. Use skb_vlan_inet_prepare() instead of pskb_inet_may_pull(). [1] BUG: KMSAN: uninit-value in __INET_ECN_decapsulate include/net/inet_ecn.h:253 [inline] BUG: KMSAN: uninit-value in INET_ECN_decapsulate include/net/inet_ecn.h:275 [inline] BUG: KMSAN: uninit-value in IP6_ECN_decapsulate+0x7a8/0x1fa0 include/net/inet_ecn.h:321 __INET_ECN_decapsulate include/net/inet_ecn.h:253 [inline] INET_ECN_decapsulate include/net/inet_ecn.h:275 [inline] IP6_ECN_decapsulate+0x7a8/0x1fa0 include/net/inet_ecn.h:321 ip6ip6_dscp_ecn_decapsulate+0x16f/0x1b0 net/ipv6/ip6_tunnel.c:729 __ip6_tnl_rcv+0xed9/0x1b50 net/ipv6/ip6_tunnel.c:860 ip6_tnl_rcv+0xc3/0x100 net/ipv6/ip6_tunnel.c:903 gre_rcv+0x1529/0x1b90 net/ipv6/ip6_gre.c:-1 ip6_protocol_deliver_rcu+0x1c89/0x2c60 net/ipv6/ip6_input.c:438 ip6_input_finish+0x1f4/0x4a0 net/ipv6/ip6_input.c:489 NF_HOOK include/linux/netfilter.h:318 [inline] ip6_input+0x9c/0x330 net/ipv6/ip6_input.c:500 ip6_mc_input+0x7ca/0xc10 net/ipv6/ip6_input.c:590 dst_input include/net/dst.h:474 [inline] ip6_rcv_finish+0x958/0x990 net/ipv6/ip6_input.c:79 NF_HOOK include/linux/netfilter.h:318 [inline] ipv6_rcv+0xf1/0x3c0 net/ipv6/ip6_input.c:311 __netif_receive_skb_one_core net/core/dev.c:6139 [inline] __netif_receive_skb+0x1df/0xac0 net/core/dev.c:6252 netif_receive_skb_internal net/core/dev.c:6338 [inline] netif_receive_skb+0x57/0x630 net/core/dev.c:6397 tun_rx_batched+0x1df/0x980 drivers/net/tun.c:1485 tun_get_user+0x5c0e/0x6c60 drivers/net/tun.c:1953 tun_chr_write_iter+0x3e9/0x5c0 drivers/net/tun.c:1999 new_sync_write fs/read_write.c:593 [inline] vfs_write+0xbe2/0x15d0 fs/read_write.c:686 ksys_write fs/read_write.c:738 [inline] __do_sys_write fs/read_write.c:749 [inline] __se_sys_write fs/read_write.c:746 [inline] __x64_sys_write+0x1fb/0x4d0 fs/read_write.c:746 x64_sys_call+0x30ab/0x3e70 arch/x86/include/generated/asm/syscalls_64.h:2 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xd3/0xf80 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f Uninit was created at: slab_post_alloc_hook mm/slub.c:4960 [inline] slab_alloc_node mm/slub.c:5263 [inline] kmem_cache_alloc_node_noprof+0x9e7/0x17a0 mm/slub.c:5315 kmalloc_reserve+0x13c/0x4b0 net/core/skbuff.c:586 __alloc_skb+0x805/0x1040 net/core/skbuff.c:690 alloc_skb include/linux/skbuff.h:1383 [inline] alloc_skb_with_frags+0xc5/0xa60 net/core/skbuff.c:6712 sock_alloc_send_pskb+0xacc/0xc60 net/core/sock.c:2995 tun_alloc_skb drivers/net/tun.c:1461 [inline] tun_get_user+0x1142/0x6c60 drivers/net/tun.c:1794 tun_chr_write_iter+0x3e9/0x5c0 drivers/net/tun.c:1999 new_sync_write fs/read_write.c:593 [inline] vfs_write+0xbe2/0x15d0 fs/read_write.c:686 ksys_write fs/read_write.c:738 [inline] __do_sys_write fs/read_write.c:749 [inline] __se_sys_write fs/read_write.c:746 [inline] __x64_sys_write+0x1fb/0x4d0 fs/read_write.c:746 x64_sys_call+0x30ab/0x3e70 arch/x86/include/generated/asm/syscalls_64.h:2 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xd3/0xf80 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f CPU: 0 UID: 0 PID: 6465 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(none) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: x86/fpu: Clear XSTATE_BV[i] in guest XSAVE state whenever XFD[i]=1 When loading guest XSAVE state via KVM_SET_XSAVE, and when updating XFD in response to a guest WRMSR, clear XFD-disabled features in the saved (or to be restored) XSTATE_BV to ensure KVM doesn't attempt to load state for features that are disabled via the guest's XFD. Because the kernel executes XRSTOR with the guest's XFD, saving XSTATE_BV[i]=1 with XFD[i]=1 will cause XRSTOR to #NM and panic the kernel. E.g. if fpu_update_guest_xfd() sets XFD without clearing XSTATE_BV: ------------[ cut here ]------------ WARNING: arch/x86/kernel/traps.c:1524 at exc_device_not_available+0x101/0x110, CPU#29: amx_test/848 Modules linked in: kvm_intel kvm irqbypass CPU: 29 UID: 1000 PID: 848 Comm: amx_test Not tainted 6.19.0-rc2-ffa07f7fd437-x86_amx_nm_xfd_non_init-vm #171 NONE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015 RIP: 0010:exc_device_not_available+0x101/0x110 Call Trace: <TASK> asm_exc_device_not_available+0x1a/0x20 RIP: 0010:restore_fpregs_from_fpstate+0x36/0x90 switch_fpu_return+0x4a/0xb0 kvm_arch_vcpu_ioctl_run+0x1245/0x1e40 [kvm] kvm_vcpu_ioctl+0x2c3/0x8f0 [kvm] __x64_sys_ioctl+0x8f/0xd0 do_syscall_64+0x62/0x940 entry_SYSCALL_64_after_hwframe+0x4b/0x53 </TASK> ---[ end trace 0000000000000000 ]--- This can happen if the guest executes WRMSR(MSR_IA32_XFD) to set XFD[18] = 1, and a host IRQ triggers kernel_fpu_begin() prior to the vmexit handler's call to fpu_update_guest_xfd(). and if userspace stuffs XSTATE_BV[i]=1 via KVM_SET_XSAVE: ------------[ cut here ]------------ WARNING: arch/x86/kernel/traps.c:1524 at exc_device_not_available+0x101/0x110, CPU#14: amx_test/867 Modules linked in: kvm_intel kvm irqbypass CPU: 14 UID: 1000 PID: 867 Comm: amx_test Not tainted 6.19.0-rc2-2dace9faccd6-x86_amx_nm_xfd_non_init-vm #168 NONE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015 RIP: 0010:exc_device_not_available+0x101/0x110 Call Trace: <TASK> asm_exc_device_not_available+0x1a/0x20 RIP: 0010:restore_fpregs_from_fpstate+0x36/0x90 fpu_swap_kvm_fpstate+0x6b/0x120 kvm_load_guest_fpu+0x30/0x80 [kvm] kvm_arch_vcpu_ioctl_run+0x85/0x1e40 [kvm] kvm_vcpu_ioctl+0x2c3/0x8f0 [kvm] __x64_sys_ioctl+0x8f/0xd0 do_syscall_64+0x62/0x940 entry_SYSCALL_64_after_hwframe+0x4b/0x53 </TASK> ---[ end trace 0000000000000000 ]--- The new behavior is consistent with the AMX architecture. Per Intel's SDM, XSAVE saves XSTATE_BV as '0' for components that are disabled via XFD (and non-compacted XSAVE saves the initial configuration of the state component): If XSAVE, XSAVEC, XSAVEOPT, or XSAVES is saving the state component i, the instruction does not generate #NM when XCR0[i] = IA32_XFD[i] = 1; instead, it operates as if XINUSE[i] = 0 (and the state component was in its initial state): it saves bit i of XSTATE_BV field of the XSAVE header as 0; in addition, XSAVE saves the initial configuration of the state component (the other instructions do not save state component i). Alternatively, KVM could always do XRSTOR with XFD=0, e.g. by using a constant XFD based on the set of enabled features when XSAVEing for a struct fpu_guest. However, having XSTATE_BV[i]=1 for XFD-disabled features can only happen in the above interrupt case, or in similar scenarios involving preemption on preemptible kernels, because fpu_swap_kvm_fpstate()'s call to save_fpregs_to_fpstate() saves the outgoing FPU state with the current XFD; and that is (on all but the first WRMSR to XFD) the guest XFD. Therefore, XFD can only go out of sync with XSTATE_BV in the above interrupt case, or in similar scenarios involving preemption on preemptible kernels, and it we can consider it (de facto) part of KVM ABI that KVM_GET_XSAVE returns XSTATE_BV[i]=0 for XFD-disabled features. [Move clea ---truncated---
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: ipv6: Fix use-after-free in inet6_addr_del(). syzbot reported use-after-free of inet6_ifaddr in inet6_addr_del(). [0] The cited commit accidentally moved ipv6_del_addr() for mngtmpaddr before reading its ifp->flags for temporary addresses in inet6_addr_del(). Let's move ipv6_del_addr() down to fix the UAF. [0]: BUG: KASAN: slab-use-after-free in inet6_addr_del.constprop.0+0x67a/0x6b0 net/ipv6/addrconf.c:3117 Read of size 4 at addr ffff88807b89c86c by task syz.3.1618/9593 CPU: 0 UID: 0 PID: 9593 Comm: syz.3.1618 Not tainted syzkaller #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025 Call Trace: <TASK> __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline] print_report+0xcd/0x630 mm/kasan/report.c:482 kasan_report+0xe0/0x110 mm/kasan/report.c:595 inet6_addr_del.constprop.0+0x67a/0x6b0 net/ipv6/addrconf.c:3117 addrconf_del_ifaddr+0x11e/0x190 net/ipv6/addrconf.c:3181 inet6_ioctl+0x1e5/0x2b0 net/ipv6/af_inet6.c:582 sock_do_ioctl+0x118/0x280 net/socket.c:1254 sock_ioctl+0x227/0x6b0 net/socket.c:1375 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:597 [inline] __se_sys_ioctl fs/ioctl.c:583 [inline] __x64_sys_ioctl+0x18e/0x210 fs/ioctl.c:583 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xcd/0xf80 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f164cf8f749 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f164de64038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 00007f164d1e5fa0 RCX: 00007f164cf8f749 RDX: 0000200000000000 RSI: 0000000000008936 RDI: 0000000000000003 RBP: 00007f164d013f91 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007f164d1e6038 R14: 00007f164d1e5fa0 R15: 00007ffde15c8288 </TASK> Allocated by task 9593: kasan_save_stack+0x33/0x60 mm/kasan/common.c:56 kasan_save_track+0x14/0x30 mm/kasan/common.c:77 poison_kmalloc_redzone mm/kasan/common.c:397 [inline] __kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:414 kmalloc_noprof include/linux/slab.h:957 [inline] kzalloc_noprof include/linux/slab.h:1094 [inline] ipv6_add_addr+0x4e3/0x2010 net/ipv6/addrconf.c:1120 inet6_addr_add+0x256/0x9b0 net/ipv6/addrconf.c:3050 addrconf_add_ifaddr+0x1fc/0x450 net/ipv6/addrconf.c:3160 inet6_ioctl+0x103/0x2b0 net/ipv6/af_inet6.c:580 sock_do_ioctl+0x118/0x280 net/socket.c:1254 sock_ioctl+0x227/0x6b0 net/socket.c:1375 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:597 [inline] __se_sys_ioctl fs/ioctl.c:583 [inline] __x64_sys_ioctl+0x18e/0x210 fs/ioctl.c:583 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xcd/0xf80 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f Freed by task 6099: kasan_save_stack+0x33/0x60 mm/kasan/common.c:56 kasan_save_track+0x14/0x30 mm/kasan/common.c:77 kasan_save_free_info+0x3b/0x60 mm/kasan/generic.c:584 poison_slab_object mm/kasan/common.c:252 [inline] __kasan_slab_free+0x5f/0x80 mm/kasan/common.c:284 kasan_slab_free include/linux/kasan.h:234 [inline] slab_free_hook mm/slub.c:2540 [inline] slab_free_freelist_hook mm/slub.c:2569 [inline] slab_free_bulk mm/slub.c:6696 [inline] kmem_cache_free_bulk mm/slub.c:7383 [inline] kmem_cache_free_bulk+0x2bf/0x680 mm/slub.c:7362 kfree_bulk include/linux/slab.h:830 [inline] kvfree_rcu_bulk+0x1b7/0x1e0 mm/slab_common.c:1523 kvfree_rcu_drain_ready mm/slab_common.c:1728 [inline] kfree_rcu_monitor+0x1d0/0x2f0 mm/slab_common.c:1801 process_one_work+0x9ba/0x1b20 kernel/workqueue.c:3257 process_scheduled_works kernel/workqu ---truncated---
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: ipv4: ip_gre: make ipgre_header() robust Analog to commit db5b4e39c4e6 ("ip6_gre: make ip6gre_header() robust") Over the years, syzbot found many ways to crash the kernel in ipgre_header() [1]. This involves team or bonding drivers ability to dynamically change their dev->needed_headroom and/or dev->hard_header_len In this particular crash mld_newpack() allocated an skb with a too small reserve/headroom, and by the time mld_sendpack() was called, syzbot managed to attach an ipgre device. [1] skbuff: skb_under_panic: text:ffffffff89ea3cb7 len:2030915468 put:2030915372 head:ffff888058b43000 data:ffff887fdfa6e194 tail:0x120 end:0x6c0 dev:team0 kernel BUG at net/core/skbuff.c:213 ! Oops: invalid opcode: 0000 [#1] SMP KASAN PTI CPU: 1 UID: 0 PID: 1322 Comm: kworker/1:9 Not tainted syzkaller #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025 Workqueue: mld mld_ifc_work RIP: 0010:skb_panic+0x157/0x160 net/core/skbuff.c:213 Call Trace: <TASK> skb_under_panic net/core/skbuff.c:223 [inline] skb_push+0xc3/0xe0 net/core/skbuff.c:2641 ipgre_header+0x67/0x290 net/ipv4/ip_gre.c:897 dev_hard_header include/linux/netdevice.h:3436 [inline] neigh_connected_output+0x286/0x460 net/core/neighbour.c:1618 NF_HOOK_COND include/linux/netfilter.h:307 [inline] ip6_output+0x340/0x550 net/ipv6/ip6_output.c:247 NF_HOOK+0x9e/0x380 include/linux/netfilter.h:318 mld_sendpack+0x8d4/0xe60 net/ipv6/mcast.c:1855 mld_send_cr net/ipv6/mcast.c:2154 [inline] mld_ifc_work+0x83e/0xd60 net/ipv6/mcast.c:2693 process_one_work kernel/workqueue.c:3257 [inline] process_scheduled_works+0xad1/0x1770 kernel/workqueue.c:3340 worker_thread+0x8a0/0xda0 kernel/workqueue.c:3421 kthread+0x711/0x8a0 kernel/kthread.c:463 ret_from_fork+0x510/0xa50 arch/x86/kernel/process.c:158 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: net: marvell: prestera: fix NULL dereference on devlink_alloc() failure devlink_alloc() may return NULL on allocation failure, but prestera_devlink_alloc() unconditionally calls devlink_priv() on the returned pointer. This leads to a NULL pointer dereference if devlink allocation fails. Add a check for a NULL devlink pointer and return NULL early to avoid the crash.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: dmaengine: qcom: gpi: Fix memory leak in gpi_peripheral_config() Fix a memory leak in gpi_peripheral_config() where the original memory pointed to by gchan->config could be lost if krealloc() fails. The issue occurs when: 1. gchan->config points to previously allocated memory 2. krealloc() fails and returns NULL 3. The function directly assigns NULL to gchan->config, losing the reference to the original memory 4. The original memory becomes unreachable and cannot be freed Fix this by using a temporary variable to hold the krealloc() result and only updating gchan->config when the allocation succeeds. Found via static analysis and code review.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: pnfs/flexfiles: Fix memory leak in nfs4_ff_alloc_deviceid_node() In nfs4_ff_alloc_deviceid_node(), if the allocation for ds_versions fails, the function jumps to the out_scratch label without freeing the already allocated dsaddrs list, leading to a memory leak. Fix this by jumping to the out_err_drain_dsaddrs label, which properly frees the dsaddrs list before cleaning up other resources.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: net: hv_netvsc: reject RSS hash key programming without RX indirection table RSS configuration requires a valid RX indirection table. When the device reports a single receive queue, rndis_filter_device_add() does not allocate an indirection table, accepting RSS hash key updates in this state leads to a hang. Fix this by gating netvsc_set_rxfh() on ndc->rx_table_sz and return -EOPNOTSUPP when the table is absent. This aligns set_rxfh with the device capabilities and prevents incorrect behavior.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: crypto: authencesn - reject too-short AAD (assoclen<8) to match ESP/ESN spec authencesn assumes an ESP/ESN-formatted AAD. When assoclen is shorter than the minimum expected length, crypto_authenc_esn_decrypt() can advance past the end of the destination scatterlist and trigger a NULL pointer dereference in scatterwalk_map_and_copy(), leading to a kernel panic (DoS). Add a minimum AAD length check to fail fast on invalid inputs.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: fou: Don't allow 0 for FOU_ATTR_IPPROTO. fou_udp_recv() has the same problem mentioned in the previous patch. If FOU_ATTR_IPPROTO is set to 0, skb is not freed by fou_udp_recv() nor "resubmit"-ted in ip_protocol_deliver_rcu(). Let's forbid 0 for FOU_ATTR_IPPROTO.
CWE-20 - Improper Input Validation| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: be2net: Fix NULL pointer dereference in be_cmd_get_mac_from_list When the parameter pmac_id_valid argument of be_cmd_get_mac_from_list() is set to false, the driver may request the PMAC_ID from the firmware of the network card, and this function will store that PMAC_ID at the provided address pmac_id. This is the contract of this function. However, there is a location within the driver where both pmac_id_valid == false and pmac_id == NULL are being passed. This could result in dereferencing a NULL pointer. To resolve this issue, it is necessary to pass the address of a stub variable to the function.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: vsock/virtio: cap TX credit to local buffer size The virtio transports derives its TX credit directly from peer_buf_alloc, which is set from the remote endpoint's SO_VM_SOCKETS_BUFFER_SIZE value. On the host side this means that the amount of data we are willing to queue for a connection is scaled by a guest-chosen buffer size, rather than the host's own vsock configuration. A malicious guest can advertise a large buffer and read slowly, causing the host to allocate a correspondingly large amount of sk_buff memory. The same thing would happen in the guest with a malicious host, since virtio transports share the same code base. Introduce a small helper, virtio_transport_tx_buf_size(), that returns min(peer_buf_alloc, buf_alloc), and use it wherever we consume peer_buf_alloc. This ensures the effective TX window is bounded by both the peer's advertised buffer and our own buf_alloc (already clamped to buffer_max_size via SO_VM_SOCKETS_BUFFER_MAX_SIZE), so a remote peer cannot force the other to queue more data than allowed by its own vsock settings. On an unpatched Ubuntu 22.04 host (~64 GiB RAM), running a PoC with 32 guest vsock connections advertising 2 GiB each and reading slowly drove Slab/SUnreclaim from ~0.5 GiB to ~57 GiB; the system only recovered after killing the QEMU process. That said, if QEMU memory is limited with cgroups, the maximum memory used will be limited. With this patch applied: Before: MemFree: ~61.6 GiB Slab: ~142 MiB SUnreclaim: ~117 MiB After 32 high-credit connections: MemFree: ~61.5 GiB Slab: ~178 MiB SUnreclaim: ~152 MiB Only ~35 MiB increase in Slab/SUnreclaim, no host OOM, and the guest remains responsive. Compatibility with non-virtio transports: - VMCI uses the AF_VSOCK buffer knobs to size its queue pairs per socket based on the local vsk->buffer_* values; the remote side cannot enlarge those queues beyond what the local endpoint configured. - Hyper-V's vsock transport uses fixed-size VMBus ring buffers and an MTU bound; there is no peer-controlled credit field comparable to peer_buf_alloc, and the remote endpoint cannot drive in-flight kernel memory above those ring sizes. - The loopback path reuses virtio_transport_common.c, so it naturally follows the same semantics as the virtio transport. This change is limited to virtio_transport_common.c and thus affects virtio-vsock, vhost-vsock, and loopback, bringing them in line with the "remote window intersected with local policy" behaviour that VMCI and Hyper-V already effectively have. [Stefano: small adjustments after changing the previous patch] [Stefano: tweak the commit message]
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: scsi: xen: scsiback: Fix potential memory leak in scsiback_remove() Memory allocated for struct vscsiblk_info in scsiback_probe() is not freed in scsiback_remove() leading to potential memory leaks on remove, as well as in the scsiback_probe() error paths. Fix that by freeing it in scsiback_remove().
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: gue: Fix skb memleak with inner IP protocol 0. syzbot reported skb memleak below. [0] The repro generated a GUE packet with its inner protocol 0. gue_udp_recv() returns -guehdr->proto_ctype for "resubmit" in ip_protocol_deliver_rcu(), but this only works with non-zero protocol number. Let's drop such packets. Note that 0 is a valid number (IPv6 Hop-by-Hop Option). I think it is not practical to encap HOPOPT in GUE, so once someone starts to complain, we could pass down a resubmit flag pointer to distinguish two zeros from the upper layer: * no error * resubmit HOPOPT [0] BUG: memory leak unreferenced object 0xffff888109695a00 (size 240): comm "syz.0.17", pid 6088, jiffies 4294943096 hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00 40 c2 10 81 88 ff ff 00 00 00 00 00 00 00 00 .@.............. backtrace (crc a84b336f): kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline] slab_post_alloc_hook mm/slub.c:4958 [inline] slab_alloc_node mm/slub.c:5263 [inline] kmem_cache_alloc_noprof+0x3b4/0x590 mm/slub.c:5270 __build_skb+0x23/0x60 net/core/skbuff.c:474 build_skb+0x20/0x190 net/core/skbuff.c:490 __tun_build_skb drivers/net/tun.c:1541 [inline] tun_build_skb+0x4a1/0xa40 drivers/net/tun.c:1636 tun_get_user+0xc12/0x2030 drivers/net/tun.c:1770 tun_chr_write_iter+0x71/0x120 drivers/net/tun.c:1999 new_sync_write fs/read_write.c:593 [inline] vfs_write+0x45d/0x710 fs/read_write.c:686 ksys_write+0xa7/0x170 fs/read_write.c:738 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xa4/0xf80 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: mm/hugetlb: fix hugetlb_pmd_shared() Patch series "mm/hugetlb: fixes for PMD table sharing (incl. using mmu_gather)", v3. One functional fix, one performance regression fix, and two related comment fixes. I cleaned up my prototype I recently shared [1] for the performance fix, deferring most of the cleanups I had in the prototype to a later point. While doing that I identified the other things. The goal of this patch set is to be backported to stable trees "fairly" easily. At least patch #1 and #4. Patch #1 fixes hugetlb_pmd_shared() not detecting any sharing Patch #2 + #3 are simple comment fixes that patch #4 interacts with. Patch #4 is a fix for the reported performance regression due to excessive IPI broadcasts during fork()+exit(). The last patch is all about TLB flushes, IPIs and mmu_gather. Read: complicated There are plenty of cleanups in the future to be had + one reasonable optimization on x86. But that's all out of scope for this series. Runtime tested, with a focus on fixing the performance regression using the original reproducer [2] on x86. This patch (of 4): We switched from (wrongly) using the page count to an independent shared count. Now, shared page tables have a refcount of 1 (excluding speculative references) and instead use ptdesc->pt_share_count to identify sharing. We didn't convert hugetlb_pmd_shared(), so right now, we would never detect a shared PMD table as such, because sharing/unsharing no longer touches the refcount of a PMD table. Page migration, like mbind() or migrate_pages() would allow for migrating folios mapped into such shared PMD tables, even though the folios are not exclusive. In smaps we would account them as "private" although they are "shared", and we would be wrongly setting the PM_MMAP_EXCLUSIVE in the pagemap interface. Fix it by properly using ptdesc_pmd_is_shared() in hugetlb_pmd_shared().
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: ipvlan: Make the addrs_lock be per port Make the addrs_lock be per port, not per ipvlan dev. Initial code seems to be written in the assumption, that any address change must occur under RTNL. But it is not so for the case of IPv6. So 1) Introduce per-port addrs_lock. 2) It was needed to fix places where it was forgotten to take lock (ipvlan_open/ipvlan_close) This appears to be a very minor problem though. Since it's highly unlikely that ipvlan_add_addr() will be called on 2 CPU simultaneously. But nevertheless, this could cause: 1) False-negative of ipvlan_addr_busy(): one interface iterated through all port->ipvlans + ipvlan->addrs under some ipvlan spinlock, and another added IP under its own lock. Though this is only possible for IPv6, since looks like only ipvlan_addr6_event() can be called without rtnl_lock. 2) Race since ipvlan_ht_addr_add(port) is called under different ipvlan->addrs_lock locks This should not affect performance, since add/remove IP is a rare situation and spinlock is not taken on fast paths.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: scsi: core: Wake up the error handler when final completions race against each other The fragile ordering between marking commands completed or failed so that the error handler only wakes when the last running command completes or times out has race conditions. These race conditions can cause the SCSI layer to fail to wake the error handler, leaving I/O through the SCSI host stuck as the error state cannot advance. First, there is an memory ordering issue within scsi_dec_host_busy(). The write which clears SCMD_STATE_INFLIGHT may be reordered with reads counting in scsi_host_busy(). While the local CPU will see its own write, reordering can allow other CPUs in scsi_dec_host_busy() or scsi_eh_inc_host_failed() to see a raised busy count, causing no CPU to see a host busy equal to the host_failed count. This race condition can be prevented with a memory barrier on the error path to force the write to be visible before counting host busy commands. Second, there is a general ordering issue with scsi_eh_inc_host_failed(). By counting busy commands before incrementing host_failed, it can race with a final command in scsi_dec_host_busy(), such that scsi_dec_host_busy() does not see host_failed incremented but scsi_eh_inc_host_failed() counts busy commands before SCMD_STATE_INFLIGHT is cleared by scsi_dec_host_busy(), resulting in neither waking the error handler task. This needs the call to scsi_host_busy() to be moved after host_failed is incremented to close the race condition.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: fix inverted genmask check in nft_map_catchall_activate() nft_map_catchall_activate() has an inverted element activity check compared to its non-catchall counterpart nft_mapelem_activate() and compared to what is logically required. nft_map_catchall_activate() is called from the abort path to re-activate catchall map elements that were deactivated during a failed transaction. It should skip elements that are already active (they don't need re-activation) and process elements that are inactive (they need to be restored). Instead, the current code does the opposite: it skips inactive elements and processes active ones. Compare the non-catchall activate callback, which is correct: nft_mapelem_activate(): if (nft_set_elem_active(ext, iter->genmask)) return 0; /* skip active, process inactive */ With the buggy catchall version: nft_map_catchall_activate(): if (!nft_set_elem_active(ext, genmask)) continue; /* skip inactive, process active */ The consequence is that when a DELSET operation is aborted, nft_setelem_data_activate() is never called for the catchall element. For NFT_GOTO verdict elements, this means nft_data_hold() is never called to restore the chain->use reference count. Each abort cycle permanently decrements chain->use. Once chain->use reaches zero, DELCHAIN succeeds and frees the chain while catchall verdict elements still reference it, resulting in a use-after-free. This is exploitable for local privilege escalation from an unprivileged user via user namespaces + nftables on distributions that enable CONFIG_USER_NS and CONFIG_NF_TABLES. Fix by removing the negation so the check matches nft_mapelem_activate(): skip active elements, process inactive ones.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: io_uring/io-wq: check IO_WQ_BIT_EXIT inside work run loop Currently this is checked before running the pending work. Normally this is quite fine, as work items either end up blocking (which will create a new worker for other items), or they complete fairly quickly. But syzbot reports an issue where io-wq takes seemingly forever to exit, and with a bit of debugging, this turns out to be because it queues a bunch of big (2GB - 4096b) reads with a /dev/msr* file. Since this file type doesn't support ->read_iter(), loop_rw_iter() ends up handling them. Each read returns 16MB of data read, which takes 20 (!!) seconds. With a bunch of these pending, processing the whole chain can take a long time. Easily longer than the syzbot uninterruptible sleep timeout of 140 seconds. This then triggers a complaint off the io-wq exit path: INFO: task syz.4.135:6326 blocked for more than 143 seconds. Not tainted syzkaller #0 Blocked by coredump. "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. task:syz.4.135 state:D stack:26824 pid:6326 tgid:6324 ppid:5957 task_flags:0x400548 flags:0x00080000 Call Trace: <TASK> context_switch kernel/sched/core.c:5256 [inline] __schedule+0x1139/0x6150 kernel/sched/core.c:6863 __schedule_loop kernel/sched/core.c:6945 [inline] schedule+0xe7/0x3a0 kernel/sched/core.c:6960 schedule_timeout+0x257/0x290 kernel/time/sleep_timeout.c:75 do_wait_for_common kernel/sched/completion.c:100 [inline] __wait_for_common+0x2fc/0x4e0 kernel/sched/completion.c:121 io_wq_exit_workers io_uring/io-wq.c:1328 [inline] io_wq_put_and_exit+0x271/0x8a0 io_uring/io-wq.c:1356 io_uring_clean_tctx+0x10d/0x190 io_uring/tctx.c:203 io_uring_cancel_generic+0x69c/0x9a0 io_uring/cancel.c:651 io_uring_files_cancel include/linux/io_uring.h:19 [inline] do_exit+0x2ce/0x2bd0 kernel/exit.c:911 do_group_exit+0xd3/0x2a0 kernel/exit.c:1112 get_signal+0x2671/0x26d0 kernel/signal.c:3034 arch_do_signal_or_restart+0x8f/0x7e0 arch/x86/kernel/signal.c:337 __exit_to_user_mode_loop kernel/entry/common.c:41 [inline] exit_to_user_mode_loop+0x8c/0x540 kernel/entry/common.c:75 __exit_to_user_mode_prepare include/linux/irq-entry-common.h:226 [inline] syscall_exit_to_user_mode_prepare include/linux/irq-entry-common.h:256 [inline] syscall_exit_to_user_mode_work include/linux/entry-common.h:159 [inline] syscall_exit_to_user_mode include/linux/entry-common.h:194 [inline] do_syscall_64+0x4ee/0xf80 arch/x86/entry/syscall_64.c:100 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7fa02738f749 RSP: 002b:00007fa0281ae0e8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca RAX: fffffffffffffe00 RBX: 00007fa0275e6098 RCX: 00007fa02738f749 RDX: 0000000000000000 RSI: 0000000000000080 RDI: 00007fa0275e6098 RBP: 00007fa0275e6090 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007fa0275e6128 R14: 00007fff14e4fcb0 R15: 00007fff14e4fd98 There's really nothing wrong here, outside of processing these reads will take a LONG time. However, we can speed up the exit by checking the IO_WQ_BIT_EXIT inside the io_worker_handle_work() loop, as syzbot will exit the ring after queueing up all of these reads. Then once the first item is processed, io-wq will simply cancel the rest. That should avoid syzbot running into this complaint again.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: net: fix segmentation of forwarding fraglist GRO This patch enhances GSO segment handling by properly checking the SKB_GSO_DODGY flag for frag_list GSO packets, addressing low throughput issues observed when a station accesses IPv4 servers via hotspots with an IPv6-only upstream interface. Specifically, it fixes a bug in GSO segmentation when forwarding GRO packets containing a frag_list. The function skb_segment_list cannot correctly process GRO skbs that have been converted by XLAT, since XLAT only translates the header of the head skb. Consequently, skbs in the frag_list may remain untranslated, resulting in protocol inconsistencies and reduced throughput. To address this, the patch explicitly sets the SKB_GSO_DODGY flag for GSO packets in XLAT's IPv4/IPv6 protocol translation helpers (bpf_skb_proto_4_to_6 and bpf_skb_proto_6_to_4). This marks GSO packets as potentially modified after protocol translation. As a result, GSO segmentation will avoid using skb_segment_list and instead falls back to skb_segment for packets with the SKB_GSO_DODGY flag. This ensures that only safe and fully translated frag_list packets are processed by skb_segment_list, resolving protocol inconsistencies and improving throughput when forwarding GRO packets converted by XLAT.
CWE-237 - Improper Handling of Structural Elements| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: net/sched: cls_u32: use skb_header_pointer_careful() skb_header_pointer() does not fully validate negative @offset values. Use skb_header_pointer_careful() instead. GangMin Kim provided a report and a repro fooling u32_classify(): BUG: KASAN: slab-out-of-bounds in u32_classify+0x1180/0x11b0 net/sched/cls_u32.c:221
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: fix use-after-free in nf_tables_addchain() nf_tables_addchain() publishes the chain to table->chains via list_add_tail_rcu() (in nft_chain_add()) before registering hooks. If nf_tables_register_hook() then fails, the error path calls nft_chain_del() (list_del_rcu()) followed by nf_tables_chain_destroy() with no RCU grace period in between. This creates two use-after-free conditions: 1) Control-plane: nf_tables_dump_chains() traverses table->chains under rcu_read_lock(). A concurrent dump can still be walking the chain when the error path frees it. 2) Packet path: for NFPROTO_INET, nf_register_net_hook() briefly installs the IPv4 hook before IPv6 registration fails. Packets entering nft_do_chain() via the transient IPv4 hook can still be dereferencing chain->blob_gen_X when the error path frees the chain. Add synchronize_rcu() between nft_chain_del() and the chain destroy so that all RCU readers -- both dump threads and in-flight packet evaluation -- have finished before the chain is freed.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: RDMA/siw: Fix potential NULL pointer dereference in header processing If siw_get_hdr() returns -EINVAL before set_rx_fpdu_context(), qp->rx_fpdu can be NULL. The error path in siw_tcp_rx_data() dereferences qp->rx_fpdu->more_ddp_segs without checking, which may lead to a NULL pointer deref. Only check more_ddp_segs when rx_fpdu is present. KASAN splat: [ 101.384271] KASAN: null-ptr-deref in range [0x00000000000000c0-0x00000000000000c7] [ 101.385869] RIP: 0010:siw_tcp_rx_data+0x13ad/0x1e50
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: RDMA/umad: Reject negative data_len in ib_umad_write ib_umad_write computes data_len from user-controlled count and the MAD header sizes. With a mismatched user MAD header size and RMPP header length, data_len can become negative and reach ib_create_send_mad(). This can make the padding calculation exceed the segment size and trigger an out-of-bounds memset in alloc_send_rmpp_list(). Add an explicit check to reject negative data_len before creating the send buffer. KASAN splat: [ 211.363464] BUG: KASAN: slab-out-of-bounds in ib_create_send_mad+0xa01/0x11b0 [ 211.364077] Write of size 220 at addr ffff88800c3fa1f8 by task spray_thread/102 [ 211.365867] ib_create_send_mad+0xa01/0x11b0 [ 211.365887] ib_umad_write+0x853/0x1c80
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: net/sched: act_gate: snapshot parameters with RCU on replace The gate action can be replaced while the hrtimer callback or dump path is walking the schedule list. Convert the parameters to an RCU-protected snapshot and swap updates under tcf_lock, freeing the previous snapshot via call_rcu(). When REPLACE omits the entry list, preserve the existing schedule so the effective state is unchanged.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: net/sched: Only allow act_ct to bind to clsact/ingress qdiscs and shared blocks As Paolo said earlier [1]: "Since the blamed commit below, classify can return TC_ACT_CONSUMED while the current skb being held by the defragmentation engine. As reported by GangMin Kim, if such packet is that may cause a UaF when the defrag engine later on tries to tuch again such packet." act_ct was never meant to be used in the egress path, however some users are attaching it to egress today [2]. Attempting to reach a middle ground, we noticed that, while most qdiscs are not handling TC_ACT_CONSUMED, clsact/ingress qdiscs are. With that in mind, we address the issue by only allowing act_ct to bind to clsact/ingress qdiscs and shared blocks. That way it's still possible to attach act_ct to egress (albeit only with clsact). [1] https://lore.kernel.org/netdev/674b8cbfc385c6f37fb29a1de08d8fe5c2b0fbee.1771321118.git.pabeni@redhat.com/ [2] https://lore.kernel.org/netdev/cc6bfb4a-4a2b-42d8-b9ce-7ef6644fb22b@ovn.org/
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: perf: Fix __perf_event_overflow() vs perf_remove_from_context() race Make sure that __perf_event_overflow() runs with IRQs disabled for all possible callchains. Specifically the software events can end up running it with only preemption disabled. This opens up a race vs perf_event_exit_event() and friends that will go and free various things the overflow path expects to be present, like the BPF program.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: macvlan: observe an RCU grace period in macvlan_common_newlink() error path valis reported that a race condition still happens after my prior patch. macvlan_common_newlink() might have made @dev visible before detecting an error, and its caller will directly call free_netdev(dev). We must respect an RCU period, either in macvlan or the core networking stack. After adding a temporary mdelay(1000) in macvlan_forward_source_one() to open the race window, valis repro was: ip link add p1 type veth peer p2 ip link set address 00:00:00:00:00:20 dev p1 ip link set up dev p1 ip link set up dev p2 ip link add mv0 link p2 type macvlan mode source (ip link add invalid% link p2 type macvlan mode source macaddr add 00:00:00:00:00:20 &) ; sleep 0.5 ; ping -c1 -I p1 1.2.3.4 PING 1.2.3.4 (1.2.3.4): 56 data bytes RTNETLINK answers: Invalid argument BUG: KASAN: slab-use-after-free in macvlan_forward_source (drivers/net/macvlan.c:408 drivers/net/macvlan.c:444) Read of size 8 at addr ffff888016bb89c0 by task e/175 CPU: 1 UID: 1000 PID: 175 Comm: e Not tainted 6.19.0-rc8+ #33 NONE Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-2 04/01/2014 Call Trace: <IRQ> dump_stack_lvl (lib/dump_stack.c:123) print_report (mm/kasan/report.c:379 mm/kasan/report.c:482) ? macvlan_forward_source (drivers/net/macvlan.c:408 drivers/net/macvlan.c:444) kasan_report (mm/kasan/report.c:597) ? macvlan_forward_source (drivers/net/macvlan.c:408 drivers/net/macvlan.c:444) macvlan_forward_source (drivers/net/macvlan.c:408 drivers/net/macvlan.c:444) ? tasklet_init (kernel/softirq.c:983) macvlan_handle_frame (drivers/net/macvlan.c:501) Allocated by task 169: kasan_save_stack (mm/kasan/common.c:58) kasan_save_track (./arch/x86/include/asm/current.h:25 mm/kasan/common.c:70 mm/kasan/common.c:79) __kasan_kmalloc (mm/kasan/common.c:419) __kvmalloc_node_noprof (./include/linux/kasan.h:263 mm/slub.c:5657 mm/slub.c:7140) alloc_netdev_mqs (net/core/dev.c:12012) rtnl_create_link (net/core/rtnetlink.c:3648) rtnl_newlink (net/core/rtnetlink.c:3830 net/core/rtnetlink.c:3957 net/core/rtnetlink.c:4072) rtnetlink_rcv_msg (net/core/rtnetlink.c:6958) netlink_rcv_skb (net/netlink/af_netlink.c:2550) netlink_unicast (net/netlink/af_netlink.c:1319 net/netlink/af_netlink.c:1344) netlink_sendmsg (net/netlink/af_netlink.c:1894) __sys_sendto (net/socket.c:727 net/socket.c:742 net/socket.c:2206) __x64_sys_sendto (net/socket.c:2209) do_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall_64.c:94) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:131) Freed by task 169: kasan_save_stack (mm/kasan/common.c:58) kasan_save_track (./arch/x86/include/asm/current.h:25 mm/kasan/common.c:70 mm/kasan/common.c:79) kasan_save_free_info (mm/kasan/generic.c:587) __kasan_slab_free (mm/kasan/common.c:287) kfree (mm/slub.c:6674 mm/slub.c:6882) rtnl_newlink (net/core/rtnetlink.c:3845 net/core/rtnetlink.c:3957 net/core/rtnetlink.c:4072) rtnetlink_rcv_msg (net/core/rtnetlink.c:6958) netlink_rcv_skb (net/netlink/af_netlink.c:2550) netlink_unicast (net/netlink/af_netlink.c:1319 net/netlink/af_netlink.c:1344) netlink_sendmsg (net/netlink/af_netlink.c:1894) __sys_sendto (net/socket.c:727 net/socket.c:742 net/socket.c:2206) __x64_sys_sendto (net/socket.c:2209) do_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall_64.c:94) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:131)
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: netfilter: xt_IDLETIMER: reject rev0 reuse of ALARM timer labels IDLETIMER revision 0 rules reuse existing timers by label and always call mod_timer() on timer->timer. If the label was created first by revision 1 with XT_IDLETIMER_ALARM, the object uses alarm timer semantics and timer->timer is never initialized. Reusing that object from revision 0 causes mod_timer() on an uninitialized timer_list, triggering debugobjects warnings and possible panic when panic_on_warn=1. Fix this by rejecting revision 0 rule insertion when an existing timer with the same label is of ALARM type.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: net/sched: teql: fix NULL pointer dereference in iptunnel_xmit on TEQL slave xmit teql_master_xmit() calls netdev_start_xmit(skb, slave) to transmit through slave devices, but does not update skb->dev to the slave device beforehand. When a gretap tunnel is a TEQL slave, the transmit path reaches iptunnel_xmit() which saves dev = skb->dev (still pointing to teql0 master) and later calls iptunnel_xmit_stats(dev, pkt_len). This function does: get_cpu_ptr(dev->tstats) Since teql_master_setup() does not set dev->pcpu_stat_type to NETDEV_PCPU_STAT_TSTATS, the core network stack never allocates tstats for teql0, so dev->tstats is NULL. get_cpu_ptr(NULL) computes NULL + __per_cpu_offset[cpu], resulting in a page fault. BUG: unable to handle page fault for address: ffff8880e6659018 #PF: supervisor write access in kernel mode #PF: error_code(0x0002) - not-present page PGD 68bc067 P4D 68bc067 PUD 0 Oops: Oops: 0002 [#1] SMP KASAN PTI RIP: 0010:iptunnel_xmit (./include/net/ip_tunnels.h:664 net/ipv4/ip_tunnel_core.c:89) Call Trace: <TASK> ip_tunnel_xmit (net/ipv4/ip_tunnel.c:847) __gre_xmit (net/ipv4/ip_gre.c:478) gre_tap_xmit (net/ipv4/ip_gre.c:779) teql_master_xmit (net/sched/sch_teql.c:319) dev_hard_start_xmit (net/core/dev.c:3887) sch_direct_xmit (net/sched/sch_generic.c:347) __dev_queue_xmit (net/core/dev.c:4802) neigh_direct_output (net/core/neighbour.c:1660) ip_finish_output2 (net/ipv4/ip_output.c:237) __ip_finish_output.part.0 (net/ipv4/ip_output.c:315) ip_mc_output (net/ipv4/ip_output.c:369) ip_send_skb (net/ipv4/ip_output.c:1508) udp_send_skb (net/ipv4/udp.c:1195) udp_sendmsg (net/ipv4/udp.c:1485) inet_sendmsg (net/ipv4/af_inet.c:859) __sys_sendto (net/socket.c:2206) Fix this by setting skb->dev = slave before calling netdev_start_xmit(), so that tunnel xmit functions see the correct slave device with properly allocated tstats.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: net: ethernet: mtk_eth_soc: Reset prog ptr to old_prog in case of error in mtk_xdp_setup() Reset eBPF program pointer to old_prog and do not decrease its ref-count if mtk_open routine in mtk_xdp_setup() fails.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: irqchip/sifive-plic: Fix frozen interrupt due to affinity setting PLIC ignores interrupt completion message for disabled interrupt, explained by the specification: The PLIC signals it has completed executing an interrupt handler by writing the interrupt ID it received from the claim to the claim/complete register. The PLIC does not check whether the completion ID is the same as the last claim ID for that target. If the completion ID does not match an interrupt source that is currently enabled for the target, the completion is silently ignored. This caused problems in the past, because an interrupt can be disabled while still being handled and plic_irq_eoi() had no effect. That was fixed by checking if the interrupt is disabled, and if so enable it, before sending the completion message. That check is done with irqd_irq_disabled(). However, that is not sufficient because the enable bit for the handling hart can be zero despite irqd_irq_disabled(d) being false. This can happen when affinity setting is changed while a hart is still handling the interrupt. This problem is easily reproducible by dumping a large file to uart (which generates lots of interrupts) and at the same time keep changing the uart interrupt's affinity setting. The uart port becomes frozen almost instantaneously. Fix this by checking PLIC's enable bit instead of irqd_irq_disabled().
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: net: usb: pegasus: validate USB endpoints The pegasus driver should validate that the device it is probing has the proper number and types of USB endpoints it is expecting before it binds to it. If a malicious device were to not have the same urbs the driver will crash later on when it blindly accesses these endpoints.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: net: vxlan: fix nd_tbl NULL dereference when IPv6 is disabled When booting with the 'ipv6.disable=1' parameter, the nd_tbl is never initialized because inet6_init() exits before ndisc_init() is called which initializes it. If an IPv6 packet is injected into the interface, route_shortcircuit() is called and a NULL pointer dereference happens on neigh_lookup(). BUG: kernel NULL pointer dereference, address: 0000000000000380 Oops: Oops: 0000 [#1] SMP NOPTI [...] RIP: 0010:neigh_lookup+0x20/0x270 [...] Call Trace: <TASK> vxlan_xmit+0x638/0x1ef0 [vxlan] dev_hard_start_xmit+0x9e/0x2e0 __dev_queue_xmit+0xbee/0x14e0 packet_sendmsg+0x116f/0x1930 __sys_sendto+0x1f5/0x200 __x64_sys_sendto+0x24/0x30 do_syscall_64+0x12f/0x1590 entry_SYSCALL_64_after_hwframe+0x76/0x7e Fix this by adding an early check on route_shortcircuit() when protocol is ETH_P_IPV6. Note that ipv6_mod_enabled() cannot be used here because VXLAN can be built-in even when IPv6 is built as a module.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: net: ipv6: fix panic when IPv4 route references loopback IPv6 nexthop When a standalone IPv6 nexthop object is created with a loopback device (e.g., "ip -6 nexthop add id 100 dev lo"), fib6_nh_init() misclassifies it as a reject route. This is because nexthop objects have no destination prefix (fc_dst=::), causing fib6_is_reject() to match any loopback nexthop. The reject path skips fib_nh_common_init(), leaving nhc_pcpu_rth_output unallocated. If an IPv4 route later references this nexthop, __mkroute_output() dereferences NULL nhc_pcpu_rth_output and panics. Simplify the check in fib6_nh_init() to only match explicit reject routes (RTF_REJECT) instead of using fib6_is_reject(). The loopback promotion heuristic in fib6_is_reject() is handled separately by ip6_route_info_create_nh(). After this change, the three cases behave as follows: 1. Explicit reject route ("ip -6 route add unreachable 2001:db8::/64"): RTF_REJECT is set, enters reject path, skips fib_nh_common_init(). No behavior change. 2. Implicit loopback reject route ("ip -6 route add 2001:db8::/32 dev lo"): RTF_REJECT is not set, takes normal path, fib_nh_common_init() is called. ip6_route_info_create_nh() still promotes it to reject afterward. nhc_pcpu_rth_output is allocated but unused, which is harmless. 3. Standalone nexthop object ("ip -6 nexthop add id 100 dev lo"): RTF_REJECT is not set, takes normal path, fib_nh_common_init() is called. nhc_pcpu_rth_output is properly allocated, fixing the crash when IPv4 routes reference this nexthop.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: ipv6: fix NULL pointer deref in ip6_rt_get_dev_rcu() l3mdev_master_dev_rcu() can return NULL when the slave device is being un-slaved from a VRF. All other callers deal with this, but we lost the fallback to loopback in ip6_rt_pcpu_alloc() -> ip6_rt_get_dev_rcu() with commit 4832c30d5458 ("net: ipv6: put host and anycast routes on device with address"). KASAN: null-ptr-deref in range [0x0000000000000108-0x000000000000010f] RIP: 0010:ip6_rt_pcpu_alloc (net/ipv6/route.c:1418) Call Trace: ip6_pol_route (net/ipv6/route.c:2318) fib6_rule_lookup (net/ipv6/fib6_rules.c:115) ip6_route_output_flags (net/ipv6/route.c:2607) vrf_process_v6_outbound (drivers/net/vrf.c:437) I was tempted to rework the un-slaving code to clear the flag first and insert synchronize_rcu() before we remove the upper. But looks like the explicit fallback to loopback_dev is an established pattern. And I guess avoiding the synchronize_rcu() is nice, too.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: bpf: Fix a UAF issue in bpf_trampoline_link_cgroup_shim The root cause of this bug is that when 'bpf_link_put' reduces the refcount of 'shim_link->link.link' to zero, the resource is considered released but may still be referenced via 'tr->progs_hlist' in 'cgroup_shim_find'. The actual cleanup of 'tr->progs_hlist' in 'bpf_shim_tramp_link_release' is deferred. During this window, another process can cause a use-after-free via 'bpf_trampoline_link_cgroup_shim'. Based on Martin KaFai Lau's suggestions, I have created a simple patch. To fix this: Add an atomic non-zero check in 'bpf_trampoline_link_cgroup_shim'. Only increment the refcount if it is not already zero. Testing: I verified the fix by adding a delay in 'bpf_shim_tramp_link_release' to make the bug easier to trigger: static void bpf_shim_tramp_link_release(struct bpf_link *link) { /* ... */ if (!shim_link->trampoline) return; + msleep(100); WARN_ON_ONCE(bpf_trampoline_unlink_prog(&shim_link->link, shim_link->trampoline, NULL)); bpf_trampoline_put(shim_link->trampoline); } Before the patch, running a PoC easily reproduced the crash(almost 100%) with a call trace similar to KaiyanM's report. After the patch, the bug no longer occurs even after millions of iterations.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: mptcp: pm: in-kernel: always mark signal+subflow endp as used Syzkaller managed to find a combination of actions that was generating this warning: msk->pm.local_addr_used == 0 WARNING: net/mptcp/pm_kernel.c:1071 at __mark_subflow_endp_available net/mptcp/pm_kernel.c:1071 [inline], CPU#1: syz.2.17/961 WARNING: net/mptcp/pm_kernel.c:1071 at mptcp_nl_remove_subflow_and_signal_addr net/mptcp/pm_kernel.c:1103 [inline], CPU#1: syz.2.17/961 WARNING: net/mptcp/pm_kernel.c:1071 at mptcp_pm_nl_del_addr_doit+0x81d/0x8f0 net/mptcp/pm_kernel.c:1210, CPU#1: syz.2.17/961 Modules linked in: CPU: 1 UID: 0 PID: 961 Comm: syz.2.17 Not tainted 6.19.0-08368-gfafda3b4b06b #22 PREEMPT(full) Hardware name: QEMU Ubuntu 25.10 PC v2 (i440FX + PIIX, + 10.1 machine, 1996), BIOS 1.17.0-debian-1.17.0-1build1 04/01/2014 RIP: 0010:__mark_subflow_endp_available net/mptcp/pm_kernel.c:1071 [inline] RIP: 0010:mptcp_nl_remove_subflow_and_signal_addr net/mptcp/pm_kernel.c:1103 [inline] RIP: 0010:mptcp_pm_nl_del_addr_doit+0x81d/0x8f0 net/mptcp/pm_kernel.c:1210 Code: 89 c5 e8 46 30 6f fe e9 21 fd ff ff 49 83 ed 80 e8 38 30 6f fe 4c 89 ef be 03 00 00 00 e8 db 49 df fe eb ac e8 24 30 6f fe 90 <0f> 0b 90 e9 1d ff ff ff e8 16 30 6f fe eb 05 e8 0f 30 6f fe e8 9a RSP: 0018:ffffc90001663880 EFLAGS: 00010293 RAX: ffffffff82de1a6c RBX: 0000000000000000 RCX: ffff88800722b500 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 RBP: ffff8880158b22d0 R08: 0000000000010425 R09: ffffffffffffffff R10: ffffffff82de18ba R11: 0000000000000000 R12: ffff88800641a640 R13: ffff8880158b1880 R14: ffff88801ec3c900 R15: ffff88800641a650 FS: 00005555722c3500(0000) GS:ffff8880f909d000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f66346e0f60 CR3: 000000001607c000 CR4: 0000000000350ef0 Call Trace: <TASK> genl_family_rcv_msg_doit+0x117/0x180 net/netlink/genetlink.c:1115 genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline] genl_rcv_msg+0x3a8/0x3f0 net/netlink/genetlink.c:1210 netlink_rcv_skb+0x16d/0x240 net/netlink/af_netlink.c:2550 genl_rcv+0x28/0x40 net/netlink/genetlink.c:1219 netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline] netlink_unicast+0x3e9/0x4c0 net/netlink/af_netlink.c:1344 netlink_sendmsg+0x4aa/0x5b0 net/netlink/af_netlink.c:1894 sock_sendmsg_nosec net/socket.c:727 [inline] __sock_sendmsg+0xc9/0xf0 net/socket.c:742 ____sys_sendmsg+0x272/0x3b0 net/socket.c:2592 ___sys_sendmsg+0x2de/0x320 net/socket.c:2646 __sys_sendmsg net/socket.c:2678 [inline] __do_sys_sendmsg net/socket.c:2683 [inline] __se_sys_sendmsg net/socket.c:2681 [inline] __x64_sys_sendmsg+0x110/0x1a0 net/socket.c:2681 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0x143/0x440 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f66346f826d Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007ffc83d8bdc8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 00007f6634985fa0 RCX: 00007f66346f826d RDX: 00000000040000b0 RSI: 0000200000000740 RDI: 0000000000000007 RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 00007f6634985fa8 R13: 00007f6634985fac R14: 0000000000000000 R15: 0000000000001770 </TASK> The actions that caused that seem to be: - Set the MPTCP subflows limit to 0 - Create an MPTCP endpoint with both the 'signal' and 'subflow' flags - Create a new MPTCP connection from a different address: an ADD_ADDR linked to the MPTCP endpoint will be sent ('signal' flag), but no subflows is initiated ('subflow' flag) - Remove the MPTCP endpoint ---truncated---
CWE-911 - Improper Update of Reference Count| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: RDMA/irdma: Fix kernel stack leak in irdma_create_user_ah() struct irdma_create_ah_resp { // 8 bytes, no padding __u32 ah_id; // offset 0 - SET (uresp.ah_id = ah->sc_ah.ah_info.ah_idx) __u8 rsvd[4]; // offset 4 - NEVER SET <- LEAK }; rsvd[4]: 4 bytes of stack memory leaked unconditionally. Only ah_id is assigned before ib_respond_udata(). The reserved members of the structure were not zeroed.
CWE-908 - Use of Uninitialized Resource| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: net: sched: avoid qdisc_reset_all_tx_gt() vs dequeue race for lockless qdiscs When shrinking the number of real tx queues, netif_set_real_num_tx_queues() calls qdisc_reset_all_tx_gt() to flush qdiscs for queues which will no longer be used. qdisc_reset_all_tx_gt() currently serializes qdisc_reset() with qdisc_lock(). However, for lockless qdiscs, the dequeue path is serialized by qdisc_run_begin/end() using qdisc->seqlock instead, so qdisc_reset() can run concurrently with __qdisc_run() and free skbs while they are still being dequeued, leading to UAF. This can easily be reproduced on e.g. virtio-net by imposing heavy traffic while frequently changing the number of queue pairs: iperf3 -ub0 -c $peer -t 0 & while :; do ethtool -L eth0 combined 1 ethtool -L eth0 combined 2 done With KASAN enabled, this leads to reports like: BUG: KASAN: slab-use-after-free in __qdisc_run+0x133f/0x1760 ... Call Trace: <TASK> ... __qdisc_run+0x133f/0x1760 __dev_queue_xmit+0x248f/0x3550 ip_finish_output2+0xa42/0x2110 ip_output+0x1a7/0x410 ip_send_skb+0x2e6/0x480 udp_send_skb+0xb0a/0x1590 udp_sendmsg+0x13c9/0x1fc0 ... </TASK> Allocated by task 1270 on cpu 5 at 44.558414s: ... alloc_skb_with_frags+0x84/0x7c0 sock_alloc_send_pskb+0x69a/0x830 __ip_append_data+0x1b86/0x48c0 ip_make_skb+0x1e8/0x2b0 udp_sendmsg+0x13a6/0x1fc0 ... Freed by task 1306 on cpu 3 at 44.558445s: ... kmem_cache_free+0x117/0x5e0 pfifo_fast_reset+0x14d/0x580 qdisc_reset+0x9e/0x5f0 netif_set_real_num_tx_queues+0x303/0x840 virtnet_set_channels+0x1bf/0x260 [virtio_net] ethnl_set_channels+0x684/0xae0 ethnl_default_set_doit+0x31a/0x890 ... Serialize qdisc_reset_all_tx_gt() against the lockless dequeue path by taking qdisc->seqlock for TCQ_F_NOLOCK qdiscs, matching the serialization model already used by dev_reset_queue(). Additionally clear QDISC_STATE_NON_EMPTY after reset so the qdisc state reflects an empty queue, avoiding needless re-scheduling.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: xdp: produce a warning when calculated tailroom is negative Many ethernet drivers report xdp Rx queue frag size as being the same as DMA write size. However, the only user of this field, namely bpf_xdp_frags_increase_tail(), clearly expects a truesize. Such difference leads to unspecific memory corruption issues under certain circumstances, e.g. in ixgbevf maximum DMA write size is 3 KB, so when running xskxceiver's XDP_ADJUST_TAIL_GROW_MULTI_BUFF, 6K packet fully uses all DMA-writable space in 2 buffers. This would be fine, if only rxq->frag_size was properly set to 4K, but value of 3K results in a negative tailroom, because there is a non-zero page offset. We are supposed to return -EINVAL and be done with it in such case, but due to tailroom being stored as an unsigned int, it is reported to be somewhere near UINT_MAX, resulting in a tail being grown, even if the requested offset is too much (it is around 2K in the abovementioned test). This later leads to all kinds of unspecific calltraces. [ 7340.337579] xskxceiver[1440]: segfault at 1da718 ip 00007f4161aeac9d sp 00007f41615a6a00 error 6 [ 7340.338040] xskxceiver[1441]: segfault at 7f410000000b ip 00000000004042b5 sp 00007f415bffecf0 error 4 [ 7340.338179] in libc.so.6[61c9d,7f4161aaf000+160000] [ 7340.339230] in xskxceiver[42b5,400000+69000] [ 7340.340300] likely on CPU 6 (core 0, socket 6) [ 7340.340302] Code: ff ff 01 e9 f4 fe ff ff 0f 1f 44 00 00 4c 39 f0 74 73 31 c0 ba 01 00 00 00 f0 0f b1 17 0f 85 ba 00 00 00 49 8b 87 88 00 00 00 <4c> 89 70 08 eb cc 0f 1f 44 00 00 48 8d bd f0 fe ff ff 89 85 ec fe [ 7340.340888] likely on CPU 3 (core 0, socket 3) [ 7340.345088] Code: 00 00 00 ba 00 00 00 00 be 00 00 00 00 89 c7 e8 31 ca ff ff 89 45 ec 8b 45 ec 85 c0 78 07 b8 00 00 00 00 eb 46 e8 0b c8 ff ff <8b> 00 83 f8 69 74 24 e8 ff c7 ff ff 8b 00 83 f8 0b 74 18 e8 f3 c7 [ 7340.404334] Oops: general protection fault, probably for non-canonical address 0x6d255010bdffc: 0000 [#1] SMP NOPTI [ 7340.405972] CPU: 7 UID: 0 PID: 1439 Comm: xskxceiver Not tainted 6.19.0-rc1+ #21 PREEMPT(lazy) [ 7340.408006] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.17.0-5.fc42 04/01/2014 [ 7340.409716] RIP: 0010:lookup_swap_cgroup_id+0x44/0x80 [ 7340.410455] Code: 83 f8 1c 73 39 48 ba ff ff ff ff ff ff ff 03 48 8b 04 c5 20 55 fa bd 48 21 d1 48 89 ca 83 e1 01 48 d1 ea c1 e1 04 48 8d 04 90 <8b> 00 48 83 c4 10 d3 e8 c3 cc cc cc cc 31 c0 e9 98 b7 dd 00 48 89 [ 7340.412787] RSP: 0018:ffffcc5c04f7f6d0 EFLAGS: 00010202 [ 7340.413494] RAX: 0006d255010bdffc RBX: ffff891f477895a8 RCX: 0000000000000010 [ 7340.414431] RDX: 0001c17e3fffffff RSI: 00fa070000000000 RDI: 000382fc7fffffff [ 7340.415354] RBP: 00fa070000000000 R08: ffffcc5c04f7f8f8 R09: ffffcc5c04f7f7d0 [ 7340.416283] R10: ffff891f4c1a7000 R11: ffffcc5c04f7f9c8 R12: ffffcc5c04f7f7d0 [ 7340.417218] R13: 03ffffffffffffff R14: 00fa06fffffffe00 R15: ffff891f47789500 [ 7340.418229] FS: 0000000000000000(0000) GS:ffff891ffdfaa000(0000) knlGS:0000000000000000 [ 7340.419489] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 7340.420286] CR2: 00007f415bfffd58 CR3: 0000000103f03002 CR4: 0000000000772ef0 [ 7340.421237] PKRU: 55555554 [ 7340.421623] Call Trace: [ 7340.421987] <TASK> [ 7340.422309] ? softleaf_from_pte+0x77/0xa0 [ 7340.422855] swap_pte_batch+0xa7/0x290 [ 7340.423363] zap_nonpresent_ptes.constprop.0.isra.0+0xd1/0x270 [ 7340.424102] zap_pte_range+0x281/0x580 [ 7340.424607] zap_pmd_range.isra.0+0xc9/0x240 [ 7340.425177] unmap_page_range+0x24d/0x420 [ 7340.425714] unmap_vmas+0xa1/0x180 [ 7340.426185] exit_mmap+0xe1/0x3b0 [ 7340.426644] __mmput+0x41/0x150 [ 7340.427098] exit_mm+0xb1/0x110 [ 7340.427539] do_exit+0x1b2/0x460 [ 7340.427992] do_group_exit+0x2d/0xc0 [ 7340.428477] get_signal+0x79d/0x7e0 [ 7340.428957] arch_do_signal_or_restart+0x34/0x100 [ 7340.429571] exit_to_user_mode_loop+0x8e/0x4c0 [ 7340.430159] do_syscall_64+0x188/ ---truncated---
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_set_pipapo: split gc into unlink and reclaim phase Yiming Qian reports Use-after-free in the pipapo set type: Under a large number of expired elements, commit-time GC can run for a very long time in a non-preemptible context, triggering soft lockup warnings and RCU stall reports (local denial of service). We must split GC in an unlink and a reclaim phase. We cannot queue elements for freeing until pointers have been swapped. Expired elements are still exposed to both the packet path and userspace dumpers via the live copy of the data structure. call_rcu() does not protect us: dump operations or element lookups starting after call_rcu has fired can still observe the free'd element, unless the commit phase has made enough progress to swap the clone and live pointers before any new reader has picked up the old version. This a similar approach as done recently for the rbtree backend in commit 35f83a75529a ("netfilter: nft_set_rbtree: don't gc elements on insert").
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: bpf: Fix stack-out-of-bounds write in devmap get_upper_ifindexes() iterates over all upper devices and writes their indices into an array without checking bounds. Also the callers assume that the max number of upper devices is MAX_NEST_DEV and allocate excluded_devices[1+MAX_NEST_DEV] on the stack, but that assumption is not correct and the number of upper devices could be larger than MAX_NEST_DEV (e.g., many macvlans), causing a stack-out-of-bounds write. Add a max parameter to get_upper_ifindexes() to avoid the issue. When there are too many upper devices, return -EOVERFLOW and abort the redirect. To reproduce, create more than MAX_NEST_DEV(8) macvlans on a device with an XDP program attached using BPF_F_BROADCAST | BPF_F_EXCLUDE_INGRESS. Then send a packet to the device to trigger the XDP redirect path.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: net: usb: kalmia: validate USB endpoints The kalmia driver should validate that the device it is probing has the proper number and types of USB endpoints it is expecting before it binds to it. If a malicious device were to not have the same urbs the driver will crash later on when it blindly accesses these endpoints.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: net: phy: register phy led_triggers during probe to avoid AB-BA deadlock There is an AB-BA deadlock when both LEDS_TRIGGER_NETDEV and LED_TRIGGER_PHY are enabled: [ 1362.049207] [<8054e4b8>] led_trigger_register+0x5c/0x1fc <-- Trying to get lock "triggers_list_lock" via down_write(&triggers_list_lock); [ 1362.054536] [<80662830>] phy_led_triggers_register+0xd0/0x234 [ 1362.060329] [<8065e200>] phy_attach_direct+0x33c/0x40c [ 1362.065489] [<80651fc4>] phylink_fwnode_phy_connect+0x15c/0x23c [ 1362.071480] [<8066ee18>] mtk_open+0x7c/0xba0 [ 1362.075849] [<806d714c>] __dev_open+0x280/0x2b0 [ 1362.080384] [<806d7668>] __dev_change_flags+0x244/0x24c [ 1362.085598] [<806d7698>] dev_change_flags+0x28/0x78 [ 1362.090528] [<807150e4>] dev_ioctl+0x4c0/0x654 <-- Hold lock "rtnl_mutex" by calling rtnl_lock(); [ 1362.094985] [<80694360>] sock_ioctl+0x2f4/0x4e0 [ 1362.099567] [<802e9c4c>] sys_ioctl+0x32c/0xd8c [ 1362.104022] [<80014504>] syscall_common+0x34/0x58 Here LED_TRIGGER_PHY is registering LED triggers during phy_attach while holding RTNL and then taking triggers_list_lock. [ 1362.191101] [<806c2640>] register_netdevice_notifier+0x60/0x168 <-- Trying to get lock "rtnl_mutex" via rtnl_lock(); [ 1362.197073] [<805504ac>] netdev_trig_activate+0x194/0x1e4 [ 1362.202490] [<8054e28c>] led_trigger_set+0x1d4/0x360 <-- Hold lock "triggers_list_lock" by down_read(&triggers_list_lock); [ 1362.207511] [<8054eb38>] led_trigger_write+0xd8/0x14c [ 1362.212566] [<80381d98>] sysfs_kf_bin_write+0x80/0xbc [ 1362.217688] [<8037fcd8>] kernfs_fop_write_iter+0x17c/0x28c [ 1362.223174] [<802cbd70>] vfs_write+0x21c/0x3c4 [ 1362.227712] [<802cc0c4>] ksys_write+0x78/0x12c [ 1362.232164] [<80014504>] syscall_common+0x34/0x58 Here LEDS_TRIGGER_NETDEV is being enabled on an LED. It first takes triggers_list_lock and then RTNL. A classical AB-BA deadlock. phy_led_triggers_registers() does not require the RTNL, it does not make any calls into the network stack which require protection. There is also no requirement the PHY has been attached to a MAC, the triggers only make use of phydev state. This allows the call to phy_led_triggers_registers() to be placed elsewhere. PHY probe() and release() don't hold RTNL, so solving the AB-BA deadlock.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: platform/x86: dell-wmi-sysman: Don't hex dump plaintext password data set_new_password() hex dumps the entire buffer, which contains plaintext password data, including current and new passwords. Remove the hex dump to avoid leaking credentials.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: net/sched: act_ife: Fix metalist update behavior Whenever an ife action replace changes the metalist, instead of replacing the old data on the metalist, the current ife code is appending the new metadata. Aside from being innapropriate behavior, this may lead to an unbounded addition of metadata to the metalist which might cause an out of bounds error when running the encode op: [ 138.423369][ C1] ================================================================== [ 138.424317][ C1] BUG: KASAN: slab-out-of-bounds in ife_tlv_meta_encode (net/ife/ife.c:168) [ 138.424906][ C1] Write of size 4 at addr ffff8880077f4ffe by task ife_out_out_bou/255 [ 138.425778][ C1] CPU: 1 UID: 0 PID: 255 Comm: ife_out_out_bou Not tainted 7.0.0-rc1-00169-gfbdfa8da05b6 #624 PREEMPT(full) [ 138.425795][ C1] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011 [ 138.425800][ C1] Call Trace: [ 138.425804][ C1] <IRQ> [ 138.425808][ C1] dump_stack_lvl (lib/dump_stack.c:122) [ 138.425828][ C1] print_report (mm/kasan/report.c:379 mm/kasan/report.c:482) [ 138.425839][ C1] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) [ 138.425844][ C1] ? __virt_addr_valid (./arch/x86/include/asm/preempt.h:95 (discriminator 1) ./include/linux/rcupdate.h:975 (discriminator 1) ./include/linux/mmzone.h:2207 (discriminator 1) arch/x86/mm/physaddr.c:54 (discriminator 1)) [ 138.425853][ C1] ? ife_tlv_meta_encode (net/ife/ife.c:168) [ 138.425859][ C1] kasan_report (mm/kasan/report.c:221 mm/kasan/report.c:597) [ 138.425868][ C1] ? ife_tlv_meta_encode (net/ife/ife.c:168) [ 138.425878][ C1] kasan_check_range (mm/kasan/generic.c:186 (discriminator 1) mm/kasan/generic.c:200 (discriminator 1)) [ 138.425884][ C1] __asan_memset (mm/kasan/shadow.c:84 (discriminator 2)) [ 138.425889][ C1] ife_tlv_meta_encode (net/ife/ife.c:168) [ 138.425893][ C1] ? ife_tlv_meta_encode (net/ife/ife.c:171) [ 138.425898][ C1] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) [ 138.425903][ C1] ife_encode_meta_u16 (net/sched/act_ife.c:57) [ 138.425910][ C1] ? __pfx_do_raw_spin_lock (kernel/locking/spinlock_debug.c:114) [ 138.425916][ C1] ? __asan_memcpy (mm/kasan/shadow.c:105 (discriminator 3)) [ 138.425921][ C1] ? __pfx_ife_encode_meta_u16 (net/sched/act_ife.c:45) [ 138.425927][ C1] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) [ 138.425931][ C1] tcf_ife_act (net/sched/act_ife.c:847 net/sched/act_ife.c:879) To solve this issue, fix the replace behavior by adding the metalist to the ife rcu data structure.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: net/sched: ets: fix divide by zero in the offload path Offloading ETS requires computing each class' WRR weight: this is done by averaging over the sums of quanta as 'q_sum' and 'q_psum'. Using unsigned int, the same integer size as the individual DRR quanta, can overflow and even cause division by zero, like it happened in the following splat: Oops: divide error: 0000 [#1] SMP PTI CPU: 13 UID: 0 PID: 487 Comm: tc Tainted: G E 6.19.0-virtme #45 PREEMPT(full) Tainted: [E]=UNSIGNED_MODULE Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011 RIP: 0010:ets_offload_change+0x11f/0x290 [sch_ets] Code: e4 45 31 ff eb 03 41 89 c7 41 89 cb 89 ce 83 f9 0f 0f 87 b7 00 00 00 45 8b 08 31 c0 45 01 cc 45 85 c9 74 09 41 6b c4 64 31 d2 <41> f7 f2 89 c2 44 29 fa 45 89 df 41 83 fb 0f 0f 87 c7 00 00 00 44 RSP: 0018:ffffd0a180d77588 EFLAGS: 00010246 RAX: 00000000ffffff38 RBX: ffff8d3d482ca000 RCX: 0000000000000000 RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffd0a180d77660 RBP: ffffd0a180d77690 R08: ffff8d3d482ca2d8 R09: 00000000fffffffe R10: 0000000000000000 R11: 0000000000000000 R12: 00000000fffffffe R13: ffff8d3d472f2000 R14: 0000000000000003 R15: 0000000000000000 FS: 00007f440b6c2740(0000) GS:ffff8d3dc9803000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000000003cdd2000 CR3: 0000000007b58002 CR4: 0000000000172ef0 Call Trace: <TASK> ets_qdisc_change+0x870/0xf40 [sch_ets] qdisc_create+0x12b/0x540 tc_modify_qdisc+0x6d7/0xbd0 rtnetlink_rcv_msg+0x168/0x6b0 netlink_rcv_skb+0x5c/0x110 netlink_unicast+0x1d6/0x2b0 netlink_sendmsg+0x22e/0x470 ____sys_sendmsg+0x38a/0x3c0 ___sys_sendmsg+0x99/0xe0 __sys_sendmsg+0x8a/0xf0 do_syscall_64+0x111/0xf80 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f440b81c77e Code: 4d 89 d8 e8 d4 bc 00 00 4c 8b 5d f8 41 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 11 c9 c3 0f 1f 80 00 00 00 00 48 8b 45 10 0f 05 <c9> c3 83 e2 39 83 fa 08 75 e7 e8 13 ff ff ff 0f 1f 00 f3 0f 1e fa RSP: 002b:00007fff951e4c10 EFLAGS: 00000202 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 0000000000481820 RCX: 00007f440b81c77e RDX: 0000000000000000 RSI: 00007fff951e4cd0 RDI: 0000000000000003 RBP: 00007fff951e4c20 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000202 R12: 00007fff951f4fa8 R13: 00000000699ddede R14: 00007f440bb01000 R15: 0000000000486980 </TASK> Modules linked in: sch_ets(E) netdevsim(E) ---[ end trace 0000000000000000 ]--- RIP: 0010:ets_offload_change+0x11f/0x290 [sch_ets] Code: e4 45 31 ff eb 03 41 89 c7 41 89 cb 89 ce 83 f9 0f 0f 87 b7 00 00 00 45 8b 08 31 c0 45 01 cc 45 85 c9 74 09 41 6b c4 64 31 d2 <41> f7 f2 89 c2 44 29 fa 45 89 df 41 83 fb 0f 0f 87 c7 00 00 00 44 RSP: 0018:ffffd0a180d77588 EFLAGS: 00010246 RAX: 00000000ffffff38 RBX: ffff8d3d482ca000 RCX: 0000000000000000 RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffd0a180d77660 RBP: ffffd0a180d77690 R08: ffff8d3d482ca2d8 R09: 00000000fffffffe R10: 0000000000000000 R11: 0000000000000000 R12: 00000000fffffffe R13: ffff8d3d472f2000 R14: 0000000000000003 R15: 0000000000000000 FS: 00007f440b6c2740(0000) GS:ffff8d3dc9803000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000000003cdd2000 CR3: 0000000007b58002 CR4: 0000000000172ef0 Kernel panic - not syncing: Fatal exception Kernel Offset: 0x30000000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff) ---[ end Kernel panic - not syncing: Fatal exception ]--- Fix this using 64-bit integers for 'q_sum' and 'q_psum'.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: net: bridge: fix nd_tbl NULL dereference when IPv6 is disabled When booting with the 'ipv6.disable=1' parameter, the nd_tbl is never initialized because inet6_init() exits before ndisc_init() is called which initializes it. Then, if neigh_suppress is enabled and an ICMPv6 Neighbor Discovery packet reaches the bridge, br_do_suppress_nd() will dereference ipv6_stub->nd_tbl which is NULL, passing it to neigh_lookup(). This causes a kernel NULL pointer dereference. BUG: kernel NULL pointer dereference, address: 0000000000000268 Oops: 0000 [#1] PREEMPT SMP NOPTI [...] RIP: 0010:neigh_lookup+0x16/0xe0 [...] Call Trace: <IRQ> ? neigh_lookup+0x16/0xe0 br_do_suppress_nd+0x160/0x290 [bridge] br_handle_frame_finish+0x500/0x620 [bridge] br_handle_frame+0x353/0x440 [bridge] __netif_receive_skb_core.constprop.0+0x298/0x1110 __netif_receive_skb_one_core+0x3d/0xa0 process_backlog+0xa0/0x140 __napi_poll+0x2c/0x170 net_rx_action+0x2c4/0x3a0 handle_softirqs+0xd0/0x270 do_softirq+0x3f/0x60 Fix this by replacing IS_ENABLED(IPV6) call with ipv6_mod_enabled() in the callers. This is in essence disabling NS/NA suppression when IPv6 is disabled.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: netfilter: xt_CT: drop pending enqueued packets on template removal Templates refer to objects that can go away while packets are sitting in nfqueue refer to: - helper, this can be an issue on module removal. - timeout policy, nfnetlink_cttimeout might remove it. The use of templates with zone and event cache filter are safe, since this just copies values. Flush these enqueued packets in case the template rule gets removed.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: release flowtable after rcu grace period on error Call synchronize_rcu() after unregistering the hooks from error path, since a hook that already refers to this flowtable can be already registered, exposing this flowtable to packet path and nfnetlink_hook control plane. This error path is rare, it should only happen by reaching the maximum number hooks or by failing to set up to hardware offload, just call synchronize_rcu(). There is a check for already used device hooks by different flowtable that could result in EEXIST at this late stage. The hook parser can be updated to perform this check earlier to this error path really becomes rarely exercised. Uncovered by KASAN reported as use-after-free from nfnetlink_hook path when dumping hooks.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: nfnetlink_osf: validate individual option lengths in fingerprints nfnl_osf_add_callback() validates opt_num bounds and string NUL-termination but does not check individual option length fields. A zero-length option causes nf_osf_match_one() to enter the option matching loop even when foptsize sums to zero, which matches packets with no TCP options where ctx->optp is NULL: Oops: general protection fault KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] RIP: 0010:nf_osf_match_one (net/netfilter/nfnetlink_osf.c:98) Call Trace: nf_osf_match (net/netfilter/nfnetlink_osf.c:227) xt_osf_match_packet (net/netfilter/xt_osf.c:32) ipt_do_table (net/ipv4/netfilter/ip_tables.c:293) nf_hook_slow (net/netfilter/core.c:623) ip_local_deliver (net/ipv4/ip_input.c:262) ip_rcv (net/ipv4/ip_input.c:573) Additionally, an MSS option (kind=2) with length < 4 causes out-of-bounds reads when nf_osf_match_one() unconditionally accesses optp[2] and optp[3] for MSS value extraction. While RFC 9293 section 3.2 specifies that the MSS option is always exactly 4 bytes (Kind=2, Length=4), the check uses "< 4" rather than "!= 4" because lengths greater than 4 do not cause memory safety issues -- the buffer is guaranteed to be at least foptsize bytes by the ctx->optsize == foptsize check. Reject fingerprints where any option has zero length, or where an MSS option has length less than 4, at add time rather than trusting these values in the packet matching hot path.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: icmp: fix NULL pointer dereference in icmp_tag_validation() icmp_tag_validation() unconditionally dereferences the result of rcu_dereference(inet_protos[proto]) without checking for NULL. The inet_protos[] array is sparse -- only about 15 of 256 protocol numbers have registered handlers. When ip_no_pmtu_disc is set to 3 (hardened PMTU mode) and the kernel receives an ICMP Fragmentation Needed error with a quoted inner IP header containing an unregistered protocol number, the NULL dereference causes a kernel panic in softirq context. Oops: general protection fault, probably for non-canonical address 0xdffffc0000000002: 0000 [#1] SMP KASAN NOPTI KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017] RIP: 0010:icmp_unreach (net/ipv4/icmp.c:1085 net/ipv4/icmp.c:1143) Call Trace: <IRQ> icmp_rcv (net/ipv4/icmp.c:1527) ip_protocol_deliver_rcu (net/ipv4/ip_input.c:207) ip_local_deliver_finish (net/ipv4/ip_input.c:242) ip_local_deliver (net/ipv4/ip_input.c:262) ip_rcv (net/ipv4/ip_input.c:573) __netif_receive_skb_one_core (net/core/dev.c:6164) process_backlog (net/core/dev.c:6628) handle_softirqs (kernel/softirq.c:561) </IRQ> Add a NULL check before accessing icmp_strict_tag_validation. If the protocol has no registered handler, return false since it cannot perform strict tag validation.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: tls: Purge async_hold in tls_decrypt_async_wait() The async_hold queue pins encrypted input skbs while the AEAD engine references their scatterlist data. Once tls_decrypt_async_wait() returns, every AEAD operation has completed and the engine no longer references those skbs, so they can be freed unconditionally. A subsequent patch adds batch async decryption to tls_sw_read_sock(), introducing a new call site that must drain pending AEAD operations and release held skbs. Move __skb_queue_purge(&ctx->async_hold) into tls_decrypt_async_wait() so the purge is centralized and every caller -- recvmsg's drain path, the -EBUSY fallback in tls_do_decryption(), and the new read_sock batch path -- releases held skbs on synchronization without each site managing the purge independently. This fixes a leak when tls_strp_msg_hold() fails part-way through, after having added some cloned skbs to the async_hold queue. tls_decrypt_sg() will then call tls_decrypt_async_wait() to process all pending decrypts, and drop back to synchronous mode, but tls_sw_recvmsg() only flushes the async_hold queue when one record has been processed in "fully-async" mode, which may not be the case here. [pabeni@redhat.com: added leak comment]
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: dpaa2-switch: Fix interrupt storm after receiving bad if_id in IRQ handler Commit 31a7a0bbeb00 ("dpaa2-switch: add bounds check for if_id in IRQ handler") introduces a range check for if_id to avoid an out-of-bounds access. If an out-of-bounds if_id is detected, the interrupt status is not cleared. This may result in an interrupt storm. Clear the interrupt status after detecting an out-of-bounds if_id to avoid the problem. Found by an experimental AI code review agent at Google.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: mtd: rawnand: serialize lock/unlock against other NAND operations nand_lock() and nand_unlock() call into chip->ops.lock_area/unlock_area without holding the NAND device lock. On controllers that implement SET_FEATURES via multiple low-level PIO commands, these can race with concurrent UBI/UBIFS background erase/write operations that hold the device lock, resulting in cmd_pending conflicts on the NAND controller. Add nand_get_device()/nand_release_device() around the lock/unlock operations to serialize them against all other NAND controller access.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: net: mvpp2: guard flow control update with global_tx_fc in buffer switching mvpp2_bm_switch_buffers() unconditionally calls mvpp2_bm_pool_update_priv_fc() when switching between per-cpu and shared buffer pool modes. This function programs CM3 flow control registers via mvpp2_cm3_read()/mvpp2_cm3_write(), which dereference priv->cm3_base without any NULL check. When the CM3 SRAM resource is not present in the device tree (the third reg entry added by commit 60523583b07c ("dts: marvell: add CM3 SRAM memory to cp11x ethernet device tree")), priv->cm3_base remains NULL and priv->global_tx_fc is false. Any operation that triggers mvpp2_bm_switch_buffers(), for example an MTU change that crosses the jumbo frame threshold, will crash: Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000 Mem abort info: ESR = 0x0000000096000006 EC = 0x25: DABT (current EL), IL = 32 bits pc : readl+0x0/0x18 lr : mvpp2_cm3_read.isra.0+0x14/0x20 Call trace: readl+0x0/0x18 mvpp2_bm_pool_update_fc+0x40/0x12c mvpp2_bm_pool_update_priv_fc+0x94/0xd8 mvpp2_bm_switch_buffers.isra.0+0x80/0x1c0 mvpp2_change_mtu+0x140/0x380 __dev_set_mtu+0x1c/0x38 dev_set_mtu_ext+0x78/0x118 dev_set_mtu+0x48/0xa8 dev_ifsioc+0x21c/0x43c dev_ioctl+0x2d8/0x42c sock_ioctl+0x314/0x378 Every other flow control call site in the driver already guards hardware access with either priv->global_tx_fc or port->tx_fc. mvpp2_bm_switch_buffers() is the only place that omits this check. Add the missing priv->global_tx_fc guard to both the disable and re-enable calls in mvpp2_bm_switch_buffers(), consistent with the rest of the driver.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: udp_tunnel: fix NULL deref caused by udp_sock_create6 when CONFIG_IPV6=n When CONFIG_IPV6 is disabled, the udp_sock_create6() function returns 0 (success) without actually creating a socket. Callers such as fou_create() then proceed to dereference the uninitialized socket pointer, resulting in a NULL pointer dereference. The captured NULL deref crash: BUG: kernel NULL pointer dereference, address: 0000000000000018 RIP: 0010:fou_nl_add_doit (net/ipv4/fou_core.c:590 net/ipv4/fou_core.c:764) [...] Call Trace: <TASK> genl_family_rcv_msg_doit.constprop.0 (net/netlink/genetlink.c:1114) genl_rcv_msg (net/netlink/genetlink.c:1194 net/netlink/genetlink.c:1209) [...] netlink_rcv_skb (net/netlink/af_netlink.c:2550) genl_rcv (net/netlink/genetlink.c:1219) netlink_unicast (net/netlink/af_netlink.c:1319 net/netlink/af_netlink.c:1344) netlink_sendmsg (net/netlink/af_netlink.c:1894) __sock_sendmsg (net/socket.c:727 (discriminator 1) net/socket.c:742 (discriminator 1)) __sys_sendto (./include/linux/file.h:62 (discriminator 1) ./include/linux/file.h:83 (discriminator 1) net/socket.c:2183 (discriminator 1)) __x64_sys_sendto (net/socket.c:2213 (discriminator 1) net/socket.c:2209 (discriminator 1) net/socket.c:2209 (discriminator 1)) do_syscall_64 (arch/x86/entry/syscall_64.c:63 (discriminator 1) arch/x86/entry/syscall_64.c:94 (discriminator 1)) entry_SYSCALL_64_after_hwframe (net/arch/x86/entry/entry_64.S:130) This patch makes udp_sock_create6 return -EPFNOSUPPORT instead, so callers correctly take their error paths. There is only one caller of the vulnerable function and only privileged users can trigger it.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: net: usb: aqc111: Do not perform PM inside suspend callback syzbot reports "task hung in rpm_resume" This is caused by aqc111_suspend calling the PM variant of its write_cmd routine. The simplified call trace looks like this: rpm_suspend() usb_suspend_both() - here udev->dev.power.runtime_status == RPM_SUSPENDING aqc111_suspend() - called for the usb device interface aqc111_write32_cmd() usb_autopm_get_interface() pm_runtime_resume_and_get() rpm_resume() - here we call rpm_resume() on our parent rpm_resume() - Here we wait for a status change that will never happen. At this point we block another task which holds rtnl_lock and locks up the whole networking stack. Fix this by replacing the write_cmd calls with their _nopm variants
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: net/sched: teql: Fix double-free in teql_master_xmit Whenever a TEQL devices has a lockless Qdisc as root, qdisc_reset should be called using the seq_lock to avoid racing with the datapath. Failure to do so may cause crashes like the following: [ 238.028993][ T318] BUG: KASAN: double-free in skb_release_data (net/core/skbuff.c:1139) [ 238.029328][ T318] Free of addr ffff88810c67ec00 by task poc_teql_uaf_ke/318 [ 238.029749][ T318] [ 238.029900][ T318] CPU: 3 UID: 0 PID: 318 Comm: poc_teql_ke Not tainted 7.0.0-rc3-00149-ge5b31d988a41 #704 PREEMPT(full) [ 238.029906][ T318] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011 [ 238.029910][ T318] Call Trace: [ 238.029913][ T318] <TASK> [ 238.029916][ T318] dump_stack_lvl (lib/dump_stack.c:122) [ 238.029928][ T318] print_report (mm/kasan/report.c:379 mm/kasan/report.c:482) [ 238.029940][ T318] ? skb_release_data (net/core/skbuff.c:1139) [ 238.029944][ T318] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) ... [ 238.029957][ T318] ? skb_release_data (net/core/skbuff.c:1139) [ 238.029969][ T318] kasan_report_invalid_free (mm/kasan/report.c:221 mm/kasan/report.c:563) [ 238.029979][ T318] ? skb_release_data (net/core/skbuff.c:1139) [ 238.029989][ T318] check_slab_allocation (mm/kasan/common.c:231) [ 238.029995][ T318] kmem_cache_free (mm/slub.c:2637 (discriminator 1) mm/slub.c:6168 (discriminator 1) mm/slub.c:6298 (discriminator 1)) [ 238.030004][ T318] skb_release_data (net/core/skbuff.c:1139) ... [ 238.030025][ T318] sk_skb_reason_drop (net/core/skbuff.c:1256) [ 238.030032][ T318] pfifo_fast_reset (./include/linux/ptr_ring.h:171 ./include/linux/ptr_ring.h:309 ./include/linux/skb_array.h:98 net/sched/sch_generic.c:827) [ 238.030039][ T318] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) ... [ 238.030054][ T318] qdisc_reset (net/sched/sch_generic.c:1034) [ 238.030062][ T318] teql_destroy (./include/linux/spinlock.h:395 net/sched/sch_teql.c:157) [ 238.030071][ T318] __qdisc_destroy (./include/net/pkt_sched.h:328 net/sched/sch_generic.c:1077) [ 238.030077][ T318] qdisc_graft (net/sched/sch_api.c:1062 net/sched/sch_api.c:1053 net/sched/sch_api.c:1159) [ 238.030089][ T318] ? __pfx_qdisc_graft (net/sched/sch_api.c:1091) [ 238.030095][ T318] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) [ 238.030102][ T318] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) [ 238.030106][ T318] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221) [ 238.030114][ T318] tc_get_qdisc (net/sched/sch_api.c:1529 net/sched/sch_api.c:1556) ... [ 238.072958][ T318] Allocated by task 303 on cpu 5 at 238.026275s: [ 238.073392][ T318] kasan_save_stack (mm/kasan/common.c:58) [ 238.073884][ T318] kasan_save_track (mm/kasan/common.c:64 (discriminator 5) mm/kasan/common.c:79 (discriminator 5)) [ 238.074230][ T318] __kasan_slab_alloc (mm/kasan/common.c:369) [ 238.074578][ T318] kmem_cache_alloc_node_noprof (./include/linux/kasan.h:253 mm/slub.c:4542 mm/slub.c:4869 mm/slub.c:4921) [ 238.076091][ T318] kmalloc_reserve (net/core/skbuff.c:616 (discriminator 107)) [ 238.076450][ T318] __alloc_skb (net/core/skbuff.c:713) [ 238.076834][ T318] alloc_skb_with_frags (./include/linux/skbuff.h:1383 net/core/skbuff.c:6763) [ 238.077178][ T318] sock_alloc_send_pskb (net/core/sock.c:2997) [ 238.077520][ T318] packet_sendmsg (net/packet/af_packet.c:2926 net/packet/af_packet.c:3019 net/packet/af_packet.c:3108) [ 238.081469][ T318] [ 238.081870][ T318] Freed by task 299 on cpu 1 at 238.028496s: [ 238.082761][ T318] kasan_save_stack (mm/kasan/common.c:58) [ 238.083481][ T318] kasan_save_track (mm/kasan/common.c:64 (discriminator 5) mm/kasan/common.c:79 (discriminator 5)) [ 238.085348][ T318] kasan_save_free_info (mm/kasan/generic.c:587 (discriminator 1)) [ 238.085900][ T318] __kasan_slab_free (mm/ ---truncated---
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: net/smc: fix NULL dereference and UAF in smc_tcp_syn_recv_sock() Syzkaller reported a panic in smc_tcp_syn_recv_sock() [1]. smc_tcp_syn_recv_sock() is called in the TCP receive path (softirq) via icsk_af_ops->syn_recv_sock on the clcsock (TCP listening socket). It reads sk_user_data to get the smc_sock pointer. However, when the SMC listen socket is being closed concurrently, smc_close_active() sets clcsock->sk_user_data to NULL under sk_callback_lock, and then the smc_sock itself can be freed via sock_put() in smc_release(). This leads to two issues: 1) NULL pointer dereference: sk_user_data is NULL when accessed. 2) Use-after-free: sk_user_data is read as non-NULL, but the smc_sock is freed before its fields (e.g., queued_smc_hs, ori_af_ops) are accessed. The race window looks like this (the syzkaller crash [1] triggers via the SYN cookie path: tcp_get_cookie_sock() -> smc_tcp_syn_recv_sock(), but the normal tcp_check_req() path has the same race): CPU A (softirq) CPU B (process ctx) tcp_v4_rcv() TCP_NEW_SYN_RECV: sk = req->rsk_listener sock_hold(sk) /* No lock on listener */ smc_close_active(): write_lock_bh(cb_lock) sk_user_data = NULL write_unlock_bh(cb_lock) ... smc_clcsock_release() sock_put(smc->sk) x2 -> smc_sock freed! tcp_check_req() smc_tcp_syn_recv_sock(): smc = user_data(sk) -> NULL or dangling smc->queued_smc_hs -> crash! Note that the clcsock and smc_sock are two independent objects with separate refcounts. TCP stack holds a reference on the clcsock, which keeps it alive, but this does NOT prevent the smc_sock from being freed. Fix this by using RCU and refcount_inc_not_zero() to safely access smc_sock. Since smc_tcp_syn_recv_sock() is called in the TCP three-way handshake path, taking read_lock_bh on sk_callback_lock is too heavy and would not survive a SYN flood attack. Using rcu_read_lock() is much more lightweight. - Set SOCK_RCU_FREE on the SMC listen socket so that smc_sock freeing is deferred until after the RCU grace period. This guarantees the memory is still valid when accessed inside rcu_read_lock(). - Use rcu_read_lock() to protect reading sk_user_data. - Use refcount_inc_not_zero(&smc->sk.sk_refcnt) to pin the smc_sock. If the refcount has already reached zero (close path completed), it returns false and we bail out safely. Note: smc_hs_congested() has a similar lockless read of sk_user_data without rcu_read_lock(), but it only checks for NULL and accesses the global smc_hs_wq, never dereferencing any smc_sock field, so it is not affected. Reproducer was verified with mdelay injection and smc_run, the issue no longer occurs with this patch applied. [1] https://syzkaller.appspot.com/bug?extid=827ae2bfb3a3529333e9
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: PM: runtime: Fix a race condition related to device removal The following code in pm_runtime_work() may dereference the dev->parent pointer after the parent device has been freed: /* Maybe the parent is now able to suspend. */ if (parent && !parent->power.ignore_children) { spin_unlock(&dev->power.lock); spin_lock(&parent->power.lock); rpm_idle(parent, RPM_ASYNC); spin_unlock(&parent->power.lock); spin_lock(&dev->power.lock); } Fix this by inserting a flush_work() call in pm_runtime_remove(). Without this patch blktest block/001 triggers the following complaint sporadically: BUG: KASAN: slab-use-after-free in lock_acquire+0x70/0x160 Read of size 1 at addr ffff88812bef7198 by task kworker/u553:1/3081 Workqueue: pm pm_runtime_work Call Trace: <TASK> dump_stack_lvl+0x61/0x80 print_address_description.constprop.0+0x8b/0x310 print_report+0xfd/0x1d7 kasan_report+0xd8/0x1d0 __kasan_check_byte+0x42/0x60 lock_acquire.part.0+0x38/0x230 lock_acquire+0x70/0x160 _raw_spin_lock+0x36/0x50 rpm_suspend+0xc6a/0xfe0 rpm_idle+0x578/0x770 pm_runtime_work+0xee/0x120 process_one_work+0xde3/0x1410 worker_thread+0x5eb/0xfe0 kthread+0x37b/0x480 ret_from_fork+0x6cb/0x920 ret_from_fork_asm+0x11/0x20 </TASK> Allocated by task 4314: kasan_save_stack+0x2a/0x50 kasan_save_track+0x18/0x40 kasan_save_alloc_info+0x3d/0x50 __kasan_kmalloc+0xa0/0xb0 __kmalloc_noprof+0x311/0x990 scsi_alloc_target+0x122/0xb60 [scsi_mod] __scsi_scan_target+0x101/0x460 [scsi_mod] scsi_scan_channel+0x179/0x1c0 [scsi_mod] scsi_scan_host_selected+0x259/0x2d0 [scsi_mod] store_scan+0x2d2/0x390 [scsi_mod] dev_attr_store+0x43/0x80 sysfs_kf_write+0xde/0x140 kernfs_fop_write_iter+0x3ef/0x670 vfs_write+0x506/0x1470 ksys_write+0xfd/0x230 __x64_sys_write+0x76/0xc0 x64_sys_call+0x213/0x1810 do_syscall_64+0xee/0xfc0 entry_SYSCALL_64_after_hwframe+0x4b/0x53 Freed by task 4314: kasan_save_stack+0x2a/0x50 kasan_save_track+0x18/0x40 kasan_save_free_info+0x3f/0x50 __kasan_slab_free+0x67/0x80 kfree+0x225/0x6c0 scsi_target_dev_release+0x3d/0x60 [scsi_mod] device_release+0xa3/0x220 kobject_cleanup+0x105/0x3a0 kobject_put+0x72/0xd0 put_device+0x17/0x20 scsi_device_dev_release+0xacf/0x12c0 [scsi_mod] device_release+0xa3/0x220 kobject_cleanup+0x105/0x3a0 kobject_put+0x72/0xd0 put_device+0x17/0x20 scsi_device_put+0x7f/0xc0 [scsi_mod] sdev_store_delete+0xa5/0x120 [scsi_mod] dev_attr_store+0x43/0x80 sysfs_kf_write+0xde/0x140 kernfs_fop_write_iter+0x3ef/0x670 vfs_write+0x506/0x1470 ksys_write+0xfd/0x230 __x64_sys_write+0x76/0xc0 x64_sys_call+0x213/0x1810
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: net: mana: fix use-after-free in mana_hwc_destroy_channel() by reordering teardown A potential race condition exists in mana_hwc_destroy_channel() where hwc->caller_ctx is freed before the HWC's Completion Queue (CQ) and Event Queue (EQ) are destroyed. This allows an in-flight CQ interrupt handler to dereference freed memory, leading to a use-after-free or NULL pointer dereference in mana_hwc_handle_resp(). mana_smc_teardown_hwc() signals the hardware to stop but does not synchronize against IRQ handlers already executing on other CPUs. The IRQ synchronization only happens in mana_hwc_destroy_cq() via mana_gd_destroy_eq() -> mana_gd_deregister_irq(). Since this runs after kfree(hwc->caller_ctx), a concurrent mana_hwc_rx_event_handler() can dereference freed caller_ctx (and rxq->msg_buf) in mana_hwc_handle_resp(). Fix this by reordering teardown to reverse-of-creation order: destroy the TX/RX work queues and CQ/EQ before freeing hwc->caller_ctx. This ensures all in-flight interrupt handlers complete before the memory they access is freed.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_conntrack_h323: check for zero length in DecodeQ931() In DecodeQ931(), the UserUserIE code path reads a 16-bit length from the packet, then decrements it by 1 to skip the protocol discriminator byte before passing it to DecodeH323_UserInformation(). If the encoded length is 0, the decrement wraps to -1, which is then passed as a large value to the decoder, leading to an out-of-bounds read. Add a check to ensure len is positive after the decrement.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_conntrack_h323: fix OOB read in decode_int() CONS case In decode_int(), the CONS case calls get_bits(bs, 2) to read a length value, then calls get_uint(bs, len) without checking that len bytes remain in the buffer. The existing boundary check only validates the 2 bits for get_bits(), not the subsequent 1-4 bytes that get_uint() reads. This allows a malformed H.323/RAS packet to cause a 1-4 byte slab-out-of-bounds read. Add a boundary check for len bytes after get_bits() and before get_uint().
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_conntrack_sip: fix Content-Length u32 truncation in sip_help_tcp() sip_help_tcp() parses the SIP Content-Length header with simple_strtoul(), which returns unsigned long, but stores the result in unsigned int clen. On 64-bit systems, values exceeding UINT_MAX are silently truncated before computing the SIP message boundary. For example, Content-Length 4294967328 (2^32 + 32) is truncated to 32, causing the parser to miscalculate where the current message ends. The loop then treats trailing data in the TCP segment as a second SIP message and processes it through the SDP parser. Fix this by changing clen to unsigned long to match the return type of simple_strtoul(), and reject Content-Length values that exceed the remaining TCP payload length.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: netfilter: ctnetlink: fix use-after-free in ctnetlink_dump_exp_ct() ctnetlink_dump_exp_ct() stores a conntrack pointer in cb->data for the netlink dump callback ctnetlink_exp_ct_dump_table(), but drops the conntrack reference immediately after netlink_dump_start(). When the dump spans multiple rounds, the second recvmsg() triggers the dump callback which dereferences the now-freed conntrack via nfct_help(ct), leading to a use-after-free on ct->ext. The bug is that the netlink_dump_control has no .start or .done callbacks to manage the conntrack reference across dump rounds. Other dump functions in the same file (e.g. ctnetlink_get_conntrack) properly use .start/.done callbacks for this purpose. Fix this by adding .start and .done callbacks that hold and release the conntrack reference for the duration of the dump, and move the nfct_help() call after the cb->args[0] early-return check in the dump callback to avoid dereferencing ct->ext unnecessarily. BUG: KASAN: slab-use-after-free in ctnetlink_exp_ct_dump_table+0x4f/0x2e0 Read of size 8 at addr ffff88810597ebf0 by task ctnetlink_poc/133 CPU: 1 UID: 0 PID: 133 Comm: ctnetlink_poc Not tainted 7.0.0-rc2+ #3 PREEMPTLAZY Call Trace: <TASK> ctnetlink_exp_ct_dump_table+0x4f/0x2e0 netlink_dump+0x333/0x880 netlink_recvmsg+0x3e2/0x4b0 ? aa_sk_perm+0x184/0x450 sock_recvmsg+0xde/0xf0 Allocated by task 133: kmem_cache_alloc_noprof+0x134/0x440 __nf_conntrack_alloc+0xa8/0x2b0 ctnetlink_create_conntrack+0xa1/0x900 ctnetlink_new_conntrack+0x3cf/0x7d0 nfnetlink_rcv_msg+0x48e/0x510 netlink_rcv_skb+0xc9/0x1f0 nfnetlink_rcv+0xdb/0x220 netlink_unicast+0x3ec/0x590 netlink_sendmsg+0x397/0x690 __sys_sendmsg+0xf4/0x180 Freed by task 0: slab_free_after_rcu_debug+0xad/0x1e0 rcu_core+0x5c3/0x9c0
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: soc: fsl: qbman: fix race condition in qman_destroy_fq When QMAN_FQ_FLAG_DYNAMIC_FQID is set, there's a race condition between fq_table[fq->idx] state and freeing/allocating from the pool and WARN_ON(fq_table[fq->idx]) in qman_create_fq() gets triggered. Indeed, we can have: Thread A Thread B qman_destroy_fq() qman_create_fq() qman_release_fqid() qman_shutdown_fq() gen_pool_free() -- At this point, the fqid is available again -- qman_alloc_fqid() -- so, we can get the just-freed fqid in thread B -- fq->fqid = fqid; fq->idx = fqid * 2; WARN_ON(fq_table[fq->idx]); fq_table[fq->idx] = fq; fq_table[fq->idx] = NULL; And adding some logs between qman_release_fqid() and fq_table[fq->idx] = NULL makes the WARN_ON() trigger a lot more. To prevent that, ensure that fq_table[fq->idx] is set to NULL before gen_pool_free() is called by using smp_wmb().
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: mtd: Avoid boot crash in RedBoot partition table parser Given CONFIG_FORTIFY_SOURCE=y and a recent compiler, commit 439a1bcac648 ("fortify: Use __builtin_dynamic_object_size() when available") produces the warning below and an oops. Searching for RedBoot partition table in 50000000.flash at offset 0x7e0000 ------------[ cut here ]------------ WARNING: lib/string_helpers.c:1035 at 0xc029e04c, CPU#0: swapper/0/1 memcmp: detected buffer overflow: 15 byte read of buffer size 14 Modules linked in: CPU: 0 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.19.0 #1 NONE As Kees said, "'names' is pointing to the final 'namelen' many bytes of the allocation ... 'namelen' could be basically any length at all. This fortify warning looks legit to me -- this code used to be reading beyond the end of the allocation." Since the size of the dynamic allocation is calculated with strlen() we can use strcmp() instead of memcmp() and remain within bounds.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: spi: fix statistics allocation The controller per-cpu statistics is not allocated until after the controller has been registered with driver core, which leaves a window where accessing the sysfs attributes can trigger a NULL-pointer dereference. Fix this by moving the statistics allocation to controller allocation while tying its lifetime to that of the controller (rather than using implicit devres).
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
nghttp2 is an implementation of the Hypertext Transfer Protocol version 2 in C. Prior to version 1.68.1, the nghttp2 library stops reading the incoming data when user facing public API `nghttp2_session_terminate_session` or `nghttp2_session_terminate_session2` is called by the application. They might be called internally by the library when it detects the situation that is subject to connection error. Due to the missing internal state validation, the library keeps reading the rest of the data after one of those APIs is called. Then receiving a malformed frame that causes FRAME_SIZE_ERROR causes assertion failure. nghttp2 v1.68.1 adds missing state validation to avoid assertion failure. No known workarounds are available.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: spi: fix use-after-free on controller registration failure Make sure to deregister from driver core also in the unlikely event that per-cpu statistics allocation fails during controller registration to avoid use-after-free (of driver resources) and unclocked register accesses.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: crypto: atmel-sha204a - Fix OOM ->tfm_count leak If memory allocation fails, decrement ->tfm_count to avoid blocking future reads.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: net: macb: fix use-after-free access to PTP clock PTP clock is registered on every opening of the interface and destroyed on every closing. However it may be accessed via get_ts_info ethtool call which is possible while the interface is just present in the kernel. BUG: KASAN: use-after-free in ptp_clock_index+0x47/0x50 drivers/ptp/ptp_clock.c:426 Read of size 4 at addr ffff8880194345cc by task syz.0.6/948 CPU: 1 PID: 948 Comm: syz.0.6 Not tainted 6.1.164+ #109 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.1-0-g3208b098f51a-prebuilt.qemu.org 04/01/2014 Call Trace: <TASK> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x8d/0xba lib/dump_stack.c:106 print_address_description mm/kasan/report.c:316 [inline] print_report+0x17f/0x496 mm/kasan/report.c:420 kasan_report+0xd9/0x180 mm/kasan/report.c:524 ptp_clock_index+0x47/0x50 drivers/ptp/ptp_clock.c:426 gem_get_ts_info+0x138/0x1e0 drivers/net/ethernet/cadence/macb_main.c:3349 macb_get_ts_info+0x68/0xb0 drivers/net/ethernet/cadence/macb_main.c:3371 __ethtool_get_ts_info+0x17c/0x260 net/ethtool/common.c:558 ethtool_get_ts_info net/ethtool/ioctl.c:2367 [inline] __dev_ethtool net/ethtool/ioctl.c:3017 [inline] dev_ethtool+0x2b05/0x6290 net/ethtool/ioctl.c:3095 dev_ioctl+0x637/0x1070 net/core/dev_ioctl.c:510 sock_do_ioctl+0x20d/0x2c0 net/socket.c:1215 sock_ioctl+0x577/0x6d0 net/socket.c:1320 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:870 [inline] __se_sys_ioctl fs/ioctl.c:856 [inline] __x64_sys_ioctl+0x18c/0x210 fs/ioctl.c:856 do_syscall_x64 arch/x86/entry/common.c:46 [inline] do_syscall_64+0x35/0x80 arch/x86/entry/common.c:76 entry_SYSCALL_64_after_hwframe+0x6e/0xd8 </TASK> Allocated by task 457: kmalloc include/linux/slab.h:563 [inline] kzalloc include/linux/slab.h:699 [inline] ptp_clock_register+0x144/0x10e0 drivers/ptp/ptp_clock.c:235 gem_ptp_init+0x46f/0x930 drivers/net/ethernet/cadence/macb_ptp.c:375 macb_open+0x901/0xd10 drivers/net/ethernet/cadence/macb_main.c:2920 __dev_open+0x2ce/0x500 net/core/dev.c:1501 __dev_change_flags+0x56a/0x740 net/core/dev.c:8651 dev_change_flags+0x92/0x170 net/core/dev.c:8722 do_setlink+0xaf8/0x3a80 net/core/rtnetlink.c:2833 __rtnl_newlink+0xbf4/0x1940 net/core/rtnetlink.c:3608 rtnl_newlink+0x63/0xa0 net/core/rtnetlink.c:3655 rtnetlink_rcv_msg+0x3c6/0xed0 net/core/rtnetlink.c:6150 netlink_rcv_skb+0x15d/0x430 net/netlink/af_netlink.c:2511 netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline] netlink_unicast+0x6d7/0xa30 net/netlink/af_netlink.c:1344 netlink_sendmsg+0x97e/0xeb0 net/netlink/af_netlink.c:1872 sock_sendmsg_nosec net/socket.c:718 [inline] __sock_sendmsg+0x14b/0x180 net/socket.c:730 __sys_sendto+0x320/0x3b0 net/socket.c:2152 __do_sys_sendto net/socket.c:2164 [inline] __se_sys_sendto net/socket.c:2160 [inline] __x64_sys_sendto+0xdc/0x1b0 net/socket.c:2160 do_syscall_x64 arch/x86/entry/common.c:46 [inline] do_syscall_64+0x35/0x80 arch/x86/entry/common.c:76 entry_SYSCALL_64_after_hwframe+0x6e/0xd8 Freed by task 938: kasan_slab_free include/linux/kasan.h:177 [inline] slab_free_hook mm/slub.c:1729 [inline] slab_free_freelist_hook mm/slub.c:1755 [inline] slab_free mm/slub.c:3687 [inline] __kmem_cache_free+0xbc/0x320 mm/slub.c:3700 device_release+0xa0/0x240 drivers/base/core.c:2507 kobject_cleanup lib/kobject.c:681 [inline] kobject_release lib/kobject.c:712 [inline] kref_put include/linux/kref.h:65 [inline] kobject_put+0x1cd/0x350 lib/kobject.c:729 put_device+0x1b/0x30 drivers/base/core.c:3805 ptp_clock_unregister+0x171/0x270 drivers/ptp/ptp_clock.c:391 gem_ptp_remove+0x4e/0x1f0 drivers/net/ethernet/cadence/macb_ptp.c:404 macb_close+0x1c8/0x270 drivers/net/ethernet/cadence/macb_main.c:2966 __dev_close_many+0x1b9/0x310 net/core/dev.c:1585 __dev_close net/core/dev.c:1597 [inline] __dev_change_flags+0x2bb/0x740 net/core/dev.c:8649 dev_change_fl ---truncated---
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: nfsd: fix heap overflow in NFSv4.0 LOCK replay cache The NFSv4.0 replay cache uses a fixed 112-byte inline buffer (rp_ibuf[NFSD4_REPLAY_ISIZE]) to store encoded operation responses. This size was calculated based on OPEN responses and does not account for LOCK denied responses, which include the conflicting lock owner as a variable-length field up to 1024 bytes (NFS4_OPAQUE_LIMIT). When a LOCK operation is denied due to a conflict with an existing lock that has a large owner, nfsd4_encode_operation() copies the full encoded response into the undersized replay buffer via read_bytes_from_xdr_buf() with no bounds check. This results in a slab-out-of-bounds write of up to 944 bytes past the end of the buffer, corrupting adjacent heap memory. This can be triggered remotely by an unauthenticated attacker with two cooperating NFSv4.0 clients: one sets a lock with a large owner string, then the other requests a conflicting lock to provoke the denial. We could fix this by increasing NFSD4_REPLAY_ISIZE to allow for a full opaque, but that would increase the size of every stateowner, when most lockowners are not that large. Instead, fix this by checking the encoded response length against NFSD4_REPLAY_ISIZE before copying into the replay buffer. If the response is too large, set rp_buflen to 0 to skip caching the replay payload. The status is still cached, and the client already received the correct response on the original request.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: NFSD: Hold net reference for the lifetime of /proc/fs/nfs/exports fd The /proc/fs/nfs/exports proc entry is created at module init and persists for the module's lifetime. exports_proc_open() captures the caller's current network namespace and stores its svc_export_cache in seq->private, but takes no reference on the namespace. If the namespace is subsequently torn down (e.g. container destruction after the opener does setns() to a different namespace), nfsd_net_exit() calls nfsd_export_shutdown() which frees the cache. Subsequent reads on the still-open fd dereference the freed cache_detail, walking a freed hash table. Hold a reference on the struct net for the lifetime of the open file descriptor. This prevents nfsd_net_exit() from running -- and thus prevents nfsd_export_shutdown() from freeing the cache -- while any exports fd is open. cache_detail already stores its net pointer (cd->net, set by cache_create_net()), so exports_release() can retrieve it without additional per-file storage.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: net: atm: fix crash due to unvalidated vcc pointer in sigd_send() Reproducer available at [1]. The ATM send path (sendmsg -> vcc_sendmsg -> sigd_send) reads the vcc pointer from msg->vcc and uses it directly without any validation. This pointer comes from userspace via sendmsg() and can be arbitrarily forged: int fd = socket(AF_ATMSVC, SOCK_DGRAM, 0); ioctl(fd, ATMSIGD_CTRL); // become ATM signaling daemon struct msghdr msg = { .msg_iov = &iov, ... }; *(unsigned long *)(buf + 4) = 0xdeadbeef; // fake vcc pointer sendmsg(fd, &msg, 0); // kernel dereferences 0xdeadbeef In normal operation, the kernel sends the vcc pointer to the signaling daemon via sigd_enq() when processing operations like connect(), bind(), or listen(). The daemon is expected to return the same pointer when responding. However, a malicious daemon can send arbitrary pointer values. Fix this by introducing find_get_vcc() which validates the pointer by searching through vcc_hash (similar to how sigd_close() iterates over all VCCs), and acquires a reference via sock_hold() if found. Since struct atm_vcc embeds struct sock as its first member, they share the same lifetime. Therefore using sock_hold/sock_put is sufficient to keep the vcc alive while it is being used. Note that there may be a race with sigd_close() which could mark the vcc with various flags (e.g., ATM_VF_RELEASED) after find_get_vcc() returns. However, sock_hold() guarantees the memory remains valid, so this race only affects the logical state, not memory safety. [1]: https://gist.github.com/mrpre/1ba5949c45529c511152e2f4c755b0f3
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_conntrack_expect: use expect->helper Use expect->helper in ctnetlink and /proc to dump the helper name. Using nfct_help() without holding a reference to the master conntrack is unsafe. Use exp->master->helper in ctnetlink path if userspace does not provide an explicit helper when creating an expectation to retain the existing behaviour. The ctnetlink expectation path holds the reference on the master conntrack and nf_conntrack_expect lock and the nfnetlink glue path refers to the master ct that is attached to the skb.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: ipv6: avoid overflows in ip6_datagram_send_ctl() Yiming Qian reported : <quote> I believe I found a locally triggerable kernel bug in the IPv6 sendmsg ancillary-data path that can panic the kernel via `skb_under_panic()` (local DoS). The core issue is a mismatch between: - a 16-bit length accumulator (`struct ipv6_txoptions::opt_flen`, type `__u16`) and - a pointer to the *last* provided destination-options header (`opt->dst1opt`) when multiple `IPV6_DSTOPTS` control messages (cmsgs) are provided. - `include/net/ipv6.h`: - `struct ipv6_txoptions::opt_flen` is `__u16` (wrap possible). (lines 291-307, especially 298) - `net/ipv6/datagram.c:ip6_datagram_send_ctl()`: - Accepts repeated `IPV6_DSTOPTS` and accumulates into `opt_flen` without rejecting duplicates. (lines 909-933) - `net/ipv6/ip6_output.c:__ip6_append_data()`: - Uses `opt->opt_flen + opt->opt_nflen` to compute header sizes/headroom decisions. (lines 1448-1466, especially 1463-1465) - `net/ipv6/ip6_output.c:__ip6_make_skb()`: - Calls `ipv6_push_frag_opts()` if `opt->opt_flen` is non-zero. (lines 1930-1934) - `net/ipv6/exthdrs.c:ipv6_push_frag_opts()` / `ipv6_push_exthdr()`: - Push size comes from `ipv6_optlen(opt->dst1opt)` (based on the pointed-to header). (lines 1179-1185 and 1206-1211) 1. `opt_flen` is a 16-bit accumulator: - `include/net/ipv6.h:298` defines `__u16 opt_flen; /* after fragment hdr */`. 2. `ip6_datagram_send_ctl()` accepts *repeated* `IPV6_DSTOPTS` cmsgs and increments `opt_flen` each time: - In `net/ipv6/datagram.c:909-933`, for `IPV6_DSTOPTS`: - It computes `len = ((hdr->hdrlen + 1) << 3);` - It checks `CAP_NET_RAW` using `ns_capable(net->user_ns, CAP_NET_RAW)`. (line 922) - Then it does: - `opt->opt_flen += len;` (line 927) - `opt->dst1opt = hdr;` (line 928) There is no duplicate rejection here (unlike the legacy `IPV6_2292DSTOPTS` path which rejects duplicates at `net/ipv6/datagram.c:901-904`). If enough large `IPV6_DSTOPTS` cmsgs are provided, `opt_flen` wraps while `dst1opt` still points to a large (2048-byte) destination-options header. In the attached PoC (`poc.c`): - 32 cmsgs with `hdrlen=255` => `len = (255+1)*8 = 2048` - 1 cmsg with `hdrlen=0` => `len = 8` - Total increment: `32*2048 + 8 = 65544`, so `(__u16)opt_flen == 8` - The last cmsg is 2048 bytes, so `dst1opt` points to a 2048-byte header. 3. The transmit path sizes headers using the wrapped `opt_flen`: - In `net/ipv6/ip6_output.c:1463-1465`: - `headersize = sizeof(struct ipv6hdr) + (opt ? opt->opt_flen + opt->opt_nflen : 0) + ...;` With wrapped `opt_flen`, `headersize`/headroom decisions underestimate what will be pushed later. 4. When building the final skb, the actual push length comes from `dst1opt` and is not limited by wrapped `opt_flen`: - In `net/ipv6/ip6_output.c:1930-1934`: - `if (opt->opt_flen) proto = ipv6_push_frag_opts(skb, opt, proto);` - In `net/ipv6/exthdrs.c:1206-1211`, `ipv6_push_frag_opts()` pushes `dst1opt` via `ipv6_push_exthdr()`. - In `net/ipv6/exthdrs.c:1179-1184`, `ipv6_push_exthdr()` does: - `skb_push(skb, ipv6_optlen(opt));` - `memcpy(h, opt, ipv6_optlen(opt));` With insufficient headroom, `skb_push()` underflows and triggers `skb_under_panic()` -> `BUG()`: - `net/core/skbuff.c:2669-2675` (`skb_push()` calls `skb_under_panic()`) - `net/core/skbuff.c:207-214` (`skb_panic()` ends in `BUG()`) - The `IPV6_DSTOPTS` cmsg path requires `CAP_NET_RAW` in the target netns user namespace (`ns_capable(net->user_ns, CAP_NET_RAW)`). - Root (or any task with `CAP_NET_RAW`) can trigger this without user namespaces. - An unprivileged `uid=1000` user can trigger this if unprivileged user namespaces are enabled and it can create a userns+netns to obtain namespaced `CAP_NET_RAW` (the attached PoC does this). - Local denial of service: kernel BUG/panic (system crash). - ---truncated---
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: netfilter: nfnetlink_log: account for netlink header size This is a followup to an old bug fix: NLMSG_DONE needs to account for the netlink header size, not just the attribute size. This can result in a WARN splat + drop of the netlink message, but other than this there are no ill effects.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: net/x25: Fix overflow when accumulating packets Add a check to ensure that `x25_sock.fraglen` does not overflow. The `fraglen` also needs to be resetted when purging `fragment_queue` in `x25_clear_queues()`.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: netfilter: ipset: drop logically empty buckets in mtype_del mtype_del() counts empty slots below n->pos in k, but it only drops the bucket when both n->pos and k are zero. This misses buckets whose live entries have all been removed while n->pos still points past deleted slots. Treat a bucket as empty when all positions below n->pos are unused and release it directly instead of shrinking it further.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: net/sched: cls_fw: fix NULL pointer dereference on shared blocks The old-method path in fw_classify() calls tcf_block_q() and dereferences q->handle. Shared blocks leave block->q NULL, causing a NULL deref when an empty cls_fw filter is attached to a shared block and a packet with a nonzero major skb mark is classified. Reject the configuration in fw_change() when the old method (no TCA_OPTIONS) is used on a shared block, since fw_classify()'s old-method path needs block->q which is NULL for shared blocks. The fixed null-ptr-deref calling stack: KASAN: null-ptr-deref in range [0x0000000000000038-0x000000000000003f] RIP: 0010:fw_classify (net/sched/cls_fw.c:81) Call Trace: tcf_classify (./include/net/tc_wrapper.h:197 net/sched/cls_api.c:1764 net/sched/cls_api.c:1860) tc_run (net/core/dev.c:4401) __dev_queue_xmit (net/core/dev.c:4535 net/core/dev.c:4790)
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: net/sched: cls_flow: fix NULL pointer dereference on shared blocks flow_change() calls tcf_block_q() and dereferences q->handle to derive a default baseclass. Shared blocks leave block->q NULL, causing a NULL deref when a flow filter without a fully qualified baseclass is created on a shared block. Check tcf_block_shared() before accessing block->q and return -EINVAL for shared blocks. This avoids the null-deref shown below: ======================================================================= KASAN: null-ptr-deref in range [0x0000000000000038-0x000000000000003f] RIP: 0010:flow_change (net/sched/cls_flow.c:508) Call Trace: tc_new_tfilter (net/sched/cls_api.c:2432) rtnetlink_rcv_msg (net/core/rtnetlink.c:6980) [...] =======================================================================
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: net/sched: sch_hfsc: fix divide-by-zero in rtsc_min() m2sm() converts a u32 slope to a u64 scaled value. For large inputs (e.g. m1=4000000000), the result can reach 2^32. rtsc_min() stores the difference of two such u64 values in a u32 variable `dsm` and uses it as a divisor. When the difference is exactly 2^32 the truncation yields zero, causing a divide-by-zero oops in the concave-curve intersection path: Oops: divide error: 0000 RIP: 0010:rtsc_min (net/sched/sch_hfsc.c:601) Call Trace: init_ed (net/sched/sch_hfsc.c:629) hfsc_enqueue (net/sched/sch_hfsc.c:1569) [...] Widen `dsm` to u64 and replace do_div() with div64_u64() so the full difference is preserved.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: netfilter: x_tables: restrict xt_check_match/xt_check_target extensions for NFPROTO_ARP Weiming Shi says: xt_match and xt_target structs registered with NFPROTO_UNSPEC can be loaded by any protocol family through nft_compat. When such a match/target sets .hooks to restrict which hooks it may run on, the bitmask uses NF_INET_* constants. This is only correct for families whose hook layout matches NF_INET_*: IPv4, IPv6, INET, and bridge all share the same five hooks (PRE_ROUTING ... POST_ROUTING). ARP only has three hooks (IN=0, OUT=1, FORWARD=2) with different semantics. Because NF_ARP_OUT == 1 == NF_INET_LOCAL_IN, the .hooks validation silently passes for the wrong reasons, allowing matches to run on ARP chains where the hook assumptions (e.g. state->in being set on input hooks) do not hold. This leads to NULL pointer dereferences; xt_devgroup is one concrete example: Oops: general protection fault, probably for non-canonical address 0xdffffc0000000044: 0000 [#1] SMP KASAN NOPTI KASAN: null-ptr-deref in range [0x0000000000000220-0x0000000000000227] RIP: 0010:devgroup_mt+0xff/0x350 Call Trace: <TASK> nft_match_eval (net/netfilter/nft_compat.c:407) nft_do_chain (net/netfilter/nf_tables_core.c:285) nft_do_chain_arp (net/netfilter/nft_chain_filter.c:61) nf_hook_slow (net/netfilter/core.c:623) arp_xmit (net/ipv4/arp.c:666) </TASK> Kernel panic - not syncing: Fatal exception in interrupt Fix it by restricting arptables to NFPROTO_ARP extensions only. Note that arptables-legacy only supports: - arpt_CLASSIFY - arpt_mangle - arpt_MARK that provide explicit NFPROTO_ARP match/target declarations.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_conntrack_sip: fix use of uninitialized rtp_addr in process_sdp process_sdp() declares union nf_inet_addr rtp_addr on the stack and passes it to the nf_nat_sip sdp_session hook after walking the SDP media descriptions. However rtp_addr is only initialized inside the media loop when a recognized media type with a non-zero port is found. If the SDP body contains no m= lines, only inactive media sections (m=audio 0 ...) or only unrecognized media types, rtp_addr is never assigned. Despite that, the function still calls hooks->sdp_session() with &rtp_addr, causing nf_nat_sdp_session() to format the stale stack value as an IP address and rewrite the SDP session owner and connection lines with it. With CONFIG_INIT_STACK_ALL_ZERO (default on most distributions) this results in the session-level o= and c= addresses being rewritten to 0.0.0.0 for inactive SDP sessions. Without stack auto-init the rewritten address is whatever happened to be on the stack. Fix this by pre-initializing rtp_addr from the session-level connection address (caddr) when available, and tracking via a have_rtp_addr flag whether any valid address was established. Skip the sdp_session hook entirely when no valid address exists.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: netfilter: nfnetlink_log: fix uninitialized padding leak in NFULA_PAYLOAD __build_packet_message() manually constructs the NFULA_PAYLOAD netlink attribute using skb_put() and skb_copy_bits(), bypassing the standard nla_reserve()/nla_put() helpers. While nla_total_size(data_len) bytes are allocated (including NLA alignment padding), only data_len bytes of actual packet data are copied. The trailing nla_padlen(data_len) bytes (1-3 when data_len is not 4-byte aligned) are never initialized, leaking stale heap contents to userspace via the NFLOG netlink socket. Replace the manual attribute construction with nla_reserve(), which handles the tailroom check, header setup, and padding zeroing via __nla_reserve(). The subsequent skb_copy_bits() fills in the payload data on top of the properly initialized attribute.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: crypto: algif_aead - Revert to operating out-of-place This mostly reverts commit 72548b093ee3 except for the copying of the associated data. There is no benefit in operating in-place in algif_aead since the source and destination come from different mappings. Get rid of all the complexity added for in-place operation and just copy the AD directly.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: dmaengine: idxd: Fix memory leak when a wq is reset idxd_wq_disable_cleanup() which is called from the reset path for a workqueue, sets the wq type to NONE, which for other parts of the driver mean that the wq is empty (all its resources were released). Only set the wq type to NONE after its resources are released.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: ext4: fix use-after-free in update_super_work when racing with umount Commit b98535d09179 ("ext4: fix bug_on in start_this_handle during umount filesystem") moved ext4_unregister_sysfs() before flushing s_sb_upd_work to prevent new error work from being queued via /proc/fs/ext4/xx/mb_groups reads during unmount. However, this introduced a use-after-free because update_super_work calls ext4_notify_error_sysfs() -> sysfs_notify() which accesses the kobject's kernfs_node after it has been freed by kobject_del() in ext4_unregister_sysfs(): update_super_work ext4_put_super ----------------- -------------- ext4_unregister_sysfs(sb) kobject_del(&sbi->s_kobj) __kobject_del() sysfs_remove_dir() kobj->sd = NULL sysfs_put(sd) kernfs_put() // RCU free ext4_notify_error_sysfs(sbi) sysfs_notify(&sbi->s_kobj) kn = kobj->sd // stale pointer kernfs_get(kn) // UAF on freed kernfs_node ext4_journal_destroy() flush_work(&sbi->s_sb_upd_work) Instead of reordering the teardown sequence, fix this by making ext4_notify_error_sysfs() detect that sysfs has already been torn down by checking s_kobj.state_in_sysfs, and skipping the sysfs_notify() call in that case. A dedicated mutex (s_error_notify_mutex) serializes ext4_notify_error_sysfs() against kobject_del() in ext4_unregister_sysfs() to prevent TOCTOU races where the kobject could be deleted between the state_in_sysfs check and the sysfs_notify() call.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: ext4: reject mount if bigalloc with s_first_data_block != 0 bigalloc with s_first_data_block != 0 is not supported, reject mounting it.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: ext4: avoid infinite loops caused by residual data On the mkdir/mknod path, when mapping logical blocks to physical blocks, if inserting a new extent into the extent tree fails (in this example, because the file system disabled the huge file feature when marking the inode as dirty), ext4_ext_map_blocks() only calls ext4_free_blocks() to reclaim the physical block without deleting the corresponding data in the extent tree. This causes subsequent mkdir operations to reference the previously reclaimed physical block number again, even though this physical block is already being used by the xattr block. Therefore, a situation arises where both the directory and xattr are using the same buffer head block in memory simultaneously. The above causes ext4_xattr_block_set() to enter an infinite loop about "inserted" and cannot release the inode lock, ultimately leading to the 143s blocking problem mentioned in [1]. If the metadata is corrupted, then trying to remove some extent space can do even more harm. Also in case EXT4_GET_BLOCKS_DELALLOC_RESERVE was passed, remove space wrongly update quota information. Jan Kara suggests distinguishing between two cases: 1) The error is ENOSPC or EDQUOT - in this case the filesystem is fully consistent and we must maintain its consistency including all the accounting. However these errors can happen only early before we've inserted the extent into the extent tree. So current code works correctly for this case. 2) Some other error - this means metadata is corrupted. We should strive to do as few modifications as possible to limit damage. So I'd just skip freeing of allocated blocks. [1] INFO: task syz.0.17:5995 blocked for more than 143 seconds. Call Trace: inode_lock_nested include/linux/fs.h:1073 [inline] __start_dirop fs/namei.c:2923 [inline] start_dirop fs/namei.c:2934 [inline]
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: ext4: publish jinode after initialization ext4_inode_attach_jinode() publishes ei->jinode to concurrent users. It used to set ei->jinode before jbd2_journal_init_jbd_inode(), allowing a reader to observe a non-NULL jinode with i_vfs_inode still unset. The fast commit flush path can then pass this jinode to jbd2_wait_inode_data(), which dereferences i_vfs_inode->i_mapping and may crash. Below is the crash I observe: ``` BUG: unable to handle page fault for address: 000000010beb47f4 PGD 110e51067 P4D 110e51067 PUD 0 Oops: Oops: 0000 [#1] SMP NOPTI CPU: 1 UID: 0 PID: 4850 Comm: fc_fsync_bench_ Not tainted 6.18.0-00764-g795a690c06a5 #1 PREEMPT(voluntary) Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Arch Linux 1.17.0-2-2 04/01/2014 RIP: 0010:xas_find_marked+0x3d/0x2e0 Code: e0 03 48 83 f8 02 0f 84 f0 01 00 00 48 8b 47 08 48 89 c3 48 39 c6 0f 82 fd 01 00 00 48 85 c9 74 3d 48 83 f9 03 77 63 4c 8b 0f <49> 8b 71 08 48 c7 47 18 00 00 00 00 48 89 f1 83 e1 03 48 83 f9 02 RSP: 0018:ffffbbee806e7bf0 EFLAGS: 00010246 RAX: 000000000010beb4 RBX: 000000000010beb4 RCX: 0000000000000003 RDX: 0000000000000001 RSI: 0000002000300000 RDI: ffffbbee806e7c10 RBP: 0000000000000001 R08: 0000002000300000 R09: 000000010beb47ec R10: ffff9ea494590090 R11: 0000000000000000 R12: 0000002000300000 R13: ffffbbee806e7c90 R14: ffff9ea494513788 R15: ffffbbee806e7c88 FS: 00007fc2f9e3e6c0(0000) GS:ffff9ea6b1444000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000000010beb47f4 CR3: 0000000119ac5000 CR4: 0000000000750ef0 PKRU: 55555554 Call Trace: <TASK> filemap_get_folios_tag+0x87/0x2a0 __filemap_fdatawait_range+0x5f/0xd0 ? srso_alias_return_thunk+0x5/0xfbef5 ? __schedule+0x3e7/0x10c0 ? srso_alias_return_thunk+0x5/0xfbef5 ? srso_alias_return_thunk+0x5/0xfbef5 ? srso_alias_return_thunk+0x5/0xfbef5 ? preempt_count_sub+0x5f/0x80 ? srso_alias_return_thunk+0x5/0xfbef5 ? cap_safe_nice+0x37/0x70 ? srso_alias_return_thunk+0x5/0xfbef5 ? preempt_count_sub+0x5f/0x80 ? srso_alias_return_thunk+0x5/0xfbef5 filemap_fdatawait_range_keep_errors+0x12/0x40 ext4_fc_commit+0x697/0x8b0 ? ext4_file_write_iter+0x64b/0x950 ? srso_alias_return_thunk+0x5/0xfbef5 ? preempt_count_sub+0x5f/0x80 ? srso_alias_return_thunk+0x5/0xfbef5 ? vfs_write+0x356/0x480 ? srso_alias_return_thunk+0x5/0xfbef5 ? preempt_count_sub+0x5f/0x80 ext4_sync_file+0xf7/0x370 do_fsync+0x3b/0x80 ? syscall_trace_enter+0x108/0x1d0 __x64_sys_fdatasync+0x16/0x20 do_syscall_64+0x62/0x2c0 entry_SYSCALL_64_after_hwframe+0x76/0x7e ... ``` Fix this by initializing the jbd2_inode first. Use smp_wmb() and WRITE_ONCE() to publish ei->jinode after initialization. Readers use READ_ONCE() to fetch the pointer.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: ext4: convert inline data to extents when truncate exceeds inline size Add a check in ext4_setattr() to convert files from inline data storage to extent-based storage when truncate() grows the file size beyond the inline capacity. This prevents the filesystem from entering an inconsistent state where the inline data flag is set but the file size exceeds what can be stored inline. Without this fix, the following sequence causes a kernel BUG_ON(): 1. Mount filesystem with inode that has inline flag set and small size 2. truncate(file, 50MB) - grows size but inline flag remains set 3. sendfile() attempts to write data 4. ext4_write_inline_data() hits BUG_ON(write_size > inline_capacity) The crash occurs because ext4_write_inline_data() expects inline storage to accommodate the write, but the actual inline capacity (~60 bytes for i_block + ~96 bytes for xattrs) is far smaller than the file size and write request. The fix checks if the new size from setattr exceeds the inode's actual inline capacity (EXT4_I(inode)->i_inline_size) and converts the file to extent-based storage before proceeding with the size change. This addresses the root cause by ensuring the inline data flag and file size remain consistent during truncate operations.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: mm/huge_memory: fix folio isn't locked in softleaf_to_folio() On arm64 server, we found folio that get from migration entry isn't locked in softleaf_to_folio(). This issue triggers when mTHP splitting and zap_nonpresent_ptes() races, and the root cause is lack of memory barrier in softleaf_to_folio(). The race is as follows: CPU0 CPU1 deferred_split_scan() zap_nonpresent_ptes() lock folio split_folio() unmap_folio() change ptes to migration entries __split_folio_to_order() softleaf_to_folio() set flags(including PG_locked) for tail pages folio = pfn_folio(softleaf_to_pfn(entry)) smp_wmb() VM_WARN_ON_ONCE(!folio_test_locked(folio)) prep_compound_page() for tail pages In __split_folio_to_order(), smp_wmb() guarantees page flags of tail pages are visible before the tail page becomes non-compound. smp_wmb() should be paired with smp_rmb() in softleaf_to_folio(), which is missed. As a result, if zap_nonpresent_ptes() accesses migration entry that stores tail pfn, softleaf_to_folio() may see the updated compound_head of tail page before page->flags. This issue will trigger VM_WARN_ON_ONCE() in pfn_swap_entry_folio() because of the race between folio split and zap_nonpresent_ptes() leading to a folio incorrectly undergoing modification without a folio lock being held. This is a BUG_ON() before commit 93976a20345b ("mm: eliminate further swapops predicates"), which in merged in v6.19-rc1. To fix it, add missing smp_rmb() if the softleaf entry is migration entry in softleaf_to_folio() and softleaf_to_page(). [tujinjiang@huawei.com: update function name and comments]
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: virtio_net: Fix UAF on dst_ops when IFF_XMIT_DST_RELEASE is cleared and napi_tx is false A UAF issue occurs when the virtio_net driver is configured with napi_tx=N and the device's IFF_XMIT_DST_RELEASE flag is cleared (e.g., during the configuration of tc route filter rules). When IFF_XMIT_DST_RELEASE is removed from the net_device, the network stack expects the driver to hold the reference to skb->dst until the packet is fully transmitted and freed. In virtio_net with napi_tx=N, skbs may remain in the virtio transmit ring for an extended period. If the network namespace is destroyed while these skbs are still pending, the corresponding dst_ops structure has freed. When a subsequent packet is transmitted, free_old_xmit() is triggered to clean up old skbs. It then calls dst_release() on the skb associated with the stale dst_entry. Since the dst_ops (referenced by the dst_entry) has already been freed, a UAF kernel paging request occurs. fix it by adds skb_dst_drop(skb) in start_xmit to explicitly release the dst reference before the skb is queued in virtio_net. Call Trace: Unable to handle kernel paging request at virtual address ffff80007e150000 CPU: 2 UID: 0 PID: 6236 Comm: ping Kdump: loaded Not tainted 7.0.0-rc1+ #6 PREEMPT ... percpu_counter_add_batch+0x3c/0x158 lib/percpu_counter.c:98 (P) dst_release+0xe0/0x110 net/core/dst.c:177 skb_release_head_state+0xe8/0x108 net/core/skbuff.c:1177 sk_skb_reason_drop+0x54/0x2d8 net/core/skbuff.c:1255 dev_kfree_skb_any_reason+0x64/0x78 net/core/dev.c:3469 napi_consume_skb+0x1c4/0x3a0 net/core/skbuff.c:1527 __free_old_xmit+0x164/0x230 drivers/net/virtio_net.c:611 [virtio_net] free_old_xmit drivers/net/virtio_net.c:1081 [virtio_net] start_xmit+0x7c/0x530 drivers/net/virtio_net.c:3329 [virtio_net] ... Reproduction Steps: NETDEV="enp3s0" config_qdisc_route_filter() { tc qdisc del dev $NETDEV root tc qdisc add dev $NETDEV root handle 1: prio tc filter add dev $NETDEV parent 1:0 \ protocol ip prio 100 route to 100 flowid 1:1 ip route add 192.168.1.100/32 dev $NETDEV realm 100 } test_ns() { ip netns add testns ip link set $NETDEV netns testns ip netns exec testns ifconfig $NETDEV 10.0.32.46/24 ip netns exec testns ping -c 1 10.0.32.1 ip netns del testns } config_qdisc_route_filter test_ns sleep 2 test_ns
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: spi: spi-fsl-lpspi: fix teardown order issue (UAF) There is a teardown order issue in the driver. The SPI controller is registered using devm_spi_register_controller(), which delays unregistration of the SPI controller until after the fsl_lpspi_remove() function returns. As the fsl_lpspi_remove() function synchronously tears down the DMA channels, a running SPI transfer triggers the following NULL pointer dereference due to use after free: | fsl_lpspi 42550000.spi: I/O Error in DMA RX | Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000 [...] | Call trace: | fsl_lpspi_dma_transfer+0x260/0x340 [spi_fsl_lpspi] | fsl_lpspi_transfer_one+0x198/0x448 [spi_fsl_lpspi] | spi_transfer_one_message+0x49c/0x7c8 | __spi_pump_transfer_message+0x120/0x420 | __spi_sync+0x2c4/0x520 | spi_sync+0x34/0x60 | spidev_message+0x20c/0x378 [spidev] | spidev_ioctl+0x398/0x750 [spidev] [...] Switch from devm_spi_register_controller() to spi_register_controller() in fsl_lpspi_probe() and add the corresponding spi_unregister_controller() in fsl_lpspi_remove().
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: net: macb: use the current queue number for stats There's a potential mismatch between the memory reserved for statistics and the amount of memory written. gem_get_sset_count() correctly computes the number of stats based on the active queues, whereas gem_get_ethtool_stats() indiscriminately copies data using the maximum number of queues, and in the case the number of active queues is less than MACB_MAX_QUEUES, this results in a OOB write as observed in the KASAN splat. ================================================================== BUG: KASAN: vmalloc-out-of-bounds in gem_get_ethtool_stats+0x54/0x78 [macb] Write of size 760 at addr ffff80008080b000 by task ethtool/1027 CPU: [...] Tainted: [E]=UNSIGNED_MODULE Hardware name: raspberrypi rpi/rpi, BIOS 2025.10 10/01/2025 Call trace: show_stack+0x20/0x38 (C) dump_stack_lvl+0x80/0xf8 print_report+0x384/0x5e0 kasan_report+0xa0/0xf0 kasan_check_range+0xe8/0x190 __asan_memcpy+0x54/0x98 gem_get_ethtool_stats+0x54/0x78 [macb 926c13f3af83b0c6fe64badb21ec87d5e93fcf65] dev_ethtool+0x1220/0x38c0 dev_ioctl+0x4ac/0xca8 sock_do_ioctl+0x170/0x1d8 sock_ioctl+0x484/0x5d8 __arm64_sys_ioctl+0x12c/0x1b8 invoke_syscall+0xd4/0x258 el0_svc_common.constprop.0+0xb4/0x240 do_el0_svc+0x48/0x68 el0_svc+0x40/0xf8 el0t_64_sync_handler+0xa0/0xe8 el0t_64_sync+0x1b0/0x1b8 The buggy address belongs to a 1-page vmalloc region starting at 0xffff80008080b000 allocated at dev_ethtool+0x11f0/0x38c0 The buggy address belongs to the physical page: page: refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff00000a333000 pfn:0xa333 flags: 0x7fffc000000000(node=0|zone=0|lastcpupid=0x1ffff) raw: 007fffc000000000 0000000000000000 dead000000000122 0000000000000000 raw: ffff00000a333000 0000000000000000 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff80008080b080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff80008080b100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 >ffff80008080b180: 00 00 00 00 00 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 ^ ffff80008080b200: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 ffff80008080b280: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 ================================================================== Fix it by making sure the copied size only considers the active number of queues.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: netfilter: ctnetlink: use netlink policy range checks Replace manual range and mask validations with netlink policy annotations in ctnetlink code paths, so that the netlink core rejects invalid values early and can generate extack errors. - CTA_PROTOINFO_TCP_STATE: reject values > TCP_CONNTRACK_SYN_SENT2 at policy level, removing the manual >= TCP_CONNTRACK_MAX check. - CTA_PROTOINFO_TCP_WSCALE_ORIGINAL/REPLY: reject values > TCP_MAX_WSCALE (14). The normal TCP option parsing path already clamps to this value, but the ctnetlink path accepted 0-255, causing undefined behavior when used as a u32 shift count. - CTA_FILTER_ORIG_FLAGS/REPLY_FLAGS: use NLA_POLICY_MASK with CTA_FILTER_F_ALL, removing the manual mask checks. - CTA_EXPECT_FLAGS: use NLA_POLICY_MASK with NF_CT_EXPECT_MASK, adding a new mask define grouping all valid expect flags. Extracted from a broader nf-next patch by Florian Westphal, scoped to ctnetlink for the fixes tree.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_conntrack_expect: skip expectations in other netns via proc Skip expectations that do not reside in this netns. Similar to e77e6ff502ea ("netfilter: conntrack: do not dump other netns's conntrack entries via proc").
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: udp: Fix wildcard bind conflict check when using hash2 When binding a udp_sock to a local address and port, UDP uses two hashes (udptable->hash and udptable->hash2) for collision detection. The current code switches to "hash2" when hslot->count > 10. "hash2" is keyed by local address and local port. "hash" is keyed by local port only. The issue can be shown in the following bind sequence (pseudo code): bind(fd1, "[fd00::1]:8888") bind(fd2, "[fd00::2]:8888") bind(fd3, "[fd00::3]:8888") bind(fd4, "[fd00::4]:8888") bind(fd5, "[fd00::5]:8888") bind(fd6, "[fd00::6]:8888") bind(fd7, "[fd00::7]:8888") bind(fd8, "[fd00::8]:8888") bind(fd9, "[fd00::9]:8888") bind(fd10, "[fd00::10]:8888") /* Correctly return -EADDRINUSE because "hash" is used * instead of "hash2". udp_lib_lport_inuse() detects the * conflict. */ bind(fail_fd, "[::]:8888") /* After one more socket is bound to "[fd00::11]:8888", * hslot->count exceeds 10 and "hash2" is used instead. */ bind(fd11, "[fd00::11]:8888") bind(fail_fd, "[::]:8888") /* succeeds unexpectedly */ The same issue applies to the IPv4 wildcard address "0.0.0.0" and the IPv4-mapped wildcard address "::ffff:0.0.0.0". For example, if there are existing sockets bound to "192.168.1.[1-11]:8888", then binding "0.0.0.0:8888" or "[::ffff:0.0.0.0]:8888" can also miss the conflict when hslot->count > 10. TCP inet_csk_get_port() already has the correct check in inet_use_bhash2_on_bind(). Rename it to inet_use_hash2_on_bind() and move it to inet_hashtables.h so udp.c can reuse it in this fix.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: net: fix fanout UAF in packet_release() via NETDEV_UP race `packet_release()` has a race window where `NETDEV_UP` can re-register a socket into a fanout group's `arr[]` array. The re-registration is not cleaned up by `fanout_release()`, leaving a dangling pointer in the fanout array. `packet_release()` does NOT zero `po->num` in its `bind_lock` section. After releasing `bind_lock`, `po->num` is still non-zero and `po->ifindex` still matches the bound device. A concurrent `packet_notifier(NETDEV_UP)` that already found the socket in `sklist` can re-register the hook. For fanout sockets, this re-registration calls `__fanout_link(sk, po)` which adds the socket back into `f->arr[]` and increments `f->num_members`, but does NOT increment `f->sk_ref`. The fix sets `po->num` to zero in `packet_release` while `bind_lock` is held to prevent NETDEV_UP from linking, preventing the race window. This bug was found following an additional audit with Claude Code based on CVE-2025-38617.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: net/smc: fix double-free of smc_spd_priv when tee() duplicates splice pipe buffer smc_rx_splice() allocates one smc_spd_priv per pipe_buffer and stores the pointer in pipe_buffer.private. The pipe_buf_operations for these buffers used .get = generic_pipe_buf_get, which only increments the page reference count when tee(2) duplicates a pipe buffer. The smc_spd_priv pointer itself was not handled, so after tee() both the original and the cloned pipe_buffer share the same smc_spd_priv *. When both pipes are subsequently released, smc_rx_pipe_buf_release() is called twice against the same object: 1st call: kfree(priv) sock_put(sk) smc_rx_update_cons() [correct] 2nd call: kfree(priv) sock_put(sk) smc_rx_update_cons() [UAF] KASAN reports a slab-use-after-free in smc_rx_pipe_buf_release(), which then escalates to a NULL-pointer dereference and kernel panic via smc_rx_update_consumer() when it chases the freed priv->smc pointer: BUG: KASAN: slab-use-after-free in smc_rx_pipe_buf_release+0x78/0x2a0 Read of size 8 at addr ffff888004a45740 by task smc_splice_tee_/74 Call Trace: <TASK> dump_stack_lvl+0x53/0x70 print_report+0xce/0x650 kasan_report+0xc6/0x100 smc_rx_pipe_buf_release+0x78/0x2a0 free_pipe_info+0xd4/0x130 pipe_release+0x142/0x160 __fput+0x1c6/0x490 __x64_sys_close+0x4f/0x90 do_syscall_64+0xa6/0x1a0 entry_SYSCALL_64_after_hwframe+0x77/0x7f </TASK> BUG: kernel NULL pointer dereference, address: 0000000000000020 RIP: 0010:smc_rx_update_consumer+0x8d/0x350 Call Trace: <TASK> smc_rx_pipe_buf_release+0x121/0x2a0 free_pipe_info+0xd4/0x130 pipe_release+0x142/0x160 __fput+0x1c6/0x490 __x64_sys_close+0x4f/0x90 do_syscall_64+0xa6/0x1a0 entry_SYSCALL_64_after_hwframe+0x77/0x7f </TASK> Kernel panic - not syncing: Fatal exception Beyond the memory-safety problem, duplicating an SMC splice buffer is semantically questionable: smc_rx_update_cons() would advance the consumer cursor twice for the same data, corrupting receive-window accounting. A refcount on smc_spd_priv could fix the double-free, but the cursor-accounting issue would still need to be addressed separately. The .get callback is invoked by both tee(2) and splice_pipe_to_pipe() for partial transfers; both will now return -EFAULT. Users who need to duplicate SMC socket data must use a copy-based read path.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: net: openvswitch: Avoid releasing netdev before teardown completes The patch cited in the Fixes tag below changed the teardown code for OVS ports to no longer unconditionally take the RTNL. After this change, the netdev_destroy() callback can proceed immediately to the call_rcu() invocation if the IFF_OVS_DATAPATH flag is already cleared on the netdev. The ovs_netdev_detach_dev() function clears the flag before completing the unregistration, and if it gets preempted after clearing the flag (as can happen on an -rt kernel), netdev_destroy() can complete and the device can be freed before the unregistration completes. This leads to a splat like: [ 998.393867] Oops: general protection fault, probably for non-canonical address 0xff00000001000239: 0000 [#1] SMP PTI [ 998.393877] CPU: 42 UID: 0 PID: 55177 Comm: ip Kdump: loaded Not tainted 6.12.0-211.1.1.el10_2.x86_64+rt #1 PREEMPT_RT [ 998.393886] Hardware name: Dell Inc. PowerEdge R740/0JMK61, BIOS 2.24.0 03/27/2025 [ 998.393889] RIP: 0010:dev_set_promiscuity+0x8d/0xa0 [ 998.393901] Code: 00 00 75 d8 48 8b 53 08 48 83 ba b0 02 00 00 00 75 ca 48 83 c4 08 5b c3 cc cc cc cc 48 83 bf 48 09 00 00 00 75 91 48 8b 47 08 <48> 83 b8 b0 02 00 00 00 74 97 eb 81 0f 1f 80 00 00 00 00 90 90 90 [ 998.393906] RSP: 0018:ffffce5864a5f6a0 EFLAGS: 00010246 [ 998.393912] RAX: ff00000000ffff89 RBX: ffff894d0adf5a05 RCX: 0000000000000000 [ 998.393917] RDX: 0000000000000000 RSI: 00000000ffffffff RDI: ffff894d0adf5a05 [ 998.393921] RBP: ffff894d19252000 R08: ffff894d19252000 R09: 0000000000000000 [ 998.393924] R10: ffff894d19252000 R11: ffff894d192521b8 R12: 0000000000000006 [ 998.393927] R13: ffffce5864a5f738 R14: 00000000ffffffe2 R15: 0000000000000000 [ 998.393931] FS: 00007fad61971800(0000) GS:ffff894cc0140000(0000) knlGS:0000000000000000 [ 998.393936] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 998.393940] CR2: 000055df0a2a6e40 CR3: 000000011c7fe003 CR4: 00000000007726f0 [ 998.393944] PKRU: 55555554 [ 998.393946] Call Trace: [ 998.393949] <TASK> [ 998.393952] ? show_trace_log_lvl+0x1b0/0x2f0 [ 998.393961] ? show_trace_log_lvl+0x1b0/0x2f0 [ 998.393975] ? dp_device_event+0x41/0x80 [openvswitch] [ 998.394009] ? __die_body.cold+0x8/0x12 [ 998.394016] ? die_addr+0x3c/0x60 [ 998.394027] ? exc_general_protection+0x16d/0x390 [ 998.394042] ? asm_exc_general_protection+0x26/0x30 [ 998.394058] ? dev_set_promiscuity+0x8d/0xa0 [ 998.394066] ? ovs_netdev_detach_dev+0x3a/0x80 [openvswitch] [ 998.394092] dp_device_event+0x41/0x80 [openvswitch] [ 998.394102] notifier_call_chain+0x5a/0xd0 [ 998.394106] unregister_netdevice_many_notify+0x51b/0xa60 [ 998.394110] rtnl_dellink+0x169/0x3e0 [ 998.394121] ? rt_mutex_slowlock.constprop.0+0x95/0xd0 [ 998.394125] rtnetlink_rcv_msg+0x142/0x3f0 [ 998.394128] ? avc_has_perm_noaudit+0x69/0xf0 [ 998.394130] ? __pfx_rtnetlink_rcv_msg+0x10/0x10 [ 998.394132] netlink_rcv_skb+0x50/0x100 [ 998.394138] netlink_unicast+0x292/0x3f0 [ 998.394141] netlink_sendmsg+0x21b/0x470 [ 998.394145] ____sys_sendmsg+0x39d/0x3d0 [ 998.394149] ___sys_sendmsg+0x9a/0xe0 [ 998.394156] __sys_sendmsg+0x7a/0xd0 [ 998.394160] do_syscall_64+0x7f/0x170 [ 998.394162] entry_SYSCALL_64_after_hwframe+0x76/0x7e [ 998.394165] RIP: 0033:0x7fad61bf4724 [ 998.394188] Code: 89 02 b8 ff ff ff ff eb bb 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 f3 0f 1e fa 80 3d c5 e9 0c 00 00 74 13 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 54 c3 0f 1f 00 48 83 ec 28 89 54 24 1c 48 89 [ 998.394189] RSP: 002b:00007ffd7e2f7cb8 EFLAGS: 00000202 ORIG_RAX: 000000000000002e [ 998.394191] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00007fad61bf4724 [ 998.394193] RDX: 0000000000000000 RSI: 00007ffd7e2f7d20 RDI: 0000000000000003 [ 998.394194] RBP: 00007ffd7e2f7d90 R08: 0000000000000010 R09: 000000000000003f [ 998.394195] R10: 000055df11558010 R11: 0000000000000202 R12: 00007ffd7e2 ---truncated---
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: af_key: validate families in pfkey_send_migrate() syzbot was able to trigger a crash in skb_put() [1] Issue is that pfkey_send_migrate() does not check old/new families, and that set_ipsecrequest() @family argument was truncated, thus possibly overfilling the skb. Validate families early, do not wait set_ipsecrequest(). [1] skbuff: skb_over_panic: text:ffffffff8a752120 len:392 put:16 head:ffff88802a4ad040 data:ffff88802a4ad040 tail:0x188 end:0x180 dev:<NULL> kernel BUG at net/core/skbuff.c:214 ! Call Trace: <TASK> skb_over_panic net/core/skbuff.c:219 [inline] skb_put+0x159/0x210 net/core/skbuff.c:2655 skb_put_zero include/linux/skbuff.h:2788 [inline] set_ipsecrequest net/key/af_key.c:3532 [inline] pfkey_send_migrate+0x1270/0x2e50 net/key/af_key.c:3636 km_migrate+0x155/0x260 net/xfrm/xfrm_state.c:2848 xfrm_migrate+0x2140/0x2450 net/xfrm/xfrm_policy.c:4705 xfrm_do_migrate+0x8ff/0xaa0 net/xfrm/xfrm_user.c:3150
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: esp: fix skb leak with espintcp and async crypto When the TX queue for espintcp is full, esp_output_tail_tcp will return an error and not free the skb, because with synchronous crypto, the common xfrm output code will drop the packet for us. With async crypto (esp_output_done), we need to drop the skb when esp_output_tail_tcp returns an error.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: module: Fix kernel panic when a symbol st_shndx is out of bounds The module loader doesn't check for bounds of the ELF section index in simplify_symbols(): for (i = 1; i < symsec->sh_size / sizeof(Elf_Sym); i++) { const char *name = info->strtab + sym[i].st_name; switch (sym[i].st_shndx) { case SHN_COMMON: [...] default: /* Divert to percpu allocation if a percpu var. */ if (sym[i].st_shndx == info->index.pcpu) secbase = (unsigned long)mod_percpu(mod); else /** HERE --> **/ secbase = info->sechdrs[sym[i].st_shndx].sh_addr; sym[i].st_value += secbase; break; } } A symbol with an out-of-bounds st_shndx value, for example 0xffff (known as SHN_XINDEX or SHN_HIRESERVE), may cause a kernel panic: BUG: unable to handle page fault for address: ... RIP: 0010:simplify_symbols+0x2b2/0x480 ... Kernel panic - not syncing: Fatal exception This can happen when module ELF is legitimately using SHN_XINDEX or when it is corrupted. Add a bounds check in simplify_symbols() to validate that st_shndx is within the valid range before using it. This issue was discovered due to a bug in llvm-objcopy, see relevant discussion for details [1]. [1] https://lore.kernel.org/linux-modules/20251224005752.201911-1-ihor.solodrai@linux.dev/
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: net/tls: fix use-after-free in -EBUSY error path of tls_do_encryption The -EBUSY handling in tls_do_encryption(), introduced by commit 859054147318 ("net: tls: handle backlogging of crypto requests"), has a use-after-free due to double cleanup of encrypt_pending and the scatterlist entry. When crypto_aead_encrypt() returns -EBUSY, the request is enqueued to the cryptd backlog and the async callback tls_encrypt_done() will be invoked upon completion. That callback unconditionally restores the scatterlist entry (sge->offset, sge->length) and decrements ctx->encrypt_pending. However, if tls_encrypt_async_wait() returns an error, the synchronous error path in tls_do_encryption() performs the same cleanup again, double-decrementing encrypt_pending and double-restoring the scatterlist. The double-decrement corrupts the encrypt_pending sentinel (initialized to 1), making tls_encrypt_async_wait() permanently skip the wait for pending async callbacks. A subsequent sendmsg can then free the tls_rec via bpf_exec_tx_verdict() while a cryptd callback is still pending, resulting in a use-after-free when the callback fires on the freed record. Fix this by skipping the synchronous cleanup when the -EBUSY async wait returns an error, since the callback has already handled encrypt_pending and sge restoration.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: net: bonding: fix NULL deref in bond_debug_rlb_hash_show rlb_clear_slave intentionally keeps RLB hash-table entries on the rx_hashtbl_used_head list with slave set to NULL when no replacement slave is available. However, bond_debug_rlb_hash_show visites client_info->slave without checking if it's NULL. Other used-list iterators in bond_alb.c already handle this NULL-slave state safely: - rlb_update_client returns early on !client_info->slave - rlb_req_update_slave_clients, rlb_clear_slave, and rlb_rebalance compare slave values before visiting - lb_req_update_subnet_clients continues if slave is NULL The following NULL deref crash can be trigger in bond_debug_rlb_hash_show: [ 1.289791] BUG: kernel NULL pointer dereference, address: 0000000000000000 [ 1.292058] RIP: 0010:bond_debug_rlb_hash_show (drivers/net/bonding/bond_debugfs.c:41) [ 1.293101] RSP: 0018:ffffc900004a7d00 EFLAGS: 00010286 [ 1.293333] RAX: 0000000000000000 RBX: ffff888102b48200 RCX: ffff888102b48204 [ 1.293631] RDX: ffff888102b48200 RSI: ffffffff839daad5 RDI: ffff888102815078 [ 1.293924] RBP: ffff888102815078 R08: ffff888102b4820e R09: 0000000000000000 [ 1.294267] R10: 0000000000000000 R11: 0000000000000000 R12: ffff888100f929c0 [ 1.294564] R13: ffff888100f92a00 R14: 0000000000000001 R15: ffffc900004a7ed8 [ 1.294864] FS: 0000000001395380(0000) GS:ffff888196e75000(0000) knlGS:0000000000000000 [ 1.295239] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 1.295480] CR2: 0000000000000000 CR3: 0000000102adc004 CR4: 0000000000772ef0 [ 1.295897] Call Trace: [ 1.296134] seq_read_iter (fs/seq_file.c:231) [ 1.296341] seq_read (fs/seq_file.c:164) [ 1.296493] full_proxy_read (fs/debugfs/file.c:378 (discriminator 1)) [ 1.296658] vfs_read (fs/read_write.c:572) [ 1.296981] ksys_read (fs/read_write.c:717) [ 1.297132] do_syscall_64 (arch/x86/entry/syscall_64.c:63 (discriminator 1) arch/x86/entry/syscall_64.c:94 (discriminator 1)) [ 1.297325] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) Add a NULL check and print "(none)" for entries with no assigned slave.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: futex: Clear stale exiting pointer in futex_lock_pi() retry path Fuzzying/stressing futexes triggered: WARNING: kernel/futex/core.c:825 at wait_for_owner_exiting+0x7a/0x80, CPU#11: futex_lock_pi_s/524 When futex_lock_pi_atomic() sees the owner is exiting, it returns -EBUSY and stores a refcounted task pointer in 'exiting'. After wait_for_owner_exiting() consumes that reference, the local pointer is never reset to nil. Upon a retry, if futex_lock_pi_atomic() returns a different error, the bogus pointer is passed to wait_for_owner_exiting(). CPU0 CPU1 CPU2 futex_lock_pi(uaddr) // acquires the PI futex exit() futex_cleanup_begin() futex_state = EXITING; futex_lock_pi(uaddr) futex_lock_pi_atomic() attach_to_pi_owner() // observes EXITING *exiting = owner; // takes ref return -EBUSY wait_for_owner_exiting(-EBUSY, owner) put_task_struct(); // drops ref // exiting still points to owner goto retry; futex_lock_pi_atomic() lock_pi_update_atomic() cmpxchg(uaddr) *uaddr ^= WAITERS // whatever // value changed return -EAGAIN; wait_for_owner_exiting(-EAGAIN, exiting) // stale WARN_ON_ONCE(exiting) Fix this by resetting upon retry, essentially aligning it with requeue_pi.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: net: macb: Use dev_consume_skb_any() to free TX SKBs The napi_consume_skb() function is not intended to be called in an IRQ disabled context. However, after commit 6bc8a5098bf4 ("net: macb: Fix tx_ptr_lock locking"), the freeing of TX SKBs is performed with IRQs disabled. To resolve the following call trace, use dev_consume_skb_any() for freeing TX SKBs: WARNING: kernel/softirq.c:430 at __local_bh_enable_ip+0x174/0x188, CPU#0: ksoftirqd/0/15 Modules linked in: CPU: 0 UID: 0 PID: 15 Comm: ksoftirqd/0 Not tainted 7.0.0-rc4-next-20260319-yocto-standard-dirty #37 PREEMPT Hardware name: ZynqMP ZCU102 Rev1.1 (DT) pstate: 200000c5 (nzCv daIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : __local_bh_enable_ip+0x174/0x188 lr : local_bh_enable+0x24/0x38 sp : ffff800082b3bb10 x29: ffff800082b3bb10 x28: ffff0008031f3c00 x27: 000000000011ede0 x26: ffff000800a7ff00 x25: ffff800083937ce8 x24: 0000000000017a80 x23: ffff000803243a78 x22: 0000000000000040 x21: 0000000000000000 x20: ffff000800394c80 x19: 0000000000000200 x18: 0000000000000001 x17: 0000000000000001 x16: ffff000803240000 x15: 0000000000000000 x14: ffffffffffffffff x13: 0000000000000028 x12: ffff000800395650 x11: ffff8000821d1528 x10: ffff800081c2bc08 x9 : ffff800081c1e258 x8 : 0000000100000301 x7 : ffff8000810426ec x6 : 0000000000000000 x5 : 0000000000000001 x4 : 0000000000000001 x3 : 0000000000000000 x2 : 0000000000000008 x1 : 0000000000000200 x0 : ffff8000810428dc Call trace: __local_bh_enable_ip+0x174/0x188 (P) local_bh_enable+0x24/0x38 skb_attempt_defer_free+0x190/0x1d8 napi_consume_skb+0x58/0x108 macb_tx_poll+0x1a4/0x558 __napi_poll+0x50/0x198 net_rx_action+0x1f4/0x3d8 handle_softirqs+0x16c/0x560 run_ksoftirqd+0x44/0x80 smpboot_thread_fn+0x1d8/0x338 kthread+0x120/0x150 ret_from_fork+0x10/0x20 irq event stamp: 29751 hardirqs last enabled at (29750): [<ffff8000813be184>] _raw_spin_unlock_irqrestore+0x44/0x88 hardirqs last disabled at (29751): [<ffff8000813bdf60>] _raw_spin_lock_irqsave+0x38/0x98 softirqs last enabled at (29150): [<ffff8000800f1aec>] handle_softirqs+0x504/0x560 softirqs last disabled at (29153): [<ffff8000800f2fec>] run_ksoftirqd+0x44/0x80
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: RDMA/irdma: Fix deadlock during netdev reset with active connections Resolve deadlock that occurs when user executes netdev reset while RDMA applications (e.g., rping) are active. The netdev reset causes ice driver to remove irdma auxiliary driver, triggering device_delete and subsequent client removal. During client removal, uverbs_client waits for QP reference count to reach zero while cma_client holds the final reference, creating circular dependency and indefinite wait in iWARP mode. Skip QP reference count wait during device reset to prevent deadlock.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: x86/CPU: Fix FPDSS on Zen1 Zen1's hardware divider can leave, under certain circumstances, partial results from previous operations. Those results can be leaked by another, attacker thread. Fix that with a chicken bit.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: rxrpc: fix reference count leak in rxrpc_server_keyring() This patch fixes a reference count leak in rxrpc_server_keyring() by checking if rx->securities is already set.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: net: stmmac: fix integer underflow in chain mode The jumbo_frm() chain-mode implementation unconditionally computes len = nopaged_len - bmax; where nopaged_len = skb_headlen(skb) (linear bytes only) and bmax is BUF_SIZE_8KiB or BUF_SIZE_2KiB. However, the caller stmmac_xmit() decides to invoke jumbo_frm() based on skb->len (total length including page fragments): is_jumbo = stmmac_is_jumbo_frm(priv, skb->len, enh_desc); When a packet has a small linear portion (nopaged_len <= bmax) but a large total length due to page fragments (skb->len > bmax), the subtraction wraps as an unsigned integer, producing a huge len value (~0xFFFFxxxx). This causes the while (len != 0) loop to execute hundreds of thousands of iterations, passing skb->data + bmax * i pointers far beyond the skb buffer to dma_map_single(). On IOMMU-less SoCs (the typical deployment for stmmac), this maps arbitrary kernel memory to the DMA engine, constituting a kernel memory disclosure and potential memory corruption from hardware. Fix this by introducing a buf_len local variable clamped to min(nopaged_len, bmax). Computing len = nopaged_len - buf_len is then always safe: it is zero when the linear portion fits within a single descriptor, causing the while (len != 0) loop to be skipped naturally, and the fragment loop in stmmac_xmit() handles page fragments afterward.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: mmc: vub300: fix NULL-deref on disconnect Make sure to deregister the controller before dropping the reference to the driver data on disconnect to avoid NULL-pointer dereferences or use-after-free.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: net: altera-tse: fix skb leak on DMA mapping error in tse_start_xmit() When dma_map_single() fails in tse_start_xmit(), the function returns NETDEV_TX_OK without freeing the skb. Since NETDEV_TX_OK tells the stack the packet was consumed, the skb is never freed, leaking memory on every DMA mapping failure. Add dev_kfree_skb_any() before returning to properly free the skb.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: xfrm: clear trailing padding in build_polexpire() build_expire() clears the trailing padding bytes of struct xfrm_user_expire after setting the hard field via memset_after(), but the analogous function build_polexpire() does not do this for struct xfrm_user_polexpire. The padding bytes after the __u8 hard field are left uninitialized from the heap allocation, and are then sent to userspace via netlink multicast to XFRMNLGRP_EXPIRE listeners, leaking kernel heap memory contents. Add the missing memset_after() call, matching build_expire().
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_ct: fix use-after-free in timeout object destroy nft_ct_timeout_obj_destroy() frees the timeout object with kfree() immediately after nf_ct_untimeout(), without waiting for an RCU grace period. Concurrent packet processing on other CPUs may still hold RCU-protected references to the timeout object obtained via rcu_dereference() in nf_ct_timeout_data(). Add an rcu_head to struct nf_ct_timeout and use kfree_rcu() to defer freeing until after an RCU grace period, matching the approach already used in nfnetlink_cttimeout.c. KASAN report: BUG: KASAN: slab-use-after-free in nf_conntrack_tcp_packet+0x1381/0x29d0 Read of size 4 at addr ffff8881035fe19c by task exploit/80 Call Trace: nf_conntrack_tcp_packet+0x1381/0x29d0 nf_conntrack_in+0x612/0x8b0 nf_hook_slow+0x70/0x100 __ip_local_out+0x1b2/0x210 tcp_sendmsg_locked+0x722/0x1580 __sys_sendto+0x2d8/0x320 Allocated by task 75: nft_ct_timeout_obj_init+0xf6/0x290 nft_obj_init+0x107/0x1b0 nf_tables_newobj+0x680/0x9c0 nfnetlink_rcv_batch+0xc29/0xe00 Freed by task 26: nft_obj_destroy+0x3f/0xa0 nf_tables_trans_destroy_work+0x51c/0x5c0 process_one_work+0x2c4/0x5a0
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: mptcp: fix slab-use-after-free in __inet_lookup_established The ehash table lookups are lockless and rely on SLAB_TYPESAFE_BY_RCU to guarantee socket memory stability during RCU read-side critical sections. Both tcp_prot and tcpv6_prot have their slab caches created with this flag via proto_register(). However, MPTCP's mptcp_subflow_init() copies tcpv6_prot into tcpv6_prot_override during inet_init() (fs_initcall, level 5), before inet6_init() (module_init/device_initcall, level 6) has called proto_register(&tcpv6_prot). At that point, tcpv6_prot.slab is still NULL, so tcpv6_prot_override.slab remains NULL permanently. This causes MPTCP v6 subflow child sockets to be allocated via kmalloc (falling into kmalloc-4k) instead of the TCPv6 slab cache. The kmalloc-4k cache lacks SLAB_TYPESAFE_BY_RCU, so when these sockets are freed without SOCK_RCU_FREE (which is cleared for child sockets by design), the memory can be immediately reused. Concurrent ehash lookups under rcu_read_lock can then access freed memory, triggering a slab-use-after-free in __inet_lookup_established. Fix this by splitting the IPv6-specific initialization out of mptcp_subflow_init() into a new mptcp_subflow_v6_init(), called from mptcp_proto_v6_init() before protocol registration. This ensures tcpv6_prot_override.slab correctly inherits the SLAB_TYPESAFE_BY_RCU slab cache.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: net: rfkill: prevent unlimited numbers of rfkill events from being created Userspace can create an unlimited number of rfkill events if the system is so configured, while not consuming them from the rfkill file descriptor, causing a potential out of memory situation. Prevent this from bounding the number of pending rfkill events at a "large" number (i.e. 1000) to prevent abuses like this.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: xfrm_user: fix info leak in build_report() struct xfrm_user_report is a __u8 proto field followed by a struct xfrm_selector which means there is three "empty" bytes of padding, but the padding is never zeroed before copying to userspace. Fix that up by zeroing the structure before setting individual member variables.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: netfilter: ip6t_rt: reject oversized addrnr in rt_mt6_check() Reject rt match rules whose addrnr exceeds IP6T_RT_HOPS. rt_mt6() expects addrnr to stay within the bounds of rtinfo->addrs[]. Validate addrnr during rule installation so malformed rules are rejected before the match logic can use an out-of-range value.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: net: ipv6: flowlabel: defer exclusive option free until RCU teardown `ip6fl_seq_show()` walks the global flowlabel hash under the seq-file RCU read-side lock and prints `fl->opt->opt_nflen` when an option block is present. Exclusive flowlabels currently free `fl->opt` as soon as `fl->users` drops to zero in `fl_release()`. However, the surrounding `struct ip6_flowlabel` remains visible in the global hash table until later garbage collection removes it and `fl_free_rcu()` finally tears it down. A concurrent `/proc/net/ip6_flowlabel` reader can therefore race that early `kfree()` and dereference freed option state, triggering a crash in `ip6fl_seq_show()`. Fix this by keeping `fl->opt` alive until `fl_free_rcu()`. That matches the lifetime already required for the enclosing flowlabel while readers can still reach it under RCU.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: bridge: br_nd_send: linearize skb before parsing ND options br_nd_send() parses neighbour discovery options from ns->opt[] and assumes that these options are in the linear part of request. Its callers only guarantee that the ICMPv6 header and target address are available, so the option area can still be non-linear. Parsing ns->opt[] in that case can access data past the linear buffer. Linearize request before option parsing and derive ns from the linear network header.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: net: ftgmac100: fix ring allocation unwind on open failure ftgmac100_alloc_rings() allocates rx_skbs, tx_skbs, rxdes, txdes, and rx_scratch in stages. On intermediate failures it returned -ENOMEM directly, leaking resources allocated earlier in the function. Rework the failure path to use staged local unwind labels and free allocated resources in reverse order before returning -ENOMEM. This matches common netdev allocation cleanup style.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: bridge: br_nd_send: validate ND option lengths br_nd_send() walks ND options according to option-provided lengths. A malformed option can make the parser advance beyond the computed option span or use a too-short source LLADDR option payload. Validate option lengths against the remaining NS option area before advancing, and only read source LLADDR when the option is large enough for an Ethernet address.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: iio: gyro: mpu3050: Move iio_device_register() to correct location iio_device_register() should be at the end of the probe function to prevent race conditions. Place iio_device_register() at the end of the probe function and place iio_device_unregister() accordingly.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: iio: adc: ti-adc161s626: use DMA-safe memory for spi_read() Add a DMA-safe buffer and use it for spi_read() instead of a stack memory. All SPI buffers must be DMA-safe. Since we only need up to 3 bytes, we just use a u8[] instead of __be16 and __be32 and change the conversion functions appropriately.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In MIT Kerberos 5 (aka krb5) before 1.22.3, there is a NULL pointer dereference if an application calls gss_accept_sec_context() on a system with a NegoEx mechanism registered in /etc/gss/mech. An unauthenticated remote attacker can trigger this, causing the process to terminate in parse_nego_message.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
Libgcrypt before 1.12.2 sometimes allows a heap-based buffer overflow and denial of service via crafted ECDH ciphertext to gcry_pk_decrypt.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: net/x25: Fix potential double free of skb When alloc_skb fails in x25_queue_rx_frame it calls kfree_skb(skb) at line 48 and returns 1 (error). This error propagates back through the call chain: x25_queue_rx_frame returns 1 | v x25_state3_machine receives the return value 1 and takes the else branch at line 278, setting queued=0 and returning 0 | v x25_process_rx_frame returns queued=0 | v x25_backlog_rcv at line 452 sees queued=0 and calls kfree_skb(skb) again This would free the same skb twice. Looking at x25_backlog_rcv: net/x25/x25_in.c:x25_backlog_rcv() { ... queued = x25_process_rx_frame(sk, skb); ... if (!queued) kfree_skb(skb); }
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: reject immediate NF_QUEUE verdict nft_queue is always used from userspace nftables to deliver the NF_QUEUE verdict. Immediately emitting an NF_QUEUE verdict is never used by the userspace nft tools, so reject immediate NF_QUEUE verdicts. The arp family does not provide queue support, but such an immediate verdict is still reachable. Globally reject NF_QUEUE immediate verdicts to address this issue.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: netfilter: ctnetlink: ignore explicit helper on new expectations Use the existing master conntrack helper, anything else is not really supported and it just makes validation more complicated, so just ignore what helper userspace suggests for this expectation. This was uncovered when validating CTA_EXPECT_CLASS via different helper provided by userspace than the existing master conntrack helper: BUG: KASAN: slab-out-of-bounds in nf_ct_expect_related_report+0x2479/0x27c0 Read of size 4 at addr ffff8880043fe408 by task poc/102 Call Trace: nf_ct_expect_related_report+0x2479/0x27c0 ctnetlink_create_expect+0x22b/0x3b0 ctnetlink_new_expect+0x4bd/0x5c0 nfnetlink_rcv_msg+0x67a/0x950 netlink_rcv_skb+0x120/0x350 Allowing to read kernel memory bytes off the expectation boundary. CTA_EXPECT_HELP_NAME is still used to offer the helper name to userspace via netlink dump.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: netfilter: ctnetlink: zero expect NAT fields when CTA_EXPECT_NAT absent ctnetlink_alloc_expect() allocates expectations from a non-zeroing slab cache via nf_ct_expect_alloc(). When CTA_EXPECT_NAT is not present in the netlink message, saved_addr and saved_proto are never initialized. Stale data from a previous slab occupant can then be dumped to userspace by ctnetlink_exp_dump_expect(), which checks these fields to decide whether to emit CTA_EXPECT_NAT. The safe sibling nf_ct_expect_init(), used by the packet path, explicitly zeroes these fields. Zero saved_addr, saved_proto and dir in the else branch, guarded by IS_ENABLED(CONFIG_NF_NAT) since these fields only exist when NAT is enabled. Confirmed by priming the expect slab with NAT-bearing expectations, freeing them, creating a new expectation without CTA_EXPECT_NAT, and observing that the ctnetlink dump emits a spurious CTA_EXPECT_NAT containing stale data from the prior allocation.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_conntrack_helper: pass helper to expect cleanup nf_conntrack_helper_unregister() calls nf_ct_expect_iterate_destroy() to remove expectations belonging to the helper being unregistered. However, it passes NULL instead of the helper pointer as the data argument, so expect_iter_me() never matches any expectation and all of them survive the cleanup. After unregister returns, nfnl_cthelper_del() frees the helper object immediately. Subsequent expectation dumps or packet-driven init_conntrack() calls then dereference the freed exp->helper, causing a use-after-free. Pass the actual helper pointer so expectations referencing it are properly destroyed before the helper object is freed. BUG: KASAN: slab-use-after-free in string+0x38f/0x430 Read of size 1 at addr ffff888003b14d20 by task poc/103 Call Trace: string+0x38f/0x430 vsnprintf+0x3cc/0x1170 seq_printf+0x17a/0x240 exp_seq_show+0x2e5/0x560 seq_read_iter+0x419/0x1280 proc_reg_read+0x1ac/0x270 vfs_read+0x179/0x930 ksys_read+0xef/0x1c0 Freed by task 103: The buggy address is located 32 bytes inside of freed 192-byte region [ffff888003b14d00, ffff888003b14dc0)
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: netfilter: x_tables: ensure names are nul-terminated Reject names that lack a \0 character before feeding them to functions that expect c-strings. Fixes tag is the most recent commit that needs this change.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: bpf: Fix regsafe() for pointers to packet In case rold->reg->range == BEYOND_PKT_END && rcur->reg->range == N regsafe() may return true which may lead to current state with valid packet range not being explored. Fix the bug.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: crypto: authencesn - Do not place hiseq at end of dst for out-of-place decryption When decrypting data that is not in-place (src != dst), there is no need to save the high-order sequence bits in dst as it could simply be re-copied from the source. However, the data to be hashed need to be rearranged accordingly. Thanks,
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: net: sched: cls_api: fix tc_chain_fill_node to initialize tcm_info to zero to prevent an info-leak When building netlink messages, tc_chain_fill_node() never initializes the tcm_info field of struct tcmsg. Since the allocation is not zeroed, kernel heap memory is leaked to userspace through this 4-byte field. The fix simply zeroes tcm_info alongside the other fields that are already initialized.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: ipv6: icmp: clear skb2->cb[] in ip6_err_gen_icmpv6_unreach() Sashiko AI-review observed: In ip6_err_gen_icmpv6_unreach(), the skb is an outer IPv4 ICMP error packet where its cb contains an IPv4 inet_skb_parm. When skb is cloned into skb2 and passed to icmp6_send(), it uses IP6CB(skb2). IP6CB interprets the IPv4 inet_skb_parm as an inet6_skb_parm. The cipso offset in inet_skb_parm.opt directly overlaps with dsthao in inet6_skb_parm at offset 18. If an attacker sends a forged ICMPv4 error with a CIPSO IP option, dsthao would be a non-zero offset. Inside icmp6_send(), mip6_addr_swap() is called and uses ipv6_find_tlv(skb, opt->dsthao, IPV6_TLV_HAO). This would scan the inner, attacker-controlled IPv6 packet starting at that offset, potentially returning a fake TLV without checking if the remaining packet length can hold the full 18-byte struct ipv6_destopt_hao. Could mip6_addr_swap() then perform a 16-byte swap that extends past the end of the packet data into skb_shared_info? Should the cb array also be cleared in ip6_err_gen_icmpv6_unreach() and ip6ip6_err() to prevent this? This patch implements the first suggestion. I am not sure if ip6ip6_err() needs to be changed. A separate patch would be better anyway.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: net: ipv6: ndisc: fix ndisc_ra_useropt to initialize nduseropt_padX fields to zero to prevent an info-leak When processing Router Advertisements with user options the kernel builds an RTM_NEWNDUSEROPT netlink message. The nduseroptmsg struct has three padding fields that are never zeroed and can leak kernel data The fix is simple, just zeroes the padding fields.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: net: correctly handle tunneled traffic on IPV6_CSUM GSO fallback NETIF_F_IPV6_CSUM only advertises support for checksum offload of packets without IPv6 extension headers. Packets with extension headers must fall back onto software checksumming. Since TSO depends on checksum offload, those must revert to GSO. The below commit introduces that fallback. It always checks network header length. For tunneled packets, the inner header length must be checked instead. Extend the check accordingly. A special case is tunneled packets without inner IP protocol. Such as RFC 6951 SCTP in UDP. Those are not standard IPv6 followed by transport header either, so also must revert to the software GSO path.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: xfrm: esp: avoid in-place decrypt on shared skb frags MSG_SPLICE_PAGES can attach pages from a pipe directly to an skb. TCP marks such skbs with SKBFL_SHARED_FRAG after skb_splice_from_iter(), so later paths that may modify packet data can first make a private copy. The IPv4/IPv6 datagram append paths did not set this flag when splicing pages into UDP skbs. That leaves an ESP-in-UDP packet made from shared pipe pages looking like an ordinary uncloned nonlinear skb. ESP input then takes the no-COW fast path for uncloned skbs without a frag_list and decrypts in place over data that is not owned privately by the skb. Mark IPv4/IPv6 datagram splice frags with SKBFL_SHARED_FRAG, matching TCP. Also make ESP input fall back to skb_cow_data() when the flag is present, so ESP does not decrypt externally backed frags in place. Private nonlinear skb frags still use the existing fast path. This intentionally does not change ESP output. In esp_output_head(), the path that appends the ESP trailer to existing skb tailroom without calling skb_cow_data() is not reachable for nonlinear skbs: skb_tailroom() returns zero when skb->data_len is nonzero, while ESP tailen is positive. Thus ESP output will either use the separate destination-frag path or fall back to skb_cow_data().
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: x86/CPU/AMD: Prevent improper isolation of shared resources in Zen2's op cache Make sure resources are not improperly shared in the op cache and cause instruction corruption this way.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: net: skbuff: preserve shared-frag marker during coalescing skb_try_coalesce() can attach paged frags from @from to @to. If @from has SKBFL_SHARED_FRAG set, the resulting @to skb can contain the same externally-owned or page-cache-backed frags, but the shared-frag marker is currently lost. That breaks the invariant relied on by later in-place writers. In particular, ESP input checks skb_has_shared_frag() before deciding whether an uncloned nonlinear skb can skip skb_cow_data(). If TCP receive coalescing has moved shared frags into an unmarked skb, ESP can see skb_has_shared_frag() as false and decrypt in place over page-cache backed frags. Propagate SKBFL_SHARED_FRAG when skb_try_coalesce() transfers paged frags. The tailroom copy path does not need the marker because it copies bytes into @to's linear data rather than transferring frag descriptors.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
In the Linux kernel, the following vulnerability has been resolved: ptrace: slightly saner 'get_dumpable()' logic The 'dumpability' of a task is fundamentally about the memory image of the task - the concept comes from whether it can core dump or not - and makes no sense when you don't have an associated mm. And almost all users do in fact use it only for the case where the task has a mm pointer. But we have one odd special case: ptrace_may_access() uses 'dumpable' to check various other things entirely independently of the MM (typically explicitly using flags like PTRACE_MODE_READ_FSCREDS). Including for threads that no longer have a VM (and maybe never did, like most kernel threads). It's not what this flag was designed for, but it is what it is. The ptrace code does check that the uid/gid matches, so you do have to be uid-0 to see kernel thread details, but this means that the traditional "drop capabilities" model doesn't make any difference for this all. Make it all make a *bit* more sense by saying that if you don't have a MM pointer, we'll use a cached "last dumpability" flag if the thread ever had a MM (it will be zero for kernel threads since it is never set), and require a proper CAP_SYS_PTRACE capability to override.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
|
6ES7518-4AX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)
|
6ES7518-4AX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
|
6ES7518-4FX00-1AB0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) >= V3.1.6
Siemens / SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)
|
6ES7518-4FX00-1AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
|
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) >= V3.1.6
Siemens / SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
|
6AG1518-4AX00-4AC0
|
vers:intdot/>=3.1.6 |
Mitigation
Mitigation
None Available
|
{
"document": {
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Disclosure is not limited. (TLPv2: TLP:CLEAR)",
"tlp": {
"label": "WHITE"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Multiple vulnerabilities have been identified in the additional GNU/Linux subsystem of the firmware version V3.1.6 for the SIMATIC S7-1500 CPU 1518(F)-4 PN/DP MFP (incl. SIPLUS variant).\n\nSiemens is preparing fix versions and recommends specific countermeasures for products where fixes are not, or not yet available.",
"title": "Summary"
},
{
"category": "general",
"text": "As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens\u0027 operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security), and to follow the recommendations in the product manuals.\nAdditional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity",
"title": "General Recommendations"
},
{
"category": "general",
"text": "For further inquiries on security vulnerabilities in Siemens products and solutions, please contact the Siemens ProductCERT: https://www.siemens.com/cert/advisories",
"title": "Additional Resources"
},
{
"category": "legal_disclaimer",
"text": "The use of Siemens Security Advisories is subject to the terms and conditions listed on: https://www.siemens.com/productcert/terms-of-use.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "productcert@siemens.com",
"name": "Siemens ProductCERT",
"namespace": "https://www.siemens.com"
},
"references": [
{
"category": "self",
"summary": "SSA-019113: Vulnerabilities in the additional GNU/Linux subsystem of the SIMATIC S7-1500 CPU 1518(F)-4 PN/DP MFP V3.1.6 - HTML Version",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-019113.html"
},
{
"category": "self",
"summary": "SSA-019113: Vulnerabilities in the additional GNU/Linux subsystem of the SIMATIC S7-1500 CPU 1518(F)-4 PN/DP MFP V3.1.6 - CSAF Version",
"url": "https://cert-portal.siemens.com/productcert/csaf/ssa-019113.json"
}
],
"title": "SSA-019113: Vulnerabilities in the additional GNU/Linux subsystem of the SIMATIC S7-1500 CPU 1518(F)-4 PN/DP MFP V3.1.6",
"tracking": {
"current_release_date": "2026-07-14T00:00:00.000Z",
"generator": {
"engine": {
"name": "Siemens ProductCERT CSAF Generator",
"version": "1"
}
},
"id": "SSA-019113",
"initial_release_date": "2026-07-14T00:00:00.000Z",
"revision_history": [
{
"date": "2026-07-14T00:00:00.000Z",
"legacy_version": "1.0",
"number": "1",
"summary": "Publication Date"
}
],
"status": "interim",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version_range",
"name": "vers:intdot/\u003e=3.1.6",
"product": {
"name": "SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) \u003e= V3.1.6",
"product_id": "1",
"product_identification_helper": {
"model_numbers": [
"6ES7518-4AX00-1AB0"
]
}
}
}
],
"category": "product_name",
"name": "SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:intdot/\u003e=3.1.6",
"product": {
"name": "SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) \u003e= V3.1.6",
"product_id": "2",
"product_identification_helper": {
"model_numbers": [
"6ES7518-4AX00-1AC0"
]
}
}
}
],
"category": "product_name",
"name": "SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0)"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:intdot/\u003e=3.1.6",
"product": {
"name": "SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) \u003e= V3.1.6",
"product_id": "3",
"product_identification_helper": {
"model_numbers": [
"6ES7518-4FX00-1AB0"
]
}
}
}
],
"category": "product_name",
"name": "SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:intdot/\u003e=3.1.6",
"product": {
"name": "SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) \u003e= V3.1.6",
"product_id": "4",
"product_identification_helper": {
"model_numbers": [
"6ES7518-4FX00-1AC0"
]
}
}
}
],
"category": "product_name",
"name": "SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0)"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:intdot/\u003e=3.1.6",
"product": {
"name": "SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) \u003e= V3.1.6",
"product_id": "5",
"product_identification_helper": {
"model_numbers": [
"6AG1518-4AX00-4AC0"
]
}
}
}
],
"category": "product_name",
"name": "SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)"
}
],
"category": "vendor",
"name": "Siemens"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2021-41617",
"cwe": {
"id": "CWE-311",
"name": "Missing Encryption of Sensitive Data"
},
"notes": [
{
"category": "description",
"text": "sshd in OpenSSH 6.2 through 8.x before 8.8, when certain non-default configurations are used, allows privilege escalation because supplemental groups are not initialized as expected. Helper programs for AuthorizedKeysCommand and AuthorizedPrincipalsCommand may run with privileges associated with group memberships of the sshd process, if the configuration specifies running the command as a different user.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.0,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2021-41617"
},
{
"cve": "CVE-2023-28531",
"cwe": {
"id": "CWE-311",
"name": "Missing Encryption of Sensitive Data"
},
"notes": [
{
"category": "description",
"text": "ssh-add in OpenSSH before 9.3 adds smartcard keys to ssh-agent without the intended per-hop destination constraints. The earliest affected version is 8.9.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2023-28531"
},
{
"cve": "CVE-2023-51384",
"cwe": {
"id": "CWE-304",
"name": "Missing Critical Step in Authentication"
},
"notes": [
{
"category": "description",
"text": "In ssh-agent in OpenSSH before 9.6, certain destination constraints can be incompletely applied. When destination constraints are specified during addition of PKCS#11-hosted private keys, these constraints are only applied to the first key, even if a PKCS#11 token returns multiple keys.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2023-51384"
},
{
"cve": "CVE-2023-52927",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: allow exp not to be removed in nf_ct_find_expectation\n\nCurrently nf_conntrack_in() calling nf_ct_find_expectation() will\nremove the exp from the hash table. However, in some scenario, we\nexpect the exp not to be removed when the created ct will not be\nconfirmed, like in OVS and TC conntrack in the following patches.\n\nThis patch allows exp not to be removed by setting IPS_CONFIRMED\nin the status of the tmpl.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2023-52927"
},
{
"cve": "CVE-2024-26783",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/vmscan: fix a bug calling wakeup_kswapd() with a wrong zone index\n\nWith numa balancing on, when a numa system is running where a numa node\ndoesn\u0027t have its local memory so it has no managed zones, the following\noops has been observed. It\u0027s because wakeup_kswapd() is called with a\nwrong zone index, -1. Fixed it by checking the index before calling\nwakeup_kswapd().\n\n\u003e BUG: unable to handle page fault for address: 00000000000033f3\n\u003e #PF: supervisor read access in kernel mode\n\u003e #PF: error_code(0x0000) - not-present page\n\u003e PGD 0 P4D 0\n\u003e Oops: 0000 [#1] PREEMPT SMP NOPTI\n\u003e CPU: 2 PID: 895 Comm: masim Not tainted 6.6.0-dirty #255\n\u003e Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS\n\u003e rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014\n\u003e RIP: 0010:wakeup_kswapd (./linux/mm/vmscan.c:7812)\n\u003e Code: (omitted)\n\u003e RSP: 0000:ffffc90004257d58 EFLAGS: 00010286\n\u003e RAX: ffffffffffffffff RBX: ffff88883fff0480 RCX: 0000000000000003\n\u003e RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff88883fff0480\n\u003e RBP: ffffffffffffffff R08: ff0003ffffffffff R09: ffffffffffffffff\n\u003e R10: ffff888106c95540 R11: 0000000055555554 R12: 0000000000000003\n\u003e R13: 0000000000000000 R14: 0000000000000000 R15: ffff88883fff0940\n\u003e FS: 00007fc4b8124740(0000) GS:ffff888827c00000(0000) knlGS:0000000000000000\n\u003e CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n\u003e CR2: 00000000000033f3 CR3: 000000026cc08004 CR4: 0000000000770ee0\n\u003e DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n\u003e DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n\u003e PKRU: 55555554\n\u003e Call Trace:\n\u003e \u003cTASK\u003e\n\u003e ? __die\n\u003e ? page_fault_oops\n\u003e ? __pte_offset_map_lock\n\u003e ? exc_page_fault\n\u003e ? asm_exc_page_fault\n\u003e ? wakeup_kswapd\n\u003e migrate_misplaced_page\n\u003e __handle_mm_fault\n\u003e handle_mm_fault\n\u003e do_user_addr_fault\n\u003e exc_page_fault\n\u003e asm_exc_page_fault\n\u003e RIP: 0033:0x55b897ba0808\n\u003e Code: (omitted)\n\u003e RSP: 002b:00007ffeefa821a0 EFLAGS: 00010287\n\u003e RAX: 000055b89983acd0 RBX: 00007ffeefa823f8 RCX: 000055b89983acd0\n\u003e RDX: 00007fc2f8122010 RSI: 0000000000020000 RDI: 000055b89983acd0\n\u003e RBP: 00007ffeefa821a0 R08: 0000000000000037 R09: 0000000000000075\n\u003e R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000000\n\u003e R13: 00007ffeefa82410 R14: 000055b897ba5dd8 R15: 00007fc4b8340000\n\u003e \u003c/TASK\u003e",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2024-26783"
},
{
"cve": "CVE-2024-27056",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: iwlwifi: mvm: ensure offloading TID queue exists\n\nThe resume code path assumes that the TX queue for the offloading TID\nhas been configured. At resume time it then tries to sync the write\npointer as it may have been updated by the firmware.\n\nIn the unusual event that no packets have been send on TID 0, the queue\nwill not have been allocated and this causes a crash. Fix this by\nensuring the queue exist at suspend time.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2024-27056"
},
{
"cve": "CVE-2024-28956",
"cwe": {
"id": "CWE-1421",
"name": "Exposure of Sensitive Information in Shared Microarchitectural Structures during Transient Execution"
},
"notes": [
{
"category": "description",
"text": "Exposure of Sensitive Information in Shared Microarchitectural Structures during Transient Execution for some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.6,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2024-28956"
},
{
"cve": "CVE-2024-36903",
"cwe": {
"id": "CWE-362",
"name": "Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027)"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: Fix potential uninit-value access in __ip6_make_skb()\n\nAs it was done in commit fc1092f51567 (\"ipv4: Fix uninit-value access in\n__ip_make_skb()\") for IPv4, check FLOWI_FLAG_KNOWN_NH on fl6-\u003eflowi6_flags\ninstead of testing HDRINCL on the socket to avoid a race condition which\ncauses uninit-value access.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.6,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2024-36903"
},
{
"cve": "CVE-2024-36927",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv4: Fix uninit-value access in __ip_make_skb()\n\nKMSAN reported uninit-value access in __ip_make_skb() [1]. __ip_make_skb()\ntests HDRINCL to know if the skb has icmphdr. However, HDRINCL can cause a\nrace condition. If calling setsockopt(2) with IP_HDRINCL changes HDRINCL\nwhile __ip_make_skb() is running, the function will access icmphdr in the\nskb even if it is not included. This causes the issue reported by KMSAN.\n\nCheck FLOWI_FLAG_KNOWN_NH on fl4-\u003eflowi4_flags instead of testing HDRINCL\non the socket.\n\nAlso, fl4-\u003efl4_icmp_type and fl4-\u003efl4_icmp_code are not initialized. These\nare union in struct flowi4 and are implicitly initialized by\nflowi4_init_output(), but we should not rely on specific union layout.\n\nInitialize these explicitly in raw_sendmsg().\n\n[1]\nBUG: KMSAN: uninit-value in __ip_make_skb+0x2b74/0x2d20 net/ipv4/ip_output.c:1481\n __ip_make_skb+0x2b74/0x2d20 net/ipv4/ip_output.c:1481\n ip_finish_skb include/net/ip.h:243 [inline]\n ip_push_pending_frames+0x4c/0x5c0 net/ipv4/ip_output.c:1508\n raw_sendmsg+0x2381/0x2690 net/ipv4/raw.c:654\n inet_sendmsg+0x27b/0x2a0 net/ipv4/af_inet.c:851\n sock_sendmsg_nosec net/socket.c:730 [inline]\n __sock_sendmsg+0x274/0x3c0 net/socket.c:745\n __sys_sendto+0x62c/0x7b0 net/socket.c:2191\n __do_sys_sendto net/socket.c:2203 [inline]\n __se_sys_sendto net/socket.c:2199 [inline]\n __x64_sys_sendto+0x130/0x200 net/socket.c:2199\n do_syscall_64+0xd8/0x1f0 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\n\nUninit was created at:\n slab_post_alloc_hook mm/slub.c:3804 [inline]\n slab_alloc_node mm/slub.c:3845 [inline]\n kmem_cache_alloc_node+0x5f6/0xc50 mm/slub.c:3888\n kmalloc_reserve+0x13c/0x4a0 net/core/skbuff.c:577\n __alloc_skb+0x35a/0x7c0 net/core/skbuff.c:668\n alloc_skb include/linux/skbuff.h:1318 [inline]\n __ip_append_data+0x49ab/0x68c0 net/ipv4/ip_output.c:1128\n ip_append_data+0x1e7/0x260 net/ipv4/ip_output.c:1365\n raw_sendmsg+0x22b1/0x2690 net/ipv4/raw.c:648\n inet_sendmsg+0x27b/0x2a0 net/ipv4/af_inet.c:851\n sock_sendmsg_nosec net/socket.c:730 [inline]\n __sock_sendmsg+0x274/0x3c0 net/socket.c:745\n __sys_sendto+0x62c/0x7b0 net/socket.c:2191\n __do_sys_sendto net/socket.c:2203 [inline]\n __se_sys_sendto net/socket.c:2199 [inline]\n __x64_sys_sendto+0x130/0x200 net/socket.c:2199\n do_syscall_64+0xd8/0x1f0 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\n\nCPU: 1 PID: 15709 Comm: syz-executor.7 Not tainted 6.8.0-11567-gb3603fcb79b1 #25\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-1.fc39 04/01/2014",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2024-36927"
},
{
"cve": "CVE-2024-42079",
"cwe": {
"id": "CWE-476",
"name": "NULL Pointer Dereference"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\ngfs2: Fix NULL pointer dereference in gfs2_log_flush\n\nIn gfs2_jindex_free(), set sdp-\u003esd_jdesc to NULL under the log flush\nlock to provide exclusion against gfs2_log_flush().\n\nIn gfs2_log_flush(), check if sdp-\u003esd_jdesc is non-NULL before\ndereferencing it. Otherwise, we could run into a NULL pointer\ndereference when outstanding glock work races with an unmount\n(glock_work_func -\u003e run_queue -\u003e do_xmote -\u003e inode_go_sync -\u003e\ngfs2_log_flush).",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2024-42079"
},
{
"cve": "CVE-2024-46786",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nfscache: delete fscache_cookie_lru_timer when fscache exits to avoid UAF\n\nThe fscache_cookie_lru_timer is initialized when the fscache module\nis inserted, but is not deleted when the fscache module is removed.\nIf timer_reduce() is called before removing the fscache module,\nthe fscache_cookie_lru_timer will be added to the timer list of\nthe current cpu. Afterwards, a use-after-free will be triggered\nin the softIRQ after removing the fscache module, as follows:\n\n==================================================================\nBUG: unable to handle page fault for address: fffffbfff803c9e9\n PF: supervisor read access in kernel mode\n PF: error_code(0x0000) - not-present page\nPGD 21ffea067 P4D 21ffea067 PUD 21ffe6067 PMD 110a7c067 PTE 0\nOops: Oops: 0000 [#1] PREEMPT SMP KASAN PTI\nCPU: 1 UID: 0 PID: 0 Comm: swapper/1 Tainted: G W 6.11.0-rc3 #855\nTainted: [W]=WARN\nRIP: 0010:__run_timer_base.part.0+0x254/0x8a0\nCall Trace:\n \u003cIRQ\u003e\n tmigr_handle_remote_up+0x627/0x810\n __walk_groups.isra.0+0x47/0x140\n tmigr_handle_remote+0x1fa/0x2f0\n handle_softirqs+0x180/0x590\n irq_exit_rcu+0x84/0xb0\n sysvec_apic_timer_interrupt+0x6e/0x90\n \u003c/IRQ\u003e\n \u003cTASK\u003e\n asm_sysvec_apic_timer_interrupt+0x1a/0x20\nRIP: 0010:default_idle+0xf/0x20\n default_idle_call+0x38/0x60\n do_idle+0x2b5/0x300\n cpu_startup_entry+0x54/0x60\n start_secondary+0x20d/0x280\n common_startup_64+0x13e/0x148\n \u003c/TASK\u003e\nModules linked in: [last unloaded: netfs]\n==================================================================\n\nTherefore delete fscache_cookie_lru_timer when removing the fscahe module.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2024-46786"
},
{
"cve": "CVE-2024-47736",
"cwe": {
"id": "CWE-404",
"name": "Improper Resource Shutdown or Release"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nerofs: handle overlapped pclusters out of crafted images properly\n\nsyzbot reported a task hang issue due to a deadlock case where it is\nwaiting for the folio lock of a cached folio that will be used for\ncache I/Os.\n\nAfter looking into the crafted fuzzed image, I found it\u0027s formed with\nseveral overlapped big pclusters as below:\n\n Ext: logical offset | length : physical offset | length\n 0: 0.. 16384 | 16384 : 151552.. 167936 | 16384\n 1: 16384.. 32768 | 16384 : 155648.. 172032 | 16384\n 2: 32768.. 49152 | 16384 : 537223168.. 537239552 | 16384\n...\n\nHere, extent 0/1 are physically overlapped although it\u0027s entirely\n_impossible_ for normal filesystem images generated by mkfs.\n\nFirst, managed folios containing compressed data will be marked as\nup-to-date and then unlocked immediately (unlike in-place folios) when\ncompressed I/Os are complete. If physical blocks are not submitted in\nthe incremental order, there should be separate BIOs to avoid dependency\nissues. However, the current code mis-arranges z_erofs_fill_bio_vec()\nand BIO submission which causes unexpected BIO waits.\n\nSecond, managed folios will be connected to their own pclusters for\nefficient inter-queries. However, this is somewhat hard to implement\neasily if overlapped big pclusters exist. Again, these only appear in\nfuzzed images so let\u0027s simply fall back to temporary short-lived pages\nfor correctness.\n\nAdditionally, it justifies that referenced managed folios cannot be\ntruncated for now and reverts part of commit 2080ca1ed3e4 (\"erofs: tidy\nup `struct z_erofs_bvec`\") for simplicity although it shouldn\u0027t be any\ndifference.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2024-47736"
},
{
"cve": "CVE-2024-47809",
"cwe": {
"id": "CWE-476",
"name": "NULL Pointer Dereference"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\ndlm: fix possible lkb_resource null dereference\n\nThis patch fixes a possible null pointer dereference when this function is\ncalled from request_lock() as lkb-\u003elkb_resource is not assigned yet,\nonly after validate_lock_args() by calling attach_lkb(). Another issue\nis that a resource name could be a non printable bytearray and we cannot\nassume to be ASCII coded.\n\nThe log functionality is probably never being hit when DLM is used in\nnormal way and no debug logging is enabled. The null pointer dereference\ncan only occur on a new created lkb that does not have the resource\nassigned yet, it probably never hits the null pointer dereference but we\nshould be sure that other changes might not change this behaviour and we\nactually can hit the mentioned null pointer dereference.\n\nIn this patch we just drop the printout of the resource name, the lkb id\nis enough to make a possible connection to a resource name if this\nexists.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2024-47809"
},
{
"cve": "CVE-2024-49968",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: filesystems without casefold feature cannot be mounted with siphash\n\nWhen mounting the ext4 filesystem, if the default hash version is set to\nDX_HASH_SIPHASH but the casefold feature is not set, exit the mounting.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2024-49968"
},
{
"cve": "CVE-2024-49994",
"cwe": {
"id": "CWE-190",
"name": "Integer Overflow or Wraparound"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nblock: fix integer overflow in BLKSECDISCARD\n\nI independently rediscovered\n\n\tcommit 22d24a544b0d49bbcbd61c8c0eaf77d3c9297155\n\tblock: fix overflow in blk_ioctl_discard()\n\nbut for secure erase.\n\nSame problem:\n\n\tuint64_t r[2] = {512, 18446744073709551104ULL};\n\tioctl(fd, BLKSECDISCARD, r);\n\nwill enter near infinite loop inside blkdev_issue_secure_erase():\n\n\ta.out: attempt to access beyond end of device\n\tloop0: rw=5, sector=3399043073, nr_sectors = 1024 limit=2048\n\tbio_check_eod: 3286214 callbacks suppressed",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2024-49994"
},
{
"cve": "CVE-2024-49998",
"cwe": {
"id": "CWE-476",
"name": "NULL Pointer Dereference"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: dsa: improve shutdown sequence\n\nAlexander Sverdlin presents 2 problems during shutdown with the\nlan9303 driver. One is specific to lan9303 and the other just happens\nto reproduce there.\n\nThe first problem is that lan9303 is unique among DSA drivers in that it\ncalls dev_get_drvdata() at \"arbitrary runtime\" (not probe, not shutdown,\nnot remove):\n\nphy_state_machine()\n-\u003e ...\n -\u003e dsa_user_phy_read()\n -\u003e ds-\u003eops-\u003ephy_read()\n -\u003e lan9303_phy_read()\n -\u003e chip-\u003eops-\u003ephy_read()\n -\u003e lan9303_mdio_phy_read()\n -\u003e dev_get_drvdata()\n\nBut we never stop the phy_state_machine(), so it may continue to run\nafter dsa_switch_shutdown(). Our common pattern in all DSA drivers is\nto set drvdata to NULL to suppress the remove() method that may come\nafterwards. But in this case it will result in an NPD.\n\nThe second problem is that the way in which we set\ndp-\u003econduit-\u003edsa_ptr = NULL; is concurrent with receive packet\nprocessing. dsa_switch_rcv() checks once whether dev-\u003edsa_ptr is NULL,\nbut afterwards, rather than continuing to use that non-NULL value,\ndev-\u003edsa_ptr is dereferenced again and again without NULL checks:\ndsa_conduit_find_user() and many other places. In between dereferences,\nthere is no locking to ensure that what was valid once continues to be\nvalid.\n\nBoth problems have the common aspect that closing the conduit interface\nsolves them.\n\nIn the first case, dev_close(conduit) triggers the NETDEV_GOING_DOWN\nevent in dsa_user_netdevice_event() which closes user ports as well.\ndsa_port_disable_rt() calls phylink_stop(), which synchronously stops\nthe phylink state machine, and ds-\u003eops-\u003ephy_read() will thus no longer\ncall into the driver after this point.\n\nIn the second case, dev_close(conduit) should do this, as per\nDocumentation/networking/driver.rst:\n\n| Quiescence\n| ----------\n|\n| After the ndo_stop routine has been called, the hardware must\n| not receive or transmit any data. All in flight packets must\n| be aborted. If necessary, poll or wait for completion of\n| any reset commands.\n\nSo it should be sufficient to ensure that later, when we zeroize\nconduit-\u003edsa_ptr, there will be no concurrent dsa_switch_rcv() call\non this conduit.\n\nThe addition of the netif_device_detach() function is to ensure that\nioctls, rtnetlinks and ethtool requests on the user ports no longer\npropagate down to the driver - we\u0027re no longer prepared to handle them.\n\nThe race condition actually did not exist when commit 0650bf52b31f\n(\"net: dsa: be compatible with masters which unregister on shutdown\")\nfirst introduced dsa_switch_shutdown(). It was created later, when we\nstopped unregistering the user interfaces from a bad spot, and we just\nreplaced that sequence with a racy zeroization of conduit-\u003edsa_ptr\n(one which doesn\u0027t ensure that the interfaces aren\u0027t up).",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2024-49998"
},
{
"cve": "CVE-2024-50014",
"cwe": {
"id": "CWE-457",
"name": "Use of Uninitialized Variable"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix access to uninitialised lock in fc replay path\n\nThe following kernel trace can be triggered with fstest generic/629 when\nexecuted against a filesystem with fast-commit feature enabled:\n\nINFO: trying to register non-static key.\nThe code is fine but needs lockdep annotation, or maybe\nyou didn\u0027t initialize this object before use?\nturning off the locking correctness validator.\nCPU: 0 PID: 866 Comm: mount Not tainted 6.10.0+ #11\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.2-3-gd478f380-prebuilt.qemu.org 04/01/2014\nCall Trace:\n \u003cTASK\u003e\n dump_stack_lvl+0x66/0x90\n register_lock_class+0x759/0x7d0\n __lock_acquire+0x85/0x2630\n ? __find_get_block+0xb4/0x380\n lock_acquire+0xd1/0x2d0\n ? __ext4_journal_get_write_access+0xd5/0x160\n _raw_spin_lock+0x33/0x40\n ? __ext4_journal_get_write_access+0xd5/0x160\n __ext4_journal_get_write_access+0xd5/0x160\n ext4_reserve_inode_write+0x61/0xb0\n __ext4_mark_inode_dirty+0x79/0x270\n ? ext4_ext_replay_set_iblocks+0x2f8/0x450\n ext4_ext_replay_set_iblocks+0x330/0x450\n ext4_fc_replay+0x14c8/0x1540\n ? jread+0x88/0x2e0\n ? rcu_is_watching+0x11/0x40\n do_one_pass+0x447/0xd00\n jbd2_journal_recover+0x139/0x1b0\n jbd2_journal_load+0x96/0x390\n ext4_load_and_init_journal+0x253/0xd40\n ext4_fill_super+0x2cc6/0x3180\n...\n\nIn the replay path there\u0027s an attempt to lock sbi-\u003es_bdev_wb_lock in\nfunction ext4_check_bdev_write_error(). Unfortunately, at this point this\nspinlock has not been initialized yet. Moving it\u0027s initialization to an\nearlier point in __ext4_fill_super() fixes this splat.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2024-50014"
},
{
"cve": "CVE-2024-50063",
"cwe": {
"id": "CWE-841",
"name": "Improper Enforcement of Behavioral Workflow"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Prevent tail call between progs attached to different hooks\n\nbpf progs can be attached to kernel functions, and the attached functions\ncan take different parameters or return different return values. If\nprog attached to one kernel function tail calls prog attached to another\nkernel function, the ctx access or return value verification could be\nbypassed.\n\nFor example, if prog1 is attached to func1 which takes only 1 parameter\nand prog2 is attached to func2 which takes two parameters. Since verifier\nassumes the bpf ctx passed to prog2 is constructed based on func2\u0027s\nprototype, verifier allows prog2 to access the second parameter from\nthe bpf ctx passed to it. The problem is that verifier does not prevent\nprog1 from passing its bpf ctx to prog2 via tail call. In this case,\nthe bpf ctx passed to prog2 is constructed from func1 instead of func2,\nthat is, the assumption for ctx access verification is bypassed.\n\nAnother example, if BPF LSM prog1 is attached to hook file_alloc_security,\nand BPF LSM prog2 is attached to hook bpf_lsm_audit_rule_known. Verifier\nknows the return value rules for these two hooks, e.g. it is legal for\nbpf_lsm_audit_rule_known to return positive number 1, and it is illegal\nfor file_alloc_security to return positive number. So verifier allows\nprog2 to return positive number 1, but does not allow prog1 to return\npositive number. The problem is that verifier does not prevent prog1\nfrom calling prog2 via tail call. In this case, prog2\u0027s return value 1\nwill be used as the return value for prog1\u0027s hook file_alloc_security.\nThat is, the return value rule is bypassed.\n\nThis patch adds restriction for tail call to prevent such bypasses.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.7,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2024-50063"
},
{
"cve": "CVE-2024-50164",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix overloading of MEM_UNINIT\u0027s meaning\n\nLonial reported an issue in the BPF verifier where check_mem_size_reg()\nhas the following code:\n\n if (!tnum_is_const(reg-\u003evar_off))\n /* For unprivileged variable accesses, disable raw\n * mode so that the program is required to\n * initialize all the memory that the helper could\n * just partially fill up.\n */\n meta = NULL;\n\nThis means that writes are not checked when the register containing the\nsize of the passed buffer has not a fixed size. Through this bug, a BPF\nprogram can write to a map which is marked as read-only, for example,\n.rodata global maps.\n\nThe problem is that MEM_UNINIT\u0027s initial meaning that \"the passed buffer\nto the BPF helper does not need to be initialized\" which was added back\nin commit 435faee1aae9 (\"bpf, verifier: add ARG_PTR_TO_RAW_STACK type\")\ngot overloaded over time with \"the passed buffer is being written to\".\n\nThe problem however is that checks such as the above which were added later\nvia 06c1c049721a (\"bpf: allow helpers access to variable memory\") set meta\nto NULL in order force the user to always initialize the passed buffer to\nthe helper. Due to the current double meaning of MEM_UNINIT, this bypasses\nverifier write checks to the memory (not boundary checks though) and only\nassumes the latter memory is read instead.\n\nFix this by reverting MEM_UNINIT back to its original meaning, and having\nMEM_WRITE as an annotation to BPF helpers in order to then trigger the\nBPF verifier checks for writing to memory.\n\nSome notes: check_arg_pair_ok() ensures that for ARG_CONST_SIZE{,_OR_ZERO}\nwe can access fn-\u003earg_type[arg - 1] since it must contain a preceding\nARG_PTR_TO_MEM. For check_mem_reg() the meta argument can be removed\naltogether since we do check both BPF_READ and BPF_WRITE. Same for the\nequivalent check_kfunc_mem_size_reg().",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2024-50164"
},
{
"cve": "CVE-2024-50298",
"cwe": {
"id": "CWE-476",
"name": "NULL Pointer Dereference"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: enetc: allocate vf_state during PF probes\n\nIn the previous implementation, vf_state is allocated memory only when VF\nis enabled. However, net_device_ops::ndo_set_vf_mac() may be called before\nVF is enabled to configure the MAC address of VF. If this is the case,\nenetc_pf_set_vf_mac() will access vf_state, resulting in access to a null\npointer. The simplified error log is as follows.\n\nroot@ls1028ardb:~# ip link set eno0 vf 1 mac 00:0c:e7:66:77:89\n[ 173.543315] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000004\n[ 173.637254] pc : enetc_pf_set_vf_mac+0x3c/0x80 Message from sy\n[ 173.641973] lr : do_setlink+0x4a8/0xec8\n[ 173.732292] Call trace:\n[ 173.734740] enetc_pf_set_vf_mac+0x3c/0x80\n[ 173.738847] __rtnl_newlink+0x530/0x89c\n[ 173.742692] rtnl_newlink+0x50/0x7c\n[ 173.746189] rtnetlink_rcv_msg+0x128/0x390\n[ 173.750298] netlink_rcv_skb+0x60/0x130\n[ 173.754145] rtnetlink_rcv+0x18/0x24\n[ 173.757731] netlink_unicast+0x318/0x380\n[ 173.761665] netlink_sendmsg+0x17c/0x3c8",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2024-50298"
},
{
"cve": "CVE-2024-53124",
"cwe": {
"id": "CWE-362",
"name": "Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027)"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: fix data-races around sk-\u003esk_forward_alloc\n\nSyzkaller reported this warning:\n ------------[ cut here ]------------\n WARNING: CPU: 0 PID: 16 at net/ipv4/af_inet.c:156 inet_sock_destruct+0x1c5/0x1e0\n Modules linked in:\n CPU: 0 UID: 0 PID: 16 Comm: ksoftirqd/0 Not tainted 6.12.0-rc5 #26\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014\n RIP: 0010:inet_sock_destruct+0x1c5/0x1e0\n Code: 24 12 4c 89 e2 5b 48 c7 c7 98 ec bb 82 41 5c e9 d1 18 17 ff 4c 89 e6 5b 48 c7 c7 d0 ec bb 82 41 5c e9 bf 18 17 ff 0f 0b eb 83 \u003c0f\u003e 0b eb 97 0f 0b eb 87 0f 0b e9 68 ff ff ff 66 66 2e 0f 1f 84 00\n RSP: 0018:ffffc9000008bd90 EFLAGS: 00010206\n RAX: 0000000000000300 RBX: ffff88810b172a90 RCX: 0000000000000007\n RDX: 0000000000000002 RSI: 0000000000000300 RDI: ffff88810b172a00\n RBP: ffff88810b172a00 R08: ffff888104273c00 R09: 0000000000100007\n R10: 0000000000020000 R11: 0000000000000006 R12: ffff88810b172a00\n R13: 0000000000000004 R14: 0000000000000000 R15: ffff888237c31f78\n FS: 0000000000000000(0000) GS:ffff888237c00000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 00007ffc63fecac8 CR3: 000000000342e000 CR4: 00000000000006f0\n DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n Call Trace:\n \u003cTASK\u003e\n ? __warn+0x88/0x130\n ? inet_sock_destruct+0x1c5/0x1e0\n ? report_bug+0x18e/0x1a0\n ? handle_bug+0x53/0x90\n ? exc_invalid_op+0x18/0x70\n ? asm_exc_invalid_op+0x1a/0x20\n ? inet_sock_destruct+0x1c5/0x1e0\n __sk_destruct+0x2a/0x200\n rcu_do_batch+0x1aa/0x530\n ? rcu_do_batch+0x13b/0x530\n rcu_core+0x159/0x2f0\n handle_softirqs+0xd3/0x2b0\n ? __pfx_smpboot_thread_fn+0x10/0x10\n run_ksoftirqd+0x25/0x30\n smpboot_thread_fn+0xdd/0x1d0\n kthread+0xd3/0x100\n ? __pfx_kthread+0x10/0x10\n ret_from_fork+0x34/0x50\n ? __pfx_kthread+0x10/0x10\n ret_from_fork_asm+0x1a/0x30\n \u003c/TASK\u003e\n ---[ end trace 0000000000000000 ]---\n\nIts possible that two threads call tcp_v6_do_rcv()/sk_forward_alloc_add()\nconcurrently when sk-\u003esk_state == TCP_LISTEN with sk-\u003esk_lock unlocked,\nwhich triggers a data-race around sk-\u003esk_forward_alloc:\ntcp_v6_rcv\n tcp_v6_do_rcv\n skb_clone_and_charge_r\n sk_rmem_schedule\n __sk_mem_schedule\n sk_forward_alloc_add()\n skb_set_owner_r\n sk_mem_charge\n sk_forward_alloc_add()\n __kfree_skb\n skb_release_all\n skb_release_head_state\n sock_rfree\n sk_mem_uncharge\n sk_forward_alloc_add()\n sk_mem_reclaim\n // set local var reclaimable\n __sk_mem_reclaim\n sk_forward_alloc_add()\n\nIn this syzkaller testcase, two threads call\ntcp_v6_do_rcv() with skb-\u003etruesize=768, the sk_forward_alloc changes like\nthis:\n (cpu 1) | (cpu 2) | sk_forward_alloc\n ... | ... | 0\n __sk_mem_schedule() | | +4096 = 4096\n | __sk_mem_schedule() | +4096 = 8192\n sk_mem_charge() | | -768 = 7424\n | sk_mem_charge() | -768 = 6656\n ... | ... |\n sk_mem_uncharge() | | +768 = 7424\n reclaimable=7424 | |\n | sk_mem_uncharge() | +768 = 8192\n | reclaimable=8192 |\n __sk_mem_reclaim() | | -4096 = 4096\n | __sk_mem_reclaim() | -8192 = -4096 != 0\n\nThe skb_clone_and_charge_r() should not be called in tcp_v6_do_rcv() when\nsk-\u003esk_state is TCP_LISTEN, it happens later in tcp_v6_syn_recv_sock().\nFix the same issue in dccp_v6_do_rcv().",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2024-53124"
},
{
"cve": "CVE-2024-53170",
"cwe": {
"id": "CWE-416",
"name": "Use After Free"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nblock: fix uaf for flush rq while iterating tags\n\nblk_mq_clear_flush_rq_mapping() is not called during scsi probe, by\nchecking blk_queue_init_done(). However, QUEUE_FLAG_INIT_DONE is cleared\nin del_gendisk by commit aec89dc5d421 (\"block: keep q_usage_counter in\natomic mode after del_gendisk\"), hence for disk like scsi, following\nblk_mq_destroy_queue() will not clear flush rq from tags-\u003erqs[] as well,\ncause following uaf that is found by our syzkaller for v6.6:\n\n==================================================================\nBUG: KASAN: slab-use-after-free in blk_mq_find_and_get_req+0x16e/0x1a0 block/blk-mq-tag.c:261\nRead of size 4 at addr ffff88811c969c20 by task kworker/1:2H/224909\n\nCPU: 1 PID: 224909 Comm: kworker/1:2H Not tainted 6.6.0-ga836a5060850 #32\nWorkqueue: kblockd blk_mq_timeout_work\nCall Trace:\n\n__dump_stack lib/dump_stack.c:88 [inline]\ndump_stack_lvl+0x91/0xf0 lib/dump_stack.c:106\nprint_address_description.constprop.0+0x66/0x300 mm/kasan/report.c:364\nprint_report+0x3e/0x70 mm/kasan/report.c:475\nkasan_report+0xb8/0xf0 mm/kasan/report.c:588\nblk_mq_find_and_get_req+0x16e/0x1a0 block/blk-mq-tag.c:261\nbt_iter block/blk-mq-tag.c:288 [inline]\n__sbitmap_for_each_set include/linux/sbitmap.h:295 [inline]\nsbitmap_for_each_set include/linux/sbitmap.h:316 [inline]\nbt_for_each+0x455/0x790 block/blk-mq-tag.c:325\nblk_mq_queue_tag_busy_iter+0x320/0x740 block/blk-mq-tag.c:534\nblk_mq_timeout_work+0x1a3/0x7b0 block/blk-mq.c:1673\nprocess_one_work+0x7c4/0x1450 kernel/workqueue.c:2631\nprocess_scheduled_works kernel/workqueue.c:2704 [inline]\nworker_thread+0x804/0xe40 kernel/workqueue.c:2785\nkthread+0x346/0x450 kernel/kthread.c:388\nret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147\nret_from_fork_asm+0x1b/0x30 arch/x86/entry/entry_64.S:293\n\nAllocated by task 942:\nkasan_save_stack+0x22/0x50 mm/kasan/common.c:45\nkasan_set_track+0x25/0x30 mm/kasan/common.c:52\n____kasan_kmalloc mm/kasan/common.c:374 [inline]\n__kasan_kmalloc mm/kasan/common.c:383 [inline]\n__kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:380\nkasan_kmalloc include/linux/kasan.h:198 [inline]\n__do_kmalloc_node mm/slab_common.c:1007 [inline]\n__kmalloc_node+0x69/0x170 mm/slab_common.c:1014\nkmalloc_node include/linux/slab.h:620 [inline]\nkzalloc_node include/linux/slab.h:732 [inline]\nblk_alloc_flush_queue+0x144/0x2f0 block/blk-flush.c:499\nblk_mq_alloc_hctx+0x601/0x940 block/blk-mq.c:3788\nblk_mq_alloc_and_init_hctx+0x27f/0x330 block/blk-mq.c:4261\nblk_mq_realloc_hw_ctxs+0x488/0x5e0 block/blk-mq.c:4294\nblk_mq_init_allocated_queue+0x188/0x860 block/blk-mq.c:4350\nblk_mq_init_queue_data block/blk-mq.c:4166 [inline]\nblk_mq_init_queue+0x8d/0x100 block/blk-mq.c:4176\nscsi_alloc_sdev+0x843/0xd50 drivers/scsi/scsi_scan.c:335\nscsi_probe_and_add_lun+0x77c/0xde0 drivers/scsi/scsi_scan.c:1189\n__scsi_scan_target+0x1fc/0x5a0 drivers/scsi/scsi_scan.c:1727\nscsi_scan_channel drivers/scsi/scsi_scan.c:1815 [inline]\nscsi_scan_channel+0x14b/0x1e0 drivers/scsi/scsi_scan.c:1791\nscsi_scan_host_selected+0x2fe/0x400 drivers/scsi/scsi_scan.c:1844\nscsi_scan+0x3a0/0x3f0 drivers/scsi/scsi_sysfs.c:151\nstore_scan+0x2a/0x60 drivers/scsi/scsi_sysfs.c:191\ndev_attr_store+0x5c/0x90 drivers/base/core.c:2388\nsysfs_kf_write+0x11c/0x170 fs/sysfs/file.c:136\nkernfs_fop_write_iter+0x3fc/0x610 fs/kernfs/file.c:338\ncall_write_iter include/linux/fs.h:2083 [inline]\nnew_sync_write+0x1b4/0x2d0 fs/read_write.c:493\nvfs_write+0x76c/0xb00 fs/read_write.c:586\nksys_write+0x127/0x250 fs/read_write.c:639\ndo_syscall_x64 arch/x86/entry/common.c:51 [inline]\ndo_syscall_64+0x70/0x120 arch/x86/entry/common.c:81\nentry_SYSCALL_64_after_hwframe+0x78/0xe2\n\nFreed by task 244687:\nkasan_save_stack+0x22/0x50 mm/kasan/common.c:45\nkasan_set_track+0x25/0x30 mm/kasan/common.c:52\nkasan_save_free_info+0x2b/0x50 mm/kasan/generic.c:522\n____kasan_slab_free mm/kasan/common.c:236 [inline]\n__kasan_slab_free+0x12a/0x1b0 mm/kasan/common.c:244\nkasan_slab_free include/linux/kasan.h:164 [in\n---truncated---",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2024-53170"
},
{
"cve": "CVE-2024-54458",
"cwe": {
"id": "CWE-416",
"name": "Use After Free"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: ufs: bsg: Set bsg_queue to NULL after removal\n\nCurrently, this does not cause any issues, but I believe it is necessary to\nset bsg_queue to NULL after removing it to prevent potential use-after-free\n(UAF) access.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2024-54458"
},
{
"cve": "CVE-2024-56631",
"cwe": {
"id": "CWE-416",
"name": "Use After Free"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: sg: Fix slab-use-after-free read in sg_release()\n\nFix a use-after-free bug in sg_release(), detected by syzbot with KASAN:\n\nBUG: KASAN: slab-use-after-free in lock_release+0x151/0xa30\nkernel/locking/lockdep.c:5838\n__mutex_unlock_slowpath+0xe2/0x750 kernel/locking/mutex.c:912\nsg_release+0x1f4/0x2e0 drivers/scsi/sg.c:407\n\nIn sg_release(), the function kref_put(\u0026sfp-\u003ef_ref, sg_remove_sfp) is\ncalled before releasing the open_rel_lock mutex. The kref_put() call may\ndecrement the reference count of sfp to zero, triggering its cleanup\nthrough sg_remove_sfp(). This cleanup includes scheduling deferred work\nvia sg_remove_sfp_usercontext(), which ultimately frees sfp.\n\nAfter kref_put(), sg_release() continues to unlock open_rel_lock and may\nreference sfp or sdp. If sfp has already been freed, this results in a\nslab-use-after-free error.\n\nMove the kref_put(\u0026sfp-\u003ef_ref, sg_remove_sfp) call after unlocking the\nopen_rel_lock mutex. This ensures:\n\n - No references to sfp or sdp occur after the reference count is\n decremented.\n\n - Cleanup functions such as sg_remove_sfp() and\n sg_remove_sfp_usercontext() can safely execute without impacting the\n mutex handling in sg_release().\n\nThe fix has been tested and validated by syzbot. This patch closes the\nbug reported at the following syzkaller link and ensures proper\nsequencing of resource cleanup and mutex operations, eliminating the\nrisk of use-after-free errors in sg_release().",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2024-56631"
},
{
"cve": "CVE-2024-56703",
"cwe": {
"id": "CWE-835",
"name": "Loop with Unreachable Exit Condition (\u0027Infinite Loop\u0027)"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: Fix soft lockups in fib6_select_path under high next hop churn\n\nSoft lockups have been observed on a cluster of Linux-based edge routers\nlocated in a highly dynamic environment. Using the `bird` service, these\nrouters continuously update BGP-advertised routes due to frequently\nchanging nexthop destinations, while also managing significant IPv6\ntraffic. The lockups occur during the traversal of the multipath\ncircular linked-list in the `fib6_select_path` function, particularly\nwhile iterating through the siblings in the list. The issue typically\narises when the nodes of the linked list are unexpectedly deleted\nconcurrently on a different core\u2014indicated by their \u0027next\u0027 and\n\u0027previous\u0027 elements pointing back to the node itself and their reference\ncount dropping to zero. This results in an infinite loop, leading to a\nsoft lockup that triggers a system panic via the watchdog timer.\n\nApply RCU primitives in the problematic code sections to resolve the\nissue. Where necessary, update the references to fib6_siblings to\nannotate or use the RCU APIs.\n\nInclude a test script that reproduces the issue. The script\nperiodically updates the routing table while generating a heavy load\nof outgoing IPv6 traffic through multiple iperf3 clients. It\nconsistently induces infinite soft lockups within a couple of minutes.\n\nKernel log:\n\n 0 [ffffbd13003e8d30] machine_kexec at ffffffff8ceaf3eb\n 1 [ffffbd13003e8d90] __crash_kexec at ffffffff8d0120e3\n 2 [ffffbd13003e8e58] panic at ffffffff8cef65d4\n 3 [ffffbd13003e8ed8] watchdog_timer_fn at ffffffff8d05cb03\n 4 [ffffbd13003e8f08] __hrtimer_run_queues at ffffffff8cfec62f\n 5 [ffffbd13003e8f70] hrtimer_interrupt at ffffffff8cfed756\n 6 [ffffbd13003e8fd0] __sysvec_apic_timer_interrupt at ffffffff8cea01af\n 7 [ffffbd13003e8ff0] sysvec_apic_timer_interrupt at ffffffff8df1b83d\n-- \u003cIRQ stack\u003e --\n 8 [ffffbd13003d3708] asm_sysvec_apic_timer_interrupt at ffffffff8e000ecb\n [exception RIP: fib6_select_path+299]\n RIP: ffffffff8ddafe7b RSP: ffffbd13003d37b8 RFLAGS: 00000287\n RAX: ffff975850b43600 RBX: ffff975850b40200 RCX: 0000000000000000\n RDX: 000000003fffffff RSI: 0000000051d383e4 RDI: ffff975850b43618\n RBP: ffffbd13003d3800 R8: 0000000000000000 R9: ffff975850b40200\n R10: 0000000000000000 R11: 0000000000000000 R12: ffffbd13003d3830\n R13: ffff975850b436a8 R14: ffff975850b43600 R15: 0000000000000007\n ORIG_RAX: ffffffffffffffff CS: 0010 SS: 0018\n 9 [ffffbd13003d3808] ip6_pol_route at ffffffff8ddb030c\n10 [ffffbd13003d3888] ip6_pol_route_input at ffffffff8ddb068c\n11 [ffffbd13003d3898] fib6_rule_lookup at ffffffff8ddf02b5\n12 [ffffbd13003d3928] ip6_route_input at ffffffff8ddb0f47\n13 [ffffbd13003d3a18] ip6_rcv_finish_core.constprop.0 at ffffffff8dd950d0\n14 [ffffbd13003d3a30] ip6_list_rcv_finish.constprop.0 at ffffffff8dd96274\n15 [ffffbd13003d3a98] ip6_sublist_rcv at ffffffff8dd96474\n16 [ffffbd13003d3af8] ipv6_list_rcv at ffffffff8dd96615\n17 [ffffbd13003d3b60] __netif_receive_skb_list_core at ffffffff8dc16fec\n18 [ffffbd13003d3be0] netif_receive_skb_list_internal at ffffffff8dc176b3\n19 [ffffbd13003d3c50] napi_gro_receive at ffffffff8dc565b9\n20 [ffffbd13003d3c80] ice_receive_skb at ffffffffc087e4f5 [ice]\n21 [ffffbd13003d3c90] ice_clean_rx_irq at ffffffffc0881b80 [ice]\n22 [ffffbd13003d3d20] ice_napi_poll at ffffffffc088232f [ice]\n23 [ffffbd13003d3d80] __napi_poll at ffffffff8dc18000\n24 [ffffbd13003d3db8] net_rx_action at ffffffff8dc18581\n25 [ffffbd13003d3e40] __do_softirq at ffffffff8df352e9\n26 [ffffbd13003d3eb0] run_ksoftirqd at ffffffff8ceffe47\n27 [ffffbd13003d3ec0] smpboot_thread_fn at ffffffff8cf36a30\n28 [ffffbd13003d3ee8] kthread at ffffffff8cf2b39f\n29 [ffffbd13003d3f28] ret_from_fork at ffffffff8ce5fa64\n30 [ffffbd13003d3f50] ret_from_fork_asm at ffffffff8ce03cbb",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2024-56703"
},
{
"cve": "CVE-2024-56719",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: stmmac: fix TSO DMA API usage causing oops\n\nCommit 66600fac7a98 (\"net: stmmac: TSO: Fix unbalanced DMA map/unmap\nfor non-paged SKB data\") moved the assignment of tx_skbuff_dma[]\u0027s\nmembers to be later in stmmac_tso_xmit().\n\nThe buf (dma cookie) and len stored in this structure are passed to\ndma_unmap_single() by stmmac_tx_clean(). The DMA API requires that\nthe dma cookie passed to dma_unmap_single() is the same as the value\nreturned from dma_map_single(). However, by moving the assignment\nlater, this is not the case when priv-\u003edma_cap.addr64 \u003e 32 as \"des\"\nis offset by proto_hdr_len.\n\nThis causes problems such as:\n\n dwc-eth-dwmac 2490000.ethernet eth0: Tx DMA map failed\n\nand with DMA_API_DEBUG enabled:\n\n DMA-API: dwc-eth-dwmac 2490000.ethernet: device driver tries to +free DMA memory it has not allocated [device address=0x000000ffffcf65c0] [size=66 bytes]\n\nFix this by maintaining \"des\" as the original DMA cookie, and use\ntso_des to pass the offset DMA cookie to stmmac_tso_allocator().\n\nFull details of the crashes can be found at:\nhttps://lore.kernel.org/all/d8112193-0386-4e14-b516-37c2d838171a@nvidia.com/\nhttps://lore.kernel.org/all/klkzp5yn5kq5efgtrow6wbvnc46bcqfxs65nz3qy77ujr5turc@bwwhelz2l4dw/",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2024-56719"
},
{
"cve": "CVE-2024-57917",
"cwe": {
"id": "CWE-362",
"name": "Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027)"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\ntopology: Keep the cpumask unchanged when printing cpumap\n\nDuring fuzz testing, the following warning was discovered:\n\n different return values (15 and 11) from vsnprintf(\"%*pbl\n \", ...)\n\n test:keyward is WARNING in kvasprintf\n WARNING: CPU: 55 PID: 1168477 at lib/kasprintf.c:30 kvasprintf+0x121/0x130\n Call Trace:\n kvasprintf+0x121/0x130\n kasprintf+0xa6/0xe0\n bitmap_print_to_buf+0x89/0x100\n core_siblings_list_read+0x7e/0xb0\n kernfs_file_read_iter+0x15b/0x270\n new_sync_read+0x153/0x260\n vfs_read+0x215/0x290\n ksys_read+0xb9/0x160\n do_syscall_64+0x56/0x100\n entry_SYSCALL_64_after_hwframe+0x78/0xe2\n\nThe call trace shows that kvasprintf() reported this warning during the\nprinting of core_siblings_list. kvasprintf() has several steps:\n\n (1) First, calculate the length of the resulting formatted string.\n\n (2) Allocate a buffer based on the returned length.\n\n (3) Then, perform the actual string formatting.\n\n (4) Check whether the lengths of the formatted strings returned in\n steps (1) and (2) are consistent.\n\nIf the core_cpumask is modified between steps (1) and (3), the lengths\nobtained in these two steps may not match. Indeed our test includes cpu\nhotplugging, which should modify core_cpumask while printing.\n\nTo fix this issue, cache the cpumask into a temporary variable before\ncalling cpumap_print_{list, cpumask}_to_buf(), to keep it unchanged\nduring the printing process.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.7,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2024-57917"
},
{
"cve": "CVE-2024-57924",
"cwe": {
"id": "CWE-617",
"name": "Reachable Assertion"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs: relax assertions on failure to encode file handles\n\nEncoding file handles is usually performed by a filesystem \u003eencode_fh()\nmethod that may fail for various reasons.\n\nThe legacy users of exportfs_encode_fh(), namely, nfsd and\nname_to_handle_at(2) syscall are ready to cope with the possibility\nof failure to encode a file handle.\n\nThere are a few other users of exportfs_encode_{fh,fid}() that\ncurrently have a WARN_ON() assertion when -\u003eencode_fh() fails.\nRelax those assertions because they are wrong.\n\nThe second linked bug report states commit 16aac5ad1fa9 (\"ovl: support\nencoding non-decodable file handles\") in v6.6 as the regressing commit,\nbut this is not accurate.\n\nThe aforementioned commit only increases the chances of the assertion\nand allows triggering the assertion with the reproducer using overlayfs,\ninotify and drop_caches.\n\nTriggering this assertion was always possible with other filesystems and\nother reasons of -\u003eencode_fh() failures and more particularly, it was\nalso possible with the exact same reproducer using overlayfs that is\nmounted with options index=on,nfs_export=on also on kernels \u003c v6.6.\nTherefore, I am not listing the aforementioned commit as a Fixes commit.\n\nBackport hint: this patch will have a trivial conflict applying to\nv6.6.y, and other trivial conflicts applying to stable kernels \u003c v6.6.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2024-57924"
},
{
"cve": "CVE-2024-57973",
"cwe": {
"id": "CWE-190",
"name": "Integer Overflow or Wraparound"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nrdma/cxgb4: Prevent potential integer overflow on 32bit\n\nThe \"gl-\u003etot_len\" variable is controlled by the user. It comes from\nprocess_responses(). On 32bit systems, the \"gl-\u003etot_len + sizeof(struct\ncpl_pass_accept_req) + sizeof(struct rss_header)\" addition could have an\ninteger wrapping bug. Use size_add() to prevent this.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 4.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2024-57973"
},
{
"cve": "CVE-2024-57977",
"cwe": {
"id": "CWE-667",
"name": "Improper Locking"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nmemcg: fix soft lockup in the OOM process\n\nA soft lockup issue was found in the product with about 56,000 tasks were\nin the OOM cgroup, it was traversing them when the soft lockup was\ntriggered.\n\nwatchdog: BUG: soft lockup - CPU#2 stuck for 23s! [VM Thread:1503066]\nCPU: 2 PID: 1503066 Comm: VM Thread Kdump: loaded Tainted: G\nHardware name: Huawei Cloud OpenStack Nova, BIOS\nRIP: 0010:console_unlock+0x343/0x540\nRSP: 0000:ffffb751447db9a0 EFLAGS: 00000247 ORIG_RAX: ffffffffffffff13\nRAX: 0000000000000001 RBX: 0000000000000000 RCX: 00000000ffffffff\nRDX: 0000000000000000 RSI: 0000000000000004 RDI: 0000000000000247\nRBP: ffffffffafc71f90 R08: 0000000000000000 R09: 0000000000000040\nR10: 0000000000000080 R11: 0000000000000000 R12: ffffffffafc74bd0\nR13: ffffffffaf60a220 R14: 0000000000000247 R15: 0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f2fe6ad91f0 CR3: 00000004b2076003 CR4: 0000000000360ee0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n vprintk_emit+0x193/0x280\n printk+0x52/0x6e\n dump_task+0x114/0x130\n mem_cgroup_scan_tasks+0x76/0x100\n dump_header+0x1fe/0x210\n oom_kill_process+0xd1/0x100\n out_of_memory+0x125/0x570\n mem_cgroup_out_of_memory+0xb5/0xd0\n try_charge+0x720/0x770\n mem_cgroup_try_charge+0x86/0x180\n mem_cgroup_try_charge_delay+0x1c/0x40\n do_anonymous_page+0xb5/0x390\n handle_mm_fault+0xc4/0x1f0\n\nThis is because thousands of processes are in the OOM cgroup, it takes a\nlong time to traverse all of them. As a result, this lead to soft lockup\nin the OOM process.\n\nTo fix this issue, call \u0027cond_resched\u0027 in the \u0027mem_cgroup_scan_tasks\u0027\nfunction per 1000 iterations. For global OOM, call\n\u0027touch_softlockup_watchdog\u0027 per 1000 iterations to avoid this issue.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2024-57977"
},
{
"cve": "CVE-2024-57979",
"cwe": {
"id": "CWE-416",
"name": "Use After Free"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\npps: Fix a use-after-free\n\nOn a board running ntpd and gpsd, I\u0027m seeing a consistent use-after-free\nin sys_exit() from gpsd when rebooting:\n\n pps pps1: removed\n ------------[ cut here ]------------\n kobject: \u0027(null)\u0027 (00000000db4bec24): is not initialized, yet kobject_put() is being called.\n WARNING: CPU: 2 PID: 440 at lib/kobject.c:734 kobject_put+0x120/0x150\n CPU: 2 UID: 299 PID: 440 Comm: gpsd Not tainted 6.11.0-rc6-00308-gb31c44928842 #1\n Hardware name: Raspberry Pi 4 Model B Rev 1.1 (DT)\n pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n pc : kobject_put+0x120/0x150\n lr : kobject_put+0x120/0x150\n sp : ffffffc0803d3ae0\n x29: ffffffc0803d3ae0 x28: ffffff8042dc9738 x27: 0000000000000001\n x26: 0000000000000000 x25: ffffff8042dc9040 x24: ffffff8042dc9440\n x23: ffffff80402a4620 x22: ffffff8042ef4bd0 x21: ffffff80405cb600\n x20: 000000000008001b x19: ffffff8040b3b6e0 x18: 0000000000000000\n x17: 0000000000000000 x16: 0000000000000000 x15: 696e6920746f6e20\n x14: 7369203a29343263 x13: 205d303434542020 x12: 0000000000000000\n x11: 0000000000000000 x10: 0000000000000000 x9 : 0000000000000000\n x8 : 0000000000000000 x7 : 0000000000000000 x6 : 0000000000000000\n x5 : 0000000000000000 x4 : 0000000000000000 x3 : 0000000000000000\n x2 : 0000000000000000 x1 : 0000000000000000 x0 : 0000000000000000\n Call trace:\n kobject_put+0x120/0x150\n cdev_put+0x20/0x3c\n __fput+0x2c4/0x2d8\n ____fput+0x1c/0x38\n task_work_run+0x70/0xfc\n do_exit+0x2a0/0x924\n do_group_exit+0x34/0x90\n get_signal+0x7fc/0x8c0\n do_signal+0x128/0x13b4\n do_notify_resume+0xdc/0x160\n el0_svc+0xd4/0xf8\n el0t_64_sync_handler+0x140/0x14c\n el0t_64_sync+0x190/0x194\n ---[ end trace 0000000000000000 ]---\n\n...followed by more symptoms of corruption, with similar stacks:\n\n refcount_t: underflow; use-after-free.\n kernel BUG at lib/list_debug.c:62!\n Kernel panic - not syncing: Oops - BUG: Fatal exception\n\nThis happens because pps_device_destruct() frees the pps_device with the\nembedded cdev immediately after calling cdev_del(), but, as the comment\nabove cdev_del() notes, fops for previously opened cdevs are still\ncallable even after cdev_del() returns. I think this bug has always\nbeen there: I can\u0027t explain why it suddenly started happening every time\nI reboot this particular board.\n\nIn commit d953e0e837e6 (\"pps: Fix a use-after free bug when\nunregistering a source.\"), George Spelvin suggested removing the\nembedded cdev. That seems like the simplest way to fix this, so I\u0027ve\nimplemented his suggestion, using __register_chrdev() with pps_idr\nbecoming the source of truth for which minor corresponds to which\ndevice.\n\nBut now that pps_idr defines userspace visibility instead of cdev_add(),\nwe need to be sure the pps-\u003edev refcount can\u0027t reach zero while\nuserspace can still find it again. So, the idr_remove() call moves to\npps_unregister_cdev(), and pps_idr now holds a reference to pps-\u003edev.\n\n pps_core: source serial1 got cdev (251:1)\n \u003c...\u003e\n pps pps1: removed\n pps_core: unregistering pps1\n pps_core: deallocating pps1",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2024-57979"
},
{
"cve": "CVE-2024-58011",
"cwe": {
"id": "CWE-476",
"name": "NULL Pointer Dereference"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nplatform/x86: int3472: Check for adev == NULL\n\nNot all devices have an ACPI companion fwnode, so adev might be NULL. This\ncan e.g. (theoretically) happen when a user manually binds one of\nthe int3472 drivers to another i2c/platform device through sysfs.\n\nAdd a check for adev not being set and return -ENODEV in that case to\navoid a possible NULL pointer deref in skl_int3472_get_acpi_buffer().",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2024-58011"
},
{
"cve": "CVE-2024-58016",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nsafesetid: check size of policy writes\n\nsyzbot attempts to write a buffer with a large size to a sysfs entry\nwith writes handled by handle_policy_update(), triggering a warning\nin kmalloc.\n\nCheck the size specified for write buffers before allocating.\n\n[PM: subject tweak]",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2024-58016"
},
{
"cve": "CVE-2024-58020",
"cwe": {
"id": "CWE-476",
"name": "NULL Pointer Dereference"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: multitouch: Add NULL check in mt_input_configured\n\ndevm_kasprintf() can return a NULL pointer on failure,but this\nreturned value in mt_input_configured() is not checked.\nAdd NULL check in mt_input_configured(), to handle kernel NULL\npointer dereference error.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2024-58020"
},
{
"cve": "CVE-2024-58056",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nremoteproc: core: Fix ida_free call while not allocated\n\nIn the rproc_alloc() function, on error, put_device(\u0026rproc-\u003edev) is\ncalled, leading to the call of the rproc_type_release() function.\nAn error can occurs before ida_alloc is called.\n\nIn such case in rproc_type_release(), the condition (rproc-\u003eindex \u003e= 0) is\ntrue as rproc-\u003eindex has been initialized to 0.\nida_free() is called reporting a warning:\n[ 4.181906] WARNING: CPU: 1 PID: 24 at lib/idr.c:525 ida_free+0x100/0x164\n[ 4.186378] stm32-display-dsi 5a000000.dsi: Fixed dependency cycle(s) with /soc/dsi@5a000000/panel@0\n[ 4.188854] ida_free called for id=0 which is not allocated.\n[ 4.198256] mipi-dsi 5a000000.dsi.0: Fixed dependency cycle(s) with /soc/dsi@5a000000\n[ 4.203556] Modules linked in: panel_orisetech_otm8009a dw_mipi_dsi_stm(+) gpu_sched dw_mipi_dsi stm32_rproc stm32_crc32 stm32_ipcc(+) optee(+)\n[ 4.224307] CPU: 1 UID: 0 PID: 24 Comm: kworker/u10:0 Not tainted 6.12.0 #442\n[ 4.231481] Hardware name: STM32 (Device Tree Support)\n[ 4.236627] Workqueue: events_unbound deferred_probe_work_func\n[ 4.242504] Call trace:\n[ 4.242522] unwind_backtrace from show_stack+0x10/0x14\n[ 4.250218] show_stack from dump_stack_lvl+0x50/0x64\n[ 4.255274] dump_stack_lvl from __warn+0x80/0x12c\n[ 4.260134] __warn from warn_slowpath_fmt+0x114/0x188\n[ 4.265199] warn_slowpath_fmt from ida_free+0x100/0x164\n[ 4.270565] ida_free from rproc_type_release+0x38/0x60\n[ 4.275832] rproc_type_release from device_release+0x30/0xa0\n[ 4.281601] device_release from kobject_put+0xc4/0x294\n[ 4.286762] kobject_put from rproc_alloc.part.0+0x208/0x28c\n[ 4.292430] rproc_alloc.part.0 from devm_rproc_alloc+0x80/0xc4\n[ 4.298393] devm_rproc_alloc from stm32_rproc_probe+0xd0/0x844 [stm32_rproc]\n[ 4.305575] stm32_rproc_probe [stm32_rproc] from platform_probe+0x5c/0xbc\n\nCalling ida_alloc earlier in rproc_alloc ensures that the rproc-\u003eindex is\nproperly set.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2024-58056"
},
{
"cve": "CVE-2024-58058",
"cwe": {
"id": "CWE-476",
"name": "NULL Pointer Dereference"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nubifs: skip dumping tnc tree when zroot is null\n\nClearing slab cache will free all znode in memory and make\nc-\u003ezroot.znode = NULL, then dumping tnc tree will access\nc-\u003ezroot.znode which cause null pointer dereference.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2024-58058"
},
{
"cve": "CVE-2024-58061",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mac80211: prohibit deactivating all links\n\nIn the internal API this calls this is a WARN_ON, but that\nshould remain since internally we want to know about bugs\nthat may cause this. Prevent deactivating all links in the\ndebugfs write directly.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2024-58061"
},
{
"cve": "CVE-2024-58086",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/v3d: Stop active perfmon if it is being destroyed\n\nIf the active performance monitor (`v3d-\u003eactive_perfmon`) is being\ndestroyed, stop it first. Currently, the active perfmon is not\nstopped during destruction, leaving the `v3d-\u003eactive_perfmon` pointer\nstale. This can lead to undefined behavior and instability.\n\nThis patch ensures that the active perfmon is stopped before being\ndestroyed, aligning with the behavior introduced in commit\n7d1fd3638ee3 (\"drm/v3d: Stop the active perfmon before being destroyed\").",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 4.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2024-58086"
},
{
"cve": "CVE-2025-21645",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nplatform/x86/amd/pmc: Only disable IRQ1 wakeup where i8042 actually enabled it\n\nWakeup for IRQ1 should be disabled only in cases where i8042 had\nactually enabled it, otherwise \"wake_depth\" for this IRQ will try to\ndrop below zero and there will be an unpleasant WARN() logged:\n\nkernel: atkbd serio0: Disabling IRQ1 wakeup source to avoid platform firmware bug\nkernel: ------------[ cut here ]------------\nkernel: Unbalanced IRQ 1 wake disable\nkernel: WARNING: CPU: 10 PID: 6431 at kernel/irq/manage.c:920 irq_set_irq_wake+0x147/0x1a0\n\nThe PMC driver uses DEFINE_SIMPLE_DEV_PM_OPS() to define its dev_pm_ops\nwhich sets amd_pmc_suspend_handler() to the .suspend, .freeze, and\n.poweroff handlers. i8042_pm_suspend(), however, is only set as\nthe .suspend handler.\n\nFix the issue by call PMC suspend handler only from the same set of\ndev_pm_ops handlers as i8042_pm_suspend(), which currently means just\nthe .suspend handler.\n\nTo reproduce this issue try hibernating (S4) the machine after a fresh boot\nwithout putting it into s2idle first.\n\n[ij: edited the commit message.]",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2025-21645"
},
{
"cve": "CVE-2025-21648",
"cwe": {
"id": "CWE-789",
"name": "Memory Allocation with Excessive Size Value"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: conntrack: clamp maximum hashtable size to INT_MAX\n\nUse INT_MAX as maximum size for the conntrack hashtable. Otherwise, it\nis possible to hit WARN_ON_ONCE in __kvmalloc_node_noprof() when\nresizing hashtable because __GFP_NOWARN is unset. See:\n\n 0708a0afe291 (\"mm: Consider __GFP_NOWARN flag for oversized kvmalloc() calls\")\n\nNote: hashtable resize is only possible from init_netns.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2025-21648"
},
{
"cve": "CVE-2025-21655",
"cwe": {
"id": "CWE-362",
"name": "Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027)"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring/eventfd: ensure io_eventfd_signal() defers another RCU period\n\nio_eventfd_do_signal() is invoked from an RCU callback, but when\ndropping the reference to the io_ev_fd, it calls io_eventfd_free()\ndirectly if the refcount drops to zero. This isn\u0027t correct, as any\npotential freeing of the io_ev_fd should be deferred another RCU grace\nperiod.\n\nJust call io_eventfd_put() rather than open-code the dec-and-test and\nfree, which will correctly defer it another RCU grace period.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2025-21655"
},
{
"cve": "CVE-2025-21676",
"cwe": {
"id": "CWE-476",
"name": "NULL Pointer Dereference"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: fec: handle page_pool_dev_alloc_pages error\n\nThe fec_enet_update_cbd function calls page_pool_dev_alloc_pages but did\nnot handle the case when it returned NULL. There was a WARN_ON(!new_page)\nbut it would still proceed to use the NULL pointer and then crash.\n\nThis case does seem somewhat rare but when the system is under memory\npressure it can happen. One case where I can duplicate this with some\nfrequency is when writing over a smbd share to a SATA HDD attached to an\nimx6q.\n\nSetting /proc/sys/vm/min_free_kbytes to higher values also seems to solve\nthe problem for my test case. But it still seems wrong that the fec driver\nignores the memory allocation error and can crash.\n\nThis commit handles the allocation error by dropping the current packet.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2025-21676"
},
{
"cve": "CVE-2025-21682",
"cwe": {
"id": "CWE-476",
"name": "NULL Pointer Dereference"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\neth: bnxt: always recalculate features after XDP clearing, fix null-deref\n\nRecalculate features when XDP is detached.\n\nBefore:\n # ip li set dev eth0 xdp obj xdp_dummy.bpf.o sec xdp\n # ip li set dev eth0 xdp off\n # ethtool -k eth0 | grep gro\n rx-gro-hw: off [requested on]\n\nAfter:\n # ip li set dev eth0 xdp obj xdp_dummy.bpf.o sec xdp\n # ip li set dev eth0 xdp off\n # ethtool -k eth0 | grep gro\n rx-gro-hw: on\n\nThe fact that HW-GRO doesn\u0027t get re-enabled automatically is just\na minor annoyance. The real issue is that the features will randomly\ncome back during another reconfiguration which just happens to invoke\nnetdev_update_features(). The driver doesn\u0027t handle reconfiguring\ntwo things at a time very robustly.\n\nStarting with commit 98ba1d931f61 (\"bnxt_en: Fix RSS logic in\n__bnxt_reserve_rings()\") we only reconfigure the RSS hash table\nif the \"effective\" number of Rx rings has changed. If HW-GRO is\nenabled \"effective\" number of rings is 2x what user sees.\nSo if we are in the bad state, with HW-GRO re-enablement \"pending\"\nafter XDP off, and we lower the rings by / 2 - the HW-GRO rings\ndoing 2x and the ethtool -L doing / 2 may cancel each other out,\nand the:\n\n if (old_rx_rings != bp-\u003ehw_resc.resv_rx_rings \u0026\u0026\n\ncondition in __bnxt_reserve_rings() will be false.\nThe RSS map won\u0027t get updated, and we\u0027ll crash with:\n\n BUG: kernel NULL pointer dereference, address: 0000000000000168\n RIP: 0010:__bnxt_hwrm_vnic_set_rss+0x13a/0x1a0\n bnxt_hwrm_vnic_rss_cfg_p5+0x47/0x180\n __bnxt_setup_vnic_p5+0x58/0x110\n bnxt_init_nic+0xb72/0xf50\n __bnxt_open_nic+0x40d/0xab0\n bnxt_open_nic+0x2b/0x60\n ethtool_set_channels+0x18c/0x1d0\n\nAs we try to access a freed ring.\n\nThe issue is present since XDP support was added, really, but\nprior to commit 98ba1d931f61 (\"bnxt_en: Fix RSS logic in\n__bnxt_reserve_rings()\") it wasn\u0027t causing major issues.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2025-21682"
},
{
"cve": "CVE-2025-21702",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\npfifo_tail_enqueue: Drop new packet when sch-\u003elimit == 0\n\nExpected behaviour:\nIn case we reach scheduler\u0027s limit, pfifo_tail_enqueue() will drop a\npacket in scheduler\u0027s queue and decrease scheduler\u0027s qlen by one.\nThen, pfifo_tail_enqueue() enqueue new packet and increase\nscheduler\u0027s qlen by one. Finally, pfifo_tail_enqueue() return\n`NET_XMIT_CN` status code.\n\nWeird behaviour:\nIn case we set `sch-\u003elimit == 0` and trigger pfifo_tail_enqueue() on a\nscheduler that has no packet, the \u0027drop a packet\u0027 step will do nothing.\nThis means the scheduler\u0027s qlen still has value equal 0.\nThen, we continue to enqueue new packet and increase scheduler\u0027s qlen by\none. In summary, we can leverage pfifo_tail_enqueue() to increase qlen by\none and return `NET_XMIT_CN` status code.\n\nThe problem is:\nLet\u0027s say we have two qdiscs: Qdisc_A and Qdisc_B.\n - Qdisc_A\u0027s type must have \u0027-\u003egraft()\u0027 function to create parent/child relationship.\n Let\u0027s say Qdisc_A\u0027s type is `hfsc`. Enqueue packet to this qdisc will trigger `hfsc_enqueue`.\n - Qdisc_B\u0027s type is pfifo_head_drop. Enqueue packet to this qdisc will trigger `pfifo_tail_enqueue`.\n - Qdisc_B is configured to have `sch-\u003elimit == 0`.\n - Qdisc_A is configured to route the enqueued\u0027s packet to Qdisc_B.\n\nEnqueue packet through Qdisc_A will lead to:\n - hfsc_enqueue(Qdisc_A) -\u003e pfifo_tail_enqueue(Qdisc_B)\n - Qdisc_B-\u003eq.qlen += 1\n - pfifo_tail_enqueue() return `NET_XMIT_CN`\n - hfsc_enqueue() check for `NET_XMIT_SUCCESS` and see `NET_XMIT_CN` =\u003e hfsc_enqueue() don\u0027t increase qlen of Qdisc_A.\n\nThe whole process lead to a situation where Qdisc_A-\u003eq.qlen == 0 and Qdisc_B-\u003eq.qlen == 1.\nReplace \u0027hfsc\u0027 with other type (for example: \u0027drr\u0027) still lead to the same problem.\nThis violate the design where parent\u0027s qlen should equal to the sum of its childrens\u0027qlen.\n\nBug impact: This issue can be used for user-\u003ekernel privilege escalation when it is reachable.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2025-21702"
},
{
"cve": "CVE-2025-21705",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: handle fastopen disconnect correctly\n\nSyzbot was able to trigger a data stream corruption:\n\n WARNING: CPU: 0 PID: 9846 at net/mptcp/protocol.c:1024 __mptcp_clean_una+0xddb/0xff0 net/mptcp/protocol.c:1024\n Modules linked in:\n CPU: 0 UID: 0 PID: 9846 Comm: syz-executor351 Not tainted 6.13.0-rc2-syzkaller-00059-g00a5acdbf398 #0\n Hardware name: Google Compute Engine/Google Compute Engine, BIOS Google 11/25/2024\n RIP: 0010:__mptcp_clean_una+0xddb/0xff0 net/mptcp/protocol.c:1024\n Code: fa ff ff 48 8b 4c 24 18 80 e1 07 fe c1 38 c1 0f 8c 8e fa ff ff 48 8b 7c 24 18 e8 e0 db 54 f6 e9 7f fa ff ff e8 e6 80 ee f5 90 \u003c0f\u003e 0b 90 4c 8b 6c 24 40 4d 89 f4 e9 04 f5 ff ff 44 89 f1 80 e1 07\n RSP: 0018:ffffc9000c0cf400 EFLAGS: 00010293\n RAX: ffffffff8bb0dd5a RBX: ffff888033f5d230 RCX: ffff888059ce8000\n RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000\n RBP: ffffc9000c0cf518 R08: ffffffff8bb0d1dd R09: 1ffff110170c8928\n R10: dffffc0000000000 R11: ffffed10170c8929 R12: 0000000000000000\n R13: ffff888033f5d220 R14: dffffc0000000000 R15: ffff8880592b8000\n FS: 00007f6e866496c0(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 00007f6e86f491a0 CR3: 00000000310e6000 CR4: 00000000003526f0\n DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n Call Trace:\n \u003cTASK\u003e\n __mptcp_clean_una_wakeup+0x7f/0x2d0 net/mptcp/protocol.c:1074\n mptcp_release_cb+0x7cb/0xb30 net/mptcp/protocol.c:3493\n release_sock+0x1aa/0x1f0 net/core/sock.c:3640\n inet_wait_for_connect net/ipv4/af_inet.c:609 [inline]\n __inet_stream_connect+0x8bd/0xf30 net/ipv4/af_inet.c:703\n mptcp_sendmsg_fastopen+0x2a2/0x530 net/mptcp/protocol.c:1755\n mptcp_sendmsg+0x1884/0x1b10 net/mptcp/protocol.c:1830\n sock_sendmsg_nosec net/socket.c:711 [inline]\n __sock_sendmsg+0x1a6/0x270 net/socket.c:726\n ____sys_sendmsg+0x52a/0x7e0 net/socket.c:2583\n ___sys_sendmsg net/socket.c:2637 [inline]\n __sys_sendmsg+0x269/0x350 net/socket.c:2669\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n RIP: 0033:0x7f6e86ebfe69\n Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 b1 1f 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 \u003c48\u003e 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48\n RSP: 002b:00007f6e86649168 EFLAGS: 00000246 ORIG_RAX: 000000000000002e\n RAX: ffffffffffffffda RBX: 00007f6e86f491b8 RCX: 00007f6e86ebfe69\n RDX: 0000000030004001 RSI: 0000000020000080 RDI: 0000000000000003\n RBP: 00007f6e86f491b0 R08: 00007f6e866496c0 R09: 0000000000000000\n R10: 0000000000000000 R11: 0000000000000246 R12: 00007f6e86f491bc\n R13: 000000000000006e R14: 00007ffe445d9420 R15: 00007ffe445d9508\n \u003c/TASK\u003e\n\nThe root cause is the bad handling of disconnect() generated internally\nby the MPTCP protocol in case of connect FASTOPEN errors.\n\nAddress the issue increasing the socket disconnect counter even on such\na case, to allow other threads waiting on the same socket lock to\nproperly error out.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2025-21705"
},
{
"cve": "CVE-2025-21706",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: pm: only set fullmesh for subflow endp\n\nWith the in-kernel path-manager, it is possible to change the \u0027fullmesh\u0027\nflag. The code in mptcp_pm_nl_fullmesh() expects to change it only on\n\u0027subflow\u0027 endpoints, to recreate more or less subflows using the linked\naddress.\n\nUnfortunately, the set_flags() hook was a bit more permissive, and\nallowed \u0027implicit\u0027 endpoints to get the \u0027fullmesh\u0027 flag while it is not\nallowed before.\n\nThat\u0027s what syzbot found, triggering the following warning:\n\n WARNING: CPU: 0 PID: 6499 at net/mptcp/pm_netlink.c:1496 __mark_subflow_endp_available net/mptcp/pm_netlink.c:1496 [inline]\n WARNING: CPU: 0 PID: 6499 at net/mptcp/pm_netlink.c:1496 mptcp_pm_nl_fullmesh net/mptcp/pm_netlink.c:1980 [inline]\n WARNING: CPU: 0 PID: 6499 at net/mptcp/pm_netlink.c:1496 mptcp_nl_set_flags net/mptcp/pm_netlink.c:2003 [inline]\n WARNING: CPU: 0 PID: 6499 at net/mptcp/pm_netlink.c:1496 mptcp_pm_nl_set_flags+0x974/0xdc0 net/mptcp/pm_netlink.c:2064\n Modules linked in:\n CPU: 0 UID: 0 PID: 6499 Comm: syz.1.413 Not tainted 6.13.0-rc5-syzkaller-00172-gd1bf27c4e176 #0\n Hardware name: Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024\n RIP: 0010:__mark_subflow_endp_available net/mptcp/pm_netlink.c:1496 [inline]\n RIP: 0010:mptcp_pm_nl_fullmesh net/mptcp/pm_netlink.c:1980 [inline]\n RIP: 0010:mptcp_nl_set_flags net/mptcp/pm_netlink.c:2003 [inline]\n RIP: 0010:mptcp_pm_nl_set_flags+0x974/0xdc0 net/mptcp/pm_netlink.c:2064\n Code: 01 00 00 49 89 c5 e8 fb 45 e8 f5 e9 b8 fc ff ff e8 f1 45 e8 f5 4c 89 f7 be 03 00 00 00 e8 44 1d 0b f9 eb a0 e8 dd 45 e8 f5 90 \u003c0f\u003e 0b 90 e9 17 ff ff ff 89 d9 80 e1 07 38 c1 0f 8c c9 fc ff ff 48\n RSP: 0018:ffffc9000d307240 EFLAGS: 00010293\n RAX: ffffffff8bb72e03 RBX: 0000000000000000 RCX: ffff88807da88000\n RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000\n RBP: ffffc9000d307430 R08: ffffffff8bb72cf0 R09: 1ffff1100b842a5e\n R10: dffffc0000000000 R11: ffffed100b842a5f R12: ffff88801e2e5ac0\n R13: ffff88805c214800 R14: ffff88805c2152e8 R15: 1ffff1100b842a5d\n FS: 00005555619f6500(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 0000000020002840 CR3: 00000000247e6000 CR4: 00000000003526f0\n DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n Call Trace:\n \u003cTASK\u003e\n genl_family_rcv_msg_doit net/netlink/genetlink.c:1115 [inline]\n genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline]\n genl_rcv_msg+0xb14/0xec0 net/netlink/genetlink.c:1210\n netlink_rcv_skb+0x1e3/0x430 net/netlink/af_netlink.c:2542\n genl_rcv+0x28/0x40 net/netlink/genetlink.c:1219\n netlink_unicast_kernel net/netlink/af_netlink.c:1321 [inline]\n netlink_unicast+0x7f6/0x990 net/netlink/af_netlink.c:1347\n netlink_sendmsg+0x8e4/0xcb0 net/netlink/af_netlink.c:1891\n sock_sendmsg_nosec net/socket.c:711 [inline]\n __sock_sendmsg+0x221/0x270 net/socket.c:726\n ____sys_sendmsg+0x52a/0x7e0 net/socket.c:2583\n ___sys_sendmsg net/socket.c:2637 [inline]\n __sys_sendmsg+0x269/0x350 net/socket.c:2669\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n RIP: 0033:0x7f5fe8785d29\n Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 \u003c48\u003e 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48\n RSP: 002b:00007fff571f5558 EFLAGS: 00000246 ORIG_RAX: 000000000000002e\n RAX: ffffffffffffffda RBX: 00007f5fe8975fa0 RCX: 00007f5fe8785d29\n RDX: 0000000000000000 RSI: 0000000020000480 RDI: 0000000000000007\n RBP: 00007f5fe8801b08 R08: 0000000000000000 R09: 0000000000000000\n R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\n R13: 00007f5fe8975fa0 R14: 00007f5fe8975fa0 R15: 000000\n---truncated---",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2025-21706"
},
{
"cve": "CVE-2025-21707",
"cwe": {
"id": "CWE-908",
"name": "Use of Uninitialized Resource"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: consolidate suboption status\n\nMPTCP maintains the received sub-options status is the bitmask carrying\nthe received suboptions and in several bitfields carrying per suboption\nadditional info.\n\nZeroing the bitmask before parsing is not enough to ensure a consistent\nstatus, and the MPTCP code has to additionally clear some bitfiled\ndepending on the actually parsed suboption.\n\nThe above schema is fragile, and syzbot managed to trigger a path where\na relevant bitfield is not cleared/initialized:\n\n BUG: KMSAN: uninit-value in __mptcp_expand_seq net/mptcp/options.c:1030 [inline]\n BUG: KMSAN: uninit-value in mptcp_expand_seq net/mptcp/protocol.h:864 [inline]\n BUG: KMSAN: uninit-value in ack_update_msk net/mptcp/options.c:1060 [inline]\n BUG: KMSAN: uninit-value in mptcp_incoming_options+0x2036/0x3d30 net/mptcp/options.c:1209\n __mptcp_expand_seq net/mptcp/options.c:1030 [inline]\n mptcp_expand_seq net/mptcp/protocol.h:864 [inline]\n ack_update_msk net/mptcp/options.c:1060 [inline]\n mptcp_incoming_options+0x2036/0x3d30 net/mptcp/options.c:1209\n tcp_data_queue+0xb4/0x7be0 net/ipv4/tcp_input.c:5233\n tcp_rcv_established+0x1061/0x2510 net/ipv4/tcp_input.c:6264\n tcp_v4_do_rcv+0x7f3/0x11a0 net/ipv4/tcp_ipv4.c:1916\n tcp_v4_rcv+0x51df/0x5750 net/ipv4/tcp_ipv4.c:2351\n ip_protocol_deliver_rcu+0x2a3/0x13d0 net/ipv4/ip_input.c:205\n ip_local_deliver_finish+0x336/0x500 net/ipv4/ip_input.c:233\n NF_HOOK include/linux/netfilter.h:314 [inline]\n ip_local_deliver+0x21f/0x490 net/ipv4/ip_input.c:254\n dst_input include/net/dst.h:460 [inline]\n ip_rcv_finish+0x4a2/0x520 net/ipv4/ip_input.c:447\n NF_HOOK include/linux/netfilter.h:314 [inline]\n ip_rcv+0xcd/0x380 net/ipv4/ip_input.c:567\n __netif_receive_skb_one_core net/core/dev.c:5704 [inline]\n __netif_receive_skb+0x319/0xa00 net/core/dev.c:5817\n process_backlog+0x4ad/0xa50 net/core/dev.c:6149\n __napi_poll+0xe7/0x980 net/core/dev.c:6902\n napi_poll net/core/dev.c:6971 [inline]\n net_rx_action+0xa5a/0x19b0 net/core/dev.c:7093\n handle_softirqs+0x1a0/0x7c0 kernel/softirq.c:561\n __do_softirq+0x14/0x1a kernel/softirq.c:595\n do_softirq+0x9a/0x100 kernel/softirq.c:462\n __local_bh_enable_ip+0x9f/0xb0 kernel/softirq.c:389\n local_bh_enable include/linux/bottom_half.h:33 [inline]\n rcu_read_unlock_bh include/linux/rcupdate.h:919 [inline]\n __dev_queue_xmit+0x2758/0x57d0 net/core/dev.c:4493\n dev_queue_xmit include/linux/netdevice.h:3168 [inline]\n neigh_hh_output include/net/neighbour.h:523 [inline]\n neigh_output include/net/neighbour.h:537 [inline]\n ip_finish_output2+0x187c/0x1b70 net/ipv4/ip_output.c:236\n __ip_finish_output+0x287/0x810\n ip_finish_output+0x4b/0x600 net/ipv4/ip_output.c:324\n NF_HOOK_COND include/linux/netfilter.h:303 [inline]\n ip_output+0x15f/0x3f0 net/ipv4/ip_output.c:434\n dst_output include/net/dst.h:450 [inline]\n ip_local_out net/ipv4/ip_output.c:130 [inline]\n __ip_queue_xmit+0x1f2a/0x20d0 net/ipv4/ip_output.c:536\n ip_queue_xmit+0x60/0x80 net/ipv4/ip_output.c:550\n __tcp_transmit_skb+0x3cea/0x4900 net/ipv4/tcp_output.c:1468\n tcp_transmit_skb net/ipv4/tcp_output.c:1486 [inline]\n tcp_write_xmit+0x3b90/0x9070 net/ipv4/tcp_output.c:2829\n __tcp_push_pending_frames+0xc4/0x380 net/ipv4/tcp_output.c:3012\n tcp_send_fin+0x9f6/0xf50 net/ipv4/tcp_output.c:3618\n __tcp_close+0x140c/0x1550 net/ipv4/tcp.c:3130\n __mptcp_close_ssk+0x74e/0x16f0 net/mptcp/protocol.c:2496\n mptcp_close_ssk+0x26b/0x2c0 net/mptcp/protocol.c:2550\n mptcp_pm_nl_rm_addr_or_subflow+0x635/0xd10 net/mptcp/pm_netlink.c:889\n mptcp_pm_nl_rm_subflow_received net/mptcp/pm_netlink.c:924 [inline]\n mptcp_pm_flush_addrs_and_subflows net/mptcp/pm_netlink.c:1688 [inline]\n mptcp_nl_flush_addrs_list net/mptcp/pm_netlink.c:1709 [inline]\n mptcp_pm_nl_flush_addrs_doit+0xe10/0x1630 net/mptcp/pm_netlink.c:1750\n genl_family_rcv_msg_doit net/netlink/genetlink.c:1115 [inline]\n \n---truncated---",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2025-21707"
},
{
"cve": "CVE-2025-21718",
"cwe": {
"id": "CWE-416",
"name": "Use After Free"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: rose: fix timer races against user threads\n\nRose timers only acquire the socket spinlock, without\nchecking if the socket is owned by one user thread.\n\nAdd a check and rearm the timers if needed.\n\nBUG: KASAN: slab-use-after-free in rose_timer_expiry+0x31d/0x360 net/rose/rose_timer.c:174\nRead of size 2 at addr ffff88802f09b82a by task swapper/0/0\n\nCPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.13.0-rc5-syzkaller-00172-gd1bf27c4e176 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024\nCall Trace:\n \u003cIRQ\u003e\n __dump_stack lib/dump_stack.c:94 [inline]\n dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120\n print_address_description mm/kasan/report.c:378 [inline]\n print_report+0x169/0x550 mm/kasan/report.c:489\n kasan_report+0x143/0x180 mm/kasan/report.c:602\n rose_timer_expiry+0x31d/0x360 net/rose/rose_timer.c:174\n call_timer_fn+0x187/0x650 kernel/time/timer.c:1793\n expire_timers kernel/time/timer.c:1844 [inline]\n __run_timers kernel/time/timer.c:2418 [inline]\n __run_timer_base+0x66a/0x8e0 kernel/time/timer.c:2430\n run_timer_base kernel/time/timer.c:2439 [inline]\n run_timer_softirq+0xb7/0x170 kernel/time/timer.c:2449\n handle_softirqs+0x2d4/0x9b0 kernel/softirq.c:561\n __do_softirq kernel/softirq.c:595 [inline]\n invoke_softirq kernel/softirq.c:435 [inline]\n __irq_exit_rcu+0xf7/0x220 kernel/softirq.c:662\n irq_exit_rcu+0x9/0x30 kernel/softirq.c:678\n instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1049 [inline]\n sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1049\n \u003c/IRQ\u003e",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.0,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2025-21718"
},
{
"cve": "CVE-2025-21731",
"cwe": {
"id": "CWE-416",
"name": "Use After Free"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnbd: don\u0027t allow reconnect after disconnect\n\nFollowing process can cause nbd_config UAF:\n\n1) grab nbd_config temporarily;\n\n2) nbd_genl_disconnect() flush all recv_work() and release the\ninitial reference:\n\n nbd_genl_disconnect\n nbd_disconnect_and_put\n nbd_disconnect\n flush_workqueue(nbd-\u003erecv_workq)\n if (test_and_clear_bit(NBD_RT_HAS_CONFIG_REF, ...))\n nbd_config_put\n -\u003e due to step 1), reference is still not zero\n\n3) nbd_genl_reconfigure() queue recv_work() again;\n\n nbd_genl_reconfigure\n config = nbd_get_config_unlocked(nbd)\n if (!config)\n -\u003e succeed\n if (!test_bit(NBD_RT_BOUND, ...))\n -\u003e succeed\n nbd_reconnect_socket\n queue_work(nbd-\u003erecv_workq, \u0026args-\u003ework)\n\n4) step 1) release the reference;\n\n5) Finially, recv_work() will trigger UAF:\n\n recv_work\n nbd_config_put(nbd)\n -\u003e nbd_config is freed\n atomic_dec(\u0026config-\u003erecv_threads)\n -\u003e UAF\n\nFix the problem by clearing NBD_RT_BOUND in nbd_genl_disconnect(), so\nthat nbd_genl_reconfigure() will fail.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2025-21731"
},
{
"cve": "CVE-2025-21745",
"cwe": {
"id": "CWE-401",
"name": "Missing Release of Memory after Effective Lifetime"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nblk-cgroup: Fix class @block_class\u0027s subsystem refcount leakage\n\nblkcg_fill_root_iostats() iterates over @block_class\u0027s devices by\nclass_dev_iter_(init|next)(), but does not end iterating with\nclass_dev_iter_exit(), so causes the class\u0027s subsystem refcount leakage.\n\nFix by ending the iterating with class_dev_iter_exit().",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2025-21745"
},
{
"cve": "CVE-2025-21758",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: mcast: add RCU protection to mld_newpack()\n\nmld_newpack() can be called without RTNL or RCU being held.\n\nNote that we no longer can use sock_alloc_send_skb() because\nipv6.igmp_sk uses GFP_KERNEL allocations which can sleep.\n\nInstead use alloc_skb() and charge the net-\u003eipv6.igmp_sk\nsocket under RCU protection.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2025-21758"
},
{
"cve": "CVE-2025-21760",
"cwe": {
"id": "CWE-416",
"name": "Use After Free"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nndisc: extend RCU protection in ndisc_send_skb()\n\nndisc_send_skb() can be called without RTNL or RCU held.\n\nAcquire rcu_read_lock() earlier, so that we can use dev_net_rcu()\nand avoid a potential UAF.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2025-21760"
},
{
"cve": "CVE-2025-21764",
"cwe": {
"id": "CWE-416",
"name": "Use After Free"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nndisc: use RCU protection in ndisc_alloc_skb()\n\nndisc_alloc_skb() can be called without RTNL or RCU being held.\n\nAdd RCU protection to avoid possible UAF.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2025-21764"
},
{
"cve": "CVE-2025-21765",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: use RCU protection in ip6_default_advmss()\n\nip6_default_advmss() needs rcu protection to make\nsure the net structure it reads does not disappear.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2025-21765"
},
{
"cve": "CVE-2025-21780",
"cwe": {
"id": "CWE-120",
"name": "Buffer Copy without Checking Size of Input (\u0027Classic Buffer Overflow\u0027)"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: avoid buffer overflow attach in smu_sys_set_pp_table()\n\nIt malicious user provides a small pptable through sysfs and then\na bigger pptable, it may cause buffer overflow attack in function\nsmu_sys_set_pp_table().",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2025-21780"
},
{
"cve": "CVE-2025-21795",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nNFSD: fix hang in nfsd4_shutdown_callback\n\nIf nfs4_client is in courtesy state then there is no point to send\nthe callback. This causes nfsd4_shutdown_callback to hang since\ncl_cb_inflight is not 0. This hang lasts about 15 minutes until TCP\nnotifies NFSD that the connection was dropped.\n\nThis patch modifies nfsd4_run_cb_work to skip the RPC call if\nnfs4_client is in courtesy state.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2025-21795"
},
{
"cve": "CVE-2025-21796",
"cwe": {
"id": "CWE-416",
"name": "Use After Free"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfsd: clear acl_access/acl_default after releasing them\n\nIf getting acl_default fails, acl_access and acl_default will be released\nsimultaneously. However, acl_access will still retain a pointer pointing\nto the released posix_acl, which will trigger a WARNING in\nnfs3svc_release_getacl like this:\n\n------------[ cut here ]------------\nrefcount_t: underflow; use-after-free.\nWARNING: CPU: 26 PID: 3199 at lib/refcount.c:28\nrefcount_warn_saturate+0xb5/0x170\nModules linked in:\nCPU: 26 UID: 0 PID: 3199 Comm: nfsd Not tainted\n6.12.0-rc6-00079-g04ae226af01f-dirty #8\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS\n1.16.1-2.fc37 04/01/2014\nRIP: 0010:refcount_warn_saturate+0xb5/0x170\nCode: cc cc 0f b6 1d b3 20 a5 03 80 fb 01 0f 87 65 48 d8 00 83 e3 01 75\ne4 48 c7 c7 c0 3b 9b 85 c6 05 97 20 a5 03 01 e8 fb 3e 30 ff \u003c0f\u003e 0b eb\ncd 0f b6 1d 8a3\nRSP: 0018:ffffc90008637cd8 EFLAGS: 00010282\nRAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff83904fde\nRDX: dffffc0000000000 RSI: 0000000000000008 RDI: ffff88871ed36380\nRBP: ffff888158beeb40 R08: 0000000000000001 R09: fffff520010c6f56\nR10: ffffc90008637ab7 R11: 0000000000000001 R12: 0000000000000001\nR13: ffff888140e77400 R14: ffff888140e77408 R15: ffffffff858b42c0\nFS: 0000000000000000(0000) GS:ffff88871ed00000(0000)\nknlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000562384d32158 CR3: 000000055cc6a000 CR4: 00000000000006f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n \u003cTASK\u003e\n ? refcount_warn_saturate+0xb5/0x170\n ? __warn+0xa5/0x140\n ? refcount_warn_saturate+0xb5/0x170\n ? report_bug+0x1b1/0x1e0\n ? handle_bug+0x53/0xa0\n ? exc_invalid_op+0x17/0x40\n ? asm_exc_invalid_op+0x1a/0x20\n ? tick_nohz_tick_stopped+0x1e/0x40\n ? refcount_warn_saturate+0xb5/0x170\n ? refcount_warn_saturate+0xb5/0x170\n nfs3svc_release_getacl+0xc9/0xe0\n svc_process_common+0x5db/0xb60\n ? __pfx_svc_process_common+0x10/0x10\n ? __rcu_read_unlock+0x69/0xa0\n ? __pfx_nfsd_dispatch+0x10/0x10\n ? svc_xprt_received+0xa1/0x120\n ? xdr_init_decode+0x11d/0x190\n svc_process+0x2a7/0x330\n svc_handle_xprt+0x69d/0x940\n svc_recv+0x180/0x2d0\n nfsd+0x168/0x200\n ? __pfx_nfsd+0x10/0x10\n kthread+0x1a2/0x1e0\n ? kthread+0xf4/0x1e0\n ? __pfx_kthread+0x10/0x10\n ret_from_fork+0x34/0x60\n ? __pfx_kthread+0x10/0x10\n ret_from_fork_asm+0x1a/0x30\n \u003c/TASK\u003e\nKernel panic - not syncing: kernel: panic_on_warn set ...\n\nClear acl_access/acl_default after posix_acl_release is called to prevent\nUAF from being triggered.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2025-21796"
},
{
"cve": "CVE-2025-21802",
"cwe": {
"id": "CWE-413",
"name": "Improper Resource Locking"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: hns3: fix oops when unload drivers paralleling\n\nWhen unload hclge driver, it tries to disable sriov first for each\nae_dev node from hnae3_ae_dev_list. If user unloads hns3 driver at\nthe time, because it removes all the ae_dev nodes, and it may cause\noops.\n\nBut we can\u0027t simply use hnae3_common_lock for this. Because in the\nprocess flow of pci_disable_sriov(), it will trigger the remove flow\nof VF, which will also take hnae3_common_lock.\n\nTo fixes it, introduce a new mutex to protect the unload process.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2025-21802"
},
{
"cve": "CVE-2025-21814",
"cwe": {
"id": "CWE-476",
"name": "NULL Pointer Dereference"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nptp: Ensure info-\u003eenable callback is always set\n\nThe ioctl and sysfs handlers unconditionally call the -\u003eenable callback.\nNot all drivers implement that callback, leading to NULL dereferences.\nExample of affected drivers: ptp_s390.c, ptp_vclock.c and ptp_mock.c.\n\nInstead use a dummy callback if no better was specified by the driver.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2025-21814"
},
{
"cve": "CVE-2025-21846",
"cwe": {
"id": "CWE-476",
"name": "NULL Pointer Dereference"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nacct: perform last write from workqueue\n\nIn [1] it was reported that the acct(2) system call can be used to\ntrigger NULL deref in cases where it is set to write to a file that\ntriggers an internal lookup. This can e.g., happen when pointing acc(2)\nto /sys/power/resume. At the point the where the write to this file\nhappens the calling task has already exited and called exit_fs(). A\nlookup will thus trigger a NULL-deref when accessing current-\u003efs.\n\nReorganize the code so that the the final write happens from the\nworkqueue but with the caller\u0027s credentials. This preserves the\n(strange) permission model and has almost no regression risk.\n\nThis api should stop to exist though.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2025-21846"
},
{
"cve": "CVE-2025-21853",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: avoid holding freeze_mutex during mmap operation\n\nWe use map-\u003efreeze_mutex to prevent races between map_freeze() and\nmemory mapping BPF map contents with writable permissions. The way we\nnaively do this means we\u0027ll hold freeze_mutex for entire duration of all\nthe mm and VMA manipulations, which is completely unnecessary. This can\npotentially also lead to deadlocks, as reported by syzbot in [0].\n\nSo, instead, hold freeze_mutex only during writeability checks, bump\n(proactively) \"write active\" count for the map, unlock the mutex and\nproceed with mmap logic. And only if something went wrong during mmap\nlogic, then undo that \"write active\" counter increment.\n\n [0] https://lore.kernel.org/bpf/678dcbc9.050a0220.303755.0066.GAE@google.com/",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 4.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2025-21853"
},
{
"cve": "CVE-2025-21861",
"cwe": {
"id": "CWE-416",
"name": "Use After Free"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/migrate_device: don\u0027t add folio to be freed to LRU in migrate_device_finalize()\n\nIf migration succeeded, we called\nfolio_migrate_flags()-\u003emem_cgroup_migrate() to migrate the memcg from the\nold to the new folio. This will set memcg_data of the old folio to 0.\n\nSimilarly, if migration failed, memcg_data of the dst folio is left unset.\n\nIf we call folio_putback_lru() on such folios (memcg_data == 0), we will\nadd the folio to be freed to the LRU, making memcg code unhappy. Running\nthe hmm selftests:\n\n # ./hmm-tests\n ...\n # RUN hmm.hmm_device_private.migrate ...\n [ 102.078007][T14893] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x7ff27d200 pfn:0x13cc00\n [ 102.079974][T14893] anon flags: 0x17ff00000020018(uptodate|dirty|swapbacked|node=0|zone=2|lastcpupid=0x7ff)\n [ 102.082037][T14893] raw: 017ff00000020018 dead000000000100 dead000000000122 ffff8881353896c9\n [ 102.083687][T14893] raw: 00000007ff27d200 0000000000000000 00000001ffffffff 0000000000000000\n [ 102.085331][T14893] page dumped because: VM_WARN_ON_ONCE_FOLIO(!memcg \u0026\u0026 !mem_cgroup_disabled())\n [ 102.087230][T14893] ------------[ cut here ]------------\n [ 102.088279][T14893] WARNING: CPU: 0 PID: 14893 at ./include/linux/memcontrol.h:726 folio_lruvec_lock_irqsave+0x10e/0x170\n [ 102.090478][T14893] Modules linked in:\n [ 102.091244][T14893] CPU: 0 UID: 0 PID: 14893 Comm: hmm-tests Not tainted 6.13.0-09623-g6c216bc522fd #151\n [ 102.093089][T14893] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-2.fc40 04/01/2014\n [ 102.094848][T14893] RIP: 0010:folio_lruvec_lock_irqsave+0x10e/0x170\n [ 102.096104][T14893] Code: ...\n [ 102.099908][T14893] RSP: 0018:ffffc900236c37b0 EFLAGS: 00010293\n [ 102.101152][T14893] RAX: 0000000000000000 RBX: ffffea0004f30000 RCX: ffffffff8183f426\n [ 102.102684][T14893] RDX: ffff8881063cb880 RSI: ffffffff81b8117f RDI: ffff8881063cb880\n [ 102.104227][T14893] RBP: 0000000000000000 R08: 0000000000000005 R09: 0000000000000000\n [ 102.105757][T14893] R10: 0000000000000001 R11: 0000000000000002 R12: ffffc900236c37d8\n [ 102.107296][T14893] R13: ffff888277a2bcb0 R14: 000000000000001f R15: 0000000000000000\n [ 102.108830][T14893] FS: 00007ff27dbdd740(0000) GS:ffff888277a00000(0000) knlGS:0000000000000000\n [ 102.110643][T14893] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n [ 102.111924][T14893] CR2: 00007ff27d400000 CR3: 000000010866e000 CR4: 0000000000750ef0\n [ 102.113478][T14893] PKRU: 55555554\n [ 102.114172][T14893] Call Trace:\n [ 102.114805][T14893] \u003cTASK\u003e\n [ 102.115397][T14893] ? folio_lruvec_lock_irqsave+0x10e/0x170\n [ 102.116547][T14893] ? __warn.cold+0x110/0x210\n [ 102.117461][T14893] ? folio_lruvec_lock_irqsave+0x10e/0x170\n [ 102.118667][T14893] ? report_bug+0x1b9/0x320\n [ 102.119571][T14893] ? handle_bug+0x54/0x90\n [ 102.120494][T14893] ? exc_invalid_op+0x17/0x50\n [ 102.121433][T14893] ? asm_exc_invalid_op+0x1a/0x20\n [ 102.122435][T14893] ? __wake_up_klogd.part.0+0x76/0xd0\n [ 102.123506][T14893] ? dump_page+0x4f/0x60\n [ 102.124352][T14893] ? folio_lruvec_lock_irqsave+0x10e/0x170\n [ 102.125500][T14893] folio_batch_move_lru+0xd4/0x200\n [ 102.126577][T14893] ? __pfx_lru_add+0x10/0x10\n [ 102.127505][T14893] __folio_batch_add_and_move+0x391/0x720\n [ 102.128633][T14893] ? __pfx_lru_add+0x10/0x10\n [ 102.129550][T14893] folio_putback_lru+0x16/0x80\n [ 102.130564][T14893] migrate_device_finalize+0x9b/0x530\n [ 102.131640][T14893] dmirror_migrate_to_device.constprop.0+0x7c5/0xad0\n [ 102.133047][T14893] dmirror_fops_unlocked_ioctl+0x89b/0xc80\n\nLikely, nothing else goes wrong: putting the last folio reference will\nremove the folio from the LRU again. So besides memcg complaining, adding\nthe folio to be freed to the LRU is just an unnecessary step.\n\nThe new flow resembles what we have in migrate_folio_move(): add the dst\nto the lru, rem\n---truncated---",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2025-21861"
},
{
"cve": "CVE-2025-21864",
"cwe": {
"id": "CWE-476",
"name": "NULL Pointer Dereference"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\ntcp: drop secpath at the same time as we currently drop dst\n\nXiumei reported hitting the WARN in xfrm6_tunnel_net_exit while\nrunning tests that boil down to:\n - create a pair of netns\n - run a basic TCP test over ipcomp6\n - delete the pair of netns\n\nThe xfrm_state found on spi_byaddr was not deleted at the time we\ndelete the netns, because we still have a reference on it. This\nlingering reference comes from a secpath (which holds a ref on the\nxfrm_state), which is still attached to an skb. This skb is not\nleaked, it ends up on sk_receive_queue and then gets defer-free\u0027d by\nskb_attempt_defer_free.\n\nThe problem happens when we defer freeing an skb (push it on one CPU\u0027s\ndefer_list), and don\u0027t flush that list before the netns is deleted. In\nthat case, we still have a reference on the xfrm_state that we don\u0027t\nexpect at this point.\n\nWe already drop the skb\u0027s dst in the TCP receive path when it\u0027s no\nlonger needed, so let\u0027s also drop the secpath. At this point,\ntcp_filter has already called into the LSM hooks that may require the\nsecpath, so it should not be needed anymore. However, in some of those\nplaces, the MPTCP extension has just been attached to the skb, so we\ncannot simply drop all extensions.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2025-21864"
},
{
"cve": "CVE-2025-21867",
"cwe": {
"id": "CWE-416",
"name": "Use After Free"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf, test_run: Fix use-after-free issue in eth_skb_pkt_type()\n\nKMSAN reported a use-after-free issue in eth_skb_pkt_type()[1]. The\ncause of the issue was that eth_skb_pkt_type() accessed skb\u0027s data\nthat didn\u0027t contain an Ethernet header. This occurs when\nbpf_prog_test_run_xdp() passes an invalid value as the user_data\nargument to bpf_test_init().\n\nFix this by returning an error when user_data is less than ETH_HLEN in\nbpf_test_init(). Additionally, remove the check for \"if (user_size \u003e\nsize)\" as it is unnecessary.\n\n[1]\nBUG: KMSAN: use-after-free in eth_skb_pkt_type include/linux/etherdevice.h:627 [inline]\nBUG: KMSAN: use-after-free in eth_type_trans+0x4ee/0x980 net/ethernet/eth.c:165\n eth_skb_pkt_type include/linux/etherdevice.h:627 [inline]\n eth_type_trans+0x4ee/0x980 net/ethernet/eth.c:165\n __xdp_build_skb_from_frame+0x5a8/0xa50 net/core/xdp.c:635\n xdp_recv_frames net/bpf/test_run.c:272 [inline]\n xdp_test_run_batch net/bpf/test_run.c:361 [inline]\n bpf_test_run_xdp_live+0x2954/0x3330 net/bpf/test_run.c:390\n bpf_prog_test_run_xdp+0x148e/0x1b10 net/bpf/test_run.c:1318\n bpf_prog_test_run+0x5b7/0xa30 kernel/bpf/syscall.c:4371\n __sys_bpf+0x6a6/0xe20 kernel/bpf/syscall.c:5777\n __do_sys_bpf kernel/bpf/syscall.c:5866 [inline]\n __se_sys_bpf kernel/bpf/syscall.c:5864 [inline]\n __x64_sys_bpf+0xa4/0xf0 kernel/bpf/syscall.c:5864\n x64_sys_call+0x2ea0/0x3d90 arch/x86/include/generated/asm/syscalls_64.h:322\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xd9/0x1d0 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nUninit was created at:\n free_pages_prepare mm/page_alloc.c:1056 [inline]\n free_unref_page+0x156/0x1320 mm/page_alloc.c:2657\n __free_pages+0xa3/0x1b0 mm/page_alloc.c:4838\n bpf_ringbuf_free kernel/bpf/ringbuf.c:226 [inline]\n ringbuf_map_free+0xff/0x1e0 kernel/bpf/ringbuf.c:235\n bpf_map_free kernel/bpf/syscall.c:838 [inline]\n bpf_map_free_deferred+0x17c/0x310 kernel/bpf/syscall.c:862\n process_one_work kernel/workqueue.c:3229 [inline]\n process_scheduled_works+0xa2b/0x1b60 kernel/workqueue.c:3310\n worker_thread+0xedf/0x1550 kernel/workqueue.c:3391\n kthread+0x535/0x6b0 kernel/kthread.c:389\n ret_from_fork+0x6e/0x90 arch/x86/kernel/process.c:147\n ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244\n\nCPU: 1 UID: 0 PID: 17276 Comm: syz.1.16450 Not tainted 6.12.0-05490-g9bb88c659673 #8\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-3.fc41 04/01/2014",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2025-21867"
},
{
"cve": "CVE-2025-21875",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: always handle address removal under msk socket lock\n\nSyzkaller reported a lockdep splat in the PM control path:\n\n WARNING: CPU: 0 PID: 6693 at ./include/net/sock.h:1711 sock_owned_by_me include/net/sock.h:1711 [inline]\n WARNING: CPU: 0 PID: 6693 at ./include/net/sock.h:1711 msk_owned_by_me net/mptcp/protocol.h:363 [inline]\n WARNING: CPU: 0 PID: 6693 at ./include/net/sock.h:1711 mptcp_pm_nl_addr_send_ack+0x57c/0x610 net/mptcp/pm_netlink.c:788\n Modules linked in:\n CPU: 0 UID: 0 PID: 6693 Comm: syz.0.205 Not tainted 6.14.0-rc2-syzkaller-00303-gad1b832bf1cf #0\n Hardware name: Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024\n RIP: 0010:sock_owned_by_me include/net/sock.h:1711 [inline]\n RIP: 0010:msk_owned_by_me net/mptcp/protocol.h:363 [inline]\n RIP: 0010:mptcp_pm_nl_addr_send_ack+0x57c/0x610 net/mptcp/pm_netlink.c:788\n Code: 5b 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc cc cc e8 ca 7b d3 f5 eb b9 e8 c3 7b d3 f5 90 0f 0b 90 e9 dd fb ff ff e8 b5 7b d3 f5 90 \u003c0f\u003e 0b 90 e9 3e fb ff ff 44 89 f1 80 e1 07 38 c1 0f 8c eb fb ff ff\n RSP: 0000:ffffc900034f6f60 EFLAGS: 00010283\n RAX: ffffffff8bee3c2b RBX: 0000000000000001 RCX: 0000000000080000\n RDX: ffffc90004d42000 RSI: 000000000000a407 RDI: 000000000000a408\n RBP: ffffc900034f7030 R08: ffffffff8bee37f6 R09: 0100000000000000\n R10: dffffc0000000000 R11: ffffed100bcc62e4 R12: ffff88805e6316e0\n R13: ffff88805e630c00 R14: dffffc0000000000 R15: ffff88805e630c00\n FS: 00007f7e9a7e96c0(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 0000001b2fd18ff8 CR3: 0000000032c24000 CR4: 00000000003526f0\n DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n Call Trace:\n \u003cTASK\u003e\n mptcp_pm_remove_addr+0x103/0x1d0 net/mptcp/pm.c:59\n mptcp_pm_remove_anno_addr+0x1f4/0x2f0 net/mptcp/pm_netlink.c:1486\n mptcp_nl_remove_subflow_and_signal_addr net/mptcp/pm_netlink.c:1518 [inline]\n mptcp_pm_nl_del_addr_doit+0x118d/0x1af0 net/mptcp/pm_netlink.c:1629\n genl_family_rcv_msg_doit net/netlink/genetlink.c:1115 [inline]\n genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline]\n genl_rcv_msg+0xb1f/0xec0 net/netlink/genetlink.c:1210\n netlink_rcv_skb+0x206/0x480 net/netlink/af_netlink.c:2543\n genl_rcv+0x28/0x40 net/netlink/genetlink.c:1219\n netlink_unicast_kernel net/netlink/af_netlink.c:1322 [inline]\n netlink_unicast+0x7f6/0x990 net/netlink/af_netlink.c:1348\n netlink_sendmsg+0x8de/0xcb0 net/netlink/af_netlink.c:1892\n sock_sendmsg_nosec net/socket.c:718 [inline]\n __sock_sendmsg+0x221/0x270 net/socket.c:733\n ____sys_sendmsg+0x53a/0x860 net/socket.c:2573\n ___sys_sendmsg net/socket.c:2627 [inline]\n __sys_sendmsg+0x269/0x350 net/socket.c:2659\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n RIP: 0033:0x7f7e9998cde9\n Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 \u003c48\u003e 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48\n RSP: 002b:00007f7e9a7e9038 EFLAGS: 00000246 ORIG_RAX: 000000000000002e\n RAX: ffffffffffffffda RBX: 00007f7e99ba5fa0 RCX: 00007f7e9998cde9\n RDX: 000000002000c094 RSI: 0000400000000000 RDI: 0000000000000007\n RBP: 00007f7e99a0e2a0 R08: 0000000000000000 R09: 0000000000000000\n R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\n R13: 0000000000000000 R14: 00007f7e99ba5fa0 R15: 00007fff49231088\n\nIndeed the PM can try to send a RM_ADDR over a msk without acquiring\nfirst the msk socket lock.\n\nThe bugged code-path comes from an early optimization: when there\nare no subflows, the PM should (usually) not send RM_ADDR\nnotifications.\n\nThe above statement is incorrect, as without locks another process\ncould concur\n---truncated---",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2025-21875"
},
{
"cve": "CVE-2025-21887",
"cwe": {
"id": "CWE-416",
"name": "Use After Free"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\novl: fix UAF in ovl_dentry_update_reval by moving dput() in ovl_link_up\n\nThe issue was caused by dput(upper) being called before\novl_dentry_update_reval(), while upper-\u003ed_flags was still\naccessed in ovl_dentry_remote().\n\nMove dput(upper) after its last use to prevent use-after-free.\n\nBUG: KASAN: slab-use-after-free in ovl_dentry_remote fs/overlayfs/util.c:162 [inline]\nBUG: KASAN: slab-use-after-free in ovl_dentry_update_reval+0xd2/0xf0 fs/overlayfs/util.c:167\n\nCall Trace:\n \u003cTASK\u003e\n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:114\n print_address_description mm/kasan/report.c:377 [inline]\n print_report+0xc3/0x620 mm/kasan/report.c:488\n kasan_report+0xd9/0x110 mm/kasan/report.c:601\n ovl_dentry_remote fs/overlayfs/util.c:162 [inline]\n ovl_dentry_update_reval+0xd2/0xf0 fs/overlayfs/util.c:167\n ovl_link_up fs/overlayfs/copy_up.c:610 [inline]\n ovl_copy_up_one+0x2105/0x3490 fs/overlayfs/copy_up.c:1170\n ovl_copy_up_flags+0x18d/0x200 fs/overlayfs/copy_up.c:1223\n ovl_rename+0x39e/0x18c0 fs/overlayfs/dir.c:1136\n vfs_rename+0xf84/0x20a0 fs/namei.c:4893\n...\n \u003c/TASK\u003e",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2025-21887"
},
{
"cve": "CVE-2025-21913",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/amd_nb: Use rdmsr_safe() in amd_get_mmconfig_range()\n\nXen doesn\u0027t offer MSR_FAM10H_MMIO_CONF_BASE to all guests. This results\nin the following warning:\n\n unchecked MSR access error: RDMSR from 0xc0010058 at rIP: 0xffffffff8101d19f (xen_do_read_msr+0x7f/0xa0)\n Call Trace:\n xen_read_msr+0x1e/0x30\n amd_get_mmconfig_range+0x2b/0x80\n quirk_amd_mmconfig_area+0x28/0x100\n pnp_fixup_device+0x39/0x50\n __pnp_add_device+0xf/0x150\n pnp_add_device+0x3d/0x100\n pnpacpi_add_device_handler+0x1f9/0x280\n acpi_ns_get_device_callback+0x104/0x1c0\n acpi_ns_walk_namespace+0x1d0/0x260\n acpi_get_devices+0x8a/0xb0\n pnpacpi_init+0x50/0x80\n do_one_initcall+0x46/0x2e0\n kernel_init_freeable+0x1da/0x2f0\n kernel_init+0x16/0x1b0\n ret_from_fork+0x30/0x50\n ret_from_fork_asm+0x1b/0x30\n\nbased on quirks for a \"PNP0c01\" device. Treating MMCFG as disabled is the\nright course of action, so no change is needed there.\n\nThis was most likely exposed by fixing the Xen MSR accessors to not be\nsilently-safe.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2025-21913"
},
{
"cve": "CVE-2025-21919",
"cwe": {
"id": "CWE-787",
"name": "Out-of-bounds Write"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nsched/fair: Fix potential memory corruption in child_cfs_rq_on_list\n\nchild_cfs_rq_on_list attempts to convert a \u0027prev\u0027 pointer to a cfs_rq.\nThis \u0027prev\u0027 pointer can originate from struct rq\u0027s leaf_cfs_rq_list,\nmaking the conversion invalid and potentially leading to memory\ncorruption. Depending on the relative positions of leaf_cfs_rq_list and\nthe task group (tg) pointer within the struct, this can cause a memory\nfault or access garbage data.\n\nThe issue arises in list_add_leaf_cfs_rq, where both\ncfs_rq-\u003eleaf_cfs_rq_list and rq-\u003eleaf_cfs_rq_list are added to the same\nleaf list. Also, rq-\u003etmp_alone_branch can be set to rq-\u003eleaf_cfs_rq_list.\n\nThis adds a check `if (prev == \u0026rq-\u003eleaf_cfs_rq_list)` after the main\nconditional in child_cfs_rq_on_list. This ensures that the container_of\noperation will convert a correct cfs_rq struct.\n\nThis check is sufficient because only cfs_rqs on the same CPU are added\nto the list, so verifying the \u0027prev\u0027 pointer against the current rq\u0027s list\nhead is enough.\n\nFixes a potential memory corruption issue that due to current struct\nlayout might not be manifesting as a crash but could lead to unpredictable\nbehavior when the layout changes.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2025-21919"
},
{
"cve": "CVE-2025-21925",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nllc: do not use skb_get() before dev_queue_xmit()\n\nsyzbot is able to crash hosts [1], using llc and devices\nnot supporting IFF_TX_SKB_SHARING.\n\nIn this case, e1000 driver calls eth_skb_pad(), while\nthe skb is shared.\n\nSimply replace skb_get() by skb_clone() in net/llc/llc_s_ac.c\n\nNote that e1000 driver might have an issue with pktgen,\nbecause it does not clear IFF_TX_SKB_SHARING, this is an\northogonal change.\n\nWe need to audit other skb_get() uses in net/llc.\n\n[1]\n\nkernel BUG at net/core/skbuff.c:2178 !\nOops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN NOPTI\nCPU: 0 UID: 0 PID: 16371 Comm: syz.2.2764 Not tainted 6.14.0-rc4-syzkaller-00052-gac9c34d1e45a #0\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014\n RIP: 0010:pskb_expand_head+0x6ce/0x1240 net/core/skbuff.c:2178\nCall Trace:\n \u003cTASK\u003e\n __skb_pad+0x18a/0x610 net/core/skbuff.c:2466\n __skb_put_padto include/linux/skbuff.h:3843 [inline]\n skb_put_padto include/linux/skbuff.h:3862 [inline]\n eth_skb_pad include/linux/etherdevice.h:656 [inline]\n e1000_xmit_frame+0x2d99/0x5800 drivers/net/ethernet/intel/e1000/e1000_main.c:3128\n __netdev_start_xmit include/linux/netdevice.h:5151 [inline]\n netdev_start_xmit include/linux/netdevice.h:5160 [inline]\n xmit_one net/core/dev.c:3806 [inline]\n dev_hard_start_xmit+0x9a/0x7b0 net/core/dev.c:3822\n sch_direct_xmit+0x1ae/0xc30 net/sched/sch_generic.c:343\n __dev_xmit_skb net/core/dev.c:4045 [inline]\n __dev_queue_xmit+0x13d4/0x43e0 net/core/dev.c:4621\n dev_queue_xmit include/linux/netdevice.h:3313 [inline]\n llc_sap_action_send_test_c+0x268/0x320 net/llc/llc_s_ac.c:144\n llc_exec_sap_trans_actions net/llc/llc_sap.c:153 [inline]\n llc_sap_next_state net/llc/llc_sap.c:182 [inline]\n llc_sap_state_process+0x239/0x510 net/llc/llc_sap.c:209\n llc_ui_sendmsg+0xd0d/0x14e0 net/llc/af_llc.c:993\n sock_sendmsg_nosec net/socket.c:718 [inline]",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2025-21925"
},
{
"cve": "CVE-2025-21926",
"cwe": {
"id": "CWE-416",
"name": "Use After Free"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: gso: fix ownership in __udp_gso_segment\n\nIn __udp_gso_segment the skb destructor is removed before segmenting the\nskb but the socket reference is kept as-is. This is an issue if the\noriginal skb is later orphaned as we can hit the following bug:\n\n kernel BUG at ./include/linux/skbuff.h:3312! (skb_orphan)\n RIP: 0010:ip_rcv_core+0x8b2/0xca0\n Call Trace:\n ip_rcv+0xab/0x6e0\n __netif_receive_skb_one_core+0x168/0x1b0\n process_backlog+0x384/0x1100\n __napi_poll.constprop.0+0xa1/0x370\n net_rx_action+0x925/0xe50\n\nThe above can happen following a sequence of events when using\nOpenVSwitch, when an OVS_ACTION_ATTR_USERSPACE action precedes an\nOVS_ACTION_ATTR_OUTPUT action:\n\n1. OVS_ACTION_ATTR_USERSPACE is handled (in do_execute_actions): the skb\n goes through queue_gso_packets and then __udp_gso_segment, where its\n destructor is removed.\n2. The segments\u0027 data are copied and sent to userspace.\n3. OVS_ACTION_ATTR_OUTPUT is handled (in do_execute_actions) and the\n same original skb is sent to its path.\n4. If it later hits skb_orphan, we hit the bug.\n\nFix this by also removing the reference to the socket in\n__udp_gso_segment.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2025-21926"
},
{
"cve": "CVE-2025-21938",
"cwe": {
"id": "CWE-362",
"name": "Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027)"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: fix \u0027scheduling while atomic\u0027 in mptcp_pm_nl_append_new_local_addr\n\nIf multiple connection requests attempt to create an implicit mptcp\nendpoint in parallel, more than one caller may end up in\nmptcp_pm_nl_append_new_local_addr because none found the address in\nlocal_addr_list during their call to mptcp_pm_nl_get_local_id. In this\ncase, the concurrent new_local_addr calls may delete the address entry\ncreated by the previous caller. These deletes use synchronize_rcu, but\nthis is not permitted in some of the contexts where this function may be\ncalled. During packet recv, the caller may be in a rcu read critical\nsection and have preemption disabled.\n\nAn example stack:\n\n BUG: scheduling while atomic: swapper/2/0/0x00000302\n\n Call Trace:\n \u003cIRQ\u003e\n dump_stack_lvl (lib/dump_stack.c:117 (discriminator 1))\n dump_stack (lib/dump_stack.c:124)\n __schedule_bug (kernel/sched/core.c:5943)\n schedule_debug.constprop.0 (arch/x86/include/asm/preempt.h:33 kernel/sched/core.c:5970)\n __schedule (arch/x86/include/asm/jump_label.h:27 include/linux/jump_label.h:207 kernel/sched/features.h:29 kernel/sched/core.c:6621)\n schedule (arch/x86/include/asm/preempt.h:84 kernel/sched/core.c:6804 kernel/sched/core.c:6818)\n schedule_timeout (kernel/time/timer.c:2160)\n wait_for_completion (kernel/sched/completion.c:96 kernel/sched/completion.c:116 kernel/sched/completion.c:127 kernel/sched/completion.c:148)\n __wait_rcu_gp (include/linux/rcupdate.h:311 kernel/rcu/update.c:444)\n synchronize_rcu (kernel/rcu/tree.c:3609)\n mptcp_pm_nl_append_new_local_addr (net/mptcp/pm_netlink.c:966 net/mptcp/pm_netlink.c:1061)\n mptcp_pm_nl_get_local_id (net/mptcp/pm_netlink.c:1164)\n mptcp_pm_get_local_id (net/mptcp/pm.c:420)\n subflow_check_req (net/mptcp/subflow.c:98 net/mptcp/subflow.c:213)\n subflow_v4_route_req (net/mptcp/subflow.c:305)\n tcp_conn_request (net/ipv4/tcp_input.c:7216)\n subflow_v4_conn_request (net/mptcp/subflow.c:651)\n tcp_rcv_state_process (net/ipv4/tcp_input.c:6709)\n tcp_v4_do_rcv (net/ipv4/tcp_ipv4.c:1934)\n tcp_v4_rcv (net/ipv4/tcp_ipv4.c:2334)\n ip_protocol_deliver_rcu (net/ipv4/ip_input.c:205 (discriminator 1))\n ip_local_deliver_finish (include/linux/rcupdate.h:813 net/ipv4/ip_input.c:234)\n ip_local_deliver (include/linux/netfilter.h:314 include/linux/netfilter.h:308 net/ipv4/ip_input.c:254)\n ip_sublist_rcv_finish (include/net/dst.h:461 net/ipv4/ip_input.c:580)\n ip_sublist_rcv (net/ipv4/ip_input.c:640)\n ip_list_rcv (net/ipv4/ip_input.c:675)\n __netif_receive_skb_list_core (net/core/dev.c:5583 net/core/dev.c:5631)\n netif_receive_skb_list_internal (net/core/dev.c:5685 net/core/dev.c:5774)\n napi_complete_done (include/linux/list.h:37 include/net/gro.h:449 include/net/gro.h:444 net/core/dev.c:6114)\n igb_poll (drivers/net/ethernet/intel/igb/igb_main.c:8244) igb\n __napi_poll (net/core/dev.c:6582)\n net_rx_action (net/core/dev.c:6653 net/core/dev.c:6787)\n handle_softirqs (kernel/softirq.c:553)\n __irq_exit_rcu (kernel/softirq.c:588 kernel/softirq.c:427 kernel/softirq.c:636)\n irq_exit_rcu (kernel/softirq.c:651)\n common_interrupt (arch/x86/kernel/irq.c:247 (discriminator 14))\n \u003c/IRQ\u003e\n\nThis problem seems particularly prevalent if the user advertises an\nendpoint that has a different external vs internal address. In the case\nwhere the external address is advertised and multiple connections\nalready exist, multiple subflow SYNs arrive in parallel which tends to\ntrigger the race during creation of the first local_addr_list entries\nwhich have the internal address instead.\n\nFix by skipping the replacement of an existing implicit local address if\ncalled via mptcp_pm_nl_get_local_id.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2025-21938"
},
{
"cve": "CVE-2025-21959",
"cwe": {
"id": "CWE-908",
"name": "Use of Uninitialized Resource"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_conncount: Fully initialize struct nf_conncount_tuple in insert_tree()\n\nSince commit b36e4523d4d5 (\"netfilter: nf_conncount: fix garbage\ncollection confirm race\"), `cpu` and `jiffies32` were introduced to\nthe struct nf_conncount_tuple.\n\nThe commit made nf_conncount_add() initialize `conn-\u003ecpu` and\n`conn-\u003ejiffies32` when allocating the struct.\nIn contrast, count_tree() was not changed to initialize them.\n\nBy commit 34848d5c896e (\"netfilter: nf_conncount: Split insert and\ntraversal\"), count_tree() was split and the relevant allocation\ncode now resides in insert_tree().\nInitialize `conn-\u003ecpu` and `conn-\u003ejiffies32` in insert_tree().\n\nBUG: KMSAN: uninit-value in find_or_evict net/netfilter/nf_conncount.c:117 [inline]\nBUG: KMSAN: uninit-value in __nf_conncount_add+0xd9c/0x2850 net/netfilter/nf_conncount.c:143\n find_or_evict net/netfilter/nf_conncount.c:117 [inline]\n __nf_conncount_add+0xd9c/0x2850 net/netfilter/nf_conncount.c:143\n count_tree net/netfilter/nf_conncount.c:438 [inline]\n nf_conncount_count+0x82f/0x1e80 net/netfilter/nf_conncount.c:521\n connlimit_mt+0x7f6/0xbd0 net/netfilter/xt_connlimit.c:72\n __nft_match_eval net/netfilter/nft_compat.c:403 [inline]\n nft_match_eval+0x1a5/0x300 net/netfilter/nft_compat.c:433\n expr_call_ops_eval net/netfilter/nf_tables_core.c:240 [inline]\n nft_do_chain+0x426/0x2290 net/netfilter/nf_tables_core.c:288\n nft_do_chain_ipv4+0x1a5/0x230 net/netfilter/nft_chain_filter.c:23\n nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline]\n nf_hook_slow+0xf4/0x400 net/netfilter/core.c:626\n nf_hook_slow_list+0x24d/0x860 net/netfilter/core.c:663\n NF_HOOK_LIST include/linux/netfilter.h:350 [inline]\n ip_sublist_rcv+0x17b7/0x17f0 net/ipv4/ip_input.c:633\n ip_list_rcv+0x9ef/0xa40 net/ipv4/ip_input.c:669\n __netif_receive_skb_list_ptype net/core/dev.c:5936 [inline]\n __netif_receive_skb_list_core+0x15c5/0x1670 net/core/dev.c:5983\n __netif_receive_skb_list net/core/dev.c:6035 [inline]\n netif_receive_skb_list_internal+0x1085/0x1700 net/core/dev.c:6126\n netif_receive_skb_list+0x5a/0x460 net/core/dev.c:6178\n xdp_recv_frames net/bpf/test_run.c:280 [inline]\n xdp_test_run_batch net/bpf/test_run.c:361 [inline]\n bpf_test_run_xdp_live+0x2e86/0x3480 net/bpf/test_run.c:390\n bpf_prog_test_run_xdp+0xf1d/0x1ae0 net/bpf/test_run.c:1316\n bpf_prog_test_run+0x5e5/0xa30 kernel/bpf/syscall.c:4407\n __sys_bpf+0x6aa/0xd90 kernel/bpf/syscall.c:5813\n __do_sys_bpf kernel/bpf/syscall.c:5902 [inline]\n __se_sys_bpf kernel/bpf/syscall.c:5900 [inline]\n __ia32_sys_bpf+0xa0/0xe0 kernel/bpf/syscall.c:5900\n ia32_sys_call+0x394d/0x4180 arch/x86/include/generated/asm/syscalls_32.h:358\n do_syscall_32_irqs_on arch/x86/entry/common.c:165 [inline]\n __do_fast_syscall_32+0xb0/0x110 arch/x86/entry/common.c:387\n do_fast_syscall_32+0x38/0x80 arch/x86/entry/common.c:412\n do_SYSENTER_32+0x1f/0x30 arch/x86/entry/common.c:450\n entry_SYSENTER_compat_after_hwframe+0x84/0x8e\n\nUninit was created at:\n slab_post_alloc_hook mm/slub.c:4121 [inline]\n slab_alloc_node mm/slub.c:4164 [inline]\n kmem_cache_alloc_noprof+0x915/0xe10 mm/slub.c:4171\n insert_tree net/netfilter/nf_conncount.c:372 [inline]\n count_tree net/netfilter/nf_conncount.c:450 [inline]\n nf_conncount_count+0x1415/0x1e80 net/netfilter/nf_conncount.c:521\n connlimit_mt+0x7f6/0xbd0 net/netfilter/xt_connlimit.c:72\n __nft_match_eval net/netfilter/nft_compat.c:403 [inline]\n nft_match_eval+0x1a5/0x300 net/netfilter/nft_compat.c:433\n expr_call_ops_eval net/netfilter/nf_tables_core.c:240 [inline]\n nft_do_chain+0x426/0x2290 net/netfilter/nf_tables_core.c:288\n nft_do_chain_ipv4+0x1a5/0x230 net/netfilter/nft_chain_filter.c:23\n nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline]\n nf_hook_slow+0xf4/0x400 net/netfilter/core.c:626\n nf_hook_slow_list+0x24d/0x860 net/netfilter/core.c:663\n NF_HOOK_LIST include/linux/netfilter.h:350 [inline]\n ip_sublist_rcv+0x17b7/0x17f0 net/ipv4/ip_input.c:633\n ip_list_rcv+0x9ef/0xa40 net/ip\n---truncated---",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2025-21959"
},
{
"cve": "CVE-2025-21999",
"cwe": {
"id": "CWE-416",
"name": "Use After Free"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nproc: fix UAF in proc_get_inode()\n\nFix race between rmmod and /proc/XXX\u0027s inode instantiation.\n\nThe bug is that pde-\u003eproc_ops don\u0027t belong to /proc, it belongs to a\nmodule, therefore dereferencing it after /proc entry has been registered\nis a bug unless use_pde/unuse_pde() pair has been used.\n\nuse_pde/unuse_pde can be avoided (2 atomic ops!) because pde-\u003eproc_ops\nnever changes so information necessary for inode instantiation can be\nsaved _before_ proc_register() in PDE itself and used later, avoiding\npde-\u003eproc_ops-\u003e... dereference.\n\n rmmod lookup\nsys_delete_module\n proc_lookup_de\n\t\t\t pde_get(de);\n\t\t\t proc_get_inode(dir-\u003ei_sb, de);\n mod-\u003eexit()\n proc_remove\n remove_proc_subtree\n proc_entry_rundown(de);\n free_module(mod);\n\n if (S_ISREG(inode-\u003ei_mode))\n\t if (de-\u003eproc_ops-\u003eproc_read_iter)\n --\u003e As module is already freed, will trigger UAF\n\nBUG: unable to handle page fault for address: fffffbfff80a702b\nPGD 817fc4067 P4D 817fc4067 PUD 817fc0067 PMD 102ef4067 PTE 0\nOops: Oops: 0000 [#1] PREEMPT SMP KASAN PTI\nCPU: 26 UID: 0 PID: 2667 Comm: ls Tainted: G\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996)\nRIP: 0010:proc_get_inode+0x302/0x6e0\nRSP: 0018:ffff88811c837998 EFLAGS: 00010a06\nRAX: dffffc0000000000 RBX: ffffffffc0538140 RCX: 0000000000000007\nRDX: 1ffffffff80a702b RSI: 0000000000000001 RDI: ffffffffc0538158\nRBP: ffff8881299a6000 R08: 0000000067bbe1e5 R09: 1ffff11023906f20\nR10: ffffffffb560ca07 R11: ffffffffb2b43a58 R12: ffff888105bb78f0\nR13: ffff888100518048 R14: ffff8881299a6004 R15: 0000000000000001\nFS: 00007f95b9686840(0000) GS:ffff8883af100000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: fffffbfff80a702b CR3: 0000000117dd2000 CR4: 00000000000006f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n \u003cTASK\u003e\n proc_lookup_de+0x11f/0x2e0\n __lookup_slow+0x188/0x350\n walk_component+0x2ab/0x4f0\n path_lookupat+0x120/0x660\n filename_lookup+0x1ce/0x560\n vfs_statx+0xac/0x150\n __do_sys_newstat+0x96/0x110\n do_syscall_64+0x5f/0x170\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\n[adobriyan@gmail.com: don\u0027t do 2 atomic ops on the common path]",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2025-21999"
},
{
"cve": "CVE-2025-22005",
"cwe": {
"id": "CWE-401",
"name": "Missing Release of Memory after Effective Lifetime"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: Fix memleak of nhc_pcpu_rth_output in fib_check_nh_v6_gw().\n\nfib_check_nh_v6_gw() expects that fib6_nh_init() cleans up everything\nwhen it fails.\n\nCommit 7dd73168e273 (\"ipv6: Always allocate pcpu memory in a fib6_nh\")\nmoved fib_nh_common_init() before alloc_percpu_gfp() within fib6_nh_init()\nbut forgot to add cleanup for fib6_nh-\u003enh_common.nhc_pcpu_rth_output in\ncase it fails to allocate fib6_nh-\u003ert6i_pcpu, resulting in memleak.\n\nLet\u0027s call fib_nh_common_release() and clear nhc_pcpu_rth_output in the\nerror path.\n\nNote that we can remove the fib6_nh_release() call in nh_create_ipv6()\nlater in net-next.git.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2025-22005"
},
{
"cve": "CVE-2025-22015",
"cwe": {
"id": "CWE-476",
"name": "NULL Pointer Dereference"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/migrate: fix shmem xarray update during migration\n\nA shmem folio can be either in page cache or in swap cache, but not at the\nsame time. Namely, once it is in swap cache, folio-\u003emapping should be\nNULL, and the folio is no longer in a shmem mapping.\n\nIn __folio_migrate_mapping(), to determine the number of xarray entries to\nupdate, folio_test_swapbacked() is used, but that conflates shmem in page\ncache case and shmem in swap cache case. It leads to xarray multi-index\nentry corruption, since it turns a sibling entry to a normal entry during\nxas_store() (see [1] for a userspace reproduction). Fix it by only using\nfolio_test_swapcache() to determine whether xarray is storing swap cache\nentries or not to choose the right number of xarray entries to update.\n\n[1] https://lore.kernel.org/linux-mm/Z8idPCkaJW1IChjT@casper.infradead.org/\n\nNote:\nIn __split_huge_page(), folio_test_anon() \u0026\u0026 folio_test_swapcache() is\nused to get swap_cache address space, but that ignores the shmem folio in\nswap cache case. It could lead to NULL pointer dereferencing when a\nin-swap-cache shmem folio is split at __xa_store(), since\n!folio_test_anon() is true and folio-\u003emapping is NULL. But fortunately,\nits caller split_huge_page_to_list_to_order() bails out early with EBUSY\nwhen folio-\u003emapping is NULL. So no need to take care of it here.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2025-22015"
},
{
"cve": "CVE-2025-22055",
"cwe": {
"id": "CWE-125",
"name": "Out-of-bounds Read"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: fix geneve_opt length integer overflow\n\nstruct geneve_opt uses 5 bit length for each single option, which\nmeans every vary size option should be smaller than 128 bytes.\n\nHowever, all current related Netlink policies cannot promise this\nlength condition and the attacker can exploit a exact 128-byte size\noption to *fake* a zero length option and confuse the parsing logic,\nfurther achieve heap out-of-bounds read.\n\nOne example crash log is like below:\n\n[ 3.905425] ==================================================================\n[ 3.905925] BUG: KASAN: slab-out-of-bounds in nla_put+0xa9/0xe0\n[ 3.906255] Read of size 124 at addr ffff888005f291cc by task poc/177\n[ 3.906646]\n[ 3.906775] CPU: 0 PID: 177 Comm: poc-oob-read Not tainted 6.1.132 #1\n[ 3.907131] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014\n[ 3.907784] Call Trace:\n[ 3.907925] \u003cTASK\u003e\n[ 3.908048] dump_stack_lvl+0x44/0x5c\n[ 3.908258] print_report+0x184/0x4be\n[ 3.909151] kasan_report+0xc5/0x100\n[ 3.909539] kasan_check_range+0xf3/0x1a0\n[ 3.909794] memcpy+0x1f/0x60\n[ 3.909968] nla_put+0xa9/0xe0\n[ 3.910147] tunnel_key_dump+0x945/0xba0\n[ 3.911536] tcf_action_dump_1+0x1c1/0x340\n[ 3.912436] tcf_action_dump+0x101/0x180\n[ 3.912689] tcf_exts_dump+0x164/0x1e0\n[ 3.912905] fw_dump+0x18b/0x2d0\n[ 3.913483] tcf_fill_node+0x2ee/0x460\n[ 3.914778] tfilter_notify+0xf4/0x180\n[ 3.915208] tc_new_tfilter+0xd51/0x10d0\n[ 3.918615] rtnetlink_rcv_msg+0x4a2/0x560\n[ 3.919118] netlink_rcv_skb+0xcd/0x200\n[ 3.919787] netlink_unicast+0x395/0x530\n[ 3.921032] netlink_sendmsg+0x3d0/0x6d0\n[ 3.921987] __sock_sendmsg+0x99/0xa0\n[ 3.922220] __sys_sendto+0x1b7/0x240\n[ 3.922682] __x64_sys_sendto+0x72/0x90\n[ 3.922906] do_syscall_64+0x5e/0x90\n[ 3.923814] entry_SYSCALL_64_after_hwframe+0x6e/0xd8\n[ 3.924122] RIP: 0033:0x7e83eab84407\n[ 3.924331] Code: 48 89 fa 4c 89 df e8 38 aa 00 00 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 1a 5b c3 0f 1f 84 00 00 00 00 00 48 8b 44 24 10 0f 05 \u003c5b\u003e c3 0f 1f 80 00 00 00 00 83 e2 39 83 faf\n[ 3.925330] RSP: 002b:00007ffff505e370 EFLAGS: 00000202 ORIG_RAX: 000000000000002c\n[ 3.925752] RAX: ffffffffffffffda RBX: 00007e83eaafa740 RCX: 00007e83eab84407\n[ 3.926173] RDX: 00000000000001a8 RSI: 00007ffff505e3c0 RDI: 0000000000000003\n[ 3.926587] RBP: 00007ffff505f460 R08: 00007e83eace1000 R09: 000000000000000c\n[ 3.926977] R10: 0000000000000000 R11: 0000000000000202 R12: 00007ffff505f3c0\n[ 3.927367] R13: 00007ffff505f5c8 R14: 00007e83ead1b000 R15: 00005d4fbbe6dcb8\n\nFix these issues by enforing correct length condition in related\npolicies.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2025-22055"
},
{
"cve": "CVE-2025-22056",
"cwe": {
"id": "CWE-787",
"name": "Out-of-bounds Write"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nft_tunnel: fix geneve_opt type confusion addition\n\nWhen handling multiple NFTA_TUNNEL_KEY_OPTS_GENEVE attributes, the\nparsing logic should place every geneve_opt structure one by one\ncompactly. Hence, when deciding the next geneve_opt position, the\npointer addition should be in units of char *.\n\nHowever, the current implementation erroneously does type conversion\nbefore the addition, which will lead to heap out-of-bounds write.\n\n[ 6.989857] ==================================================================\n[ 6.990293] BUG: KASAN: slab-out-of-bounds in nft_tunnel_obj_init+0x977/0xa70\n[ 6.990725] Write of size 124 at addr ffff888005f18974 by task poc/178\n[ 6.991162]\n[ 6.991259] CPU: 0 PID: 178 Comm: poc-oob-write Not tainted 6.1.132 #1\n[ 6.991655] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014\n[ 6.992281] Call Trace:\n[ 6.992423] \u003cTASK\u003e\n[ 6.992586] dump_stack_lvl+0x44/0x5c\n[ 6.992801] print_report+0x184/0x4be\n[ 6.993790] kasan_report+0xc5/0x100\n[ 6.994252] kasan_check_range+0xf3/0x1a0\n[ 6.994486] memcpy+0x38/0x60\n[ 6.994692] nft_tunnel_obj_init+0x977/0xa70\n[ 6.995677] nft_obj_init+0x10c/0x1b0\n[ 6.995891] nf_tables_newobj+0x585/0x950\n[ 6.996922] nfnetlink_rcv_batch+0xdf9/0x1020\n[ 6.998997] nfnetlink_rcv+0x1df/0x220\n[ 6.999537] netlink_unicast+0x395/0x530\n[ 7.000771] netlink_sendmsg+0x3d0/0x6d0\n[ 7.001462] __sock_sendmsg+0x99/0xa0\n[ 7.001707] ____sys_sendmsg+0x409/0x450\n[ 7.002391] ___sys_sendmsg+0xfd/0x170\n[ 7.003145] __sys_sendmsg+0xea/0x170\n[ 7.004359] do_syscall_64+0x5e/0x90\n[ 7.005817] entry_SYSCALL_64_after_hwframe+0x6e/0xd8\n[ 7.006127] RIP: 0033:0x7ec756d4e407\n[ 7.006339] Code: 48 89 fa 4c 89 df e8 38 aa 00 00 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 1a 5b c3 0f 1f 84 00 00 00 00 00 48 8b 44 24 10 0f 05 \u003c5b\u003e c3 0f 1f 80 00 00 00 00 83 e2 39 83 faf\n[ 7.007364] RSP: 002b:00007ffed5d46760 EFLAGS: 00000202 ORIG_RAX: 000000000000002e\n[ 7.007827] RAX: ffffffffffffffda RBX: 00007ec756cc4740 RCX: 00007ec756d4e407\n[ 7.008223] RDX: 0000000000000000 RSI: 00007ffed5d467f0 RDI: 0000000000000003\n[ 7.008620] RBP: 00007ffed5d468a0 R08: 0000000000000000 R09: 0000000000000000\n[ 7.009039] R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000000\n[ 7.009429] R13: 00007ffed5d478b0 R14: 00007ec756ee5000 R15: 00005cbd4e655cb8\n\nFix this bug with correct pointer addition and conversion in parse\nand dump code.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2025-22056"
},
{
"cve": "CVE-2025-22060",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: mvpp2: Prevent parser TCAM memory corruption\n\nProtect the parser TCAM/SRAM memory, and the cached (shadow) SRAM\ninformation, from concurrent modifications.\n\nBoth the TCAM and SRAM tables are indirectly accessed by configuring\nan index register that selects the row to read or write to. This means\nthat operations must be atomic in order to, e.g., avoid spreading\nwrites across multiple rows. Since the shadow SRAM array is used to\nfind free rows in the hardware table, it must also be protected in\norder to avoid TOCTOU errors where multiple cores allocate the same\nrow.\n\nThis issue was detected in a situation where `mvpp2_set_rx_mode()` ran\nconcurrently on two CPUs. In this particular case the\nMVPP2_PE_MAC_UC_PROMISCUOUS entry was corrupted, causing the\nclassifier unit to drop all incoming unicast - indicated by the\n`rx_classifier_drops` counter.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2025-22060"
},
{
"cve": "CVE-2025-22083",
"cwe": {
"id": "CWE-416",
"name": "Use After Free"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nvhost-scsi: Fix handling of multiple calls to vhost_scsi_set_endpoint\n\nIf vhost_scsi_set_endpoint is called multiple times without a\nvhost_scsi_clear_endpoint between them, we can hit multiple bugs\nfound by Haoran Zhang:\n\n1. Use-after-free when no tpgs are found:\n\nThis fixes a use after free that occurs when vhost_scsi_set_endpoint is\ncalled more than once and calls after the first call do not find any\ntpgs to add to the vs_tpg. When vhost_scsi_set_endpoint first finds\ntpgs to add to the vs_tpg array match=true, so we will do:\n\nvhost_vq_set_backend(vq, vs_tpg);\n...\n\nkfree(vs-\u003evs_tpg);\nvs-\u003evs_tpg = vs_tpg;\n\nIf vhost_scsi_set_endpoint is called again and no tpgs are found\nmatch=false so we skip the vhost_vq_set_backend call leaving the\npointer to the vs_tpg we then free via:\n\nkfree(vs-\u003evs_tpg);\nvs-\u003evs_tpg = vs_tpg;\n\nIf a scsi request is then sent we do:\n\nvhost_scsi_handle_vq -\u003e vhost_scsi_get_req -\u003e vhost_vq_get_backend\n\nwhich sees the vs_tpg we just did a kfree on.\n\n2. Tpg dir removal hang:\n\nThis patch fixes an issue where we cannot remove a LIO/target layer\ntpg (and structs above it like the target) dir due to the refcount\ndropping to -1.\n\nThe problem is that if vhost_scsi_set_endpoint detects a tpg is already\nin the vs-\u003evs_tpg array or if the tpg has been removed so\ntarget_depend_item fails, the undepend goto handler will do\ntarget_undepend_item on all tpgs in the vs_tpg array dropping their\nrefcount to 0. At this time vs_tpg contains both the tpgs we have added\nin the current vhost_scsi_set_endpoint call as well as tpgs we added in\nprevious calls which are also in vs-\u003evs_tpg.\n\nLater, when vhost_scsi_clear_endpoint runs it will do\ntarget_undepend_item on all the tpgs in the vs-\u003evs_tpg which will drop\ntheir refcount to -1. Userspace will then not be able to remove the tpg\nand will hang when it tries to do rmdir on the tpg dir.\n\n3. Tpg leak:\n\nThis fixes a bug where we can leak tpgs and cause them to be\nun-removable because the target name is overwritten when\nvhost_scsi_set_endpoint is called multiple times but with different\ntarget names.\n\nThe bug occurs if a user has called VHOST_SCSI_SET_ENDPOINT and setup\na vhost-scsi device to target/tpg mapping, then calls\nVHOST_SCSI_SET_ENDPOINT again with a new target name that has tpgs we\nhaven\u0027t seen before (target1 has tpg1 but target2 has tpg2). When this\nhappens we don\u0027t teardown the old target tpg mapping and just overwrite\nthe target name and the vs-\u003evs_tpg array. Later when we do\nvhost_scsi_clear_endpoint, we are passed in either target1 or target2\u0027s\nname and we will only match that target\u0027s tpgs when we loop over the\nvs-\u003evs_tpg. We will then return from the function without doing\ntarget_undepend_item on the tpgs.\n\nBecause of all these bugs, it looks like being able to call\nvhost_scsi_set_endpoint multiple times was never supported. The major\nuser, QEMU, already has checks to prevent this use case. So to fix the\nissues, this patch prevents vhost_scsi_set_endpoint from being called\nif it\u0027s already successfully added tpgs. To add, remove or change the\ntpg config or target name, you must do a vhost_scsi_clear_endpoint\nfirst.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2025-22083"
},
{
"cve": "CVE-2025-22090",
"cwe": {
"id": "CWE-459",
"name": "Incomplete Cleanup"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/mm/pat: Fix VM_PAT handling when fork() fails in copy_page_range()\n\nIf track_pfn_copy() fails, we already added the dst VMA to the maple\ntree. As fork() fails, we\u0027ll cleanup the maple tree, and stumble over\nthe dst VMA for which we neither performed any reservation nor copied\nany page tables.\n\nConsequently untrack_pfn() will see VM_PAT and try obtaining the\nPAT information from the page table -- which fails because the page\ntable was not copied.\n\nThe easiest fix would be to simply clear the VM_PAT flag of the dst VMA\nif track_pfn_copy() fails. However, the whole thing is about \"simply\"\nclearing the VM_PAT flag is shaky as well: if we passed track_pfn_copy()\nand performed a reservation, but copying the page tables fails, we\u0027ll\nsimply clear the VM_PAT flag, not properly undoing the reservation ...\nwhich is also wrong.\n\nSo let\u0027s fix it properly: set the VM_PAT flag only if the reservation\nsucceeded (leaving it clear initially), and undo the reservation if\nanything goes wrong while copying the page tables: clearing the VM_PAT\nflag after undoing the reservation.\n\nNote that any copied page table entries will get zapped when the VMA will\nget removed later, after copy_page_range() succeeded; as VM_PAT is not set\nthen, we won\u0027t try cleaning VM_PAT up once more and untrack_pfn() will be\nhappy. Note that leaving these page tables in place without a reservation\nis not a problem, as we are aborting fork(); this process will never run.\n\nA reproducer can trigger this usually at the first try:\n\n https://gitlab.com/davidhildenbrand/scratchspace/-/raw/main/reproducers/pat_fork.c\n\n WARNING: CPU: 26 PID: 11650 at arch/x86/mm/pat/memtype.c:983 get_pat_info+0xf6/0x110\n Modules linked in: ...\n CPU: 26 UID: 0 PID: 11650 Comm: repro3 Not tainted 6.12.0-rc5+ #92\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-2.fc40 04/01/2014\n RIP: 0010:get_pat_info+0xf6/0x110\n ...\n Call Trace:\n \u003cTASK\u003e\n ...\n untrack_pfn+0x52/0x110\n unmap_single_vma+0xa6/0xe0\n unmap_vmas+0x105/0x1f0\n exit_mmap+0xf6/0x460\n __mmput+0x4b/0x120\n copy_process+0x1bf6/0x2aa0\n kernel_clone+0xab/0x440\n __do_sys_clone+0x66/0x90\n do_syscall_64+0x95/0x180\n\nLikely this case was missed in:\n\n d155df53f310 (\"x86/mm/pat: clear VM_PAT if copy_p4d_range failed\")\n\n... and instead of undoing the reservation we simply cleared the VM_PAT flag.\n\nKeep the documentation of these functions in include/linux/pgtable.h,\none place is more than sufficient -- we should clean that up for the other\nfunctions like track_pfn_remap/untrack_pfn separately.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2025-22090"
},
{
"cve": "CVE-2025-22095",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nPCI: brcmstb: Fix error path after a call to regulator_bulk_get()\n\nIf the regulator_bulk_get() returns an error and no regulators\nare created, we need to set their number to zero.\n\nIf we don\u0027t do this and the PCIe link up fails, a call to the\nregulator_bulk_free() will result in a kernel panic.\n\nWhile at it, print the error value, as we cannot return an error\nupwards as the kernel will WARN() on an error from add_bus().\n\n[kwilczynski: commit log, use comma in the message to match style with\nother similar messages]",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2025-22095"
},
{
"cve": "CVE-2025-22107",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: dsa: sja1105: fix kasan out-of-bounds warning in sja1105_table_delete_entry()\n\nThere are actually 2 problems:\n- deleting the last element doesn\u0027t require the memmove of elements\n [i + 1, end) over it. Actually, element i+1 is out of bounds.\n- The memmove itself should move size - i - 1 elements, because the last\n element is out of bounds.\n\nThe out-of-bounds element still remains out of bounds after being\naccessed, so the problem is only that we touch it, not that it becomes\nin active use. But I suppose it can lead to issues if the out-of-bounds\nelement is part of an unmapped page.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2025-22107"
},
{
"cve": "CVE-2025-22111",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: Remove RTNL dance for SIOCBRADDIF and SIOCBRDELIF.\n\nSIOCBRDELIF is passed to dev_ioctl() first and later forwarded to\nbr_ioctl_call(), which causes unnecessary RTNL dance and the splat\nbelow [0] under RTNL pressure.\n\nLet\u0027s say Thread A is trying to detach a device from a bridge and\nThread B is trying to remove the bridge.\n\nIn dev_ioctl(), Thread A bumps the bridge device\u0027s refcnt by\nnetdev_hold() and releases RTNL because the following br_ioctl_call()\nalso re-acquires RTNL.\n\nIn the race window, Thread B could acquire RTNL and try to remove\nthe bridge device. Then, rtnl_unlock() by Thread B will release RTNL\nand wait for netdev_put() by Thread A.\n\nThread A, however, must hold RTNL after the unlock in dev_ifsioc(),\nwhich may take long under RTNL pressure, resulting in the splat by\nThread B.\n\n Thread A (SIOCBRDELIF) Thread B (SIOCBRDELBR)\n ---------------------- ----------------------\n sock_ioctl sock_ioctl\n `- sock_do_ioctl `- br_ioctl_call\n `- dev_ioctl `- br_ioctl_stub\n |- rtnl_lock |\n |- dev_ifsioc \u0027\n \u0027 |- dev = __dev_get_by_name(...)\n |- netdev_hold(dev, ...) .\n / |- rtnl_unlock ------. |\n | |- br_ioctl_call `---\u003e |- rtnl_lock\n Race | | `- br_ioctl_stub |- br_del_bridge\n Window | | | |- dev = __dev_get_by_name(...)\n | | | May take long | `- br_dev_delete(dev, ...)\n | | | under RTNL pressure | `- unregister_netdevice_queue(dev, ...)\n | | | | `- rtnl_unlock\n \\ | |- rtnl_lock \u003c-\u0027 `- netdev_run_todo\n | |- ... `- netdev_run_todo\n | `- rtnl_unlock |- __rtnl_unlock\n | |- netdev_wait_allrefs_any\n |- netdev_put(dev, ...) \u003c----------------\u0027\n Wait refcnt decrement\n and log splat below\n\nTo avoid blocking SIOCBRDELBR unnecessarily, let\u0027s not call\ndev_ioctl() for SIOCBRADDIF and SIOCBRDELIF.\n\nIn the dev_ioctl() path, we do the following:\n\n 1. Copy struct ifreq by get_user_ifreq in sock_do_ioctl()\n 2. Check CAP_NET_ADMIN in dev_ioctl()\n 3. Call dev_load() in dev_ioctl()\n 4. Fetch the master dev from ifr.ifr_name in dev_ifsioc()\n\n3. can be done by request_module() in br_ioctl_call(), so we move\n1., 2., and 4. to br_ioctl_stub().\n\nNote that 2. is also checked later in add_del_if(), but it\u0027s better\nperformed before RTNL.\n\nSIOCBRADDIF and SIOCBRDELIF have been processed in dev_ioctl() since\nthe pre-git era, and there seems to be no specific reason to process\nthem there.\n\n[0]:\nunregister_netdevice: waiting for wpan3 to become free. Usage count = 2\nref_tracker: wpan3@ffff8880662d8608 has 1/1 users at\n __netdev_tracker_alloc include/linux/netdevice.h:4282 [inline]\n netdev_hold include/linux/netdevice.h:4311 [inline]\n dev_ifsioc+0xc6a/0x1160 net/core/dev_ioctl.c:624\n dev_ioctl+0x255/0x10c0 net/core/dev_ioctl.c:826\n sock_do_ioctl+0x1ca/0x260 net/socket.c:1213\n sock_ioctl+0x23a/0x6c0 net/socket.c:1318\n vfs_ioctl fs/ioctl.c:51 [inline]\n __do_sys_ioctl fs/ioctl.c:906 [inline]\n __se_sys_ioctl fs/ioctl.c:892 [inline]\n __x64_sys_ioctl+0x1a4/0x210 fs/ioctl.c:892\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xcb/0x250 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2025-22111"
},
{
"cve": "CVE-2025-22121",
"cwe": {
"id": "CWE-125",
"name": "Out-of-bounds Read"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix out-of-bound read in ext4_xattr_inode_dec_ref_all()\n\nThere\u0027s issue as follows:\nBUG: KASAN: use-after-free in ext4_xattr_inode_dec_ref_all+0x6ff/0x790\nRead of size 4 at addr ffff88807b003000 by task syz-executor.0/15172\n\nCPU: 3 PID: 15172 Comm: syz-executor.0\nCall Trace:\n __dump_stack lib/dump_stack.c:82 [inline]\n dump_stack+0xbe/0xfd lib/dump_stack.c:123\n print_address_description.constprop.0+0x1e/0x280 mm/kasan/report.c:400\n __kasan_report.cold+0x6c/0x84 mm/kasan/report.c:560\n kasan_report+0x3a/0x50 mm/kasan/report.c:585\n ext4_xattr_inode_dec_ref_all+0x6ff/0x790 fs/ext4/xattr.c:1137\n ext4_xattr_delete_inode+0x4c7/0xda0 fs/ext4/xattr.c:2896\n ext4_evict_inode+0xb3b/0x1670 fs/ext4/inode.c:323\n evict+0x39f/0x880 fs/inode.c:622\n iput_final fs/inode.c:1746 [inline]\n iput fs/inode.c:1772 [inline]\n iput+0x525/0x6c0 fs/inode.c:1758\n ext4_orphan_cleanup fs/ext4/super.c:3298 [inline]\n ext4_fill_super+0x8c57/0xba40 fs/ext4/super.c:5300\n mount_bdev+0x355/0x410 fs/super.c:1446\n legacy_get_tree+0xfe/0x220 fs/fs_context.c:611\n vfs_get_tree+0x8d/0x2f0 fs/super.c:1576\n do_new_mount fs/namespace.c:2983 [inline]\n path_mount+0x119a/0x1ad0 fs/namespace.c:3316\n do_mount+0xfc/0x110 fs/namespace.c:3329\n __do_sys_mount fs/namespace.c:3540 [inline]\n __se_sys_mount+0x219/0x2e0 fs/namespace.c:3514\n do_syscall_64+0x33/0x40 arch/x86/entry/common.c:46\n entry_SYSCALL_64_after_hwframe+0x67/0xd1\n\nMemory state around the buggy address:\n ffff88807b002f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n ffff88807b002f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n\u003effff88807b003000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff\n ^\n ffff88807b003080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff\n ffff88807b003100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff\n\nAbove issue happens as ext4_xattr_delete_inode() isn\u0027t check xattr\nis valid if xattr is in inode.\nTo solve above issue call xattr_check_inode() check if xattr if valid\nin inode. In fact, we can directly verify in ext4_iget_extra_inode(),\nso that there is no divergent verification.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2025-22121"
},
{
"cve": "CVE-2025-23136",
"cwe": {
"id": "CWE-476",
"name": "NULL Pointer Dereference"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nthermal: int340x: Add NULL check for adev\n\nNot all devices have an ACPI companion fwnode, so adev might be NULL.\nThis is similar to the commit cd2fd6eab480\n(\"platform/x86: int3472: Check for adev == NULL\").\n\nAdd a check for adev not being set and return -ENODEV in that case to\navoid a possible NULL pointer deref in int3402_thermal_probe().\n\nNote, under the same directory, int3400_thermal_probe() has such a\ncheck.\n\n[ rjw: Subject edit, added Fixes: ]",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2025-23136"
},
{
"cve": "CVE-2025-23143",
"cwe": {
"id": "CWE-476",
"name": "NULL Pointer Dereference"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: Fix null-ptr-deref by sock_lock_init_class_and_name() and rmmod.\n\nWhen I ran the repro [0] and waited a few seconds, I observed two\nLOCKDEP splats: a warning immediately followed by a null-ptr-deref. [1]\n\nReproduction Steps:\n\n 1) Mount CIFS\n 2) Add an iptables rule to drop incoming FIN packets for CIFS\n 3) Unmount CIFS\n 4) Unload the CIFS module\n 5) Remove the iptables rule\n\nAt step 3), the CIFS module calls sock_release() for the underlying\nTCP socket, and it returns quickly. However, the socket remains in\nFIN_WAIT_1 because incoming FIN packets are dropped.\n\nAt this point, the module\u0027s refcnt is 0 while the socket is still\nalive, so the following rmmod command succeeds.\n\n # ss -tan\n State Recv-Q Send-Q Local Address:Port Peer Address:Port\n FIN-WAIT-1 0 477 10.0.2.15:51062 10.0.0.137:445\n\n # lsmod | grep cifs\n cifs 1159168 0\n\nThis highlights a discrepancy between the lifetime of the CIFS module\nand the underlying TCP socket. Even after CIFS calls sock_release()\nand it returns, the TCP socket does not die immediately in order to\nclose the connection gracefully.\n\nWhile this is generally fine, it causes an issue with LOCKDEP because\nCIFS assigns a different lock class to the TCP socket\u0027s sk-\u003esk_lock\nusing sock_lock_init_class_and_name().\n\nOnce an incoming packet is processed for the socket or a timer fires,\nsk-\u003esk_lock is acquired.\n\nThen, LOCKDEP checks the lock context in check_wait_context(), where\nhlock_class() is called to retrieve the lock class. However, since\nthe module has already been unloaded, hlock_class() logs a warning\nand returns NULL, triggering the null-ptr-deref.\n\nIf LOCKDEP is enabled, we must ensure that a module calling\nsock_lock_init_class_and_name() (CIFS, NFS, etc) cannot be unloaded\nwhile such a socket is still alive to prevent this issue.\n\nLet\u0027s hold the module reference in sock_lock_init_class_and_name()\nand release it when the socket is freed in sk_prot_free().\n\nNote that sock_lock_init() clears sk-\u003esk_owner for svc_create_socket()\nthat calls sock_lock_init_class_and_name() for a listening socket,\nwhich clones a socket by sk_clone_lock() without GFP_ZERO.\n\n[0]:\nCIFS_SERVER=\"10.0.0.137\"\nCIFS_PATH=\"//${CIFS_SERVER}/Users/Administrator/Desktop/CIFS_TEST\"\nDEV=\"enp0s3\"\nCRED=\"/root/WindowsCredential.txt\"\n\nMNT=$(mktemp -d /tmp/XXXXXX)\nmount -t cifs ${CIFS_PATH} ${MNT} -o vers=3.0,credentials=${CRED},cache=none,echo_interval=1\n\niptables -A INPUT -s ${CIFS_SERVER} -j DROP\n\nfor i in $(seq 10);\ndo\n umount ${MNT}\n rmmod cifs\n sleep 1\ndone\n\nrm -r ${MNT}\n\niptables -D INPUT -s ${CIFS_SERVER} -j DROP\n\n[1]:\nDEBUG_LOCKS_WARN_ON(1)\nWARNING: CPU: 10 PID: 0 at kernel/locking/lockdep.c:234 hlock_class (kernel/locking/lockdep.c:234 kernel/locking/lockdep.c:223)\nModules linked in: cifs_arc4 nls_ucs2_utils cifs_md4 [last unloaded: cifs]\nCPU: 10 UID: 0 PID: 0 Comm: swapper/10 Not tainted 6.14.0 #36\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014\nRIP: 0010:hlock_class (kernel/locking/lockdep.c:234 kernel/locking/lockdep.c:223)\n...\nCall Trace:\n \u003cIRQ\u003e\n __lock_acquire (kernel/locking/lockdep.c:4853 kernel/locking/lockdep.c:5178)\n lock_acquire (kernel/locking/lockdep.c:469 kernel/locking/lockdep.c:5853 kernel/locking/lockdep.c:5816)\n _raw_spin_lock_nested (kernel/locking/spinlock.c:379)\n tcp_v4_rcv (./include/linux/skbuff.h:1678 ./include/net/tcp.h:2547 net/ipv4/tcp_ipv4.c:2350)\n...\n\nBUG: kernel NULL pointer dereference, address: 00000000000000c4\n PF: supervisor read access in kernel mode\n PF: error_code(0x0000) - not-present page\nPGD 0\nOops: Oops: 0000 [#1] PREEMPT SMP NOPTI\nCPU: 10 UID: 0 PID: 0 Comm: swapper/10 Tainted: G W 6.14.0 #36\nTainted: [W]=WARN\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014\nRIP: 0010:__lock_acquire (kernel/\n---truncated---",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2025-23143"
},
{
"cve": "CVE-2025-37785",
"cwe": {
"id": "CWE-125",
"name": "Out-of-bounds Read"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix OOB read when checking dotdot dir\n\nMounting a corrupted filesystem with directory which contains \u0027.\u0027 dir\nentry with rec_len == block size results in out-of-bounds read (later\non, when the corrupted directory is removed).\n\next4_empty_dir() assumes every ext4 directory contains at least \u0027.\u0027\nand \u0027..\u0027 as directory entries in the first data block. It first loads\nthe \u0027.\u0027 dir entry, performs sanity checks by calling ext4_check_dir_entry()\nand then uses its rec_len member to compute the location of \u0027..\u0027 dir\nentry (in ext4_next_entry). It assumes the \u0027..\u0027 dir entry fits into the\nsame data block.\n\nIf the rec_len of \u0027.\u0027 is precisely one block (4KB), it slips through the\nsanity checks (it is considered the last directory entry in the data\nblock) and leaves \"struct ext4_dir_entry_2 *de\" point exactly past the\nmemory slot allocated to the data block. The following call to\next4_check_dir_entry() on new value of de then dereferences this pointer\nwhich results in out-of-bounds mem access.\n\nFix this by extending __ext4_check_dir_entry() to check for \u0027.\u0027 dir\nentries that reach the end of data block. Make sure to ignore the phony\ndir entries for checksum (by checking name_len for non-zero).\n\nNote: This is reported by KASAN as use-after-free in case another\nstructure was recently freed from the slot past the bound, but it is\nreally an OOB read.\n\nThis issue was found by syzkaller tool.\n\nCall Trace:\n[ 38.594108] BUG: KASAN: slab-use-after-free in __ext4_check_dir_entry+0x67e/0x710\n[ 38.594649] Read of size 2 at addr ffff88802b41a004 by task syz-executor/5375\n[ 38.595158]\n[ 38.595288] CPU: 0 UID: 0 PID: 5375 Comm: syz-executor Not tainted 6.14.0-rc7 #1\n[ 38.595298] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014\n[ 38.595304] Call Trace:\n[ 38.595308] \u003cTASK\u003e\n[ 38.595311] dump_stack_lvl+0xa7/0xd0\n[ 38.595325] print_address_description.constprop.0+0x2c/0x3f0\n[ 38.595339] ? __ext4_check_dir_entry+0x67e/0x710\n[ 38.595349] print_report+0xaa/0x250\n[ 38.595359] ? __ext4_check_dir_entry+0x67e/0x710\n[ 38.595368] ? kasan_addr_to_slab+0x9/0x90\n[ 38.595378] kasan_report+0xab/0xe0\n[ 38.595389] ? __ext4_check_dir_entry+0x67e/0x710\n[ 38.595400] __ext4_check_dir_entry+0x67e/0x710\n[ 38.595410] ext4_empty_dir+0x465/0x990\n[ 38.595421] ? __pfx_ext4_empty_dir+0x10/0x10\n[ 38.595432] ext4_rmdir.part.0+0x29a/0xd10\n[ 38.595441] ? __dquot_initialize+0x2a7/0xbf0\n[ 38.595455] ? __pfx_ext4_rmdir.part.0+0x10/0x10\n[ 38.595464] ? __pfx___dquot_initialize+0x10/0x10\n[ 38.595478] ? down_write+0xdb/0x140\n[ 38.595487] ? __pfx_down_write+0x10/0x10\n[ 38.595497] ext4_rmdir+0xee/0x140\n[ 38.595506] vfs_rmdir+0x209/0x670\n[ 38.595517] ? lookup_one_qstr_excl+0x3b/0x190\n[ 38.595529] do_rmdir+0x363/0x3c0\n[ 38.595537] ? __pfx_do_rmdir+0x10/0x10\n[ 38.595544] ? strncpy_from_user+0x1ff/0x2e0\n[ 38.595561] __x64_sys_unlinkat+0xf0/0x130\n[ 38.595570] do_syscall_64+0x5b/0x180\n[ 38.595583] entry_SYSCALL_64_after_hwframe+0x76/0x7e",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2025-37785"
},
{
"cve": "CVE-2025-37909",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: lan743x: Fix memleak issue when GSO enabled\n\nAlways map the `skb` to the LS descriptor. Previously skb was\nmapped to EXT descriptor when the number of fragments is zero with\nGSO enabled. Mapping the skb to EXT descriptor prevents it from\nbeing freed, leading to a memory leak",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.0,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2025-37909"
},
{
"cve": "CVE-2025-37917",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ethernet: mtk-star-emac: fix spinlock recursion issues on rx/tx poll\n\nUse spin_lock_irqsave and spin_unlock_irqrestore instead of spin_lock\nand spin_unlock in mtk_star_emac driver to avoid spinlock recursion\noccurrence that can happen when enabling the DMA interrupts again in\nrx/tx poll.\n\n```\nBUG: spinlock recursion on CPU#0, swapper/0/0\n lock: 0xffff00000db9cf20, .magic: dead4ead, .owner: swapper/0/0,\n .owner_cpu: 0\nCPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted\n 6.15.0-rc2-next-20250417-00001-gf6a27738686c-dirty #28 PREEMPT\nHardware name: MediaTek MT8365 Open Platform EVK (DT)\nCall trace:\n show_stack+0x18/0x24 (C)\n dump_stack_lvl+0x60/0x80\n dump_stack+0x18/0x24\n spin_dump+0x78/0x88\n do_raw_spin_lock+0x11c/0x120\n _raw_spin_lock+0x20/0x2c\n mtk_star_handle_irq+0xc0/0x22c [mtk_star_emac]\n __handle_irq_event_percpu+0x48/0x140\n handle_irq_event+0x4c/0xb0\n handle_fasteoi_irq+0xa0/0x1bc\n handle_irq_desc+0x34/0x58\n generic_handle_domain_irq+0x1c/0x28\n gic_handle_irq+0x4c/0x120\n do_interrupt_handler+0x50/0x84\n el1_interrupt+0x34/0x68\n el1h_64_irq_handler+0x18/0x24\n el1h_64_irq+0x6c/0x70\n regmap_mmio_read32le+0xc/0x20 (P)\n _regmap_bus_reg_read+0x6c/0xac\n _regmap_read+0x60/0xdc\n regmap_read+0x4c/0x80\n mtk_star_rx_poll+0x2f4/0x39c [mtk_star_emac]\n __napi_poll+0x38/0x188\n net_rx_action+0x164/0x2c0\n handle_softirqs+0x100/0x244\n __do_softirq+0x14/0x20\n ____do_softirq+0x10/0x20\n call_on_irq_stack+0x24/0x64\n do_softirq_own_stack+0x1c/0x40\n __irq_exit_rcu+0xd4/0x10c\n irq_exit_rcu+0x10/0x1c\n el1_interrupt+0x38/0x68\n el1h_64_irq_handler+0x18/0x24\n el1h_64_irq+0x6c/0x70\n cpuidle_enter_state+0xac/0x320 (P)\n cpuidle_enter+0x38/0x50\n do_idle+0x1e4/0x260\n cpu_startup_entry+0x34/0x3c\n rest_init+0xdc/0xe0\n console_on_rootfs+0x0/0x6c\n __primary_switched+0x88/0x90\n```",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.0,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2025-37917"
},
{
"cve": "CVE-2025-37945",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: phy: allow MDIO bus PM ops to start/stop state machine for phylink-controlled PHY\n\nDSA has 2 kinds of drivers:\n\n1. Those who call dsa_switch_suspend() and dsa_switch_resume() from\n their device PM ops: qca8k-8xxx, bcm_sf2, microchip ksz\n2. Those who don\u0027t: all others. The above methods should be optional.\n\nFor type 1, dsa_switch_suspend() calls dsa_user_suspend() -\u003e phylink_stop(),\nand dsa_switch_resume() calls dsa_user_resume() -\u003e phylink_start().\nThese seem good candidates for setting mac_managed_pm = true because\nthat is essentially its definition [1], but that does not seem to be the\nbiggest problem for now, and is not what this change focuses on.\n\nTalking strictly about the 2nd category of DSA drivers here (which\ndo not have MAC managed PM, meaning that for their attached PHYs,\nmdio_bus_phy_suspend() and mdio_bus_phy_resume() should run in full),\nI have noticed that the following warning from mdio_bus_phy_resume() is\ntriggered:\n\n\tWARN_ON(phydev-\u003estate != PHY_HALTED \u0026\u0026 phydev-\u003estate != PHY_READY \u0026\u0026\n\t\tphydev-\u003estate != PHY_UP);\n\nbecause the PHY state machine is running.\n\nIt\u0027s running as a result of a previous dsa_user_open() -\u003e ... -\u003e\nphylink_start() -\u003e phy_start() having been initiated by the user.\n\nThe previous mdio_bus_phy_suspend() was supposed to have called\nphy_stop_machine(), but it didn\u0027t. So this is why the PHY is in state\nPHY_NOLINK by the time mdio_bus_phy_resume() runs.\n\nmdio_bus_phy_suspend() did not call phy_stop_machine() because for\nphylink, the phydev-\u003eadjust_link function pointer is NULL. This seems a\ntechnicality introduced by commit fddd91016d16 (\"phylib: fix PAL state\nmachine restart on resume\"). That commit was written before phylink\nexisted, and was intended to avoid crashing with consumer drivers which\ndon\u0027t use the PHY state machine - phylink always does, when using a PHY.\nBut phylink itself has historically not been developed with\nsuspend/resume in mind, and apparently not tested too much in that\nscenario, allowing this bug to exist unnoticed for so long. Plus, prior\nto the WARN_ON(), it would have likely been invisible.\n\nThis issue is not in fact restricted to type 2 DSA drivers (according to\nthe above ad-hoc classification), but can be extrapolated to any MAC\ndriver with phylink and MDIO-bus-managed PHY PM ops. DSA is just where\nthe issue was reported. Assuming mac_managed_pm is set correctly, a\nquick search indicates the following other drivers might be affected:\n\n$ grep -Zlr PHYLINK_NETDEV drivers/ | xargs -0 grep -L mac_managed_pm\ndrivers/net/ethernet/atheros/ag71xx.c\ndrivers/net/ethernet/microchip/sparx5/sparx5_main.c\ndrivers/net/ethernet/microchip/lan966x/lan966x_main.c\ndrivers/net/ethernet/freescale/dpaa2/dpaa2-mac.c\ndrivers/net/ethernet/freescale/fs_enet/fs_enet-main.c\ndrivers/net/ethernet/freescale/dpaa/dpaa_eth.c\ndrivers/net/ethernet/freescale/ucc_geth.c\ndrivers/net/ethernet/freescale/enetc/enetc_pf_common.c\ndrivers/net/ethernet/marvell/mvpp2/mvpp2_main.c\ndrivers/net/ethernet/marvell/mvneta.c\ndrivers/net/ethernet/marvell/prestera/prestera_main.c\ndrivers/net/ethernet/mediatek/mtk_eth_soc.c\ndrivers/net/ethernet/altera/altera_tse_main.c\ndrivers/net/ethernet/wangxun/txgbe/txgbe_phy.c\ndrivers/net/ethernet/meta/fbnic/fbnic_phylink.c\ndrivers/net/ethernet/tehuti/tn40_phy.c\ndrivers/net/ethernet/mscc/ocelot_net.c\n\nMake the existing conditions dependent on the PHY device having a\nphydev-\u003ephy_link_change() implementation equal to the default\nphy_link_change() provided by phylib. Otherwise, we implicitly know that\nthe phydev has the phylink-provided phylink_phy_change() callback, and\nwhen phylink is used, the PHY state machine always needs to be stopped/\nstarted on the suspend/resume path. The code is structured as such that\nif phydev-\u003ephy_link_change() is absent, it is a matter of time until the\nkernel will crash - no need to further complicate the test.\n\nThus, for the situation where the PM is not managed b\n---truncated---",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2025-37945"
},
{
"cve": "CVE-2025-37959",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Scrub packet on bpf_redirect_peer\n\nWhen bpf_redirect_peer is used to redirect packets to a device in\nanother network namespace, the skb isn\u0027t scrubbed. That can lead skb\ninformation from one namespace to be \"misused\" in another namespace.\n\nAs one example, this is causing Cilium to drop traffic when using\nbpf_redirect_peer to redirect packets that just went through IPsec\ndecryption to a container namespace. The following pwru trace shows (1)\nthe packet path from the host\u0027s XFRM layer to the container\u0027s XFRM\nlayer where it\u0027s dropped and (2) the number of active skb extensions at\neach function.\n\n NETNS MARK IFACE TUPLE FUNC\n 4026533547 d00 eth0 10.244.3.124:35473-\u003e10.244.2.158:53 xfrm_rcv_cb\n .active_extensions = (__u8)2,\n 4026533547 d00 eth0 10.244.3.124:35473-\u003e10.244.2.158:53 xfrm4_rcv_cb\n .active_extensions = (__u8)2,\n 4026533547 d00 eth0 10.244.3.124:35473-\u003e10.244.2.158:53 gro_cells_receive\n .active_extensions = (__u8)2,\n [...]\n 4026533547 0 eth0 10.244.3.124:35473-\u003e10.244.2.158:53 skb_do_redirect\n .active_extensions = (__u8)2,\n 4026534999 0 eth0 10.244.3.124:35473-\u003e10.244.2.158:53 ip_rcv\n .active_extensions = (__u8)2,\n 4026534999 0 eth0 10.244.3.124:35473-\u003e10.244.2.158:53 ip_rcv_core\n .active_extensions = (__u8)2,\n [...]\n 4026534999 0 eth0 10.244.3.124:35473-\u003e10.244.2.158:53 udp_queue_rcv_one_skb\n .active_extensions = (__u8)2,\n 4026534999 0 eth0 10.244.3.124:35473-\u003e10.244.2.158:53 __xfrm_policy_check\n .active_extensions = (__u8)2,\n 4026534999 0 eth0 10.244.3.124:35473-\u003e10.244.2.158:53 __xfrm_decode_session\n .active_extensions = (__u8)2,\n 4026534999 0 eth0 10.244.3.124:35473-\u003e10.244.2.158:53 security_xfrm_decode_session\n .active_extensions = (__u8)2,\n 4026534999 0 eth0 10.244.3.124:35473-\u003e10.244.2.158:53 kfree_skb_reason(SKB_DROP_REASON_XFRM_POLICY)\n .active_extensions = (__u8)2,\n\nIn this case, there are no XFRM policies in the container\u0027s network\nnamespace so the drop is unexpected. When we decrypt the IPsec packet,\nthe XFRM state used for decryption is set in the skb extensions. This\ninformation is preserved across the netns switch. When we reach the\nXFRM policy check in the container\u0027s netns, __xfrm_policy_check drops\nthe packet with LINUX_MIB_XFRMINNOPOLS because a (container-side) XFRM\npolicy can\u0027t be found that matches the (host-side) XFRM state used for\ndecryption.\n\nThis patch fixes this by scrubbing the packet when using\nbpf_redirect_peer, as is done on typical netns switches via veth\ndevices except skb-\u003emark and skb-\u003etstamp are not zeroed.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.0,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2025-37959"
},
{
"cve": "CVE-2025-37964",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/mm: Eliminate window where TLB flushes may be inadvertently skipped\n\ntl;dr: There is a window in the mm switching code where the new CR3 is\nset and the CPU should be getting TLB flushes for the new mm. But\nshould_flush_tlb() has a bug and suppresses the flush. Fix it by\nwidening the window where should_flush_tlb() sends an IPI.\n\nLong Version:\n\n=== History ===\n\nThere were a few things leading up to this.\n\nFirst, updating mm_cpumask() was observed to be too expensive, so it was\nmade lazier. But being lazy caused too many unnecessary IPIs to CPUs\ndue to the now-lazy mm_cpumask(). So code was added to cull\nmm_cpumask() periodically[2]. But that culling was a bit too aggressive\nand skipped sending TLB flushes to CPUs that need them. So here we are\nagain.\n\n=== Problem ===\n\nThe too-aggressive code in should_flush_tlb() strikes in this window:\n\n\t// Turn on IPIs for this CPU/mm combination, but only\n\t// if should_flush_tlb() agrees:\n\tcpumask_set_cpu(cpu, mm_cpumask(next));\n\n\tnext_tlb_gen = atomic64_read(\u0026next-\u003econtext.tlb_gen);\n\tchoose_new_asid(next, next_tlb_gen, \u0026new_asid, \u0026need_flush);\n\tload_new_mm_cr3(need_flush);\n\t// ^ After \u0027need_flush\u0027 is set to false, IPIs *MUST*\n\t// be sent to this CPU and not be ignored.\n\n this_cpu_write(cpu_tlbstate.loaded_mm, next);\n\t// ^ Not until this point does should_flush_tlb()\n\t// become true!\n\nshould_flush_tlb() will suppress TLB flushes between load_new_mm_cr3()\nand writing to \u0027loaded_mm\u0027, which is a window where they should not be\nsuppressed. Whoops.\n\n=== Solution ===\n\nThankfully, the fuzzy \"just about to write CR3\" window is already marked\nwith loaded_mm==LOADED_MM_SWITCHING. Simply checking for that state in\nshould_flush_tlb() is sufficient to ensure that the CPU is targeted with\nan IPI.\n\nThis will cause more TLB flush IPIs. But the window is relatively small\nand I do not expect this to cause any kind of measurable performance\nimpact.\n\nUpdate the comment where LOADED_MM_SWITCHING is written since it grew\nyet another user.\n\nPeter Z also raised a concern that should_flush_tlb() might not observe\n\u0027loaded_mm\u0027 and \u0027is_lazy\u0027 in the same order that switch_mm_irqs_off()\nwrites them. Add a barrier to ensure that they are observed in the\norder they are written.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.0,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2025-37964"
},
{
"cve": "CVE-2025-37972",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nInput: mtk-pmic-keys - fix possible null pointer dereference\n\nIn mtk_pmic_keys_probe, the regs parameter is only set if the button is\nparsed in the device tree. However, on hardware where the button is left\nfloating, that node will most likely be removed not to enable that\ninput. In that case the code will try to dereference a null pointer.\n\nLet\u0027s use the regs struct instead as it is defined for all supported\nplatforms. Note that it is ok setting the key reg even if that latter is\ndisabled as the interrupt won\u0027t be enabled anyway.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2025-37972"
},
{
"cve": "CVE-2025-37980",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nblock: fix resource leak in blk_register_queue() error path\n\nWhen registering a queue fails after blk_mq_sysfs_register() is\nsuccessful but the function later encounters an error, we need\nto clean up the blk_mq_sysfs resources.\n\nAdd the missing blk_mq_sysfs_unregister() call in the error path\nto properly clean up these resources and prevent a memory leak.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2025-37980"
},
{
"cve": "CVE-2025-38125",
"cwe": {
"id": "CWE-369",
"name": "Divide By Zero"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: stmmac: make sure that ptp_rate is not 0 before configuring EST\n\nIf the ptp_rate recorded earlier in the driver happens to be 0, this\nbogus value will propagate up to EST configuration, where it will\ntrigger a division by 0.\n\nPrevent this division by 0 by adding the corresponding check and error\ncode.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2025-38125"
},
{
"cve": "CVE-2025-38162",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nft_set_pipapo: prevent overflow in lookup table allocation\n\nWhen calculating the lookup table size, ensure the following\nmultiplication does not overflow:\n\n- desc-\u003efield_len[] maximum value is U8_MAX multiplied by\n NFT_PIPAPO_GROUPS_PER_BYTE(f) that can be 2, worst case.\n- NFT_PIPAPO_BUCKETS(f-\u003ebb) is 2^8, worst case.\n- sizeof(unsigned long), from sizeof(*f-\u003elt), lt in\n struct nft_pipapo_field.\n\nThen, use check_mul_overflow() to multiply by bucket size and then use\ncheck_add_overflow() to the alignment for avx2 (if needed). Finally, add\nlt_size_check_overflow() helper and use it to consolidate this.\n\nWhile at it, replace leftover allocation using the GFP_KERNEL to\nGFP_KERNEL_ACCOUNT for consistency, in pipapo_resize().",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.0,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2025-38162"
},
{
"cve": "CVE-2025-38192",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: clear the dst when changing skb protocol\n\nA not-so-careful NAT46 BPF program can crash the kernel\nif it indiscriminately flips ingress packets from v4 to v6:\n\n BUG: kernel NULL pointer dereference, address: 0000000000000000\n ip6_rcv_core (net/ipv6/ip6_input.c:190:20)\n ipv6_rcv (net/ipv6/ip6_input.c:306:8)\n process_backlog (net/core/dev.c:6186:4)\n napi_poll (net/core/dev.c:6906:9)\n net_rx_action (net/core/dev.c:7028:13)\n do_softirq (kernel/softirq.c:462:3)\n netif_rx (net/core/dev.c:5326:3)\n dev_loopback_xmit (net/core/dev.c:4015:2)\n ip_mc_finish_output (net/ipv4/ip_output.c:363:8)\n NF_HOOK (./include/linux/netfilter.h:314:9)\n ip_mc_output (net/ipv4/ip_output.c:400:5)\n dst_output (./include/net/dst.h:459:9)\n ip_local_out (net/ipv4/ip_output.c:130:9)\n ip_send_skb (net/ipv4/ip_output.c:1496:8)\n udp_send_skb (net/ipv4/udp.c:1040:8)\n udp_sendmsg (net/ipv4/udp.c:1328:10)\n\nThe output interface has a 4-\u003e6 program attached at ingress.\nWe try to loop the multicast skb back to the sending socket.\nIngress BPF runs as part of netif_rx(), pushes a valid v6 hdr\nand changes skb-\u003eprotocol to v6. We enter ip6_rcv_core which\ntries to use skb_dst(). But the dst is still an IPv4 one left\nafter IPv4 mcast output.\n\nClear the dst in all BPF helpers which change the protocol.\nTry to preserve metadata dsts, those may carry non-routing\nmetadata.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2025-38192"
},
{
"cve": "CVE-2025-38201",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nft_set_pipapo: clamp maximum map bucket size to INT_MAX\n\nOtherwise, it is possible to hit WARN_ON_ONCE in __kvmalloc_node_noprof()\nwhen resizing hashtable because __GFP_NOWARN is unset.\n\nSimilar to:\n\n b541ba7d1f5a (\"netfilter: conntrack: clamp maximum hashtable size to INT_MAX\")",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2025-38201"
},
{
"cve": "CVE-2025-38232",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nNFSD: fix race between nfsd registration and exports_proc\n\nAs of now nfsd calls create_proc_exports_entry() at start of init_nfsd\nand cleanup by remove_proc_entry() at last of exit_nfsd.\n\nWhich causes kernel OOPs if there is race between below 2 operations:\n(i) exportfs -r\n(ii) mount -t nfsd none /proc/fs/nfsd\n\nfor 5.4 kernel ARM64:\n\nCPU 1:\nel1_irq+0xbc/0x180\narch_counter_get_cntvct+0x14/0x18\nrunning_clock+0xc/0x18\npreempt_count_add+0x88/0x110\nprep_new_page+0xb0/0x220\nget_page_from_freelist+0x2d8/0x1778\n__alloc_pages_nodemask+0x15c/0xef0\n__vmalloc_node_range+0x28c/0x478\n__vmalloc_node_flags_caller+0x8c/0xb0\nkvmalloc_node+0x88/0xe0\nnfsd_init_net+0x6c/0x108 [nfsd]\nops_init+0x44/0x170\nregister_pernet_operations+0x114/0x270\nregister_pernet_subsys+0x34/0x50\ninit_nfsd+0xa8/0x718 [nfsd]\ndo_one_initcall+0x54/0x2e0\n\nCPU 2 :\nUnable to handle kernel NULL pointer dereference at virtual address 0000000000000010\n\nPC is at : exports_net_open+0x50/0x68 [nfsd]\n\nCall trace:\nexports_net_open+0x50/0x68 [nfsd]\nexports_proc_open+0x2c/0x38 [nfsd]\nproc_reg_open+0xb8/0x198\ndo_dentry_open+0x1c4/0x418\nvfs_open+0x38/0x48\npath_openat+0x28c/0xf18\ndo_filp_open+0x70/0xe8\ndo_sys_open+0x154/0x248\n\nSometimes it crashes at exports_net_open() and sometimes cache_seq_next_rcu().\n\nand same is happening on latest 6.14 kernel as well:\n\n[ 0.000000] Linux version 6.14.0-rc5-next-20250304-dirty\n...\n[ 285.455918] Unable to handle kernel paging request at virtual address 00001f4800001f48\n...\n[ 285.464902] pc : cache_seq_next_rcu+0x78/0xa4\n...\n[ 285.469695] Call trace:\n[ 285.470083] cache_seq_next_rcu+0x78/0xa4 (P)\n[ 285.470488] seq_read+0xe0/0x11c\n[ 285.470675] proc_reg_read+0x9c/0xf0\n[ 285.470874] vfs_read+0xc4/0x2fc\n[ 285.471057] ksys_read+0x6c/0xf4\n[ 285.471231] __arm64_sys_read+0x1c/0x28\n[ 285.471428] invoke_syscall+0x44/0x100\n[ 285.471633] el0_svc_common.constprop.0+0x40/0xe0\n[ 285.471870] do_el0_svc_compat+0x1c/0x34\n[ 285.472073] el0_svc_compat+0x2c/0x80\n[ 285.472265] el0t_32_sync_handler+0x90/0x140\n[ 285.472473] el0t_32_sync+0x19c/0x1a0\n[ 285.472887] Code: f9400885 93407c23 937d7c27 11000421 (f86378a3)\n[ 285.473422] ---[ end trace 0000000000000000 ]---\n\nIt reproduced simply with below script:\nwhile [ 1 ]\ndo\n/exportfs -r\ndone \u0026\n\nwhile [ 1 ]\ndo\ninsmod /nfsd.ko\nmount -t nfsd none /proc/fs/nfsd\numount /proc/fs/nfsd\nrmmod nfsd\ndone \u0026\n\nSo exporting interfaces to user space shall be done at last and\ncleanup at first place.\n\nWith change there is no Kernel OOPs.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 4.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2025-38232"
},
{
"cve": "CVE-2025-38322",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nperf/x86/intel: Fix crash in icl_update_topdown_event()\n\nThe perf_fuzzer found a hard-lockup crash on a RaptorLake machine:\n\n Oops: general protection fault, maybe for address 0xffff89aeceab400: 0000\n CPU: 23 UID: 0 PID: 0 Comm: swapper/23\n Tainted: [W]=WARN\n Hardware name: Dell Inc. Precision 9660/0VJ762\n RIP: 0010:native_read_pmc+0x7/0x40\n Code: cc e8 8d a9 01 00 48 89 03 5b cd cc cc cc cc 0f 1f ...\n RSP: 000:fffb03100273de8 EFLAGS: 00010046\n ....\n Call Trace:\n \u003cTASK\u003e\n icl_update_topdown_event+0x165/0x190\n ? ktime_get+0x38/0xd0\n intel_pmu_read_event+0xf9/0x210\n __perf_event_read+0xf9/0x210\n\nCPUs 16-23 are E-core CPUs that don\u0027t support the perf metrics feature.\nThe icl_update_topdown_event() should not be invoked on these CPUs.\n\nIt\u0027s a regression of commit:\n\n f9bdf1f95339 (\"perf/x86/intel: Avoid disable PMU if !cpuc-\u003eenabled in sample read\")\n\nThe bug introduced by that commit is that the is_topdown_event() function\nis mistakenly used to replace the is_topdown_count() call to check if the\ntopdown functions for the perf metrics feature should be invoked.\n\nFix it.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2025-38322"
},
{
"cve": "CVE-2025-38591",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Reject narrower access to pointer ctx fields\n\nThe following BPF program, simplified from a syzkaller repro, causes a\nkernel warning:\n\n r0 = *(u8 *)(r1 + 169);\n exit;\n\nWith pointer field sk being at offset 168 in __sk_buff. This access is\ndetected as a narrower read in bpf_skb_is_valid_access because it\ndoesn\u0027t match offsetof(struct __sk_buff, sk). It is therefore allowed\nand later proceeds to bpf_convert_ctx_access. Note that for the\n\"is_narrower_load\" case in the convert_ctx_accesses(), the insn-\u003eoff\nis aligned, so the cnt may not be 0 because it matches the\noffsetof(struct __sk_buff, sk) in the bpf_convert_ctx_access. However,\nthe target_size stays 0 and the verifier errors with a kernel warning:\n\n verifier bug: error during ctx access conversion(1)\n\nThis patch fixes that to return a proper \"invalid bpf_context access\noff=X size=Y\" error on the load instruction.\n\nThe same issue affects multiple other fields in context structures that\nallow narrow access. Some other non-affected fields (for sk_msg,\nsk_lookup, and sockopt) were also changed to use bpf_ctx_range_ptr for\nconsistency.\n\nNote this syzkaller crash was reported in the \"Closes\" link below, which\nused to be about a different bug, fixed in\ncommit fce7bd8e385a (\"bpf/verifier: Handle BPF_LOAD_ACQ instructions\nin insn_def_regno()\"). Because syzbot somehow confused the two bugs,\nthe new crash and repro didn\u0027t get reported to the mailing list.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 4.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2025-38591"
},
{
"cve": "CVE-2025-38614",
"cwe": {
"id": "CWE-674",
"name": "Uncontrolled Recursion"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\neventpoll: Fix semi-unbounded recursion\n\nEnsure that epoll instances can never form a graph deeper than\nEP_MAX_NESTS+1 links.\n\nCurrently, ep_loop_check_proc() ensures that the graph is loop-free and\ndoes some recursion depth checks, but those recursion depth checks don\u0027t\nlimit the depth of the resulting tree for two reasons:\n\n - They don\u0027t look upwards in the tree.\n - If there are multiple downwards paths of different lengths, only one of\n the paths is actually considered for the depth check since commit\n 28d82dc1c4ed (\"epoll: limit paths\").\n\nEssentially, the current recursion depth check in ep_loop_check_proc() just\nserves to prevent it from recursing too deeply while checking for loops.\n\nA more thorough check is done in reverse_path_check() after the new graph\nedge has already been created; this checks, among other things, that no\npaths going upwards from any non-epoll file with a length of more than 5\nedges exist. However, this check does not apply to non-epoll files.\n\nAs a result, it is possible to recurse to a depth of at least roughly 500,\ntested on v6.15. (I am unsure if deeper recursion is possible; and this may\nhave changed with commit 8c44dac8add7 (\"eventpoll: Fix priority inversion\nproblem\").)\n\nTo fix it:\n\n1. In ep_loop_check_proc(), note the subtree depth of each visited node,\nand use subtree depths for the total depth calculation even when a subtree\nhas already been visited.\n2. Add ep_get_upwards_depth_proc() for similarly determining the maximum\ndepth of an upwards walk.\n3. In ep_loop_check(), use these values to limit the total path length\nbetween epoll nodes to EP_MAX_NESTS edges.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2025-38614"
},
{
"cve": "CVE-2025-38681",
"cwe": {
"id": "CWE-366",
"name": "Race Condition within a Thread"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/ptdump: take the memory hotplug lock inside ptdump_walk_pgd()\n\nMemory hot remove unmaps and tears down various kernel page table regions\nas required. The ptdump code can race with concurrent modifications of\nthe kernel page tables. When leaf entries are modified concurrently, the\ndump code may log stale or inconsistent information for a VA range, but\nthis is otherwise not harmful.\n\nBut when intermediate levels of kernel page table are freed, the dump code\nwill continue to use memory that has been freed and potentially\nreallocated for another purpose. In such cases, the ptdump code may\ndereference bogus addresses, leading to a number of potential problems.\n\nTo avoid the above mentioned race condition, platforms such as arm64,\nriscv and s390 take memory hotplug lock, while dumping kernel page table\nvia the sysfs interface /sys/kernel/debug/kernel_page_tables.\n\nSimilar race condition exists while checking for pages that might have\nbeen marked W+X via /sys/kernel/debug/kernel_page_tables/check_wx_pages\nwhich in turn calls ptdump_check_wx(). Instead of solving this race\ncondition again, let\u0027s just move the memory hotplug lock inside generic\nptdump_check_wx() which will benefit both the scenarios.\n\nDrop get_online_mems() and put_online_mems() combination from all existing\nplatform ptdump code paths.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2025-38681"
},
{
"cve": "CVE-2025-38704",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nrcu/nocb: Fix possible invalid rdp\u0027s-\u003enocb_cb_kthread pointer access\n\nIn the preparation stage of CPU online, if the corresponding\nthe rdp\u0027s-\u003enocb_cb_kthread does not exist, will be created,\nthere is a situation where the rdp\u0027s rcuop kthreads creation fails,\nand then de-offload this CPU\u0027s rdp, does not assign this CPU\u0027s\nrdp-\u003enocb_cb_kthread pointer, but this rdp\u0027s-\u003enocb_gp_rdp and\nrdp\u0027s-\u003erdp_gp-\u003enocb_gp_kthread is still valid.\n\nThis will cause the subsequent re-offload operation of this offline\nCPU, which will pass the conditional check and the kthread_unpark()\nwill access invalid rdp\u0027s-\u003enocb_cb_kthread pointer.\n\nThis commit therefore use rdp\u0027s-\u003enocb_gp_kthread instead of\nrdp_gp\u0027s-\u003enocb_gp_kthread for safety check.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2025-38704"
},
{
"cve": "CVE-2025-38721",
"cwe": {
"id": "CWE-772",
"name": "Missing Release of Resource after Effective Lifetime"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: ctnetlink: fix refcount leak on table dump\n\nThere is a reference count leak in ctnetlink_dump_table():\n if (res \u003c 0) {\n nf_conntrack_get(\u0026ct-\u003ect_general); // HERE\n cb-\u003eargs[1] = (unsigned long)ct;\n ...\n\nWhile its very unlikely, its possible that ct == last.\nIf this happens, then the refcount of ct was already incremented.\nThis 2nd increment is never undone.\n\nThis prevents the conntrack object from being released, which in turn\nkeeps prevents cnet-\u003ecount from dropping back to 0.\n\nThis will then block the netns dismantle (or conntrack rmmod) as\nnf_conntrack_cleanup_net_list() will wait forever.\n\nThis can be reproduced by running conntrack_resize.sh selftest in a loop.\nIt takes ~20 minutes for me on a preemptible kernel on average before\nI see a runaway kworker spinning in nf_conntrack_cleanup_net_list.\n\nOne fix would to change this to:\n if (res \u003c 0) {\n\t\tif (ct != last)\n\t nf_conntrack_get(\u0026ct-\u003ect_general);\n\nBut this reference counting isn\u0027t needed in the first place.\nWe can just store a cookie value instead.\n\nA followup patch will do the same for ctnetlink_exp_dump_table,\nit looks to me as if this has the same problem and like\nctnetlink_dump_table, we only need a \u0027skip hint\u0027, not the actual\nobject so we can apply the same cookie strategy there as well.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2025-38721"
},
{
"cve": "CVE-2025-38725",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: usb: asix_devices: add phy_mask for ax88772 mdio bus\n\nWithout setting phy_mask for ax88772 mdio bus, current driver may create\nat most 32 mdio phy devices with phy address range from 0x00 ~ 0x1f.\nDLink DUB-E100 H/W Ver B1 is such a device. However, only one main phy\ndevice will bind to net phy driver. This is creating issue during system\nsuspend/resume since phy_polling_mode() in phy_state_machine() will\ndirectly deference member of phydev-\u003edrv for non-main phy devices. Then\nNULL pointer dereference issue will occur. Due to only external phy or\ninternal phy is necessary, add phy_mask for ax88772 mdio bus to workarnoud\nthe issue.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.0,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2025-38725"
},
{
"cve": "CVE-2025-38727",
"cwe": {
"id": "CWE-835",
"name": "Loop with Unreachable Exit Condition (\u0027Infinite Loop\u0027)"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetlink: avoid infinite retry looping in netlink_unicast()\n\nnetlink_attachskb() checks for the socket\u0027s read memory allocation\nconstraints. Firstly, it has:\n\n rmem \u003c READ_ONCE(sk-\u003esk_rcvbuf)\n\nto check if the just increased rmem value fits into the socket\u0027s receive\nbuffer. If not, it proceeds and tries to wait for the memory under:\n\n rmem + skb-\u003etruesize \u003e READ_ONCE(sk-\u003esk_rcvbuf)\n\nThe checks don\u0027t cover the case when skb-\u003etruesize + sk-\u003esk_rmem_alloc is\nequal to sk-\u003esk_rcvbuf. Thus the function neither successfully accepts\nthese conditions, nor manages to reschedule the task - and is called in\nretry loop for indefinite time which is caught as:\n\n rcu: INFO: rcu_sched self-detected stall on CPU\n rcu: 0-....: (25999 ticks this GP) idle=ef2/1/0x4000000000000000 softirq=262269/262269 fqs=6212\n (t=26000 jiffies g=230833 q=259957)\n NMI backtrace for cpu 0\n CPU: 0 PID: 22 Comm: kauditd Not tainted 5.10.240 #68\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-4.fc42 04/01/2014\n Call Trace:\n \u003cIRQ\u003e\n dump_stack lib/dump_stack.c:120\n nmi_cpu_backtrace.cold lib/nmi_backtrace.c:105\n nmi_trigger_cpumask_backtrace lib/nmi_backtrace.c:62\n rcu_dump_cpu_stacks kernel/rcu/tree_stall.h:335\n rcu_sched_clock_irq.cold kernel/rcu/tree.c:2590\n update_process_times kernel/time/timer.c:1953\n tick_sched_handle kernel/time/tick-sched.c:227\n tick_sched_timer kernel/time/tick-sched.c:1399\n __hrtimer_run_queues kernel/time/hrtimer.c:1652\n hrtimer_interrupt kernel/time/hrtimer.c:1717\n __sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1113\n asm_call_irq_on_stack arch/x86/entry/entry_64.S:808\n \u003c/IRQ\u003e\n\n netlink_attachskb net/netlink/af_netlink.c:1234\n netlink_unicast net/netlink/af_netlink.c:1349\n kauditd_send_queue kernel/audit.c:776\n kauditd_thread kernel/audit.c:897\n kthread kernel/kthread.c:328\n ret_from_fork arch/x86/entry/entry_64.S:304\n\nRestore the original behavior of the check which commit in Fixes\naccidentally missed when restructuring the code.\n\nFound by Linux Verification Center (linuxtesting.org).",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2025-38727"
},
{
"cve": "CVE-2025-38732",
"cwe": {
"id": "CWE-911",
"name": "Improper Update of Reference Count"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_reject: don\u0027t leak dst refcount for loopback packets\n\nrecent patches to add a WARN() when replacing skb dst entry found an\nold bug:\n\nWARNING: include/linux/skbuff.h:1165 skb_dst_check_unset include/linux/skbuff.h:1164 [inline]\nWARNING: include/linux/skbuff.h:1165 skb_dst_set include/linux/skbuff.h:1210 [inline]\nWARNING: include/linux/skbuff.h:1165 nf_reject_fill_skb_dst+0x2a4/0x330 net/ipv4/netfilter/nf_reject_ipv4.c:234\n[..]\nCall Trace:\n nf_send_unreach+0x17b/0x6e0 net/ipv4/netfilter/nf_reject_ipv4.c:325\n nft_reject_inet_eval+0x4bc/0x690 net/netfilter/nft_reject_inet.c:27\n expr_call_ops_eval net/netfilter/nf_tables_core.c:237 [inline]\n ..\n\nThis is because blamed commit forgot about loopback packets.\nSuch packets already have a dst_entry attached, even at PRE_ROUTING stage.\n\nInstead of checking hook just check if the skb already has a route\nattached to it.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.8,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2025-38732"
},
{
"cve": "CVE-2025-38736",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: usb: asix_devices: Fix PHY address mask in MDIO bus initialization\n\nSyzbot reported shift-out-of-bounds exception on MDIO bus initialization.\n\nThe PHY address should be masked to 5 bits (0-31). Without this\nmask, invalid PHY addresses could be used, potentially causing issues\nwith MDIO bus operations.\n\nFix this by masking the PHY address with 0x1f (31 decimal) to ensure\nit stays within the valid range.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2025-38736"
},
{
"cve": "CVE-2025-39681",
"cwe": {
"id": "CWE-369",
"name": "Divide By Zero"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/cpu/hygon: Add missing resctrl_cpu_detect() in bsp_init helper\n\nSince\n\n 923f3a2b48bd (\"x86/resctrl: Query LLC monitoring properties once during boot\")\n\nresctrl_cpu_detect() has been moved from common CPU initialization code to\nthe vendor-specific BSP init helper, while Hygon didn\u0027t put that call in their\ncode.\n\nThis triggers a division by zero fault during early booting stage on our\nmachines with X86_FEATURE_CQM* supported, where get_rdt_mon_resources() tries\nto calculate mon_l3_config with uninitialized boot_cpu_data.x86_cache_occ_scale.\n\nAdd the missing resctrl_cpu_detect() in the Hygon BSP init helper.\n\n [ bp: Massage commit message. ]",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2025-39681"
},
{
"cve": "CVE-2025-39691",
"cwe": {
"id": "CWE-416",
"name": "Use After Free"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/buffer: fix use-after-free when call bh_read() helper\n\nThere\u0027s issue as follows:\nBUG: KASAN: stack-out-of-bounds in end_buffer_read_sync+0xe3/0x110\nRead of size 8 at addr ffffc9000168f7f8 by task swapper/3/0\nCPU: 3 UID: 0 PID: 0 Comm: swapper/3 Not tainted 6.16.0-862.14.0.6.x86_64\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996)\nCall Trace:\n \u003cIRQ\u003e\n dump_stack_lvl+0x55/0x70\n print_address_description.constprop.0+0x2c/0x390\n print_report+0xb4/0x270\n kasan_report+0xb8/0xf0\n end_buffer_read_sync+0xe3/0x110\n end_bio_bh_io_sync+0x56/0x80\n blk_update_request+0x30a/0x720\n scsi_end_request+0x51/0x2b0\n scsi_io_completion+0xe3/0x480\n ? scsi_device_unbusy+0x11e/0x160\n blk_complete_reqs+0x7b/0x90\n handle_softirqs+0xef/0x370\n irq_exit_rcu+0xa5/0xd0\n sysvec_apic_timer_interrupt+0x6e/0x90\n \u003c/IRQ\u003e\n\n Above issue happens when do ntfs3 filesystem mount, issue may happens\n as follows:\n mount IRQ\nntfs_fill_super\n read_cache_page\n do_read_cache_folio\n filemap_read_folio\n mpage_read_folio\n\t do_mpage_readpage\n\t ntfs_get_block_vbo\n\t bh_read\n\t submit_bh\n\t wait_on_buffer(bh);\n\t blk_complete_reqs\n\t\t\t\t scsi_io_completion\n\t\t\t\t scsi_end_request\n\t\t\t\t blk_update_request\n\t\t\t\t end_bio_bh_io_sync\n\t\t\t\t\t end_buffer_read_sync\n\t\t\t\t\t __end_buffer_read_notouch\n\t\t\t\t\t unlock_buffer\n\n wait_on_buffer(bh);--\u003e return will return to caller\n\n\t\t\t\t\t put_bh\n\t\t\t\t\t --\u003e trigger stack-out-of-bounds\nIn the mpage_read_folio() function, the stack variable \u0027map_bh\u0027 is\npassed to ntfs_get_block_vbo(). Once unlock_buffer() unlocks and\nwait_on_buffer() returns to continue processing, the stack variable\nis likely to be reclaimed. Consequently, during the end_buffer_read_sync()\nprocess, calling put_bh() may result in stack overrun.\n\nIf the bh is not allocated on the stack, it belongs to a folio. Freeing\na buffer head which belongs to a folio is done by drop_buffers() which\nwill fail to free buffers which are still locked. So it is safe to call\nput_bh() before __end_buffer_read_notouch().",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 4.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2025-39691"
},
{
"cve": "CVE-2025-39721",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: qat - flush misc workqueue during device shutdown\n\nRepeated loading and unloading of a device specific QAT driver, for\nexample qat_4xxx, in a tight loop can lead to a crash due to a\nuse-after-free scenario. This occurs when a power management (PM)\ninterrupt triggers just before the device-specific driver (e.g.,\nqat_4xxx.ko) is unloaded, while the core driver (intel_qat.ko) remains\nloaded.\n\nSince the driver uses a shared workqueue (`qat_misc_wq`) across all\ndevices and owned by intel_qat.ko, a deferred routine from the\ndevice-specific driver may still be pending in the queue. If this\nroutine executes after the driver is unloaded, it can dereference freed\nmemory, resulting in a page fault and kernel crash like the following:\n\n BUG: unable to handle page fault for address: ffa000002e50a01c\n #PF: supervisor read access in kernel mode\n RIP: 0010:pm_bh_handler+0x1d2/0x250 [intel_qat]\n Call Trace:\n pm_bh_handler+0x1d2/0x250 [intel_qat]\n process_one_work+0x171/0x340\n worker_thread+0x277/0x3a0\n kthread+0xf0/0x120\n ret_from_fork+0x2d/0x50\n\nTo prevent this, flush the misc workqueue during device shutdown to\nensure that all pending work items are completed before the driver is\nunloaded.\n\nNote: This approach may slightly increase shutdown latency if the\nworkqueue contains jobs from other devices, but it ensures correctness\nand stability.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 4.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2025-39721"
},
{
"cve": "CVE-2025-39748",
"cwe": {
"id": "CWE-478",
"name": "Missing Default Case in Multiple Condition Expression"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Forget ranges when refining tnum after JSET\n\nSyzbot reported a kernel warning due to a range invariant violation on\nthe following BPF program.\n\n 0: call bpf_get_netns_cookie\n 1: if r0 == 0 goto \u003cexit\u003e\n 2: if r0 \u0026 Oxffffffff goto \u003cexit\u003e\n\nThe issue is on the path where we fall through both jumps.\n\nThat path is unreachable at runtime: after insn 1, we know r0 != 0, but\nwith the sign extension on the jset, we would only fallthrough insn 2\nif r0 == 0. Unfortunately, is_branch_taken() isn\u0027t currently able to\nfigure this out, so the verifier walks all branches. The verifier then\nrefines the register bounds using the second condition and we end\nup with inconsistent bounds on this unreachable path:\n\n 1: if r0 == 0 goto \u003cexit\u003e\n r0: u64=[0x1, 0xffffffffffffffff] var_off=(0, 0xffffffffffffffff)\n 2: if r0 \u0026 0xffffffff goto \u003cexit\u003e\n r0 before reg_bounds_sync: u64=[0x1, 0xffffffffffffffff] var_off=(0, 0)\n r0 after reg_bounds_sync: u64=[0x1, 0] var_off=(0, 0)\n\nImproving the range refinement for JSET to cover all cases is tricky. We\nalso don\u0027t expect many users to rely on JSET given LLVM doesn\u0027t generate\nthose instructions. So instead of improving the range refinement for\nJSETs, Eduard suggested we forget the ranges whenever we\u0027re narrowing\ntnums after a JSET. This patch implements that approach.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2025-39748"
},
{
"cve": "CVE-2025-39756",
"cwe": {
"id": "CWE-401",
"name": "Missing Release of Memory after Effective Lifetime"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs: Prevent file descriptor table allocations exceeding INT_MAX\n\nWhen sysctl_nr_open is set to a very high value (for example, 1073741816\nas set by systemd), processes attempting to use file descriptors near\nthe limit can trigger massive memory allocation attempts that exceed\nINT_MAX, resulting in a WARNING in mm/slub.c:\n\n WARNING: CPU: 0 PID: 44 at mm/slub.c:5027 __kvmalloc_node_noprof+0x21a/0x288\n\nThis happens because kvmalloc_array() and kvmalloc() check if the\nrequested size exceeds INT_MAX and emit a warning when the allocation is\nnot flagged with __GFP_NOWARN.\n\nSpecifically, when nr_open is set to 1073741816 (0x3ffffff8) and a\nprocess calls dup2(oldfd, 1073741880), the kernel attempts to allocate:\n- File descriptor array: 1073741880 * 8 bytes = 8,589,935,040 bytes\n- Multiple bitmaps: ~400MB\n- Total allocation size: \u003e 8GB (exceeding INT_MAX = 2,147,483,647)\n\nReproducer:\n1. Set /proc/sys/fs/nr_open to 1073741816:\n # echo 1073741816 \u003e /proc/sys/fs/nr_open\n\n2. Run a program that uses a high file descriptor:\n #include \u003cunistd.h\u003e\n #include \u003csys/resource.h\u003e\n\n int main() {\n struct rlimit rlim = {1073741824, 1073741824};\n setrlimit(RLIMIT_NOFILE, \u0026rlim);\n dup2(2, 1073741880); // Triggers the warning\n return 0;\n }\n\n3. Observe WARNING in dmesg at mm/slub.c:5027\n\nsystemd commit a8b627a introduced automatic bumping of fs.nr_open to the\nmaximum possible value. The rationale was that systems with memory\ncontrol groups (memcg) no longer need separate file descriptor limits\nsince memory is properly accounted. However, this change overlooked\nthat:\n\n1. The kernel\u0027s allocation functions still enforce INT_MAX as a maximum\n size regardless of memcg accounting\n2. Programs and tests that legitimately test file descriptor limits can\n inadvertently trigger massive allocations\n3. The resulting allocations (\u003e8GB) are impractical and will always fail\n\nsystemd\u0027s algorithm starts with INT_MAX and keeps halving the value\nuntil the kernel accepts it. On most systems, this results in nr_open\nbeing set to 1073741816 (0x3ffffff8), which is just under 1GB of file\ndescriptors.\n\nWhile processes rarely use file descriptors near this limit in normal\noperation, certain selftests (like\ntools/testing/selftests/core/unshare_test.c) and programs that test file\ndescriptor limits can trigger this issue.\n\nFix this by adding a check in alloc_fdtable() to ensure the requested\nallocation size does not exceed INT_MAX. This causes the operation to\nfail with -EMFILE instead of triggering a kernel warning and avoids the\nimpractical \u003e8GB memory allocation request.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2025-39756"
},
{
"cve": "CVE-2025-39764",
"cwe": {
"id": "CWE-911",
"name": "Improper Update of Reference Count"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: ctnetlink: remove refcounting in expectation dumpers\n\nSame pattern as previous patch: do not keep the expectation object\nalive via refcount, only store a cookie value and then use that\nas the skip hint for dump resumption.\n\nAFAICS this has the same issue as the one resolved in the conntrack\ndumper, when we do\n if (!refcount_inc_not_zero(\u0026exp-\u003euse))\n\nto increment the refcount, there is a chance that exp == last, which\ncauses a double-increment of the refcount and subsequent memory leak.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2025-39764"
},
{
"cve": "CVE-2025-39770",
"cwe": {
"id": "CWE-573",
"name": "Improper Following of Specification by Caller"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: gso: Forbid IPv6 TSO with extensions on devices with only IPV6_CSUM\n\nWhen performing Generic Segmentation Offload (GSO) on an IPv6 packet that\ncontains extension headers, the kernel incorrectly requests checksum offload\nif the egress device only advertises NETIF_F_IPV6_CSUM feature, which has\na strict contract: it supports checksum offload only for plain TCP or UDP\nover IPv6 and explicitly does not support packets with extension headers.\nThe current GSO logic violates this contract by failing to disable the feature\nfor packets with extension headers, such as those used in GREoIPv6 tunnels.\n\nThis violation results in the device being asked to perform an operation\nit cannot support, leading to a `skb_warn_bad_offload` warning and a collapse\nof network throughput. While device TSO/USO is correctly bypassed in favor\nof software GSO for these packets, the GSO stack must be explicitly told not\nto request checksum offload.\n\nMask NETIF_F_IPV6_CSUM, NETIF_F_TSO6 and NETIF_F_GSO_UDP_L4\nin gso_features_check if the IPv6 header contains extension headers to compute\nchecksum in software.\n\nThe exception is a BIG TCP extension, which, as stated in commit\n68e068cabd2c6c53 (\"net: reenable NETIF_F_IPV6_CSUM offload for BIG TCP packets\"):\n\"The feature is only enabled on devices that support BIG TCP TSO.\nThe header is only present for PF_PACKET taps like tcpdump,\nand not transmitted by physical devices.\"\n\nkernel log output (truncated):\nWARNING: CPU: 1 PID: 5273 at net/core/dev.c:3535 skb_warn_bad_offload+0x81/0x140\n...\nCall Trace:\n \u003cTASK\u003e\n skb_checksum_help+0x12a/0x1f0\n validate_xmit_skb+0x1a3/0x2d0\n validate_xmit_skb_list+0x4f/0x80\n sch_direct_xmit+0x1a2/0x380\n __dev_xmit_skb+0x242/0x670\n __dev_queue_xmit+0x3fc/0x7f0\n ip6_finish_output2+0x25e/0x5d0\n ip6_finish_output+0x1fc/0x3f0\n ip6_tnl_xmit+0x608/0xc00 [ip6_tunnel]\n ip6gre_tunnel_xmit+0x1c0/0x390 [ip6_gre]\n dev_hard_start_xmit+0x63/0x1c0\n __dev_queue_xmit+0x6d0/0x7f0\n ip6_finish_output2+0x214/0x5d0\n ip6_finish_output+0x1fc/0x3f0\n ip6_xmit+0x2ca/0x6f0\n ip6_finish_output+0x1fc/0x3f0\n ip6_xmit+0x2ca/0x6f0\n inet6_csk_xmit+0xeb/0x150\n __tcp_transmit_skb+0x555/0xa80\n tcp_write_xmit+0x32a/0xe90\n tcp_sendmsg_locked+0x437/0x1110\n tcp_sendmsg+0x2f/0x50\n...\nskb linear: 00000000: e4 3d 1a 7d ec 30 e4 3d 1a 7e 5d 90 86 dd 60 0e\nskb linear: 00000010: 00 0a 1b 34 3c 40 20 11 00 00 00 00 00 00 00 00\nskb linear: 00000020: 00 00 00 00 00 12 20 11 00 00 00 00 00 00 00 00\nskb linear: 00000030: 00 00 00 00 00 11 2f 00 04 01 04 01 01 00 00 00\nskb linear: 00000040: 86 dd 60 0e 00 0a 1b 00 06 40 20 23 00 00 00 00\nskb linear: 00000050: 00 00 00 00 00 00 00 00 00 12 20 23 00 00 00 00\nskb linear: 00000060: 00 00 00 00 00 00 00 00 00 11 bf 96 14 51 13 f9\nskb linear: 00000070: ae 27 a0 a8 2b e3 80 18 00 40 5b 6f 00 00 01 01\nskb linear: 00000080: 08 0a 42 d4 50 d5 4b 70 f8 1a",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2025-39770"
},
{
"cve": "CVE-2025-39773",
"cwe": {
"id": "CWE-667",
"name": "Improper Locking"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: bridge: fix soft lockup in br_multicast_query_expired()\n\nWhen set multicast_query_interval to a large value, the local variable\n\u0027time\u0027 in br_multicast_send_query() may overflow. If the time is smaller\nthan jiffies, the timer will expire immediately, and then call mod_timer()\nagain, which creates a loop and may trigger the following soft lockup\nissue.\n\n watchdog: BUG: soft lockup - CPU#1 stuck for 221s! [rb_consumer:66]\n CPU: 1 UID: 0 PID: 66 Comm: rb_consumer Not tainted 6.16.0+ #259 PREEMPT(none)\n Call Trace:\n \u003cIRQ\u003e\n __netdev_alloc_skb+0x2e/0x3a0\n br_ip6_multicast_alloc_query+0x212/0x1b70\n __br_multicast_send_query+0x376/0xac0\n br_multicast_send_query+0x299/0x510\n br_multicast_query_expired.constprop.0+0x16d/0x1b0\n call_timer_fn+0x3b/0x2a0\n __run_timers+0x619/0x950\n run_timer_softirq+0x11c/0x220\n handle_softirqs+0x18e/0x560\n __irq_exit_rcu+0x158/0x1a0\n sysvec_apic_timer_interrupt+0x76/0x90\n \u003c/IRQ\u003e\n\nThis issue can be reproduced with:\n ip link add br0 type bridge\n echo 1 \u003e /sys/class/net/br0/bridge/multicast_querier\n echo 0xffffffffffffffff \u003e\n \t/sys/class/net/br0/bridge/multicast_query_interval\n ip link set dev br0 up\n\nThe multicast_startup_query_interval can also cause this issue. Similar to\nthe commit 99b40610956a (\"net: bridge: mcast: add and enforce query\ninterval minimum\"), add check for the query interval maximum to fix this\nissue.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2025-39773"
},
{
"cve": "CVE-2025-39782",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\njbd2: prevent softlockup in jbd2_log_do_checkpoint()\n\nBoth jbd2_log_do_checkpoint() and jbd2_journal_shrink_checkpoint_list()\nperiodically release j_list_lock after processing a batch of buffers to\navoid long hold times on the j_list_lock. However, since both functions\ncontend for j_list_lock, the combined time spent waiting and processing\ncan be significant.\n\njbd2_journal_shrink_checkpoint_list() explicitly calls cond_resched() when\nneed_resched() is true to avoid softlockups during prolonged operations.\nBut jbd2_log_do_checkpoint() only exits its loop when need_resched() is\ntrue, relying on potentially sleeping functions like __flush_batch() or\nwait_on_buffer() to trigger rescheduling. If those functions do not sleep,\nthe kernel may hit a softlockup.\n\nwatchdog: BUG: soft lockup - CPU#3 stuck for 156s! [kworker/u129:2:373]\nCPU: 3 PID: 373 Comm: kworker/u129:2 Kdump: loaded Not tainted 6.6.0+ #10\nHardware name: Huawei TaiShan 2280 /BC11SPCD, BIOS 1.27 06/13/2017\nWorkqueue: writeback wb_workfn (flush-7:2)\npstate: 20000005 (nzCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\npc : native_queued_spin_lock_slowpath+0x358/0x418\nlr : jbd2_log_do_checkpoint+0x31c/0x438 [jbd2]\nCall trace:\n native_queued_spin_lock_slowpath+0x358/0x418\n jbd2_log_do_checkpoint+0x31c/0x438 [jbd2]\n __jbd2_log_wait_for_space+0xfc/0x2f8 [jbd2]\n add_transaction_credits+0x3bc/0x418 [jbd2]\n start_this_handle+0xf8/0x560 [jbd2]\n jbd2__journal_start+0x118/0x228 [jbd2]\n __ext4_journal_start_sb+0x110/0x188 [ext4]\n ext4_do_writepages+0x3dc/0x740 [ext4]\n ext4_writepages+0xa4/0x190 [ext4]\n do_writepages+0x94/0x228\n __writeback_single_inode+0x48/0x318\n writeback_sb_inodes+0x204/0x590\n __writeback_inodes_wb+0x54/0xf8\n wb_writeback+0x2cc/0x3d8\n wb_do_writeback+0x2e0/0x2f8\n wb_workfn+0x80/0x2a8\n process_one_work+0x178/0x3e8\n worker_thread+0x234/0x3b8\n kthread+0xf0/0x108\n ret_from_fork+0x10/0x20\n\nSo explicitly call cond_resched() in jbd2_log_do_checkpoint() to avoid\nsoftlockup.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2025-39782"
},
{
"cve": "CVE-2025-39795",
"cwe": {
"id": "CWE-674",
"name": "Uncontrolled Recursion"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nblock: avoid possible overflow for chunk_sectors check in blk_stack_limits()\n\nIn blk_stack_limits(), we check that the t-\u003echunk_sectors value is a\nmultiple of the t-\u003ephysical_block_size value.\n\nHowever, by finding the chunk_sectors value in bytes, we may overflow\nthe unsigned int which holds chunk_sectors, so change the check to be\nbased on sectors.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2025-39795"
},
{
"cve": "CVE-2025-39826",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: rose: convert \u0027use\u0027 field to refcount_t\n\nThe \u0027use\u0027 field in struct rose_neigh is used as a reference counter but\nlacks atomicity. This can lead to race conditions where a rose_neigh\nstructure is freed while still being referenced by other code paths.\n\nFor example, when rose_neigh-\u003euse becomes zero during an ioctl operation\nvia rose_rt_ioctl(), the structure may be removed while its timer is\nstill active, potentially causing use-after-free issues.\n\nThis patch changes the type of \u0027use\u0027 from unsigned short to refcount_t and\nupdates all code paths to use rose_neigh_hold() and rose_neigh_put() which\noperate reference counts atomically.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2025-39826"
},
{
"cve": "CVE-2025-39827",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: rose: include node references in rose_neigh refcount\n\nCurrent implementation maintains two separate reference counting\nmechanisms: the \u0027count\u0027 field in struct rose_neigh tracks references from\nrose_node structures, while the \u0027use\u0027 field (now refcount_t) tracks\nreferences from rose_sock.\n\nThis patch merges these two reference counting systems using \u0027use\u0027 field\nfor proper reference management. Specifically, this patch adds incrementing\nand decrementing of rose_neigh-\u003euse when rose_neigh-\u003ecount is incremented\nor decremented.\n\nThis patch also modifies rose_rt_free(), rose_rt_device_down() and\nrose_clear_route() to properly release references to rose_neigh objects\nbefore freeing a rose_node through rose_remove_node().\n\nThese changes ensure rose_neigh structures are properly freed only when\nall references, including those from rose_node structures, are released.\nAs a result, this resolves a slab-use-after-free issue reported by Syzbot.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2025-39827"
},
{
"cve": "CVE-2025-39845",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/mm/64: define ARCH_PAGE_TABLE_SYNC_MASK and arch_sync_kernel_mappings()\n\nDefine ARCH_PAGE_TABLE_SYNC_MASK and arch_sync_kernel_mappings() to ensure\npage tables are properly synchronized when calling p*d_populate_kernel().\n\nFor 5-level paging, synchronization is performed via\npgd_populate_kernel(). In 4-level paging, pgd_populate() is a no-op, so\nsynchronization is instead performed at the P4D level via\np4d_populate_kernel().\n\nThis fixes intermittent boot failures on systems using 4-level paging and\na large amount of persistent memory:\n\n BUG: unable to handle page fault for address: ffffe70000000034\n #PF: supervisor write access in kernel mode\n #PF: error_code(0x0002) - not-present page\n PGD 0 P4D 0\n Oops: 0002 [#1] SMP NOPTI\n RIP: 0010:__init_single_page+0x9/0x6d\n Call Trace:\n \u003cTASK\u003e\n __init_zone_device_page+0x17/0x5d\n memmap_init_zone_device+0x154/0x1bb\n pagemap_range+0x2e0/0x40f\n memremap_pages+0x10b/0x2f0\n devm_memremap_pages+0x1e/0x60\n dev_dax_probe+0xce/0x2ec [device_dax]\n dax_bus_probe+0x6d/0xc9\n [... snip ...]\n \u003c/TASK\u003e\n\nIt also fixes a crash in vmemmap_set_pmd() caused by accessing vmemmap\nbefore sync_global_pgds() [1]:\n\n BUG: unable to handle page fault for address: ffffeb3ff1200000\n #PF: supervisor write access in kernel mode\n #PF: error_code(0x0002) - not-present page\n PGD 0 P4D 0\n Oops: Oops: 0002 [#1] PREEMPT SMP NOPTI\n Tainted: [W]=WARN\n RIP: 0010:vmemmap_set_pmd+0xff/0x230\n \u003cTASK\u003e\n vmemmap_populate_hugepages+0x176/0x180\n vmemmap_populate+0x34/0x80\n __populate_section_memmap+0x41/0x90\n sparse_add_section+0x121/0x3e0\n __add_pages+0xba/0x150\n add_pages+0x1d/0x70\n memremap_pages+0x3dc/0x810\n devm_memremap_pages+0x1c/0x60\n xe_devm_add+0x8b/0x100 [xe]\n xe_tile_init_noalloc+0x6a/0x70 [xe]\n xe_device_probe+0x48c/0x740 [xe]\n [... snip ...]",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2025-39845"
},
{
"cve": "CVE-2025-39866",
"cwe": {
"id": "CWE-416",
"name": "Use After Free"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs: writeback: fix use-after-free in __mark_inode_dirty()\n\nAn use-after-free issue occurred when __mark_inode_dirty() get the\nbdi_writeback that was in the progress of switching.\n\nCPU: 1 PID: 562 Comm: systemd-random- Not tainted 6.6.56-gb4403bd46a8e #1\n......\npstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\npc : __mark_inode_dirty+0x124/0x418\nlr : __mark_inode_dirty+0x118/0x418\nsp : ffffffc08c9dbbc0\n........\nCall trace:\n __mark_inode_dirty+0x124/0x418\n generic_update_time+0x4c/0x60\n file_modified+0xcc/0xd0\n ext4_buffered_write_iter+0x58/0x124\n ext4_file_write_iter+0x54/0x704\n vfs_write+0x1c0/0x308\n ksys_write+0x74/0x10c\n __arm64_sys_write+0x1c/0x28\n invoke_syscall+0x48/0x114\n el0_svc_common.constprop.0+0xc0/0xe0\n do_el0_svc+0x1c/0x28\n el0_svc+0x40/0xe4\n el0t_64_sync_handler+0x120/0x12c\n el0t_64_sync+0x194/0x198\n\nRoot cause is:\n\nsystemd-random-seed kworker\n----------------------------------------------------------------------\n___mark_inode_dirty inode_switch_wbs_work_fn\n\n spin_lock(\u0026inode-\u003ei_lock);\n inode_attach_wb\n locked_inode_to_wb_and_lock_list\n get inode-\u003ei_wb\n spin_unlock(\u0026inode-\u003ei_lock);\n spin_lock(\u0026wb-\u003elist_lock)\n spin_lock(\u0026inode-\u003ei_lock)\n inode_io_list_move_locked\n spin_unlock(\u0026wb-\u003elist_lock)\n spin_unlock(\u0026inode-\u003ei_lock)\n spin_lock(\u0026old_wb-\u003elist_lock)\n inode_do_switch_wbs\n spin_lock(\u0026inode-\u003ei_lock)\n inode-\u003ei_wb = new_wb\n spin_unlock(\u0026inode-\u003ei_lock)\n spin_unlock(\u0026old_wb-\u003elist_lock)\n wb_put_many(old_wb, nr_switched)\n cgwb_release\n old wb released\n wb_wakeup_delayed() accesses wb,\n then trigger the use-after-free\n issue\n\nFix this race condition by holding inode spinlock until\nwb_wakeup_delayed() finished.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2025-39866"
},
{
"cve": "CVE-2025-39871",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: idxd: Remove improper idxd_free\n\nThe call to idxd_free() introduces a duplicate put_device() leading to a\nreference count underflow:\nrefcount_t: underflow; use-after-free.\nWARNING: CPU: 15 PID: 4428 at lib/refcount.c:28 refcount_warn_saturate+0xbe/0x110\n...\nCall Trace:\n \u003cTASK\u003e\n idxd_remove+0xe4/0x120 [idxd]\n pci_device_remove+0x3f/0xb0\n device_release_driver_internal+0x197/0x200\n driver_detach+0x48/0x90\n bus_remove_driver+0x74/0xf0\n pci_unregister_driver+0x2e/0xb0\n idxd_exit_module+0x34/0x7a0 [idxd]\n __do_sys_delete_module.constprop.0+0x183/0x280\n do_syscall_64+0x54/0xd70\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\nThe idxd_unregister_devices() which is invoked at the very beginning of\nidxd_remove(), already takes care of the necessary put_device() through the\nfollowing call path:\nidxd_unregister_devices() -\u003e device_unregister() -\u003e put_device()\n\nIn addition, when CONFIG_DEBUG_KOBJECT_RELEASE is enabled, put_device() may\ntrigger asynchronous cleanup via schedule_delayed_work(). If idxd_free() is\ncalled immediately after, it can result in a use-after-free.\n\nRemove the improper idxd_free() to avoid both the refcount underflow and\npotential memory corruption during module unload.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2025-39871"
},
{
"cve": "CVE-2025-39931",
"cwe": {
"id": "CWE-457",
"name": "Use of Uninitialized Variable"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: af_alg - Set merge to zero early in af_alg_sendmsg\n\nIf an error causes af_alg_sendmsg to abort, ctx-\u003emerge may contain\na garbage value from the previous loop. This may then trigger a\ncrash on the next entry into af_alg_sendmsg when it attempts to do\na merge that can\u0027t be done.\n\nFix this by setting ctx-\u003emerge to zero near the start of the loop.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2025-39931"
},
{
"cve": "CVE-2025-39953",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\ncgroup: split cgroup_destroy_wq into 3 workqueues\n\nA hung task can occur during [1] LTP cgroup testing when repeatedly\nmounting/unmounting perf_event and net_prio controllers with\nsystemd.unified_cgroup_hierarchy=1. The hang manifests in\ncgroup_lock_and_drain_offline() during root destruction.\n\nRelated case:\ncgroup_fj_function_perf_event cgroup_fj_function.sh perf_event\ncgroup_fj_function_net_prio cgroup_fj_function.sh net_prio\n\nCall Trace:\n\tcgroup_lock_and_drain_offline+0x14c/0x1e8\n\tcgroup_destroy_root+0x3c/0x2c0\n\tcss_free_rwork_fn+0x248/0x338\n\tprocess_one_work+0x16c/0x3b8\n\tworker_thread+0x22c/0x3b0\n\tkthread+0xec/0x100\n\tret_from_fork+0x10/0x20\n\nRoot Cause:\n\nCPU0 CPU1\nmount perf_event umount net_prio\ncgroup1_get_tree cgroup_kill_sb\nrebind_subsystems // root destruction enqueues\n\t\t\t\t// cgroup_destroy_wq\n// kill all perf_event css\n // one perf_event css A is dying\n // css A offline enqueues cgroup_destroy_wq\n // root destruction will be executed first\n css_free_rwork_fn\n cgroup_destroy_root\n cgroup_lock_and_drain_offline\n // some perf descendants are dying\n // cgroup_destroy_wq max_active = 1\n // waiting for css A to die\n\nProblem scenario:\n1. CPU0 mounts perf_event (rebind_subsystems)\n2. CPU1 unmounts net_prio (cgroup_kill_sb), queuing root destruction work\n3. A dying perf_event CSS gets queued for offline after root destruction\n4. Root destruction waits for offline completion, but offline work is\n blocked behind root destruction in cgroup_destroy_wq (max_active=1)\n\nSolution:\nSplit cgroup_destroy_wq into three dedicated workqueues:\ncgroup_offline_wq \u2013 Handles CSS offline operations\ncgroup_release_wq \u2013 Manages resource release\ncgroup_free_wq \u2013 Performs final memory deallocation\n\nThis separation eliminates blocking in the CSS free path while waiting for\noffline operations to complete.\n\n[1] https://github.com/linux-test-project/ltp/blob/master/runtest/controllers",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2025-39953"
},
{
"cve": "CVE-2025-39955",
"cwe": {
"id": "CWE-213",
"name": "Exposure of Sensitive Information Due to Incompatible Policies"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\ntcp: Clear tcp_sk(sk)-\u003efastopen_rsk in tcp_disconnect().\n\nsyzbot reported the splat below where a socket had tcp_sk(sk)-\u003efastopen_rsk\nin the TCP_ESTABLISHED state. [0]\n\nsyzbot reused the server-side TCP Fast Open socket as a new client before\nthe TFO socket completes 3WHS:\n\n 1. accept()\n 2. connect(AF_UNSPEC)\n 3. connect() to another destination\n\nAs of accept(), sk-\u003esk_state is TCP_SYN_RECV, and tcp_disconnect() changes\nit to TCP_CLOSE and makes connect() possible, which restarts timers.\n\nSince tcp_disconnect() forgot to clear tcp_sk(sk)-\u003efastopen_rsk, the\nretransmit timer triggered the warning and the intended packet was not\nretransmitted.\n\nLet\u0027s call reqsk_fastopen_remove() in tcp_disconnect().\n\n[0]:\nWARNING: CPU: 2 PID: 0 at net/ipv4/tcp_timer.c:542 tcp_retransmit_timer (net/ipv4/tcp_timer.c:542 (discriminator 7))\nModules linked in:\nCPU: 2 UID: 0 PID: 0 Comm: swapper/2 Not tainted 6.17.0-rc5-g201825fb4278 #62 PREEMPT(voluntary)\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014\nRIP: 0010:tcp_retransmit_timer (net/ipv4/tcp_timer.c:542 (discriminator 7))\nCode: 41 55 41 54 55 53 48 8b af b8 08 00 00 48 89 fb 48 85 ed 0f 84 55 01 00 00 0f b6 47 12 3c 03 74 0c 0f b6 47 12 3c 04 74 04 90 \u003c0f\u003e 0b 90 48 8b 85 c0 00 00 00 48 89 ef 48 8b 40 30 e8 6a 4f 06 3e\nRSP: 0018:ffffc900002f8d40 EFLAGS: 00010293\nRAX: 0000000000000002 RBX: ffff888106911400 RCX: 0000000000000017\nRDX: 0000000002517619 RSI: ffffffff83764080 RDI: ffff888106911400\nRBP: ffff888106d5c000 R08: 0000000000000001 R09: ffffc900002f8de8\nR10: 00000000000000c2 R11: ffffc900002f8ff8 R12: ffff888106911540\nR13: ffff888106911480 R14: ffff888106911840 R15: ffffc900002f8de0\nFS: 0000000000000000(0000) GS:ffff88907b768000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f8044d69d90 CR3: 0000000002c30003 CR4: 0000000000370ef0\nCall Trace:\n \u003cIRQ\u003e\n tcp_write_timer (net/ipv4/tcp_timer.c:738)\n call_timer_fn (kernel/time/timer.c:1747)\n __run_timers (kernel/time/timer.c:1799 kernel/time/timer.c:2372)\n timer_expire_remote (kernel/time/timer.c:2385 kernel/time/timer.c:2376 kernel/time/timer.c:2135)\n tmigr_handle_remote_up (kernel/time/timer_migration.c:944 kernel/time/timer_migration.c:1035)\n __walk_groups.isra.0 (kernel/time/timer_migration.c:533 (discriminator 1))\n tmigr_handle_remote (kernel/time/timer_migration.c:1096)\n handle_softirqs (./arch/x86/include/asm/jump_label.h:36 ./include/trace/events/irq.h:142 kernel/softirq.c:580)\n irq_exit_rcu (kernel/softirq.c:614 kernel/softirq.c:453 kernel/softirq.c:680 kernel/softirq.c:696)\n sysvec_apic_timer_interrupt (arch/x86/kernel/apic/apic.c:1050 (discriminator 35) arch/x86/kernel/apic/apic.c:1050 (discriminator 35))\n \u003c/IRQ\u003e",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.0,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2025-39955"
},
{
"cve": "CVE-2025-39964",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: af_alg - Disallow concurrent writes in af_alg_sendmsg\n\nIssuing two writes to the same af_alg socket is bogus as the\ndata will be interleaved in an unpredictable fashion. Furthermore,\nconcurrent writes may create inconsistencies in the internal\nsocket state.\n\nDisallow this by adding a new ctx-\u003ewrite field that indiciates\nexclusive ownership for writing.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2025-39964"
},
{
"cve": "CVE-2025-39977",
"cwe": {
"id": "CWE-416",
"name": "Use After Free"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nfutex: Prevent use-after-free during requeue-PI\n\nsyzbot managed to trigger the following race:\n\n T1 T2\n\n futex_wait_requeue_pi()\n futex_do_wait()\n schedule()\n futex_requeue()\n futex_proxy_trylock_atomic()\n futex_requeue_pi_prepare()\n requeue_pi_wake_futex()\n futex_requeue_pi_complete()\n /* preempt */\n\n * timeout/ signal wakes T1 *\n\n futex_requeue_pi_wakeup_sync() // Q_REQUEUE_PI_LOCKED\n futex_hash_put()\n // back to userland, on stack futex_q is garbage\n\n /* back */\n wake_up_state(q-\u003etask, TASK_NORMAL);\n\nIn this scenario futex_wait_requeue_pi() is able to leave without using\nfutex_q::lock_ptr for synchronization.\n\nThis can be prevented by reading futex_q::task before updating the\nfutex_q::requeue_state. A reference on the task_struct is not needed\nbecause requeue_pi_wake_futex() is invoked with a spinlock_t held which\nimplies a RCU read section.\n\nEven if T1 terminates immediately after, the task_struct will remain valid\nduring T2\u0027s wake_up_state(). A READ_ONCE on futex_q::task before\nfutex_requeue_pi_complete() is enough because it ensures that the variable\nis read before the state is updated.\n\nRead futex_q::task before updating the requeue state, use it for the\nfollowing wakeup.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.0,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2025-39977"
},
{
"cve": "CVE-2025-39978",
"cwe": {
"id": "CWE-825",
"name": "Expired Pointer Dereference"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nocteontx2-pf: Fix potential use after free in otx2_tc_add_flow()\n\nThis code calls kfree_rcu(new_node, rcu) and then dereferences \"new_node\"\nand then dereferences it on the next line. Two lines later, we take\na mutex so I don\u0027t think this is an RCU safe region. Re-order it to do\nthe dereferences before queuing up the free.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2025-39978"
},
{
"cve": "CVE-2025-39980",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnexthop: Forbid FDB status change while nexthop is in a group\n\nThe kernel forbids the creation of non-FDB nexthop groups with FDB\nnexthops:\n\n # ip nexthop add id 1 via 192.0.2.1 fdb\n # ip nexthop add id 2 group 1\n Error: Non FDB nexthop group cannot have fdb nexthops.\n\nAnd vice versa:\n\n # ip nexthop add id 3 via 192.0.2.2 dev dummy1\n # ip nexthop add id 4 group 3 fdb\n Error: FDB nexthop group can only have fdb nexthops.\n\nHowever, as long as no routes are pointing to a non-FDB nexthop group,\nthe kernel allows changing the type of a nexthop from FDB to non-FDB and\nvice versa:\n\n # ip nexthop add id 5 via 192.0.2.2 dev dummy1\n # ip nexthop add id 6 group 5\n # ip nexthop replace id 5 via 192.0.2.2 fdb\n # echo $?\n 0\n\nThis configuration is invalid and can result in a NPD [1] since FDB\nnexthops are not associated with a nexthop device:\n\n # ip route add 198.51.100.1/32 nhid 6\n # ping 198.51.100.1\n\nFix by preventing nexthop FDB status change while the nexthop is in a\ngroup:\n\n # ip nexthop add id 7 via 192.0.2.2 dev dummy1\n # ip nexthop add id 8 group 7\n # ip nexthop replace id 7 via 192.0.2.2 fdb\n Error: Cannot change nexthop FDB status while in a group.\n\n[1]\nBUG: kernel NULL pointer dereference, address: 00000000000003c0\n[...]\nOops: Oops: 0000 [#1] SMP\nCPU: 6 UID: 0 PID: 367 Comm: ping Not tainted 6.17.0-rc6-virtme-gb65678cacc03 #1 PREEMPT(voluntary)\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-4.fc41 04/01/2014\nRIP: 0010:fib_lookup_good_nhc+0x1e/0x80\n[...]\nCall Trace:\n \u003cTASK\u003e\n fib_table_lookup+0x541/0x650\n ip_route_output_key_hash_rcu+0x2ea/0x970\n ip_route_output_key_hash+0x55/0x80\n __ip4_datagram_connect+0x250/0x330\n udp_connect+0x2b/0x60\n __sys_connect+0x9c/0xd0\n __x64_sys_connect+0x18/0x20\n do_syscall_64+0xa4/0x2a0\n entry_SYSCALL_64_after_hwframe+0x4b/0x53",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.0,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2025-39980"
},
{
"cve": "CVE-2025-40022",
"cwe": {
"id": "CWE-704",
"name": "Incorrect Type Conversion or Cast"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: af_alg - Fix incorrect boolean values in af_alg_ctx\n\nCommit 1b34cbbf4f01 (\"crypto: af_alg - Disallow concurrent writes in\naf_alg_sendmsg\") changed some fields from bool to 1-bit bitfields of\ntype u32.\n\nHowever, some assignments to these fields, specifically \u0027more\u0027 and\n\u0027merge\u0027, assign values greater than 1. These relied on C\u0027s implicit\nconversion to bool, such that zero becomes false and nonzero becomes\ntrue.\n\nWith a 1-bit bitfields of type u32 instead, mod 2 of the value is taken\ninstead, resulting in 0 being assigned in some cases when 1 was intended.\n\nFix this by restoring the bool type.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2025-40022"
},
{
"cve": "CVE-2025-40070",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\npps: fix warning in pps_register_cdev when register device fail\n\nSimilar to previous commit 2a934fdb01db (\"media: v4l2-dev: fix error\nhandling in __video_register_device()\"), the release hook should be set\nbefore device_register(). Otherwise, when device_register() return error\nand put_device() try to callback the release function, the below warning\nmay happen.\n\n ------------[ cut here ]------------\n WARNING: CPU: 1 PID: 4760 at drivers/base/core.c:2567 device_release+0x1bd/0x240 drivers/base/core.c:2567\n Modules linked in:\n CPU: 1 UID: 0 PID: 4760 Comm: syz.4.914 Not tainted 6.17.0-rc3+ #1 NONE\n RIP: 0010:device_release+0x1bd/0x240 drivers/base/core.c:2567\n Call Trace:\n \u003cTASK\u003e\n kobject_cleanup+0x136/0x410 lib/kobject.c:689\n kobject_release lib/kobject.c:720 [inline]\n kref_put include/linux/kref.h:65 [inline]\n kobject_put+0xe9/0x130 lib/kobject.c:737\n put_device+0x24/0x30 drivers/base/core.c:3797\n pps_register_cdev+0x2da/0x370 drivers/pps/pps.c:402\n pps_register_source+0x2f6/0x480 drivers/pps/kapi.c:108\n pps_tty_open+0x190/0x310 drivers/pps/clients/pps-ldisc.c:57\n tty_ldisc_open+0xa7/0x120 drivers/tty/tty_ldisc.c:432\n tty_set_ldisc+0x333/0x780 drivers/tty/tty_ldisc.c:563\n tiocsetd drivers/tty/tty_io.c:2429 [inline]\n tty_ioctl+0x5d1/0x1700 drivers/tty/tty_io.c:2728\n vfs_ioctl fs/ioctl.c:51 [inline]\n __do_sys_ioctl fs/ioctl.c:598 [inline]\n __se_sys_ioctl fs/ioctl.c:584 [inline]\n __x64_sys_ioctl+0x194/0x210 fs/ioctl.c:584\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0x5f/0x2a0 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n \u003c/TASK\u003e\n\nBefore commit c79a39dc8d06 (\"pps: Fix a use-after-free\"),\npps_register_cdev() call device_create() to create pps-\u003edev, which will\ninit dev-\u003erelease to device_create_release(). Now the comment is outdated,\njust remove it.\n\nThanks for the reminder from Calvin Owens, \u0027kfree_pps\u0027 should be removed\nin pps_register_source() to avoid a double free in the failure case.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2025-40070"
},
{
"cve": "CVE-2025-40078",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Explicitly check accesses to bpf_sock_addr\n\nSyzkaller found a kernel warning on the following sock_addr program:\n\n 0: r0 = 0\n 1: r2 = *(u32 *)(r1 +60)\n 2: exit\n\nwhich triggers:\n\n verifier bug: error during ctx access conversion (0)\n\nThis is happening because offset 60 in bpf_sock_addr corresponds to an\nimplicit padding of 4 bytes, right after msg_src_ip4. Access to this\npadding isn\u0027t rejected in sock_addr_is_valid_access and it thus later\nfails to convert the access.\n\nThis patch fixes it by explicitly checking the various fields of\nbpf_sock_addr in sock_addr_is_valid_access.\n\nI checked the other ctx structures and is_valid_access functions and\ndidn\u0027t find any other similar cases. Other cases of (properly handled)\npadding are covered in new tests in a subsequent patch.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2025-40078"
},
{
"cve": "CVE-2025-40080",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnbd: restrict sockets to TCP and UDP\n\nRecently, syzbot started to abuse NBD with all kinds of sockets.\n\nCommit cf1b2326b734 (\"nbd: verify socket is supported during setup\")\nmade sure the socket supported a shutdown() method.\n\nExplicitely accept TCP and UNIX stream sockets.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2025-40080"
},
{
"cve": "CVE-2025-40105",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nvfs: Don\u0027t leak disconnected dentries on umount\n\nWhen user calls open_by_handle_at() on some inode that is not cached, we\nwill create disconnected dentry for it. If such dentry is a directory,\nexportfs_decode_fh_raw() will then try to connect this dentry to the\ndentry tree through reconnect_path(). It may happen for various reasons\n(such as corrupted fs or race with rename) that the call to\nlookup_one_unlocked() in reconnect_one() will fail to find the dentry we\nare trying to reconnect and instead create a new dentry under the\nparent. Now this dentry will not be marked as disconnected although the\nparent still may well be disconnected (at least in case this\ninconsistency happened because the fs is corrupted and .. doesn\u0027t point\nto the real parent directory). This creates inconsistency in\ndisconnected flags but AFAICS it was mostly harmless. At least until\ncommit f1ee616214cb (\"VFS: don\u0027t keep disconnected dentries on d_anon\")\nwhich removed adding of most disconnected dentries to sb-\u003es_anon list.\nThus after this commit cleanup of disconnected dentries implicitely\nrelies on the fact that dput() will immediately reclaim such dentries.\nHowever when some leaf dentry isn\u0027t marked as disconnected, as in the\nscenario described above, the reclaim doesn\u0027t happen and the dentries\nare \"leaked\". Memory reclaim can eventually reclaim them but otherwise\nthey stay in memory and if umount comes first, we hit infamous \"Busy\ninodes after unmount\" bug. Make sure all dentries created under a\ndisconnected parent are marked as disconnected as well.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2025-40105"
},
{
"cve": "CVE-2025-40135",
"cwe": {
"id": "CWE-825",
"name": "Expired Pointer Dereference"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: use RCU in ip6_xmit()\n\nUse RCU in ip6_xmit() in order to use dst_dev_rcu() to prevent\npossible UAF.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.0,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2025-40135"
},
{
"cve": "CVE-2025-40149",
"cwe": {
"id": "CWE-416",
"name": "Use After Free"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\ntls: Use __sk_dst_get() and dst_dev_rcu() in get_netdev_for_sock().\n\nget_netdev_for_sock() is called during setsockopt(),\nso not under RCU.\n\nUsing sk_dst_get(sk)-\u003edev could trigger UAF.\n\nLet\u0027s use __sk_dst_get() and dst_dev_rcu().\n\nNote that the only -\u003endo_sk_get_lower_dev() user is\nbond_sk_get_lower_dev(), which uses RCU.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.0,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2025-40149"
},
{
"cve": "CVE-2025-40219",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nPCI/IOV: Fix race between SR-IOV enable/disable and hotplug\n\nCommit 05703271c3cd (\"PCI/IOV: Add PCI rescan-remove locking when\nenabling/disabling SR-IOV\") tried to fix a race between the VF removal\ninside sriov_del_vfs() and concurrent hot unplug by taking the PCI\nrescan/remove lock in sriov_del_vfs(). Similarly the PCI rescan/remove lock\nwas also taken in sriov_add_vfs() to protect addition of VFs.\n\nThis approach however causes deadlock on trying to remove PFs with SR-IOV\nenabled because PFs disable SR-IOV during removal and this removal happens\nunder the PCI rescan/remove lock. So the original fix had to be reverted.\n\nInstead of taking the PCI rescan/remove lock in sriov_add_vfs() and\nsriov_del_vfs(), fix the race that occurs with SR-IOV enable and disable vs\nhotplug higher up in the callchain by taking the lock in\nsriov_numvfs_store() before calling into the driver\u0027s sriov_configure()\ncallback.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.6,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2025-40219"
},
{
"cve": "CVE-2025-40261",
"cwe": {
"id": "CWE-1341",
"name": "Multiple Releases of Same Resource or Handle"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvme: nvme-fc: Ensure -\u003eioerr_work is cancelled in nvme_fc_delete_ctrl()\n\nnvme_fc_delete_assocation() waits for pending I/O to complete before\nreturning, and an error can cause -\u003eioerr_work to be queued after\ncancel_work_sync() had been called. Move the call to cancel_work_sync() to\nbe after nvme_fc_delete_association() to ensure -\u003eioerr_work is not running\nwhen the nvme_fc_ctrl object is freed. Otherwise the following can occur:\n\n[ 1135.911754] list_del corruption, ff2d24c8093f31f8-\u003enext is NULL\n[ 1135.917705] ------------[ cut here ]------------\n[ 1135.922336] kernel BUG at lib/list_debug.c:52!\n[ 1135.926784] Oops: invalid opcode: 0000 [#1] SMP NOPTI\n[ 1135.931851] CPU: 48 UID: 0 PID: 726 Comm: kworker/u449:23 Kdump: loaded Not tainted 6.12.0 #1 PREEMPT(voluntary)\n[ 1135.943490] Hardware name: Dell Inc. PowerEdge R660/0HGTK9, BIOS 2.5.4 01/16/2025\n[ 1135.950969] Workqueue: 0x0 (nvme-wq)\n[ 1135.954673] RIP: 0010:__list_del_entry_valid_or_report.cold+0xf/0x6f\n[ 1135.961041] Code: c7 c7 98 68 72 94 e8 26 45 fe ff 0f 0b 48 c7 c7 70 68 72 94 e8 18 45 fe ff 0f 0b 48 89 fe 48 c7 c7 80 69 72 94 e8 07 45 fe ff \u003c0f\u003e 0b 48 89 d1 48 c7 c7 a0 6a 72 94 48 89 c2 e8 f3 44 fe ff 0f 0b\n[ 1135.979788] RSP: 0018:ff579b19482d3e50 EFLAGS: 00010046\n[ 1135.985015] RAX: 0000000000000033 RBX: ff2d24c8093f31f0 RCX: 0000000000000000\n[ 1135.992148] RDX: 0000000000000000 RSI: ff2d24d6bfa1d0c0 RDI: ff2d24d6bfa1d0c0\n[ 1135.999278] RBP: ff2d24c8093f31f8 R08: 0000000000000000 R09: ffffffff951e2b08\n[ 1136.006413] R10: ffffffff95122ac8 R11: 0000000000000003 R12: ff2d24c78697c100\n[ 1136.013546] R13: fffffffffffffff8 R14: 0000000000000000 R15: ff2d24c78697c0c0\n[ 1136.020677] FS: 0000000000000000(0000) GS:ff2d24d6bfa00000(0000) knlGS:0000000000000000\n[ 1136.028765] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 1136.034510] CR2: 00007fd207f90b80 CR3: 000000163ea22003 CR4: 0000000000f73ef0\n[ 1136.041641] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[ 1136.048776] DR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400\n[ 1136.055910] PKRU: 55555554\n[ 1136.058623] Call Trace:\n[ 1136.061074] \u003cTASK\u003e\n[ 1136.063179] ? show_trace_log_lvl+0x1b0/0x2f0\n[ 1136.067540] ? show_trace_log_lvl+0x1b0/0x2f0\n[ 1136.071898] ? move_linked_works+0x4a/0xa0\n[ 1136.075998] ? __list_del_entry_valid_or_report.cold+0xf/0x6f\n[ 1136.081744] ? __die_body.cold+0x8/0x12\n[ 1136.085584] ? die+0x2e/0x50\n[ 1136.088469] ? do_trap+0xca/0x110\n[ 1136.091789] ? do_error_trap+0x65/0x80\n[ 1136.095543] ? __list_del_entry_valid_or_report.cold+0xf/0x6f\n[ 1136.101289] ? exc_invalid_op+0x50/0x70\n[ 1136.105127] ? __list_del_entry_valid_or_report.cold+0xf/0x6f\n[ 1136.110874] ? asm_exc_invalid_op+0x1a/0x20\n[ 1136.115059] ? __list_del_entry_valid_or_report.cold+0xf/0x6f\n[ 1136.120806] move_linked_works+0x4a/0xa0\n[ 1136.124733] worker_thread+0x216/0x3a0\n[ 1136.128485] ? __pfx_worker_thread+0x10/0x10\n[ 1136.132758] kthread+0xfa/0x240\n[ 1136.135904] ? __pfx_kthread+0x10/0x10\n[ 1136.139657] ret_from_fork+0x31/0x50\n[ 1136.143236] ? __pfx_kthread+0x10/0x10\n[ 1136.146988] ret_from_fork_asm+0x1a/0x30\n[ 1136.150915] \u003c/TASK\u003e",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.6,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2025-40261"
},
{
"cve": "CVE-2025-40300",
"cwe": {
"id": "CWE-402",
"name": "Transmission of Private Resources into a New Sphere (\u0027Resource Leak\u0027)"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/vmscape: Add conditional IBPB mitigation\n\nVMSCAPE is a vulnerability that exploits insufficient branch predictor\nisolation between a guest and a userspace hypervisor (like QEMU). Existing\nmitigations already protect kernel/KVM from a malicious guest. Userspace\ncan additionally be protected by flushing the branch predictors after a\nVMexit.\n\nSince it is the userspace that consumes the poisoned branch predictors,\nconditionally issue an IBPB after a VMexit and before returning to\nuserspace. Workloads that frequently switch between hypervisor and\nuserspace will incur the most overhead from the new IBPB.\n\nThis new IBPB is not integrated with the existing IBPB sites. For\ninstance, a task can use the existing speculation control prctl() to\nget an IBPB at context switch time. With this implementation, the\nIBPB is doubled up: one at context switch and another before running\nuserspace.\n\nThe intent is to integrate and optimize these cases post-embargo.\n\n[ dhansen: elaborate on suboptimal IBPB solution ]",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2025-40300"
},
{
"cve": "CVE-2025-61984",
"cwe": {
"id": "CWE-159",
"name": "Improper Handling of Invalid Use of Special Elements"
},
"notes": [
{
"category": "description",
"text": "ssh in OpenSSH before 10.1 allows control characters in usernames that originate from certain possibly untrusted sources, potentially leading to code execution when a ProxyCommand is used. The untrusted sources are the command line and %-sequence expansion of a configuration file. (A configuration file that provides a complete literal username is not categorized as an untrusted source.)",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 3.6,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2025-61984"
},
{
"cve": "CVE-2025-61985",
"cwe": {
"id": "CWE-158",
"name": "Improper Neutralization of Null Byte or NUL Character"
},
"notes": [
{
"category": "description",
"text": "ssh in OpenSSH before 10.1 allows the \u0027\\0\u0027 character in an ssh:// URI, potentially leading to code execution when a ProxyCommand is used.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 3.6,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2025-61985"
},
{
"cve": "CVE-2025-68206",
"cwe": {
"id": "CWE-166",
"name": "Improper Handling of Missing Special Element"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nft_ct: add seqadj extension for natted connections\n\nSequence adjustment may be required for FTP traffic with PASV/EPSV modes.\ndue to need to re-write packet payload (IP, port) on the ftp control\nconnection. This can require changes to the TCP length and expected\nseq / ack_seq.\n\nThe easiest way to reproduce this issue is with PASV mode.\nExample ruleset:\ntable inet ftp_nat {\n ct helper ftp_helper {\n type \"ftp\" protocol tcp\n l3proto inet\n }\n\n chain prerouting {\n type filter hook prerouting priority 0; policy accept;\n tcp dport 21 ct state new ct helper set \"ftp_helper\"\n }\n}\ntable ip nat {\n chain prerouting {\n type nat hook prerouting priority -100; policy accept;\n tcp dport 21 dnat ip prefix to ip daddr map {\n\t\t\t192.168.100.1 : 192.168.13.2/32 }\n }\n\n chain postrouting {\n type nat hook postrouting priority 100 ; policy accept;\n tcp sport 21 snat ip prefix to ip saddr map {\n\t\t\t192.168.13.2 : 192.168.100.1/32 }\n }\n}\n\nNote that the ftp helper gets assigned *after* the dnat setup.\n\nThe inverse (nat after helper assign) is handled by an existing\ncheck in nf_nat_setup_info() and will not show the problem.\n\nTopoloy:\n\n +-------------------+ +----------------------------------+\n | FTP: 192.168.13.2 | \u003c-\u003e | NAT: 192.168.13.3, 192.168.100.1 |\n +-------------------+ +----------------------------------+\n |\n +-----------------------+\n | Client: 192.168.100.2 |\n +-----------------------+\n\nftp nat changes do not work as expected in this case:\nConnected to 192.168.100.1.\n[..]\nftp\u003e epsv\nEPSV/EPRT on IPv4 off.\nftp\u003e ls\n227 Entering passive mode (192,168,100,1,209,129).\n421 Service not available, remote server has closed connection.\n\nKernel logs:\nMissing nfct_seqadj_ext_add() setup call\nWARNING: CPU: 1 PID: 0 at net/netfilter/nf_conntrack_seqadj.c:41\n[..]\n __nf_nat_mangle_tcp_packet+0x100/0x160 [nf_nat]\n nf_nat_ftp+0x142/0x280 [nf_nat_ftp]\n help+0x4d1/0x880 [nf_conntrack_ftp]\n nf_confirm+0x122/0x2e0 [nf_conntrack]\n nf_hook_slow+0x3c/0xb0\n ..\n\nFix this by adding the required extension when a conntrack helper is assigned\nto a connection that has a nat binding.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2025-68206"
},
{
"cve": "CVE-2025-68261",
"cwe": {
"id": "CWE-367",
"name": "Time-of-check Time-of-use (TOCTOU) Race Condition"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: add i_data_sem protection in ext4_destroy_inline_data_nolock()\n\nFix a race between inline data destruction and block mapping.\n\nThe function ext4_destroy_inline_data_nolock() changes the inode data\nlayout by clearing EXT4_INODE_INLINE_DATA and setting EXT4_INODE_EXTENTS.\nAt the same time, another thread may execute ext4_map_blocks(), which\ntests EXT4_INODE_EXTENTS to decide whether to call ext4_ext_map_blocks()\nor ext4_ind_map_blocks().\n\nWithout i_data_sem protection, ext4_ind_map_blocks() may receive inode\nwith EXT4_INODE_EXTENTS flag and triggering assert.\n\nkernel BUG at fs/ext4/indirect.c:546!\nEXT4-fs (loop2): unmounting filesystem.\ninvalid opcode: 0000 [#1] PREEMPT SMP KASAN NOPTI\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014\nRIP: 0010:ext4_ind_map_blocks.cold+0x2b/0x5a fs/ext4/indirect.c:546\n\nCall Trace:\n \u003cTASK\u003e\n ext4_map_blocks+0xb9b/0x16f0 fs/ext4/inode.c:681\n _ext4_get_block+0x242/0x590 fs/ext4/inode.c:822\n ext4_block_write_begin+0x48b/0x12c0 fs/ext4/inode.c:1124\n ext4_write_begin+0x598/0xef0 fs/ext4/inode.c:1255\n ext4_da_write_begin+0x21e/0x9c0 fs/ext4/inode.c:3000\n generic_perform_write+0x259/0x5d0 mm/filemap.c:3846\n ext4_buffered_write_iter+0x15b/0x470 fs/ext4/file.c:285\n ext4_file_write_iter+0x8e0/0x17f0 fs/ext4/file.c:679\n call_write_iter include/linux/fs.h:2271 [inline]\n do_iter_readv_writev+0x212/0x3c0 fs/read_write.c:735\n do_iter_write+0x186/0x710 fs/read_write.c:861\n vfs_iter_write+0x70/0xa0 fs/read_write.c:902\n iter_file_splice_write+0x73b/0xc90 fs/splice.c:685\n do_splice_from fs/splice.c:763 [inline]\n direct_splice_actor+0x10f/0x170 fs/splice.c:950\n splice_direct_to_actor+0x33a/0xa10 fs/splice.c:896\n do_splice_direct+0x1a9/0x280 fs/splice.c:1002\n do_sendfile+0xb13/0x12c0 fs/read_write.c:1255\n __do_sys_sendfile64 fs/read_write.c:1323 [inline]\n __se_sys_sendfile64 fs/read_write.c:1309 [inline]\n __x64_sys_sendfile64+0x1cf/0x210 fs/read_write.c:1309\n do_syscall_x64 arch/x86/entry/common.c:51 [inline]\n do_syscall_64+0x35/0x80 arch/x86/entry/common.c:81\n entry_SYSCALL_64_after_hwframe+0x6e/0xd8",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2025-68261"
},
{
"cve": "CVE-2025-68264",
"cwe": {
"id": "CWE-362",
"name": "Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027)"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: refresh inline data size before write operations\n\nThe cached ei-\u003ei_inline_size can become stale between the initial size\ncheck and when ext4_update_inline_data()/ext4_create_inline_data() use\nit. Although ext4_get_max_inline_size() reads the correct value at the\ntime of the check, concurrent xattr operations can modify i_inline_size\nbefore ext4_write_lock_xattr() is acquired.\n\nThis causes ext4_update_inline_data() and ext4_create_inline_data() to\nwork with stale capacity values, leading to a BUG_ON() crash in\next4_write_inline_data():\n\n kernel BUG at fs/ext4/inline.c:1331!\n BUG_ON(pos + len \u003e EXT4_I(inode)-\u003ei_inline_size);\n\nThe race window:\n1. ext4_get_max_inline_size() reads i_inline_size = 60 (correct)\n2. Size check passes for 50-byte write\n3. [Another thread adds xattr, i_inline_size changes to 40]\n4. ext4_write_lock_xattr() acquires lock\n5. ext4_update_inline_data() uses stale i_inline_size = 60\n6. Attempts to write 50 bytes but only 40 bytes actually available\n7. BUG_ON() triggers\n\nFix this by recalculating i_inline_size via ext4_find_inline_data_nolock()\nimmediately after acquiring xattr_sem. This ensures ext4_update_inline_data()\nand ext4_create_inline_data() work with current values that are protected\nfrom concurrent modifications.\n\nThis is similar to commit a54c4613dac1 (\"ext4: fix race writing to an\ninline_data file while its xattrs are changing\") which fixed i_inline_off\nstaleness. This patch addresses the related i_inline_size staleness issue.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2025-68264"
},
{
"cve": "CVE-2025-68265",
"cwe": {
"id": "CWE-825",
"name": "Expired Pointer Dereference"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvme: fix admin request_queue lifetime\n\nThe namespaces can access the controller\u0027s admin request_queue, and\nstale references on the namespaces may exist after tearing down the\ncontroller. Ensure the admin request_queue is active by moving the\ncontroller\u0027s \u0027put\u0027 to after all controller references have been released\nto ensure no one is can access the request_queue. This fixes a reported\nuse-after-free bug:\n\n BUG: KASAN: slab-use-after-free in blk_queue_enter+0x41c/0x4a0\n Read of size 8 at addr ffff88c0a53819f8 by task nvme/3287\n CPU: 67 UID: 0 PID: 3287 Comm: nvme Tainted: G E 6.13.2-ga1582f1a031e #15\n Tainted: [E]=UNSIGNED_MODULE\n Hardware name: Jabil /EGS 2S MB1, BIOS 1.00 06/18/2025\n Call Trace:\n \u003cTASK\u003e\n dump_stack_lvl+0x4f/0x60\n print_report+0xc4/0x620\n ? _raw_spin_lock_irqsave+0x70/0xb0\n ? _raw_read_unlock_irqrestore+0x30/0x30\n ? blk_queue_enter+0x41c/0x4a0\n kasan_report+0xab/0xe0\n ? blk_queue_enter+0x41c/0x4a0\n blk_queue_enter+0x41c/0x4a0\n ? __irq_work_queue_local+0x75/0x1d0\n ? blk_queue_start_drain+0x70/0x70\n ? irq_work_queue+0x18/0x20\n ? vprintk_emit.part.0+0x1cc/0x350\n ? wake_up_klogd_work_func+0x60/0x60\n blk_mq_alloc_request+0x2b7/0x6b0\n ? __blk_mq_alloc_requests+0x1060/0x1060\n ? __switch_to+0x5b7/0x1060\n nvme_submit_user_cmd+0xa9/0x330\n nvme_user_cmd.isra.0+0x240/0x3f0\n ? force_sigsegv+0xe0/0xe0\n ? nvme_user_cmd64+0x400/0x400\n ? vfs_fileattr_set+0x9b0/0x9b0\n ? cgroup_update_frozen_flag+0x24/0x1c0\n ? cgroup_leave_frozen+0x204/0x330\n ? nvme_ioctl+0x7c/0x2c0\n blkdev_ioctl+0x1a8/0x4d0\n ? blkdev_common_ioctl+0x1930/0x1930\n ? fdget+0x54/0x380\n __x64_sys_ioctl+0x129/0x190\n do_syscall_64+0x5b/0x160\n entry_SYSCALL_64_after_hwframe+0x4b/0x53\n RIP: 0033:0x7f765f703b0b\n Code: ff ff ff 85 c0 79 9b 49 c7 c4 ff ff ff ff 5b 5d 4c 89 e0 41 5c c3 66 0f 1f 84 00 00 00 00 00 f3 0f 1e fa b8 10 00 00 00 0f 05 \u003c48\u003e 3d 01 f0 ff ff 73 01 c3 48 8b 0d dd 52 0f 00 f7 d8 64 89 01 48\n RSP: 002b:00007ffe2cefe808 EFLAGS: 00000202 ORIG_RAX: 0000000000000010\n RAX: ffffffffffffffda RBX: 00007ffe2cefe860 RCX: 00007f765f703b0b\n RDX: 00007ffe2cefe860 RSI: 00000000c0484e41 RDI: 0000000000000003\n RBP: 0000000000000000 R08: 0000000000000003 R09: 0000000000000000\n R10: 00007f765f611d50 R11: 0000000000000202 R12: 0000000000000003\n R13: 00000000c0484e41 R14: 0000000000000001 R15: 00007ffe2cefea60\n \u003c/TASK\u003e",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2025-68265"
},
{
"cve": "CVE-2025-68266",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nbfs: Reconstruct file type when loading from disk\n\nsyzbot is reporting that S_IFMT bits of inode-\u003ei_mode can become bogus when\nthe S_IFMT bits of the 32bits \"mode\" field loaded from disk are corrupted\nor when the 32bits \"attributes\" field loaded from disk are corrupted.\n\nA documentation says that BFS uses only lower 9 bits of the \"mode\" field.\nBut I can\u0027t find an explicit explanation that the unused upper 23 bits\n(especially, the S_IFMT bits) are initialized with 0.\n\nTherefore, ignore the S_IFMT bits of the \"mode\" field loaded from disk.\nAlso, verify that the value of the \"attributes\" field loaded from disk is\neither BFS_VREG or BFS_VDIR (because BFS supports only regular files and\nthe root directory).",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2025-68266"
},
{
"cve": "CVE-2025-68291",
"cwe": {
"id": "CWE-909",
"name": "Missing Initialization of Resource"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: Initialise rcv_mss before calling tcp_send_active_reset() in mptcp_do_fastclose().\n\nsyzbot reported divide-by-zero in __tcp_select_window() by\nMPTCP socket. [0]\n\nWe had a similar issue for the bare TCP and fixed in commit\n499350a5a6e7 (\"tcp: initialize rcv_mss to TCP_MIN_MSS instead\nof 0\").\n\nLet\u0027s apply the same fix to mptcp_do_fastclose().\n\n[0]:\nOops: divide error: 0000 [#1] SMP KASAN PTI\nCPU: 0 UID: 0 PID: 6068 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full)\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025\nRIP: 0010:__tcp_select_window+0x824/0x1320 net/ipv4/tcp_output.c:3336\nCode: ff ff ff 44 89 f1 d3 e0 89 c1 f7 d1 41 01 cc 41 21 c4 e9 a9 00 00 00 e8 ca 49 01 f8 e9 9c 00 00 00 e8 c0 49 01 f8 44 89 e0 99 \u003cf7\u003e 7c 24 1c 41 29 d4 48 bb 00 00 00 00 00 fc ff df e9 80 00 00 00\nRSP: 0018:ffffc90003017640 EFLAGS: 00010293\nRAX: 0000000000000000 RBX: 0000000000000000 RCX: ffff88807b469e40\nRDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000\nRBP: ffffc90003017730 R08: ffff888033268143 R09: 1ffff1100664d028\nR10: dffffc0000000000 R11: ffffed100664d029 R12: 0000000000000000\nR13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000\nFS: 000055557faa0500(0000) GS:ffff888126135000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f64a1912ff8 CR3: 0000000072122000 CR4: 00000000003526f0\nCall Trace:\n \u003cTASK\u003e\n tcp_select_window net/ipv4/tcp_output.c:281 [inline]\n __tcp_transmit_skb+0xbc7/0x3aa0 net/ipv4/tcp_output.c:1568\n tcp_transmit_skb net/ipv4/tcp_output.c:1649 [inline]\n tcp_send_active_reset+0x2d1/0x5b0 net/ipv4/tcp_output.c:3836\n mptcp_do_fastclose+0x27e/0x380 net/mptcp/protocol.c:2793\n mptcp_disconnect+0x238/0x710 net/mptcp/protocol.c:3253\n mptcp_sendmsg_fastopen+0x2f8/0x580 net/mptcp/protocol.c:1776\n mptcp_sendmsg+0x1774/0x1980 net/mptcp/protocol.c:1855\n sock_sendmsg_nosec net/socket.c:727 [inline]\n __sock_sendmsg+0xe5/0x270 net/socket.c:742\n __sys_sendto+0x3bd/0x520 net/socket.c:2244\n __do_sys_sendto net/socket.c:2251 [inline]\n __se_sys_sendto net/socket.c:2247 [inline]\n __x64_sys_sendto+0xde/0x100 net/socket.c:2247\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xfa/0xfa0 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7f66e998f749\nCode: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 \u003c48\u003e 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007ffff9acedb8 EFLAGS: 00000246 ORIG_RAX: 000000000000002c\nRAX: ffffffffffffffda RBX: 00007f66e9be5fa0 RCX: 00007f66e998f749\nRDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003\nRBP: 00007ffff9acee10 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001\nR13: 00007f66e9be5fa0 R14: 00007f66e9be5fa0 R15: 0000000000000006\n \u003c/TASK\u003e",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2025-68291"
},
{
"cve": "CVE-2025-68337",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\njbd2: avoid bug_on in jbd2_journal_get_create_access() when file system corrupted\n\nThere\u0027s issue when file system corrupted:\n------------[ cut here ]------------\nkernel BUG at fs/jbd2/transaction.c:1289!\nOops: invalid opcode: 0000 [#1] SMP KASAN PTI\nCPU: 5 UID: 0 PID: 2031 Comm: mkdir Not tainted 6.18.0-rc1-next\nRIP: 0010:jbd2_journal_get_create_access+0x3b6/0x4d0\nRSP: 0018:ffff888117aafa30 EFLAGS: 00010202\nRAX: 0000000000000000 RBX: ffff88811a86b000 RCX: ffffffff89a63534\nRDX: 1ffff110200ec602 RSI: 0000000000000004 RDI: ffff888100763010\nRBP: ffff888100763000 R08: 0000000000000001 R09: ffff888100763028\nR10: 0000000000000003 R11: 0000000000000000 R12: 0000000000000000\nR13: ffff88812c432000 R14: ffff88812c608000 R15: ffff888120bfc000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f91d6970c99 CR3: 00000001159c4000 CR4: 00000000000006f0\nCall Trace:\n \u003cTASK\u003e\n __ext4_journal_get_create_access+0x42/0x170\n ext4_getblk+0x319/0x6f0\n ext4_bread+0x11/0x100\n ext4_append+0x1e6/0x4a0\n ext4_init_new_dir+0x145/0x1d0\n ext4_mkdir+0x326/0x920\n vfs_mkdir+0x45c/0x740\n do_mkdirat+0x234/0x2f0\n __x64_sys_mkdir+0xd6/0x120\n do_syscall_64+0x5f/0xfa0\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\nThe above issue occurs with us in errors=continue mode when accompanied by\nstorage failures. There have been many inconsistencies in the file system\ndata.\nIn the case of file system data inconsistency, for example, if the block\nbitmap of a referenced block is not set, it can lead to the situation where\na block being committed is allocated and used again. As a result, the\nfollowing condition will not be satisfied then trigger BUG_ON. Of course,\nit is entirely possible to construct a problematic image that can trigger\nthis BUG_ON through specific operations. In fact, I have constructed such\nan image and easily reproduced this issue.\nTherefore, J_ASSERT() holds true only under ideal conditions, but it may\nnot necessarily be satisfied in exceptional scenarios. Using J_ASSERT()\ndirectly in abnormal situations would cause the system to crash, which is\nclearly not what we want. So here we directly trigger a JBD abort instead\nof immediately invoking BUG_ON.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2025-68337"
},
{
"cve": "CVE-2025-68349",
"cwe": {
"id": "CWE-476",
"name": "NULL Pointer Dereference"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nNFSv4/pNFS: Clear NFS_INO_LAYOUTCOMMIT in pnfs_mark_layout_stateid_invalid\n\nFixes a crash when layout is null during this call stack:\n\nwrite_inode\n -\u003e nfs4_write_inode\n -\u003e pnfs_layoutcommit_inode\n\npnfs_set_layoutcommit relies on the lseg refcount to keep the layout\naround. Need to clear NFS_INO_LAYOUTCOMMIT otherwise we might attempt\nto reference a null layout.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2025-68349"
},
{
"cve": "CVE-2025-68363",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Check skb-\u003etransport_header is set in bpf_skb_check_mtu\n\nThe bpf_skb_check_mtu helper needs to use skb-\u003etransport_header when\nthe BPF_MTU_CHK_SEGS flag is used:\n\n\tbpf_skb_check_mtu(skb, ifindex, \u0026mtu_len, 0, BPF_MTU_CHK_SEGS)\n\nThe transport_header is not always set. There is a WARN_ON_ONCE\nreport when CONFIG_DEBUG_NET is enabled + skb-\u003egso_size is set +\nbpf_prog_test_run is used:\n\nWARNING: CPU: 1 PID: 2216 at ./include/linux/skbuff.h:3071\n skb_gso_validate_network_len\n bpf_skb_check_mtu\n bpf_prog_3920e25740a41171_tc_chk_segs_flag # A test in the next patch\n bpf_test_run\n bpf_prog_test_run_skb\n\nFor a normal ingress skb (not test_run), skb_reset_transport_header\nis performed but there is plan to avoid setting it as described in\ncommit 2170a1f09148 (\"net: no longer reset transport_header in __netif_receive_skb_core()\").\n\nThis patch fixes the bpf helper by checking\nskb_transport_header_was_set(). The check is done just before\nskb-\u003etransport_header is used, to avoid breaking the existing bpf prog.\nThe WARN_ON_ONCE is limited to bpf_prog_test_run, so targeting bpf-next.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2025-68363"
},
{
"cve": "CVE-2025-68371",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: smartpqi: Fix device resources accessed after device removal\n\nCorrect possible race conditions during device removal.\n\nPreviously, a scheduled work item to reset a LUN could still execute\nafter the device was removed, leading to use-after-free and other\nresource access issues.\n\nThis race condition occurs because the abort handler may schedule a LUN\nreset concurrently with device removal via sdev_destroy(), leading to\nuse-after-free and improper access to freed resources.\n\n - Check in the device reset handler if the device is still present in\n the controller\u0027s SCSI device list before running; if not, the reset\n is skipped.\n\n - Cancel any pending TMF work that has not started in sdev_destroy().\n\n - Ensure device freeing in sdev_destroy() is done while holding the\n LUN reset mutex to avoid races with ongoing resets.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2025-68371"
},
{
"cve": "CVE-2025-68724",
"cwe": {
"id": "CWE-190",
"name": "Integer Overflow or Wraparound"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: asymmetric_keys - prevent overflow in asymmetric_key_generate_id\n\nUse check_add_overflow() to guard against potential integer overflows\nwhen adding the binary blob lengths and the size of an asymmetric_key_id\nstructure and return ERR_PTR(-EOVERFLOW) accordingly. This prevents a\npossible buffer overflow when copying data from potentially malicious\nX.509 certificate fields that can be arbitrarily large, such as ASN.1\nINTEGER serial numbers, issuer names, etc.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2025-68724"
},
{
"cve": "CVE-2025-68725",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Do not let BPF test infra emit invalid GSO types to stack\n\nYinhao et al. reported that their fuzzer tool was able to trigger a\nskb_warn_bad_offload() from netif_skb_features() -\u003e gso_features_check().\nWhen a BPF program - triggered via BPF test infra - pushes the packet\nto the loopback device via bpf_clone_redirect() then mentioned offload\nwarning can be seen. GSO-related features are then rightfully disabled.\n\nWe get into this situation due to convert___skb_to_skb() setting\ngso_segs and gso_size but not gso_type. Technically, it makes sense\nthat this warning triggers since the GSO properties are malformed due\nto the gso_type. Potentially, the gso_type could be marked non-trustworthy\nthrough setting it at least to SKB_GSO_DODGY without any other specific\nassumptions, but that also feels wrong given we should not go further\ninto the GSO engine in the first place.\n\nThe checks were added in 121d57af308d (\"gso: validate gso_type in GSO\nhandlers\") because there were malicious (syzbot) senders that combine\na protocol with a non-matching gso_type. If we would want to drop such\npackets, gso_features_check() currently only returns feature flags via\nnetif_skb_features(), so one location for potentially dropping such skbs\ncould be validate_xmit_unreadable_skb(), but then otoh it would be\nan additional check in the fast-path for a very corner case. Given\nbpf_clone_redirect() is the only place where BPF test infra could emit\nsuch packets, lets reject them right there.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2025-68725"
},
{
"cve": "CVE-2025-68742",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix invalid prog-\u003estats access when update_effective_progs fails\n\nSyzkaller triggers an invalid memory access issue following fault\ninjection in update_effective_progs. The issue can be described as\nfollows:\n\n__cgroup_bpf_detach\n update_effective_progs\n compute_effective_progs\n bpf_prog_array_alloc \u003c-- fault inject\n purge_effective_progs\n /* change to dummy_bpf_prog */\n array-\u003eitems[index] = \u0026dummy_bpf_prog.prog\n\n---softirq start---\n__do_softirq\n ...\n __cgroup_bpf_run_filter_skb\n __bpf_prog_run_save_cb\n bpf_prog_run\n stats = this_cpu_ptr(prog-\u003estats)\n /* invalid memory access */\n flags = u64_stats_update_begin_irqsave(\u0026stats-\u003esyncp)\n---softirq end---\n\n static_branch_dec(\u0026cgroup_bpf_enabled_key[atype])\n\nThe reason is that fault injection caused update_effective_progs to fail\nand then changed the original prog into dummy_bpf_prog.prog in\npurge_effective_progs. Then a softirq came, and accessing the members of\ndummy_bpf_prog.prog in the softirq triggers invalid mem access.\n\nTo fix it, skip updating stats when stats is NULL.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2025-68742"
},
{
"cve": "CVE-2025-68764",
"cwe": {
"id": "CWE-266",
"name": "Incorrect Privilege Assignment"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nNFS: Automounted filesystems should inherit ro,noexec,nodev,sync flags\n\nWhen a filesystem is being automounted, it needs to preserve the\nuser-set superblock mount options, such as the \"ro\" flag.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2025-68764"
},
{
"cve": "CVE-2025-68773",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: fsl-cpm: Check length parity before switching to 16 bit mode\n\nCommit fc96ec826bce (\"spi: fsl-cpm: Use 16 bit mode for large transfers\nwith even size\") failed to make sure that the size is really even\nbefore switching to 16 bit mode. Until recently the problem went\nunnoticed because kernfs uses a pre-allocated bounce buffer of size\nPAGE_SIZE for reading EEPROM.\n\nBut commit 8ad6249c51d0 (\"eeprom: at25: convert to spi-mem API\")\nintroduced an additional dynamically allocated bounce buffer whose size\nis exactly the size of the transfer, leading to a buffer overrun in\nthe fsl-cpm driver when that size is odd.\n\nAdd the missing length parity verification and remain in 8 bit mode\nwhen the length is not even.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2025-68773"
},
{
"cve": "CVE-2025-68776",
"cwe": {
"id": "CWE-476",
"name": "NULL Pointer Dereference"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/hsr: fix NULL pointer dereference in prp_get_untagged_frame()\n\nprp_get_untagged_frame() calls __pskb_copy() to create frame-\u003eskb_std\nbut doesn\u0027t check if the allocation failed. If __pskb_copy() returns\nNULL, skb_clone() is called with a NULL pointer, causing a crash:\n\nOops: general protection fault, probably for non-canonical address 0xdffffc000000000f: 0000 [#1] SMP KASAN NOPTI\nKASAN: null-ptr-deref in range [0x0000000000000078-0x000000000000007f]\nCPU: 0 UID: 0 PID: 5625 Comm: syz.1.18 Not tainted syzkaller #0 PREEMPT(full)\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014\nRIP: 0010:skb_clone+0xd7/0x3a0 net/core/skbuff.c:2041\nCode: 03 42 80 3c 20 00 74 08 4c 89 f7 e8 23 29 05 f9 49 83 3e 00 0f 85 a0 01 00 00 e8 94 dd 9d f8 48 8d 6b 7e 49 89 ee 49 c1 ee 03 \u003c43\u003e 0f b6 04 26 84 c0 0f 85 d1 01 00 00 44 0f b6 7d 00 41 83 e7 0c\nRSP: 0018:ffffc9000d00f200 EFLAGS: 00010207\nRAX: ffffffff892235a1 RBX: 0000000000000000 RCX: ffff88803372a480\nRDX: 0000000000000000 RSI: 0000000000000820 RDI: 0000000000000000\nRBP: 000000000000007e R08: ffffffff8f7d0f77 R09: 1ffffffff1efa1ee\nR10: dffffc0000000000 R11: fffffbfff1efa1ef R12: dffffc0000000000\nR13: 0000000000000820 R14: 000000000000000f R15: ffff88805144cc00\nFS: 0000555557f6d500(0000) GS:ffff88808d72f000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000555581d35808 CR3: 000000005040e000 CR4: 0000000000352ef0\nCall Trace:\n \u003cTASK\u003e\n hsr_forward_do net/hsr/hsr_forward.c:-1 [inline]\n hsr_forward_skb+0x1013/0x2860 net/hsr/hsr_forward.c:741\n hsr_handle_frame+0x6ce/0xa70 net/hsr/hsr_slave.c:84\n __netif_receive_skb_core+0x10b9/0x4380 net/core/dev.c:5966\n __netif_receive_skb_one_core net/core/dev.c:6077 [inline]\n __netif_receive_skb+0x72/0x380 net/core/dev.c:6192\n netif_receive_skb_internal net/core/dev.c:6278 [inline]\n netif_receive_skb+0x1cb/0x790 net/core/dev.c:6337\n tun_rx_batched+0x1b9/0x730 drivers/net/tun.c:1485\n tun_get_user+0x2b65/0x3e90 drivers/net/tun.c:1953\n tun_chr_write_iter+0x113/0x200 drivers/net/tun.c:1999\n new_sync_write fs/read_write.c:593 [inline]\n vfs_write+0x5c9/0xb30 fs/read_write.c:686\n ksys_write+0x145/0x250 fs/read_write.c:738\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xfa/0xfa0 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7f0449f8e1ff\nCode: 89 54 24 18 48 89 74 24 10 89 7c 24 08 e8 f9 92 02 00 48 8b 54 24 18 48 8b 74 24 10 41 89 c0 8b 7c 24 08 b8 01 00 00 00 0f 05 \u003c48\u003e 3d 00 f0 ff ff 77 31 44 89 c7 48 89 44 24 08 e8 4c 93 02 00 48\nRSP: 002b:00007ffd7ad94c90 EFLAGS: 00000293 ORIG_RAX: 0000000000000001\nRAX: ffffffffffffffda RBX: 00007f044a1e5fa0 RCX: 00007f0449f8e1ff\nRDX: 000000000000003e RSI: 0000200000000500 RDI: 00000000000000c8\nRBP: 00007ffd7ad94d20 R08: 0000000000000000 R09: 0000000000000000\nR10: 000000000000003e R11: 0000000000000293 R12: 0000000000000001\nR13: 00007f044a1e5fa0 R14: 00007f044a1e5fa0 R15: 0000000000000003\n \u003c/TASK\u003e\n\nAdd a NULL check immediately after __pskb_copy() to handle allocation\nfailures gracefully.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2025-68776"
},
{
"cve": "CVE-2025-68782",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: target: Reset t_task_cdb pointer in error case\n\nIf allocation of cmd-\u003et_task_cdb fails, it remains NULL but is later\ndereferenced in the \u0027err\u0027 path.\n\nIn case of error, reset NULL t_task_cdb value to point at the default\nfixed-size buffer.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2025-68782"
},
{
"cve": "CVE-2025-68787",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetrom: Fix memory leak in nr_sendmsg()\n\nsyzbot reported a memory leak [1].\n\nWhen function sock_alloc_send_skb() return NULL in nr_output(), the\noriginal skb is not freed, which was allocated in nr_sendmsg(). Fix this\nby freeing it before return.\n\n[1]\nBUG: memory leak\nunreferenced object 0xffff888129f35500 (size 240):\n comm \"syz.0.17\", pid 6119, jiffies 4294944652\n hex dump (first 32 bytes):\n 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n 00 00 00 00 00 00 00 00 00 10 52 28 81 88 ff ff ..........R(....\n backtrace (crc 1456a3e4):\n kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]\n slab_post_alloc_hook mm/slub.c:4983 [inline]\n slab_alloc_node mm/slub.c:5288 [inline]\n kmem_cache_alloc_node_noprof+0x36f/0x5e0 mm/slub.c:5340\n __alloc_skb+0x203/0x240 net/core/skbuff.c:660\n alloc_skb include/linux/skbuff.h:1383 [inline]\n alloc_skb_with_frags+0x69/0x3f0 net/core/skbuff.c:6671\n sock_alloc_send_pskb+0x379/0x3e0 net/core/sock.c:2965\n sock_alloc_send_skb include/net/sock.h:1859 [inline]\n nr_sendmsg+0x287/0x450 net/netrom/af_netrom.c:1105\n sock_sendmsg_nosec net/socket.c:727 [inline]\n __sock_sendmsg net/socket.c:742 [inline]\n sock_write_iter+0x293/0x2a0 net/socket.c:1195\n new_sync_write fs/read_write.c:593 [inline]\n vfs_write+0x45d/0x710 fs/read_write.c:686\n ksys_write+0x143/0x170 fs/read_write.c:738\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xa4/0xfa0 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2025-68787"
},
{
"cve": "CVE-2025-68788",
"cwe": {
"id": "CWE-360",
"name": "Trust of System Event Data"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nfsnotify: do not generate ACCESS/MODIFY events on child for special files\n\ninotify/fanotify do not allow users with no read access to a file to\nsubscribe to events (e.g. IN_ACCESS/IN_MODIFY), but they do allow the\nsame user to subscribe for watching events on children when the user\nhas access to the parent directory (e.g. /dev).\n\nUsers with no read access to a file but with read access to its parent\ndirectory can still stat the file and see if it was accessed/modified\nvia atime/mtime change.\n\nThe same is not true for special files (e.g. /dev/null). Users will not\ngenerally observe atime/mtime changes when other users read/write to\nspecial files, only when someone sets atime/mtime via utimensat().\n\nAlign fsnotify events with this stat behavior and do not generate\nACCESS/MODIFY events to parent watchers on read/write of special files.\nThe events are still generated to parent watchers on utimensat(). This\ncloses some side-channels that could be possibly used for information\nexfiltration [1].\n\n[1] https://snee.la/pdf/pubs/file-notification-attacks.pdf",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2025-68788"
},
{
"cve": "CVE-2025-68798",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nperf/x86/amd: Check event before enable to avoid GPF\n\nOn AMD machines cpuc-\u003eevents[idx] can become NULL in a subtle race\ncondition with NMI-\u003ethrottle-\u003ex86_pmu_stop().\n\nCheck event for NULL in amd_pmu_enable_all() before enable to avoid a GPF.\nThis appears to be an AMD only issue.\n\nSyzkaller reported a GPF in amd_pmu_enable_all.\n\nINFO: NMI handler (perf_event_nmi_handler) took too long to run: 13.143\n msecs\nOops: general protection fault, probably for non-canonical address\n 0xdffffc0000000034: 0000 PREEMPT SMP KASAN NOPTI\nKASAN: null-ptr-deref in range [0x00000000000001a0-0x00000000000001a7]\nCPU: 0 UID: 0 PID: 328415 Comm: repro_36674776 Not tainted 6.12.0-rc1-syzk\nRIP: 0010:x86_pmu_enable_event (arch/x86/events/perf_event.h:1195\n arch/x86/events/core.c:1430)\nRSP: 0018:ffff888118009d60 EFLAGS: 00010012\nRAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000\nRDX: 0000000000000034 RSI: 0000000000000000 RDI: 00000000000001a0\nRBP: 0000000000000001 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000002\nR13: ffff88811802a440 R14: ffff88811802a240 R15: ffff8881132d8601\nFS: 00007f097dfaa700(0000) GS:ffff888118000000(0000) GS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00000000200001c0 CR3: 0000000103d56000 CR4: 00000000000006f0\nCall Trace:\n \u003cIRQ\u003e\namd_pmu_enable_all (arch/x86/events/amd/core.c:760 (discriminator 2))\nx86_pmu_enable (arch/x86/events/core.c:1360)\nevent_sched_out (kernel/events/core.c:1191 kernel/events/core.c:1186\n kernel/events/core.c:2346)\n__perf_remove_from_context (kernel/events/core.c:2435)\nevent_function (kernel/events/core.c:259)\nremote_function (kernel/events/core.c:92 (discriminator 1)\n kernel/events/core.c:72 (discriminator 1))\n__flush_smp_call_function_queue (./arch/x86/include/asm/jump_label.h:27\n ./include/linux/jump_label.h:207 ./include/trace/events/csd.h:64\n kernel/smp.c:135 kernel/smp.c:540)\n__sysvec_call_function_single (./arch/x86/include/asm/jump_label.h:27\n ./include/linux/jump_label.h:207\n ./arch/x86/include/asm/trace/irq_vectors.h:99 arch/x86/kernel/smp.c:272)\nsysvec_call_function_single (arch/x86/kernel/smp.c:266 (discriminator 47)\n arch/x86/kernel/smp.c:266 (discriminator 47))\n \u003c/IRQ\u003e",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2025-68798"
},
{
"cve": "CVE-2025-68803",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nNFSD: NFSv4 file creation neglects setting ACL\n\nAn NFSv4 client that sets an ACL with a named principal during file\ncreation retrieves the ACL afterwards, and finds that it is only a\ndefault ACL (based on the mode bits) and not the ACL that was\nrequested during file creation. This violates RFC 8881 section\n6.4.1.3: \"the ACL attribute is set as given\".\n\nThe issue occurs in nfsd_create_setattr(), which calls\nnfsd_attrs_valid() to determine whether to call nfsd_setattr().\nHowever, nfsd_attrs_valid() checks only for iattr changes and\nsecurity labels, but not POSIX ACLs. When only an ACL is present,\nthe function returns false, nfsd_setattr() is skipped, and the\nPOSIX ACL is never applied to the inode.\n\nSubsequently, when the client retrieves the ACL, the server finds\nno POSIX ACL on the inode and returns one generated from the file\u0027s\nmode bits rather than returning the originally-specified ACL.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.0,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2025-68803"
},
{
"cve": "CVE-2025-68814",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring: fix filename leak in __io_openat_prep()\n\n __io_openat_prep() allocates a struct filename using getname(). However,\nfor the condition of the file being installed in the fixed file table as\nwell as having O_CLOEXEC flag set, the function returns early. At that\npoint, the request doesn\u0027t have REQ_F_NEED_CLEANUP flag set. Due to this,\nthe memory for the newly allocated struct filename is not cleaned up,\ncausing a memory leak.\n\nFix this by setting the REQ_F_NEED_CLEANUP for the request just after the\nsuccessful getname() call, so that when the request is torn down, the\nfilename will be cleaned up, along with other resources needing cleanup.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2025-68814"
},
{
"cve": "CVE-2025-68816",
"cwe": {
"id": "CWE-134",
"name": "Use of Externally-Controlled Format String"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5: fw_tracer, Validate format string parameters\n\nAdd validation for format string parameters in the firmware tracer to\nprevent potential security vulnerabilities and crashes from malformed\nformat strings received from firmware.\n\nThe firmware tracer receives format strings from the device firmware and\nuses them to format trace messages. Without proper validation, bad\nfirmware could provide format strings with invalid format specifiers\n(e.g., %s, %p, %n) that could lead to crashes, or other undefined\nbehavior.\n\nAdd mlx5_tracer_validate_params() to validate that all format specifiers\nin trace strings are limited to safe integer/hex formats (%x, %d, %i,\n%u, %llx, %lx, etc.). Reject strings containing other format types that\ncould be used to access arbitrary memory or cause crashes.\nInvalid format strings are added to the trace output for visibility with\n\"BAD_FORMAT: \" prefix.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.6,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:P/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2025-68816"
},
{
"cve": "CVE-2025-68818",
"cwe": {
"id": "CWE-476",
"name": "NULL Pointer Dereference"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: Revert \"scsi: qla2xxx: Perform lockless command completion in abort path\"\n\nThis reverts commit 0367076b0817d5c75dfb83001ce7ce5c64d803a9.\n\nThe commit being reverted added code to __qla2x00_abort_all_cmds() to\ncall sp-\u003edone() without holding a spinlock. But unlike the older code\nbelow it, this new code failed to check sp-\u003ecmd_type and just assumed\nTYPE_SRB, which results in a jump to an invalid pointer in target-mode\nwith TYPE_TGT_CMD:\n\nqla2xxx [0000:65:00.0]-d034:8: qla24xx_do_nack_work create sess success\n 0000000009f7a79b\nqla2xxx [0000:65:00.0]-5003:8: ISP System Error - mbx1=1ff5h mbx2=10h\n mbx3=0h mbx4=0h mbx5=191h mbx6=0h mbx7=0h.\nqla2xxx [0000:65:00.0]-d01e:8: -\u003e fwdump no buffer\nqla2xxx [0000:65:00.0]-f03a:8: qla_target(0): System error async event\n 0x8002 occurred\nqla2xxx [0000:65:00.0]-00af:8: Performing ISP error recovery -\n ha=0000000058183fda.\nBUG: kernel NULL pointer dereference, address: 0000000000000000\nPF: supervisor instruction fetch in kernel mode\nPF: error_code(0x0010) - not-present page\nPGD 0 P4D 0\nOops: 0010 [#1] SMP\nCPU: 2 PID: 9446 Comm: qla2xxx_8_dpc Tainted: G O 6.1.133 #1\nHardware name: Supermicro Super Server/X11SPL-F, BIOS 4.2 12/15/2023\nRIP: 0010:0x0\nCode: Unable to access opcode bytes at 0xffffffffffffffd6.\nRSP: 0018:ffffc90001f93dc8 EFLAGS: 00010206\nRAX: 0000000000000282 RBX: 0000000000000355 RCX: ffff88810d16a000\nRDX: ffff88810dbadaa8 RSI: 0000000000080000 RDI: ffff888169dc38c0\nRBP: ffff888169dc38c0 R08: 0000000000000001 R09: 0000000000000045\nR10: ffffffffa034bdf0 R11: 0000000000000000 R12: ffff88810800bb40\nR13: 0000000000001aa8 R14: ffff888100136610 R15: ffff8881070f7400\nFS: 0000000000000000(0000) GS:ffff88bf80080000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: ffffffffffffffd6 CR3: 000000010c8ff006 CR4: 00000000003706e0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n \u003cTASK\u003e\n ? __die+0x4d/0x8b\n ? page_fault_oops+0x91/0x180\n ? trace_buffer_unlock_commit_regs+0x38/0x1a0\n ? exc_page_fault+0x391/0x5e0\n ? asm_exc_page_fault+0x22/0x30\n __qla2x00_abort_all_cmds+0xcb/0x3e0 [qla2xxx_scst]\n qla2x00_abort_all_cmds+0x50/0x70 [qla2xxx_scst]\n qla2x00_abort_isp_cleanup+0x3b7/0x4b0 [qla2xxx_scst]\n qla2x00_abort_isp+0xfd/0x860 [qla2xxx_scst]\n qla2x00_do_dpc+0x581/0xa40 [qla2xxx_scst]\n kthread+0xa8/0xd0\n \u003c/TASK\u003e\n\nThen commit 4475afa2646d (\"scsi: qla2xxx: Complete command early within\nlock\") added the spinlock back, because not having the lock caused a\nrace and a crash. But qla2x00_abort_srb() in the switch below already\nchecks for qla2x00_chip_is_down() and handles it the same way, so the\ncode above the switch is now redundant and still buggy in target-mode.\nRemove it.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2025-68818"
},
{
"cve": "CVE-2025-68820",
"cwe": {
"id": "CWE-252",
"name": "Unchecked Return Value"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: xattr: fix null pointer deref in ext4_raw_inode()\n\nIf ext4_get_inode_loc() fails (e.g. if it returns -EFSCORRUPTED),\niloc.bh will remain set to NULL. Since ext4_xattr_inode_dec_ref_all()\nlacks error checking, this will lead to a null pointer dereference\nin ext4_raw_inode(), called right after ext4_get_inode_loc().\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2025-68820"
},
{
"cve": "CVE-2025-71064",
"cwe": {
"id": "CWE-909",
"name": "Missing Initialization of Resource"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: hns3: using the num_tqps in the vf driver to apply for resources\n\nCurrently, hdev-\u003ehtqp is allocated using hdev-\u003enum_tqps, and kinfo-\u003etqp\nis allocated using kinfo-\u003enum_tqps. However, kinfo-\u003enum_tqps is set to\nmin(new_tqps, hdev-\u003enum_tqps); Therefore, kinfo-\u003enum_tqps may be smaller\nthan hdev-\u003enum_tqps, which causes some hdev-\u003ehtqp[i] to remain\nuninitialized in hclgevf_knic_setup().\n\nThus, this patch allocates hdev-\u003ehtqp and kinfo-\u003etqp using hdev-\u003enum_tqps,\nensuring that the lengths of hdev-\u003ehtqp and kinfo-\u003etqp are consistent\nand that all elements are properly initialized.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.0,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2025-71064"
},
{
"cve": "CVE-2025-71075",
"cwe": {
"id": "CWE-364",
"name": "Signal Handler Race Condition"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: aic94xx: fix use-after-free in device removal path\n\nThe asd_pci_remove() function fails to synchronize with pending tasklets\nbefore freeing the asd_ha structure, leading to a potential\nuse-after-free vulnerability.\n\nWhen a device removal is triggered (via hot-unplug or module unload),\nrace condition can occur.\n\nThe fix adds tasklet_kill() before freeing the asd_ha structure,\nensuring all scheduled tasklets complete before cleanup proceeds.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2025-71075"
},
{
"cve": "CVE-2025-71079",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: nfc: fix deadlock between nfc_unregister_device and rfkill_fop_write\n\nA deadlock can occur between nfc_unregister_device() and rfkill_fop_write()\ndue to lock ordering inversion between device_lock and rfkill_global_mutex.\n\nThe problematic lock order is:\n\nThread A (rfkill_fop_write):\n rfkill_fop_write()\n mutex_lock(\u0026rfkill_global_mutex)\n rfkill_set_block()\n nfc_rfkill_set_block()\n nfc_dev_down()\n device_lock(\u0026dev-\u003edev) \u003c- waits for device_lock\n\nThread B (nfc_unregister_device):\n nfc_unregister_device()\n device_lock(\u0026dev-\u003edev)\n rfkill_unregister()\n mutex_lock(\u0026rfkill_global_mutex) \u003c- waits for rfkill_global_mutex\n\nThis creates a classic ABBA deadlock scenario.\n\nFix this by moving rfkill_unregister() and rfkill_destroy() outside the\ndevice_lock critical section. Store the rfkill pointer in a local variable\nbefore releasing the lock, then call rfkill_unregister() after releasing\ndevice_lock.\n\nThis change is safe because rfkill_fop_write() holds rfkill_global_mutex\nwhile calling the rfkill callbacks, and rfkill_unregister() also acquires\nrfkill_global_mutex before cleanup. Therefore, rfkill_unregister() will\nwait for any ongoing callback to complete before proceeding, and\ndevice_del() is only called after rfkill_unregister() returns, preventing\nany use-after-free.\n\nThe similar lock ordering in nfc_register_device() (device_lock -\u003e\nrfkill_global_mutex via rfkill_register) is safe because during\nregistration the device is not yet in rfkill_list, so no concurrent\nrfkill operations can occur on this device.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2025-71079"
},
{
"cve": "CVE-2025-71085",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: BUG() in pskb_expand_head() as part of calipso_skbuff_setattr()\n\nThere exists a kernel oops caused by a BUG_ON(nhead \u003c 0) at\nnet/core/skbuff.c:2232 in pskb_expand_head().\nThis bug is triggered as part of the calipso_skbuff_setattr()\nroutine when skb_cow() is passed headroom \u003e INT_MAX\n(i.e. (int)(skb_headroom(skb) + len_delta) \u003c 0).\n\nThe root cause of the bug is due to an implicit integer cast in\n__skb_cow(). The check (headroom \u003e skb_headroom(skb)) is meant to ensure\nthat delta = headroom - skb_headroom(skb) is never negative, otherwise\nwe will trigger a BUG_ON in pskb_expand_head(). However, if\nheadroom \u003e INT_MAX and delta \u003c= -NET_SKB_PAD, the check passes, delta\nbecomes negative, and pskb_expand_head() is passed a negative value for\nnhead.\n\nFix the trigger condition in calipso_skbuff_setattr(). Avoid passing\n\"negative\" headroom sizes to skb_cow() within calipso_skbuff_setattr()\nby only using skb_cow() to grow headroom.\n\nPoC:\n\tUsing `netlabelctl` tool:\n\n netlabelctl map del default\n netlabelctl calipso add pass doi:7\n netlabelctl map add default address:0::1/128 protocol:calipso,7\n\n Then run the following PoC:\n\n int fd = socket(AF_INET6, SOCK_DGRAM, IPPROTO_UDP);\n\n // setup msghdr\n int cmsg_size = 2;\n int cmsg_len = 0x60;\n struct msghdr msg;\n struct sockaddr_in6 dest_addr;\n struct cmsghdr * cmsg = (struct cmsghdr *) calloc(1,\n sizeof(struct cmsghdr) + cmsg_len);\n msg.msg_name = \u0026dest_addr;\n msg.msg_namelen = sizeof(dest_addr);\n msg.msg_iov = NULL;\n msg.msg_iovlen = 0;\n msg.msg_control = cmsg;\n msg.msg_controllen = cmsg_len;\n msg.msg_flags = 0;\n\n // setup sockaddr\n dest_addr.sin6_family = AF_INET6;\n dest_addr.sin6_port = htons(31337);\n dest_addr.sin6_flowinfo = htonl(31337);\n dest_addr.sin6_addr = in6addr_loopback;\n dest_addr.sin6_scope_id = 31337;\n\n // setup cmsghdr\n cmsg-\u003ecmsg_len = cmsg_len;\n cmsg-\u003ecmsg_level = IPPROTO_IPV6;\n cmsg-\u003ecmsg_type = IPV6_HOPOPTS;\n char * hop_hdr = (char *)cmsg + sizeof(struct cmsghdr);\n hop_hdr[1] = 0x9; //set hop size - (0x9 + 1) * 8 = 80\n\n sendmsg(fd, \u0026msg, 0);",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2025-71085"
},
{
"cve": "CVE-2025-71086",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: rose: fix invalid array index in rose_kill_by_device()\n\nrose_kill_by_device() collects sockets into a local array[] and then\niterates over them to disconnect sockets bound to a device being brought\ndown.\n\nThe loop mistakenly indexes array[cnt] instead of array[i]. For cnt \u003c\nARRAY_SIZE(array), this reads an uninitialized entry; for cnt ==\nARRAY_SIZE(array), it is an out-of-bounds read. Either case can lead to\nan invalid socket pointer dereference and also leaks references taken\nvia sock_hold().\n\nFix the index to use i.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2025-71086"
},
{
"cve": "CVE-2025-71088",
"cwe": {
"id": "CWE-366",
"name": "Race Condition within a Thread"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: fallback earlier on simult connection\n\nSyzkaller reports a simult-connect race leading to inconsistent fallback\nstatus:\n\n WARNING: CPU: 3 PID: 33 at net/mptcp/subflow.c:1515 subflow_data_ready+0x40b/0x7c0 net/mptcp/subflow.c:1515\n Modules linked in:\n CPU: 3 UID: 0 PID: 33 Comm: ksoftirqd/3 Not tainted syzkaller #0 PREEMPT(full)\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014\n RIP: 0010:subflow_data_ready+0x40b/0x7c0 net/mptcp/subflow.c:1515\n Code: 89 ee e8 78 61 3c f6 40 84 ed 75 21 e8 8e 66 3c f6 44 89 fe bf 07 00 00 00 e8 c1 61 3c f6 41 83 ff 07 74 09 e8 76 66 3c f6 90 \u003c0f\u003e 0b 90 e8 6d 66 3c f6 48 89 df e8 e5 ad ff ff 31 ff 89 c5 89 c6\n RSP: 0018:ffffc900006cf338 EFLAGS: 00010246\n RAX: 0000000000000000 RBX: ffff888031acd100 RCX: ffffffff8b7f2abf\n RDX: ffff88801e6ea440 RSI: ffffffff8b7f2aca RDI: 0000000000000005\n RBP: 0000000000000000 R08: 0000000000000005 R09: 0000000000000007\n R10: 0000000000000004 R11: 0000000000002c10 R12: ffff88802ba69900\n R13: 1ffff920000d9e67 R14: ffff888046f81800 R15: 0000000000000004\n FS: 0000000000000000(0000) GS:ffff8880d69bc000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 0000560fc0ca1670 CR3: 0000000032c3a000 CR4: 0000000000352ef0\n Call Trace:\n \u003cTASK\u003e\n tcp_data_queue+0x13b0/0x4f90 net/ipv4/tcp_input.c:5197\n tcp_rcv_state_process+0xfdf/0x4ec0 net/ipv4/tcp_input.c:6922\n tcp_v6_do_rcv+0x492/0x1740 net/ipv6/tcp_ipv6.c:1672\n tcp_v6_rcv+0x2976/0x41e0 net/ipv6/tcp_ipv6.c:1918\n ip6_protocol_deliver_rcu+0x188/0x1520 net/ipv6/ip6_input.c:438\n ip6_input_finish+0x1e4/0x4b0 net/ipv6/ip6_input.c:489\n NF_HOOK include/linux/netfilter.h:318 [inline]\n NF_HOOK include/linux/netfilter.h:312 [inline]\n ip6_input+0x105/0x2f0 net/ipv6/ip6_input.c:500\n dst_input include/net/dst.h:471 [inline]\n ip6_rcv_finish net/ipv6/ip6_input.c:79 [inline]\n NF_HOOK include/linux/netfilter.h:318 [inline]\n NF_HOOK include/linux/netfilter.h:312 [inline]\n ipv6_rcv+0x264/0x650 net/ipv6/ip6_input.c:311\n __netif_receive_skb_one_core+0x12d/0x1e0 net/core/dev.c:5979\n __netif_receive_skb+0x1d/0x160 net/core/dev.c:6092\n process_backlog+0x442/0x15e0 net/core/dev.c:6444\n __napi_poll.constprop.0+0xba/0x550 net/core/dev.c:7494\n napi_poll net/core/dev.c:7557 [inline]\n net_rx_action+0xa9f/0xfe0 net/core/dev.c:7684\n handle_softirqs+0x216/0x8e0 kernel/softirq.c:579\n run_ksoftirqd kernel/softirq.c:968 [inline]\n run_ksoftirqd+0x3a/0x60 kernel/softirq.c:960\n smpboot_thread_fn+0x3f7/0xae0 kernel/smpboot.c:160\n kthread+0x3c2/0x780 kernel/kthread.c:463\n ret_from_fork+0x5d7/0x6f0 arch/x86/kernel/process.c:148\n ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245\n \u003c/TASK\u003e\n\nThe TCP subflow can process the simult-connect syn-ack packet after\ntransitioning to TCP_FIN1 state, bypassing the MPTCP fallback check,\nas the sk_state_change() callback is not invoked for * -\u003e FIN_WAIT1\ntransitions.\n\nThat will move the msk socket to an inconsistent status and the next\nincoming data will hit the reported splat.\n\nClose the race moving the simult-fallback check at the earliest possible\nstage - that is at syn-ack generation time.\n\nAbout the fixes tags: [2] was supposed to also fix this issue introduced\nby [3]. [1] is required as a dependence: it was not explicitly marked as\na fix, but it is one and it has already been backported before [3]. In\nother words, this commit should be backported up to [3], including [2]\nand [1] if that\u0027s not already there.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.0,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2025-71088"
},
{
"cve": "CVE-2025-71095",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: stmmac: fix the crash issue for zero copy XDP_TX action\n\nThere is a crash issue when running zero copy XDP_TX action, the crash\nlog is shown below.\n\n[ 216.122464] Unable to handle kernel paging request at virtual address fffeffff80000000\n[ 216.187524] Internal error: Oops: 0000000096000144 [#1] SMP\n[ 216.301694] Call trace:\n[ 216.304130] dcache_clean_poc+0x20/0x38 (P)\n[ 216.308308] __dma_sync_single_for_device+0x1bc/0x1e0\n[ 216.313351] stmmac_xdp_xmit_xdpf+0x354/0x400\n[ 216.317701] __stmmac_xdp_run_prog+0x164/0x368\n[ 216.322139] stmmac_napi_poll_rxtx+0xba8/0xf00\n[ 216.326576] __napi_poll+0x40/0x218\n[ 216.408054] Kernel panic - not syncing: Oops: Fatal exception in interrupt\n\nFor XDP_TX action, the xdp_buff is converted to xdp_frame by\nxdp_convert_buff_to_frame(). The memory type of the resulting xdp_frame\ndepends on the memory type of the xdp_buff. For page pool based xdp_buff\nit produces xdp_frame with memory type MEM_TYPE_PAGE_POOL. For zero copy\nXSK pool based xdp_buff it produces xdp_frame with memory type\nMEM_TYPE_PAGE_ORDER0. However, stmmac_xdp_xmit_back() does not check the\nmemory type and always uses the page pool type, this leads to invalid\nmappings and causes the crash. Therefore, check the xdp_buff memory type\nin stmmac_xdp_xmit_back() to fix this issue.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2025-71095"
},
{
"cve": "CVE-2025-71097",
"cwe": {
"id": "CWE-772",
"name": "Missing Release of Resource after Effective Lifetime"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv4: Fix reference count leak when using error routes with nexthop objects\n\nWhen a nexthop object is deleted, it is marked as dead and then\nfib_table_flush() is called to flush all the routes that are using the\ndead nexthop.\n\nThe current logic in fib_table_flush() is to only flush error routes\n(e.g., blackhole) when it is called as part of network namespace\ndismantle (i.e., with flush_all=true). Therefore, error routes are not\nflushed when their nexthop object is deleted:\n\n # ip link add name dummy1 up type dummy\n # ip nexthop add id 1 dev dummy1\n # ip route add 198.51.100.1/32 nhid 1\n # ip route add blackhole 198.51.100.2/32 nhid 1\n # ip nexthop del id 1\n # ip route show\n blackhole 198.51.100.2 nhid 1 dev dummy1\n\nAs such, they keep holding a reference on the nexthop object which in\nturn holds a reference on the nexthop device, resulting in a reference\ncount leak:\n\n # ip link del dev dummy1\n [ 70.516258] unregister_netdevice: waiting for dummy1 to become free. Usage count = 2\n\nFix by flushing error routes when their nexthop is marked as dead.\n\nIPv6 does not suffer from this problem.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.0,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2025-71097"
},
{
"cve": "CVE-2025-71098",
"cwe": {
"id": "CWE-125",
"name": "Out-of-bounds Read"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nip6_gre: make ip6gre_header() robust\n\nOver the years, syzbot found many ways to crash the kernel\nin ip6gre_header() [1].\n\nThis involves team or bonding drivers ability to dynamically\nchange their dev-\u003eneeded_headroom and/or dev-\u003ehard_header_len\n\nIn this particular crash mld_newpack() allocated an skb\nwith a too small reserve/headroom, and by the time mld_sendpack()\nwas called, syzbot managed to attach an ip6gre device.\n\n[1]\nskbuff: skb_under_panic: text:ffffffff8a1d69a8 len:136 put:40 head:ffff888059bc7000 data:ffff888059bc6fe8 tail:0x70 end:0x6c0 dev:team0\n------------[ cut here ]------------\n kernel BUG at net/core/skbuff.c:213 !\n \u003cTASK\u003e\n skb_under_panic net/core/skbuff.c:223 [inline]\n skb_push+0xc3/0xe0 net/core/skbuff.c:2641\n ip6gre_header+0xc8/0x790 net/ipv6/ip6_gre.c:1371\n dev_hard_header include/linux/netdevice.h:3436 [inline]\n neigh_connected_output+0x286/0x460 net/core/neighbour.c:1618\n neigh_output include/net/neighbour.h:556 [inline]\n ip6_finish_output2+0xfb3/0x1480 net/ipv6/ip6_output.c:136\n __ip6_finish_output net/ipv6/ip6_output.c:-1 [inline]\n ip6_finish_output+0x234/0x7d0 net/ipv6/ip6_output.c:220\n NF_HOOK_COND include/linux/netfilter.h:307 [inline]\n ip6_output+0x340/0x550 net/ipv6/ip6_output.c:247\n NF_HOOK+0x9e/0x380 include/linux/netfilter.h:318\n mld_sendpack+0x8d4/0xe60 net/ipv6/mcast.c:1855\n mld_send_cr net/ipv6/mcast.c:2154 [inline]\n mld_ifc_work+0x83e/0xd60 net/ipv6/mcast.c:2693",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.2,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2025-71098"
},
{
"cve": "CVE-2025-71104",
"cwe": {
"id": "CWE-681",
"name": "Incorrect Conversion between Numeric Types"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: x86: Fix VM hard lockup after prolonged inactivity with periodic HV timer\n\nWhen advancing the target expiration for the guest\u0027s APIC timer in periodic\nmode, set the expiration to \"now\" if the target expiration is in the past\n(similar to what is done in update_target_expiration()). Blindly adding\nthe period to the previous target expiration can result in KVM generating\na practically unbounded number of hrtimer IRQs due to programming an\nexpired timer over and over. In extreme scenarios, e.g. if userspace\npauses/suspends a VM for an extended duration, this can even cause hard\nlockups in the host.\n\nCurrently, the bug only affects Intel CPUs when using the hypervisor timer\n(HV timer), a.k.a. the VMX preemption timer. Unlike the software timer,\na.k.a. hrtimer, which KVM keeps running even on exits to userspace, the\nHV timer only runs while the guest is active. As a result, if the vCPU\ndoes not run for an extended duration, there will be a huge gap between\nthe target expiration and the current time the vCPU resumes running.\nBecause the target expiration is incremented by only one period on each\ntimer expiration, this leads to a series of timer expirations occurring\nrapidly after the vCPU/VM resumes.\n\nMore critically, when the vCPU first triggers a periodic HV timer\nexpiration after resuming, advancing the expiration by only one period\nwill result in a target expiration in the past. As a result, the delta\nmay be calculated as a negative value. When the delta is converted into\nan absolute value (tscdeadline is an unsigned u64), the resulting value\ncan overflow what the HV timer is capable of programming. I.e. the large\nvalue will exceed the VMX Preemption Timer\u0027s maximum bit width of\ncpu_preemption_timer_multi + 32, and thus cause KVM to switch from the\nHV timer to the software timer (hrtimers).\n\nAfter switching to the software timer, periodic timer expiration callbacks\nmay be executed consecutively within a single clock interrupt handler,\nbecause hrtimers honors KVM\u0027s request for an expiration in the past and\nimmediately re-invokes KVM\u0027s callback after reprogramming. And because\nthe interrupt handler runs with IRQs disabled, restarting KVM\u0027s hrtimer\nover and over until the target expiration is advanced to \"now\" can result\nin a hard lockup.\n\nE.g. the following hard lockup was triggered in the host when running a\nWindows VM (only relevant because it used the APIC timer in periodic mode)\nafter resuming the VM from a long suspend (in the host).\n\n NMI watchdog: Watchdog detected hard LOCKUP on cpu 45\n ...\n RIP: 0010:advance_periodic_target_expiration+0x4d/0x80 [kvm]\n ...\n RSP: 0018:ff4f88f5d98d8ef0 EFLAGS: 00000046\n RAX: fff0103f91be678e RBX: fff0103f91be678e RCX: 00843a7d9e127bcc\n RDX: 0000000000000002 RSI: 0052ca4003697505 RDI: ff440d5bfbdbd500\n RBP: ff440d5956f99200 R08: ff2ff2a42deb6a84 R09: 000000000002a6c0\n R10: 0122d794016332b3 R11: 0000000000000000 R12: ff440db1af39cfc0\n R13: ff440db1af39cfc0 R14: ffffffffc0d4a560 R15: ff440db1af39d0f8\n FS: 00007f04a6ffd700(0000) GS:ff440db1af380000(0000) knlGS:000000e38a3b8000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 000000d5651feff8 CR3: 000000684e038002 CR4: 0000000000773ee0\n PKRU: 55555554\n Call Trace:\n \u003cIRQ\u003e\n apic_timer_fn+0x31/0x50 [kvm]\n __hrtimer_run_queues+0x100/0x280\n hrtimer_interrupt+0x100/0x210\n ? ttwu_do_wakeup+0x19/0x160\n smp_apic_timer_interrupt+0x6a/0x130\n apic_timer_interrupt+0xf/0x20\n \u003c/IRQ\u003e\n\nMoreover, if the suspend duration of the virtual machine is not long enough\nto trigger a hard lockup in this scenario, since commit 98c25ead5eda\n(\"KVM: VMX: Move preemption timer \u003c=\u003e hrtimer dance to common x86\"), KVM\nwill continue using the software timer until the guest reprograms the APIC\ntimer in some way. Since the periodic timer does not require frequent APIC\ntimer register programming, the guest may continue to use the software\ntimer in \n---truncated---",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2025-71104"
},
{
"cve": "CVE-2025-71112",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: hns3: add VLAN id validation before using\n\nCurrently, the VLAN id may be used without validation when\nreceive a VLAN configuration mailbox from VF. The length of\nvlan_del_fail_bmap is BITS_TO_LONGS(VLAN_N_VID). It may cause\nout-of-bounds memory access once the VLAN id is bigger than\nor equal to VLAN_N_VID.\n\nTherefore, VLAN id needs to be checked to ensure it is within\nthe range of VLAN_N_VID.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.0,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2025-71112"
},
{
"cve": "CVE-2025-71113",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: af_alg - zero initialize memory allocated via sock_kmalloc\n\nSeveral crypto user API contexts and requests allocated with\nsock_kmalloc() were left uninitialized, relying on callers to\nset fields explicitly. This resulted in the use of uninitialized\ndata in certain error paths or when new fields are added in the\nfuture.\n\nThe ACVP patches also contain two user-space interface files:\nalgif_kpp.c and algif_akcipher.c. These too rely on proper\ninitialization of their context structures.\n\nA particular issue has been observed with the newly added\n\u0027inflight\u0027 variable introduced in af_alg_ctx by commit:\n\n 67b164a871af (\"crypto: af_alg - Disallow multiple in-flight AIO requests\")\n\nBecause the context is not memset to zero after allocation,\nthe inflight variable has contained garbage values. As a result,\naf_alg_alloc_areq() has incorrectly returned -EBUSY randomly when\nthe garbage value was interpreted as true:\n\n https://github.com/gregkh/linux/blame/master/crypto/af_alg.c#L1209\n\nThe check directly tests ctx-\u003einflight without explicitly\ncomparing against true/false. Since inflight is only ever set to\ntrue or false later, an uninitialized value has triggered\n-EBUSY failures. Zero-initializing memory allocated with\nsock_kmalloc() ensures inflight and other fields start in a known\nstate, removing random issues caused by uninitialized data.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2025-71113"
},
{
"cve": "CVE-2025-71114",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nvia_wdt: fix critical boot hang due to unnamed resource allocation\n\nThe VIA watchdog driver uses allocate_resource() to reserve a MMIO\nregion for the watchdog control register. However, the allocated\nresource was not given a name, which causes the kernel resource tree\nto contain an entry marked as \"\u003cBAD\u003e\" under /proc/iomem on x86\nplatforms.\n\nDuring boot, this unnamed resource can lead to a critical hang because\nsubsequent resource lookups and conflict checks fail to handle the\ninvalid entry properly.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2025-71114"
},
{
"cve": "CVE-2025-71120",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nSUNRPC: svcauth_gss: avoid NULL deref on zero length gss_token in gss_read_proxy_verf\n\nA zero length gss_token results in pages == 0 and in_token-\u003epages[0]\nis NULL. The code unconditionally evaluates\npage_address(in_token-\u003epages[0]) for the initial memcpy, which can\ndereference NULL even when the copy length is 0. Guard the first\nmemcpy so it only runs when length \u003e 0.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2025-71120"
},
{
"cve": "CVE-2025-71123",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix string copying in parse_apply_sb_mount_options()\n\nstrscpy_pad() can\u0027t be used to copy a non-NUL-term string into a NUL-term\nstring of possibly bigger size. Commit 0efc5990bca5 (\"string.h: Introduce\nmemtostr() and memtostr_pad()\") provides additional information in that\nregard. So if this happens, the following warning is observed:\n\nstrnlen: detected buffer overflow: 65 byte read of buffer size 64\nWARNING: CPU: 0 PID: 28655 at lib/string_helpers.c:1032 __fortify_report+0x96/0xc0 lib/string_helpers.c:1032\nModules linked in:\nCPU: 0 UID: 0 PID: 28655 Comm: syz-executor.3 Not tainted 6.12.54-syzkaller-00144-g5f0270f1ba00 #0\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014\nRIP: 0010:__fortify_report+0x96/0xc0 lib/string_helpers.c:1032\nCall Trace:\n \u003cTASK\u003e\n __fortify_panic+0x1f/0x30 lib/string_helpers.c:1039\n strnlen include/linux/fortify-string.h:235 [inline]\n sized_strscpy include/linux/fortify-string.h:309 [inline]\n parse_apply_sb_mount_options fs/ext4/super.c:2504 [inline]\n __ext4_fill_super fs/ext4/super.c:5261 [inline]\n ext4_fill_super+0x3c35/0xad00 fs/ext4/super.c:5706\n get_tree_bdev_flags+0x387/0x620 fs/super.c:1636\n vfs_get_tree+0x93/0x380 fs/super.c:1814\n do_new_mount fs/namespace.c:3553 [inline]\n path_mount+0x6ae/0x1f70 fs/namespace.c:3880\n do_mount fs/namespace.c:3893 [inline]\n __do_sys_mount fs/namespace.c:4103 [inline]\n __se_sys_mount fs/namespace.c:4080 [inline]\n __x64_sys_mount+0x280/0x300 fs/namespace.c:4080\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0x64/0x140 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\nSince userspace is expected to provide s_mount_opts field to be at most 63\ncharacters long with the ending byte being NUL-term, use a 64-byte buffer\nwhich matches the size of s_mount_opts, so that strscpy_pad() does its job\nproperly. Return with error if the user still managed to provide a\nnon-NUL-term string here.\n\nFound by Linux Verification Center (linuxtesting.org) with Syzkaller.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2025-71123"
},
{
"cve": "CVE-2025-71131",
"cwe": {
"id": "CWE-825",
"name": "Expired Pointer Dereference"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: seqiv - Do not use req-\u003eiv after crypto_aead_encrypt\n\nAs soon as crypto_aead_encrypt is called, the underlying request\nmay be freed by an asynchronous completion. Thus dereferencing\nreq-\u003eiv after it returns is invalid.\n\nInstead of checking req-\u003eiv against info, create a new variable\nunaligned_info and use it for that purpose instead.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2025-71131"
},
{
"cve": "CVE-2025-71161",
"cwe": {
"id": "CWE-835",
"name": "Loop with Unreachable Exit Condition (\u0027Infinite Loop\u0027)"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\ndm-verity: disable recursive forward error correction\n\nThere are two problems with the recursive correction:\n\n1. It may cause denial-of-service. In fec_read_bufs, there is a loop that\nhas 253 iterations. For each iteration, we may call verity_hash_for_block\nrecursively. There is a limit of 4 nested recursions - that means that\nthere may be at most 253^4 (4 billion) iterations. Red Hat QE team\nactually created an image that pushes dm-verity to this limit - and this\nimage just makes the udev-worker process get stuck in the \u0027D\u0027 state.\n\n2. It doesn\u0027t work. In fec_read_bufs we store data into the variable\n\"fio-\u003ebufs\", but fio bufs is shared between recursive invocations, if\n\"verity_hash_for_block\" invoked correction recursively, it would\noverwrite partially filled fio-\u003ebufs.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2025-71161"
},
{
"cve": "CVE-2025-71162",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: tegra-adma: Fix use-after-free\n\nA use-after-free bug exists in the Tegra ADMA driver when audio streams\nare terminated, particularly during XRUN conditions. The issue occurs\nwhen the DMA buffer is freed by tegra_adma_terminate_all() before the\nvchan completion tasklet finishes accessing it.\n\nThe race condition follows this sequence:\n\n 1. DMA transfer completes, triggering an interrupt that schedules the\n completion tasklet (tasklet has not executed yet)\n 2. Audio playback stops, calling tegra_adma_terminate_all() which\n frees the DMA buffer memory via kfree()\n 3. The scheduled tasklet finally executes, calling vchan_complete()\n which attempts to access the already-freed memory\n\nSince tasklets can execute at any time after being scheduled, there is\nno guarantee that the buffer will remain valid when vchan_complete()\nruns.\n\nFix this by properly synchronizing the virtual channel completion:\n - Calling vchan_terminate_vdesc() in tegra_adma_stop() to mark the\n descriptors as terminated instead of freeing the descriptor.\n - Add the callback tegra_adma_synchronize() that calls\n vchan_synchronize() which kills any pending tasklets and frees any\n terminated descriptors.\n\nCrash logs:\n[ 337.427523] BUG: KASAN: use-after-free in vchan_complete+0x124/0x3b0\n[ 337.427544] Read of size 8 at addr ffff000132055428 by task swapper/0/0\n\n[ 337.427562] Call trace:\n[ 337.427564] dump_backtrace+0x0/0x320\n[ 337.427571] show_stack+0x20/0x30\n[ 337.427575] dump_stack_lvl+0x68/0x84\n[ 337.427584] print_address_description.constprop.0+0x74/0x2b8\n[ 337.427590] kasan_report+0x1f4/0x210\n[ 337.427598] __asan_load8+0xa0/0xd0\n[ 337.427603] vchan_complete+0x124/0x3b0\n[ 337.427609] tasklet_action_common.constprop.0+0x190/0x1d0\n[ 337.427617] tasklet_action+0x30/0x40\n[ 337.427623] __do_softirq+0x1a0/0x5c4\n[ 337.427628] irq_exit+0x110/0x140\n[ 337.427633] handle_domain_irq+0xa4/0xe0\n[ 337.427640] gic_handle_irq+0x64/0x160\n[ 337.427644] call_on_irq_stack+0x20/0x4c\n[ 337.427649] do_interrupt_handler+0x7c/0x90\n[ 337.427654] el1_interrupt+0x30/0x80\n[ 337.427659] el1h_64_irq_handler+0x18/0x30\n[ 337.427663] el1h_64_irq+0x7c/0x80\n[ 337.427667] cpuidle_enter_state+0xe4/0x540\n[ 337.427674] cpuidle_enter+0x54/0x80\n[ 337.427679] do_idle+0x2e0/0x380\n[ 337.427685] cpu_startup_entry+0x2c/0x70\n[ 337.427690] rest_init+0x114/0x130\n[ 337.427695] arch_call_rest_init+0x18/0x24\n[ 337.427702] start_kernel+0x380/0x3b4\n[ 337.427706] __primary_switched+0xc0/0xc8",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.0,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2025-71162"
},
{
"cve": "CVE-2025-71163",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: idxd: fix device leaks on compat bind and unbind\n\nMake sure to drop the reference taken when looking up the idxd device as\npart of the compat bind and unbind sysfs interface.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2025-71163"
},
{
"cve": "CVE-2025-71185",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: ti: dma-crossbar: fix device leak on am335x route allocation\n\nMake sure to drop the reference taken when looking up the crossbar\nplatform device during am335x route allocation.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2025-71185"
},
{
"cve": "CVE-2025-71186",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: stm32: dmamux: fix device leak on route allocation\n\nMake sure to drop the reference taken when looking up the DMA mux\nplatform device during route allocation.\n\nNote that holding a reference to a device does not prevent its driver\ndata from going away so there is no point in keeping the reference.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2025-71186"
},
{
"cve": "CVE-2025-71189",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: dw: dmamux: fix OF node leak on route allocation failure\n\nMake sure to drop the reference taken to the DMA master OF node also on\nlate route allocation failures.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2025-71189"
},
{
"cve": "CVE-2025-71190",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: bcm-sba-raid: fix device leak on probe\n\nMake sure to drop the reference taken when looking up the mailbox device\nduring probe on probe failures and on driver unbind.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2025-71190"
},
{
"cve": "CVE-2025-71191",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: at_hdmac: fix device leak on of_dma_xlate()\n\nMake sure to drop the reference taken when looking up the DMA platform\ndevice during of_dma_xlate() when releasing channel resources.\n\nNote that commit 3832b78b3ec2 (\"dmaengine: at_hdmac: add missing\nput_device() call in at_dma_xlate()\") fixed the leak in a couple of\nerror paths but the reference is still leaking on successful allocation.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2025-71191"
},
{
"cve": "CVE-2025-71197",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nw1: therm: Fix off-by-one buffer overflow in alarms_store\n\nThe sysfs buffer passed to alarms_store() is allocated with \u0027size + 1\u0027\nbytes and a NUL terminator is appended. However, the \u0027size\u0027 argument\ndoes not account for this extra byte. The original code then allocated\n\u0027size\u0027 bytes and used strcpy() to copy \u0027buf\u0027, which always writes one\nbyte past the allocated buffer since strcpy() copies until the NUL\nterminator at index \u0027size\u0027.\n\nFix this by parsing the \u0027buf\u0027 parameter directly using simple_strtoll()\nwithout allocating any intermediate memory or string copying. This\nremoves the overflow while simplifying the code.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2025-71197"
},
{
"cve": "CVE-2025-71221",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: mmp_pdma: Fix race condition in mmp_pdma_residue()\n\nAdd proper locking in mmp_pdma_residue() to prevent use-after-free when\naccessing descriptor list and descriptor contents.\n\nThe race occurs when multiple threads call tx_status() while the tasklet\non another CPU is freeing completed descriptors:\n\nCPU 0 CPU 1\n----- -----\nmmp_pdma_tx_status()\nmmp_pdma_residue()\n -\u003e NO LOCK held\n list_for_each_entry(sw, ..)\n DMA interrupt\n dma_do_tasklet()\n -\u003e spin_lock(\u0026desc_lock)\n list_move(sw-\u003enode, ...)\n spin_unlock(\u0026desc_lock)\n | dma_pool_free(sw) \u003c- FREED!\n -\u003e access sw-\u003edesc \u003c- UAF!\n\nThis issue can be reproduced when running dmatest on the same channel with\nmultiple threads (threads_per_chan \u003e 1).\n\nFix by protecting the chain_running list iteration and descriptor access\nwith the chan-\u003edesc_lock spinlock.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2025-71221"
},
{
"cve": "CVE-2025-71265",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs: ntfs3: fix infinite loop in attr_load_runs_range on inconsistent metadata\n\nWe found an infinite loop bug in the ntfs3 file system that can lead to a\nDenial-of-Service (DoS) condition.\n\nA malformed NTFS image can cause an infinite loop when an attribute header\nindicates an empty run list, while directory entries reference it as\ncontaining actual data. In NTFS, setting evcn=-1 with svcn=0 is a valid way\nto represent an empty run list, and run_unpack() correctly handles this by\nchecking if evcn + 1 equals svcn and returning early without parsing any run\ndata. However, this creates a problem when there is metadata inconsistency,\nwhere the attribute header claims to be empty (evcn=-1) but the caller\nexpects to read actual data. When run_unpack() immediately returns success\nupon seeing this condition, it leaves the runs_tree uninitialized with\nrun-\u003eruns as a NULL. The calling function attr_load_runs_range() assumes\nthat a successful return means that the runs were loaded and sets clen to 0,\nexpecting the next run_lookup_entry() call to succeed. Because runs_tree\nremains uninitialized, run_lookup_entry() continues to fail, and the loop\nincrements vcn by zero (vcn += 0), leading to an infinite loop.\n\nThis patch adds a retry counter to detect when run_lookup_entry() fails\nconsecutively after attr_load_runs_vcn(). If the run is still not found on\nthe second attempt, it indicates corrupted metadata and returns -EINVAL,\npreventing the Denial-of-Service (DoS) vulnerability.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2025-71265"
},
{
"cve": "CVE-2025-71266",
"cwe": {
"id": "CWE-835",
"name": "Loop with Unreachable Exit Condition (\u0027Infinite Loop\u0027)"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs: ntfs3: check return value of indx_find to avoid infinite loop\n\nWe found an infinite loop bug in the ntfs3 file system that can lead to a\nDenial-of-Service (DoS) condition.\n\nA malformed dentry in the ntfs3 filesystem can cause the kernel to hang\nduring the lookup operations. By setting the HAS_SUB_NODE flag in an\nINDEX_ENTRY within a directory\u0027s INDEX_ALLOCATION block and manipulating the\nVCN pointer, an attacker can cause the indx_find() function to repeatedly\nread the same block, allocating 4 KB of memory each time. The kernel lacks\nVCN loop detection and depth limits, causing memory exhaustion and an OOM\ncrash.\n\nThis patch adds a return value check for fnd_push() to prevent a memory\nexhaustion vulnerability caused by infinite loops. When the index exceeds the\nsize of the fnd-\u003enodes array, fnd_push() returns -EINVAL. The indx_find()\nfunction checks this return value and stops processing, preventing further\nmemory allocation.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2025-71266"
},
{
"cve": "CVE-2025-71267",
"cwe": {
"id": "CWE-835",
"name": "Loop with Unreachable Exit Condition (\u0027Infinite Loop\u0027)"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs: ntfs3: fix infinite loop triggered by zero-sized ATTR_LIST\n\nWe found an infinite loop bug in the ntfs3 file system that can lead to a\nDenial-of-Service (DoS) condition.\n\nA malformed NTFS image can cause an infinite loop when an ATTR_LIST attribute\nindicates a zero data size while the driver allocates memory for it.\n\nWhen ntfs_load_attr_list() processes a resident ATTR_LIST with data_size set\nto zero, it still allocates memory because of al_aligned(0). This creates an\ninconsistent state where ni-\u003eattr_list.size is zero, but ni-\u003eattr_list.le is\nnon-null. This causes ni_enum_attr_ex to incorrectly assume that no attribute\nlist exists and enumerates only the primary MFT record. When it finds\nATTR_LIST, the code reloads it and restarts the enumeration, repeating\nindefinitely. The mount operation never completes, hanging the kernel thread.\n\nThis patch adds validation to ensure that data_size is non-zero before memory\nallocation. When a zero-sized ATTR_LIST is detected, the function returns\n-EINVAL, preventing a DoS vulnerability.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 4.6,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2025-71267"
},
{
"cve": "CVE-2026-3497",
"cwe": {
"id": "CWE-908",
"name": "Use of Uninitialized Resource"
},
"notes": [
{
"category": "description",
"text": "Vulnerability in the OpenSSH GSSAPI delta included in various Linux distributions. This vulnerability affects the GSSAPI patches added by various Linux distributions and does not affect the OpenSSH upstream project itself. The usage of sshpkt_disconnect() on an error, which does not terminate the process, allows an attacker to send an unexpected GSSAPI message type during the GSSAPI key exchange to the server, which will call the underlying function and continue the execution of the program without setting the related connection variables. As the variables are not initialized to NULL the code later accesses those uninitialized variables, accessing random memory, which could lead to undefined behavior. The recommended workaround is to use ssh_packet_disconnect() instead, which does terminate the process. The impact of the vulnerability depends heavily on the compiler flag hardening configuration.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.2,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2026-3497"
},
{
"cve": "CVE-2026-22977",
"cwe": {
"id": "CWE-489",
"name": "Active Debug Code"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: sock: fix hardened usercopy panic in sock_recv_errqueue\n\nskbuff_fclone_cache was created without defining a usercopy region,\n[1] unlike skbuff_head_cache which properly whitelists the cb[] field.\n[2] This causes a usercopy BUG() when CONFIG_HARDENED_USERCOPY is\nenabled and the kernel attempts to copy sk_buff.cb data to userspace\nvia sock_recv_errqueue() -\u003e put_cmsg().\n\nThe crash occurs when: 1. TCP allocates an skb using alloc_skb_fclone()\n (from skbuff_fclone_cache) [1]\n2. The skb is cloned via skb_clone() using the pre-allocated fclone\n[3] 3. The cloned skb is queued to sk_error_queue for timestamp\nreporting 4. Userspace reads the error queue via recvmsg(MSG_ERRQUEUE)\n5. sock_recv_errqueue() calls put_cmsg() to copy serr-\u003eee from skb-\u003ecb\n[4] 6. __check_heap_object() fails because skbuff_fclone_cache has no\n usercopy whitelist [5]\n\nWhen cloned skbs allocated from skbuff_fclone_cache are used in the\nsocket error queue, accessing the sock_exterr_skb structure in skb-\u003ecb\nvia put_cmsg() triggers a usercopy hardening violation:\n\n[ 5.379589] usercopy: Kernel memory exposure attempt detected from SLUB object \u0027skbuff_fclone_cache\u0027 (offset 296, size 16)!\n[ 5.382796] kernel BUG at mm/usercopy.c:102!\n[ 5.383923] Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI\n[ 5.384903] CPU: 1 UID: 0 PID: 138 Comm: poc_put_cmsg Not tainted 6.12.57 #7\n[ 5.384903] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014\n[ 5.384903] RIP: 0010:usercopy_abort+0x6c/0x80\n[ 5.384903] Code: 1a 86 51 48 c7 c2 40 15 1a 86 41 52 48 c7 c7 c0 15 1a 86 48 0f 45 d6 48 c7 c6 80 15 1a 86 48 89 c1 49 0f 45 f3 e8 84 27 88 ff \u003c0f\u003e 0b 490\n[ 5.384903] RSP: 0018:ffffc900006f77a8 EFLAGS: 00010246\n[ 5.384903] RAX: 000000000000006f RBX: ffff88800f0ad2a8 RCX: 1ffffffff0f72e74\n[ 5.384903] RDX: 0000000000000000 RSI: 0000000000000004 RDI: ffffffff87b973a0\n[ 5.384903] RBP: 0000000000000010 R08: 0000000000000000 R09: fffffbfff0f72e74\n[ 5.384903] R10: 0000000000000003 R11: 79706f6372657375 R12: 0000000000000001\n[ 5.384903] R13: ffff88800f0ad2b8 R14: ffffea00003c2b40 R15: ffffea00003c2b00\n[ 5.384903] FS: 0000000011bc4380(0000) GS:ffff8880bf100000(0000) knlGS:0000000000000000\n[ 5.384903] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 5.384903] CR2: 000056aa3b8e5fe4 CR3: 000000000ea26004 CR4: 0000000000770ef0\n[ 5.384903] PKRU: 55555554\n[ 5.384903] Call Trace:\n[ 5.384903] \u003cTASK\u003e\n[ 5.384903] __check_heap_object+0x9a/0xd0\n[ 5.384903] __check_object_size+0x46c/0x690\n[ 5.384903] put_cmsg+0x129/0x5e0\n[ 5.384903] sock_recv_errqueue+0x22f/0x380\n[ 5.384903] tls_sw_recvmsg+0x7ed/0x1960\n[ 5.384903] ? srso_alias_return_thunk+0x5/0xfbef5\n[ 5.384903] ? schedule+0x6d/0x270\n[ 5.384903] ? srso_alias_return_thunk+0x5/0xfbef5\n[ 5.384903] ? mutex_unlock+0x81/0xd0\n[ 5.384903] ? __pfx_mutex_unlock+0x10/0x10\n[ 5.384903] ? __pfx_tls_sw_recvmsg+0x10/0x10\n[ 5.384903] ? _raw_spin_lock_irqsave+0x8f/0xf0\n[ 5.384903] ? _raw_read_unlock_irqrestore+0x20/0x40\n[ 5.384903] ? srso_alias_return_thunk+0x5/0xfbef5\n\nThe crash offset 296 corresponds to skb2-\u003ecb within skbuff_fclones:\n - sizeof(struct sk_buff) = 232 - offsetof(struct sk_buff, cb) = 40 -\n offset of skb2.cb in fclones = 232 + 40 = 272 - crash offset 296 =\n 272 + 24 (inside sock_exterr_skb.ee)\n\nThis patch uses a local stack variable as a bounce buffer to avoid the hardened usercopy check failure.\n\n[1] https://elixir.bootlin.com/linux/v6.12.62/source/net/ipv4/tcp.c#L885\n[2] https://elixir.bootlin.com/linux/v6.12.62/source/net/core/skbuff.c#L5104\n[3] https://elixir.bootlin.com/linux/v6.12.62/source/net/core/skbuff.c#L5566\n[4] https://elixir.bootlin.com/linux/v6.12.62/source/net/core/skbuff.c#L5491\n[5] https://elixir.bootlin.com/linux/v6.12.62/source/mm/slub.c#L5719",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2026-22977"
},
{
"cve": "CVE-2026-22979",
"cwe": {
"id": "CWE-772",
"name": "Missing Release of Resource after Effective Lifetime"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: fix memory leak in skb_segment_list for GRO packets\n\nWhen skb_segment_list() is called during packet forwarding, it handles\npackets that were aggregated by the GRO engine.\n\nHistorically, the segmentation logic in skb_segment_list assumes that\nindividual segments are split from a parent SKB and may need to carry\ntheir own socket memory accounting. Accordingly, the code transfers\ntruesize from the parent to the newly created segments.\n\nPrior to commit ed4cccef64c1 (\"gro: fix ownership transfer\"), this\ntruesize subtraction in skb_segment_list() was valid because fragments\nstill carry a reference to the original socket.\n\nHowever, commit ed4cccef64c1 (\"gro: fix ownership transfer\") changed\nthis behavior by ensuring that fraglist entries are explicitly\norphaned (skb-\u003esk = NULL) to prevent illegal orphaning later in the\nstack. This change meant that the entire socket memory charge remained\nwith the head SKB, but the corresponding accounting logic in\nskb_segment_list() was never updated.\n\nAs a result, the current code unconditionally adds each fragment\u0027s\ntruesize to delta_truesize and subtracts it from the parent SKB. Since\nthe fragments are no longer charged to the socket, this subtraction\nresults in an effective under-count of memory when the head is freed.\nThis causes sk_wmem_alloc to remain non-zero, preventing socket\ndestruction and leading to a persistent memory leak.\n\nThe leak can be observed via KMEMLEAK when tearing down the networking\nenvironment:\n\nunreferenced object 0xffff8881e6eb9100 (size 2048):\n comm \"ping\", pid 6720, jiffies 4295492526\n backtrace:\n kmem_cache_alloc_noprof+0x5c6/0x800\n sk_prot_alloc+0x5b/0x220\n sk_alloc+0x35/0xa00\n inet6_create.part.0+0x303/0x10d0\n __sock_create+0x248/0x640\n __sys_socket+0x11b/0x1d0\n\nSince skb_segment_list() is exclusively used for SKB_GSO_FRAGLIST\npackets constructed by GRO, the truesize adjustment is removed.\n\nThe call to skb_release_head_state() must be preserved. As documented in\ncommit cf673ed0e057 (\"net: fix fraglist segmentation reference count\nleak\"), it is still required to correctly drop references to SKB\nextensions that may be overwritten during __copy_skb_header().",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2026-22979"
},
{
"cve": "CVE-2026-22980",
"cwe": {
"id": "CWE-416",
"name": "Use After Free"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfsd: provide locking for v4_end_grace\n\nWriting to v4_end_grace can race with server shutdown and result in\nmemory being accessed after it was freed - reclaim_str_hashtbl in\nparticularly.\n\nWe cannot hold nfsd_mutex across the nfsd4_end_grace() call as that is\nheld while client_tracking_op-\u003einit() is called and that can wait for\nan upcall to nfsdcltrack which can write to v4_end_grace, resulting in a\ndeadlock.\n\nnfsd4_end_grace() is also called by the landromat work queue and this\ndoesn\u0027t require locking as server shutdown will stop the work and wait\nfor it before freeing anything that nfsd4_end_grace() might access.\n\nHowever, we must be sure that writing to v4_end_grace doesn\u0027t restart\nthe work item after shutdown has already waited for it. For this we\nadd a new flag protected with nn-\u003eclient_lock. It is set only while it\nis safe to make client tracking calls, and v4_end_grace only schedules\nwork while the flag is set with the spinlock held.\n\nSo this patch adds a nfsd_net field \"client_tracking_active\" which is\nset as described. Another field \"grace_end_forced\", is set when\nv4_end_grace is written. After this is set, and providing\nclient_tracking_active is set, the laundromat is scheduled.\nThis \"grace_end_forced\" field bypasses other checks for whether the\ngrace period has finished.\n\nThis resolves a race which can result in use-after-free.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2026-22980"
},
{
"cve": "CVE-2026-22982",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: mscc: ocelot: Fix crash when adding interface under a lag\n\nCommit 15faa1f67ab4 (\"lan966x: Fix crash when adding interface under a lag\")\nfixed a similar issue in the lan966x driver caused by a NULL pointer dereference.\nThe ocelot_set_aggr_pgids() function in the ocelot driver has similar logic\nand is susceptible to the same crash.\n\nThis issue specifically affects the ocelot_vsc7514.c frontend, which leaves\nunused ports as NULL pointers. The felix_vsc9959.c frontend is unaffected as\nit uses the DSA framework which registers all ports.\n\nFix this by checking if the port pointer is valid before accessing it.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2026-22982"
},
{
"cve": "CVE-2026-22992",
"cwe": {
"id": "CWE-252",
"name": "Unchecked Return Value"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nlibceph: return the handler error from mon_handle_auth_done()\n\nCurrently any error from ceph_auth_handle_reply_done() is propagated\nvia finish_auth() but isn\u0027t returned from mon_handle_auth_done(). This\nresults in higher layers learning that (despite the monitor considering\nus to be successfully authenticated) something went wrong in the\nauthentication phase and reacting accordingly, but msgr2 still trying\nto proceed with establishing the session in the background. In the\ncase of secure mode this can trigger a WARN in setup_crypto() and later\nlead to a NULL pointer dereference inside of prepare_auth_signature().",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2026-22992"
},
{
"cve": "CVE-2026-22994",
"cwe": {
"id": "CWE-772",
"name": "Missing Release of Resource after Effective Lifetime"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix reference count leak in bpf_prog_test_run_xdp()\n\nsyzbot is reporting\n\n unregister_netdevice: waiting for sit0 to become free. Usage count = 2\n\nproblem. A debug printk() patch found that a refcount is obtained at\nxdp_convert_md_to_buff() from bpf_prog_test_run_xdp().\n\nAccording to commit ec94670fcb3b (\"bpf: Support specifying ingress via\nxdp_md context in BPF_PROG_TEST_RUN\"), the refcount obtained by\nxdp_convert_md_to_buff() will be released by xdp_convert_buff_to_md().\n\nTherefore, we can consider that the error handling path introduced by\ncommit 1c1949982524 (\"bpf: introduce frags support to\nbpf_prog_test_run_xdp()\") forgot to call xdp_convert_buff_to_md().",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2026-22994"
},
{
"cve": "CVE-2026-23003",
"cwe": {
"id": "CWE-457",
"name": "Use of Uninitialized Variable"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nip6_tunnel: use skb_vlan_inet_prepare() in __ip6_tnl_rcv()\n\nBlamed commit did not take care of VLAN encapsulations\nas spotted by syzbot [1].\n\nUse skb_vlan_inet_prepare() instead of pskb_inet_may_pull().\n\n[1]\n BUG: KMSAN: uninit-value in __INET_ECN_decapsulate include/net/inet_ecn.h:253 [inline]\n BUG: KMSAN: uninit-value in INET_ECN_decapsulate include/net/inet_ecn.h:275 [inline]\n BUG: KMSAN: uninit-value in IP6_ECN_decapsulate+0x7a8/0x1fa0 include/net/inet_ecn.h:321\n __INET_ECN_decapsulate include/net/inet_ecn.h:253 [inline]\n INET_ECN_decapsulate include/net/inet_ecn.h:275 [inline]\n IP6_ECN_decapsulate+0x7a8/0x1fa0 include/net/inet_ecn.h:321\n ip6ip6_dscp_ecn_decapsulate+0x16f/0x1b0 net/ipv6/ip6_tunnel.c:729\n __ip6_tnl_rcv+0xed9/0x1b50 net/ipv6/ip6_tunnel.c:860\n ip6_tnl_rcv+0xc3/0x100 net/ipv6/ip6_tunnel.c:903\n gre_rcv+0x1529/0x1b90 net/ipv6/ip6_gre.c:-1\n ip6_protocol_deliver_rcu+0x1c89/0x2c60 net/ipv6/ip6_input.c:438\n ip6_input_finish+0x1f4/0x4a0 net/ipv6/ip6_input.c:489\n NF_HOOK include/linux/netfilter.h:318 [inline]\n ip6_input+0x9c/0x330 net/ipv6/ip6_input.c:500\n ip6_mc_input+0x7ca/0xc10 net/ipv6/ip6_input.c:590\n dst_input include/net/dst.h:474 [inline]\n ip6_rcv_finish+0x958/0x990 net/ipv6/ip6_input.c:79\n NF_HOOK include/linux/netfilter.h:318 [inline]\n ipv6_rcv+0xf1/0x3c0 net/ipv6/ip6_input.c:311\n __netif_receive_skb_one_core net/core/dev.c:6139 [inline]\n __netif_receive_skb+0x1df/0xac0 net/core/dev.c:6252\n netif_receive_skb_internal net/core/dev.c:6338 [inline]\n netif_receive_skb+0x57/0x630 net/core/dev.c:6397\n tun_rx_batched+0x1df/0x980 drivers/net/tun.c:1485\n tun_get_user+0x5c0e/0x6c60 drivers/net/tun.c:1953\n tun_chr_write_iter+0x3e9/0x5c0 drivers/net/tun.c:1999\n new_sync_write fs/read_write.c:593 [inline]\n vfs_write+0xbe2/0x15d0 fs/read_write.c:686\n ksys_write fs/read_write.c:738 [inline]\n __do_sys_write fs/read_write.c:749 [inline]\n __se_sys_write fs/read_write.c:746 [inline]\n __x64_sys_write+0x1fb/0x4d0 fs/read_write.c:746\n x64_sys_call+0x30ab/0x3e70 arch/x86/include/generated/asm/syscalls_64.h:2\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xd3/0xf80 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nUninit was created at:\n slab_post_alloc_hook mm/slub.c:4960 [inline]\n slab_alloc_node mm/slub.c:5263 [inline]\n kmem_cache_alloc_node_noprof+0x9e7/0x17a0 mm/slub.c:5315\n kmalloc_reserve+0x13c/0x4b0 net/core/skbuff.c:586\n __alloc_skb+0x805/0x1040 net/core/skbuff.c:690\n alloc_skb include/linux/skbuff.h:1383 [inline]\n alloc_skb_with_frags+0xc5/0xa60 net/core/skbuff.c:6712\n sock_alloc_send_pskb+0xacc/0xc60 net/core/sock.c:2995\n tun_alloc_skb drivers/net/tun.c:1461 [inline]\n tun_get_user+0x1142/0x6c60 drivers/net/tun.c:1794\n tun_chr_write_iter+0x3e9/0x5c0 drivers/net/tun.c:1999\n new_sync_write fs/read_write.c:593 [inline]\n vfs_write+0xbe2/0x15d0 fs/read_write.c:686\n ksys_write fs/read_write.c:738 [inline]\n __do_sys_write fs/read_write.c:749 [inline]\n __se_sys_write fs/read_write.c:746 [inline]\n __x64_sys_write+0x1fb/0x4d0 fs/read_write.c:746\n x64_sys_call+0x30ab/0x3e70 arch/x86/include/generated/asm/syscalls_64.h:2\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xd3/0xf80 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nCPU: 0 UID: 0 PID: 6465 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(none)\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2026-23003"
},
{
"cve": "CVE-2026-23005",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/fpu: Clear XSTATE_BV[i] in guest XSAVE state whenever XFD[i]=1\n\nWhen loading guest XSAVE state via KVM_SET_XSAVE, and when updating XFD in\nresponse to a guest WRMSR, clear XFD-disabled features in the saved (or to\nbe restored) XSTATE_BV to ensure KVM doesn\u0027t attempt to load state for\nfeatures that are disabled via the guest\u0027s XFD. Because the kernel\nexecutes XRSTOR with the guest\u0027s XFD, saving XSTATE_BV[i]=1 with XFD[i]=1\nwill cause XRSTOR to #NM and panic the kernel.\n\nE.g. if fpu_update_guest_xfd() sets XFD without clearing XSTATE_BV:\n\n ------------[ cut here ]------------\n WARNING: arch/x86/kernel/traps.c:1524 at exc_device_not_available+0x101/0x110, CPU#29: amx_test/848\n Modules linked in: kvm_intel kvm irqbypass\n CPU: 29 UID: 1000 PID: 848 Comm: amx_test Not tainted 6.19.0-rc2-ffa07f7fd437-x86_amx_nm_xfd_non_init-vm #171 NONE\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015\n RIP: 0010:exc_device_not_available+0x101/0x110\n Call Trace:\n \u003cTASK\u003e\n asm_exc_device_not_available+0x1a/0x20\n RIP: 0010:restore_fpregs_from_fpstate+0x36/0x90\n switch_fpu_return+0x4a/0xb0\n kvm_arch_vcpu_ioctl_run+0x1245/0x1e40 [kvm]\n kvm_vcpu_ioctl+0x2c3/0x8f0 [kvm]\n __x64_sys_ioctl+0x8f/0xd0\n do_syscall_64+0x62/0x940\n entry_SYSCALL_64_after_hwframe+0x4b/0x53\n \u003c/TASK\u003e\n ---[ end trace 0000000000000000 ]---\n\nThis can happen if the guest executes WRMSR(MSR_IA32_XFD) to set XFD[18] = 1,\nand a host IRQ triggers kernel_fpu_begin() prior to the vmexit handler\u0027s\ncall to fpu_update_guest_xfd().\n\nand if userspace stuffs XSTATE_BV[i]=1 via KVM_SET_XSAVE:\n\n ------------[ cut here ]------------\n WARNING: arch/x86/kernel/traps.c:1524 at exc_device_not_available+0x101/0x110, CPU#14: amx_test/867\n Modules linked in: kvm_intel kvm irqbypass\n CPU: 14 UID: 1000 PID: 867 Comm: amx_test Not tainted 6.19.0-rc2-2dace9faccd6-x86_amx_nm_xfd_non_init-vm #168 NONE\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015\n RIP: 0010:exc_device_not_available+0x101/0x110\n Call Trace:\n \u003cTASK\u003e\n asm_exc_device_not_available+0x1a/0x20\n RIP: 0010:restore_fpregs_from_fpstate+0x36/0x90\n fpu_swap_kvm_fpstate+0x6b/0x120\n kvm_load_guest_fpu+0x30/0x80 [kvm]\n kvm_arch_vcpu_ioctl_run+0x85/0x1e40 [kvm]\n kvm_vcpu_ioctl+0x2c3/0x8f0 [kvm]\n __x64_sys_ioctl+0x8f/0xd0\n do_syscall_64+0x62/0x940\n entry_SYSCALL_64_after_hwframe+0x4b/0x53\n \u003c/TASK\u003e\n ---[ end trace 0000000000000000 ]---\n\nThe new behavior is consistent with the AMX architecture. Per Intel\u0027s SDM,\nXSAVE saves XSTATE_BV as \u00270\u0027 for components that are disabled via XFD\n(and non-compacted XSAVE saves the initial configuration of the state\ncomponent):\n\n If XSAVE, XSAVEC, XSAVEOPT, or XSAVES is saving the state component i,\n the instruction does not generate #NM when XCR0[i] = IA32_XFD[i] = 1;\n instead, it operates as if XINUSE[i] = 0 (and the state component was\n in its initial state): it saves bit i of XSTATE_BV field of the XSAVE\n header as 0; in addition, XSAVE saves the initial configuration of the\n state component (the other instructions do not save state component i).\n\nAlternatively, KVM could always do XRSTOR with XFD=0, e.g. by using\na constant XFD based on the set of enabled features when XSAVEing for\na struct fpu_guest. However, having XSTATE_BV[i]=1 for XFD-disabled\nfeatures can only happen in the above interrupt case, or in similar\nscenarios involving preemption on preemptible kernels, because\nfpu_swap_kvm_fpstate()\u0027s call to save_fpregs_to_fpstate() saves the\noutgoing FPU state with the current XFD; and that is (on all but the\nfirst WRMSR to XFD) the guest XFD.\n\nTherefore, XFD can only go out of sync with XSTATE_BV in the above\ninterrupt case, or in similar scenarios involving preemption on\npreemptible kernels, and it we can consider it (de facto) part of KVM\nABI that KVM_GET_XSAVE returns XSTATE_BV[i]=0 for XFD-disabled features.\n\n[Move clea\n---truncated---",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2026-23005"
},
{
"cve": "CVE-2026-23010",
"cwe": {
"id": "CWE-825",
"name": "Expired Pointer Dereference"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: Fix use-after-free in inet6_addr_del().\n\nsyzbot reported use-after-free of inet6_ifaddr in\ninet6_addr_del(). [0]\n\nThe cited commit accidentally moved ipv6_del_addr() for\nmngtmpaddr before reading its ifp-\u003eflags for temporary\naddresses in inet6_addr_del().\n\nLet\u0027s move ipv6_del_addr() down to fix the UAF.\n\n[0]:\nBUG: KASAN: slab-use-after-free in inet6_addr_del.constprop.0+0x67a/0x6b0 net/ipv6/addrconf.c:3117\nRead of size 4 at addr ffff88807b89c86c by task syz.3.1618/9593\n\nCPU: 0 UID: 0 PID: 9593 Comm: syz.3.1618 Not tainted syzkaller #0 PREEMPT(full)\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025\nCall Trace:\n \u003cTASK\u003e\n __dump_stack lib/dump_stack.c:94 [inline]\n dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120\n print_address_description mm/kasan/report.c:378 [inline]\n print_report+0xcd/0x630 mm/kasan/report.c:482\n kasan_report+0xe0/0x110 mm/kasan/report.c:595\n inet6_addr_del.constprop.0+0x67a/0x6b0 net/ipv6/addrconf.c:3117\n addrconf_del_ifaddr+0x11e/0x190 net/ipv6/addrconf.c:3181\n inet6_ioctl+0x1e5/0x2b0 net/ipv6/af_inet6.c:582\n sock_do_ioctl+0x118/0x280 net/socket.c:1254\n sock_ioctl+0x227/0x6b0 net/socket.c:1375\n vfs_ioctl fs/ioctl.c:51 [inline]\n __do_sys_ioctl fs/ioctl.c:597 [inline]\n __se_sys_ioctl fs/ioctl.c:583 [inline]\n __x64_sys_ioctl+0x18e/0x210 fs/ioctl.c:583\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xcd/0xf80 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7f164cf8f749\nCode: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 \u003c48\u003e 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007f164de64038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010\nRAX: ffffffffffffffda RBX: 00007f164d1e5fa0 RCX: 00007f164cf8f749\nRDX: 0000200000000000 RSI: 0000000000008936 RDI: 0000000000000003\nRBP: 00007f164d013f91 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\nR13: 00007f164d1e6038 R14: 00007f164d1e5fa0 R15: 00007ffde15c8288\n \u003c/TASK\u003e\n\nAllocated by task 9593:\n kasan_save_stack+0x33/0x60 mm/kasan/common.c:56\n kasan_save_track+0x14/0x30 mm/kasan/common.c:77\n poison_kmalloc_redzone mm/kasan/common.c:397 [inline]\n __kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:414\n kmalloc_noprof include/linux/slab.h:957 [inline]\n kzalloc_noprof include/linux/slab.h:1094 [inline]\n ipv6_add_addr+0x4e3/0x2010 net/ipv6/addrconf.c:1120\n inet6_addr_add+0x256/0x9b0 net/ipv6/addrconf.c:3050\n addrconf_add_ifaddr+0x1fc/0x450 net/ipv6/addrconf.c:3160\n inet6_ioctl+0x103/0x2b0 net/ipv6/af_inet6.c:580\n sock_do_ioctl+0x118/0x280 net/socket.c:1254\n sock_ioctl+0x227/0x6b0 net/socket.c:1375\n vfs_ioctl fs/ioctl.c:51 [inline]\n __do_sys_ioctl fs/ioctl.c:597 [inline]\n __se_sys_ioctl fs/ioctl.c:583 [inline]\n __x64_sys_ioctl+0x18e/0x210 fs/ioctl.c:583\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xcd/0xf80 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nFreed by task 6099:\n kasan_save_stack+0x33/0x60 mm/kasan/common.c:56\n kasan_save_track+0x14/0x30 mm/kasan/common.c:77\n kasan_save_free_info+0x3b/0x60 mm/kasan/generic.c:584\n poison_slab_object mm/kasan/common.c:252 [inline]\n __kasan_slab_free+0x5f/0x80 mm/kasan/common.c:284\n kasan_slab_free include/linux/kasan.h:234 [inline]\n slab_free_hook mm/slub.c:2540 [inline]\n slab_free_freelist_hook mm/slub.c:2569 [inline]\n slab_free_bulk mm/slub.c:6696 [inline]\n kmem_cache_free_bulk mm/slub.c:7383 [inline]\n kmem_cache_free_bulk+0x2bf/0x680 mm/slub.c:7362\n kfree_bulk include/linux/slab.h:830 [inline]\n kvfree_rcu_bulk+0x1b7/0x1e0 mm/slab_common.c:1523\n kvfree_rcu_drain_ready mm/slab_common.c:1728 [inline]\n kfree_rcu_monitor+0x1d0/0x2f0 mm/slab_common.c:1801\n process_one_work+0x9ba/0x1b20 kernel/workqueue.c:3257\n process_scheduled_works kernel/workqu\n---truncated---",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2026-23010"
},
{
"cve": "CVE-2026-23011",
"cwe": {
"id": "CWE-124",
"name": "Buffer Underwrite (\u0027Buffer Underflow\u0027)"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv4: ip_gre: make ipgre_header() robust\n\nAnalog to commit db5b4e39c4e6 (\"ip6_gre: make ip6gre_header() robust\")\n\nOver the years, syzbot found many ways to crash the kernel\nin ipgre_header() [1].\n\nThis involves team or bonding drivers ability to dynamically\nchange their dev-\u003eneeded_headroom and/or dev-\u003ehard_header_len\n\nIn this particular crash mld_newpack() allocated an skb\nwith a too small reserve/headroom, and by the time mld_sendpack()\nwas called, syzbot managed to attach an ipgre device.\n\n[1]\nskbuff: skb_under_panic: text:ffffffff89ea3cb7 len:2030915468 put:2030915372 head:ffff888058b43000 data:ffff887fdfa6e194 tail:0x120 end:0x6c0 dev:team0\n kernel BUG at net/core/skbuff.c:213 !\nOops: invalid opcode: 0000 [#1] SMP KASAN PTI\nCPU: 1 UID: 0 PID: 1322 Comm: kworker/1:9 Not tainted syzkaller #0 PREEMPT(full)\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025\nWorkqueue: mld mld_ifc_work\n RIP: 0010:skb_panic+0x157/0x160 net/core/skbuff.c:213\nCall Trace:\n \u003cTASK\u003e\n skb_under_panic net/core/skbuff.c:223 [inline]\n skb_push+0xc3/0xe0 net/core/skbuff.c:2641\n ipgre_header+0x67/0x290 net/ipv4/ip_gre.c:897\n dev_hard_header include/linux/netdevice.h:3436 [inline]\n neigh_connected_output+0x286/0x460 net/core/neighbour.c:1618\n NF_HOOK_COND include/linux/netfilter.h:307 [inline]\n ip6_output+0x340/0x550 net/ipv6/ip6_output.c:247\n NF_HOOK+0x9e/0x380 include/linux/netfilter.h:318\n mld_sendpack+0x8d4/0xe60 net/ipv6/mcast.c:1855\n mld_send_cr net/ipv6/mcast.c:2154 [inline]\n mld_ifc_work+0x83e/0xd60 net/ipv6/mcast.c:2693\n process_one_work kernel/workqueue.c:3257 [inline]\n process_scheduled_works+0xad1/0x1770 kernel/workqueue.c:3340\n worker_thread+0x8a0/0xda0 kernel/workqueue.c:3421\n kthread+0x711/0x8a0 kernel/kthread.c:463\n ret_from_fork+0x510/0xa50 arch/x86/kernel/process.c:158\n ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.6,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2026-23011"
},
{
"cve": "CVE-2026-23019",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: marvell: prestera: fix NULL dereference on devlink_alloc() failure\n\ndevlink_alloc() may return NULL on allocation failure, but\nprestera_devlink_alloc() unconditionally calls devlink_priv() on\nthe returned pointer.\n\nThis leads to a NULL pointer dereference if devlink allocation fails.\nAdd a check for a NULL devlink pointer and return NULL early to avoid\nthe crash.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2026-23019"
},
{
"cve": "CVE-2026-23026",
"cwe": {
"id": "CWE-772",
"name": "Missing Release of Resource after Effective Lifetime"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: qcom: gpi: Fix memory leak in gpi_peripheral_config()\n\nFix a memory leak in gpi_peripheral_config() where the original memory\npointed to by gchan-\u003econfig could be lost if krealloc() fails.\n\nThe issue occurs when:\n1. gchan-\u003econfig points to previously allocated memory\n2. krealloc() fails and returns NULL\n3. The function directly assigns NULL to gchan-\u003econfig, losing the\n reference to the original memory\n4. The original memory becomes unreachable and cannot be freed\n\nFix this by using a temporary variable to hold the krealloc() result\nand only updating gchan-\u003econfig when the allocation succeeds.\n\nFound via static analysis and code review.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2026-23026"
},
{
"cve": "CVE-2026-23038",
"cwe": {
"id": "CWE-772",
"name": "Missing Release of Resource after Effective Lifetime"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\npnfs/flexfiles: Fix memory leak in nfs4_ff_alloc_deviceid_node()\n\nIn nfs4_ff_alloc_deviceid_node(), if the allocation for ds_versions fails,\nthe function jumps to the out_scratch label without freeing the already\nallocated dsaddrs list, leading to a memory leak.\n\nFix this by jumping to the out_err_drain_dsaddrs label, which properly\nfrees the dsaddrs list before cleaning up other resources.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2026-23038"
},
{
"cve": "CVE-2026-23054",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: hv_netvsc: reject RSS hash key programming without RX indirection table\n\nRSS configuration requires a valid RX indirection table. When the device\nreports a single receive queue, rndis_filter_device_add() does not\nallocate an indirection table, accepting RSS hash key updates in this\nstate leads to a hang.\n\nFix this by gating netvsc_set_rxfh() on ndc-\u003erx_table_sz and return\n-EOPNOTSUPP when the table is absent. This aligns set_rxfh with the device\ncapabilities and prevents incorrect behavior.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.0,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2026-23054"
},
{
"cve": "CVE-2026-23060",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: authencesn - reject too-short AAD (assoclen\u003c8) to match ESP/ESN spec\n\nauthencesn assumes an ESP/ESN-formatted AAD. When assoclen is shorter than\nthe minimum expected length, crypto_authenc_esn_decrypt() can advance past\nthe end of the destination scatterlist and trigger a NULL pointer dereference\nin scatterwalk_map_and_copy(), leading to a kernel panic (DoS).\n\nAdd a minimum AAD length check to fail fast on invalid inputs.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.0,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2026-23060"
},
{
"cve": "CVE-2026-23083",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nfou: Don\u0027t allow 0 for FOU_ATTR_IPPROTO.\n\nfou_udp_recv() has the same problem mentioned in the previous\npatch.\n\nIf FOU_ATTR_IPPROTO is set to 0, skb is not freed by\nfou_udp_recv() nor \"resubmit\"-ted in ip_protocol_deliver_rcu().\n\nLet\u0027s forbid 0 for FOU_ATTR_IPPROTO.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 3.3,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2026-23083"
},
{
"cve": "CVE-2026-23084",
"cwe": {
"id": "CWE-476",
"name": "NULL Pointer Dereference"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nbe2net: Fix NULL pointer dereference in be_cmd_get_mac_from_list\n\nWhen the parameter pmac_id_valid argument of be_cmd_get_mac_from_list() is\nset to false, the driver may request the PMAC_ID from the firmware of the\nnetwork card, and this function will store that PMAC_ID at the provided\naddress pmac_id. This is the contract of this function.\n\nHowever, there is a location within the driver where both\npmac_id_valid == false and pmac_id == NULL are being passed. This could\nresult in dereferencing a NULL pointer.\n\nTo resolve this issue, it is necessary to pass the address of a stub\nvariable to the function.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2026-23084"
},
{
"cve": "CVE-2026-23086",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nvsock/virtio: cap TX credit to local buffer size\n\nThe virtio transports derives its TX credit directly from peer_buf_alloc,\nwhich is set from the remote endpoint\u0027s SO_VM_SOCKETS_BUFFER_SIZE value.\n\nOn the host side this means that the amount of data we are willing to\nqueue for a connection is scaled by a guest-chosen buffer size, rather\nthan the host\u0027s own vsock configuration. A malicious guest can advertise\na large buffer and read slowly, causing the host to allocate a\ncorrespondingly large amount of sk_buff memory.\nThe same thing would happen in the guest with a malicious host, since\nvirtio transports share the same code base.\n\nIntroduce a small helper, virtio_transport_tx_buf_size(), that\nreturns min(peer_buf_alloc, buf_alloc), and use it wherever we consume\npeer_buf_alloc.\n\nThis ensures the effective TX window is bounded by both the peer\u0027s\nadvertised buffer and our own buf_alloc (already clamped to\nbuffer_max_size via SO_VM_SOCKETS_BUFFER_MAX_SIZE), so a remote peer\ncannot force the other to queue more data than allowed by its own\nvsock settings.\n\nOn an unpatched Ubuntu 22.04 host (~64 GiB RAM), running a PoC with\n32 guest vsock connections advertising 2 GiB each and reading slowly\ndrove Slab/SUnreclaim from ~0.5 GiB to ~57 GiB; the system only\nrecovered after killing the QEMU process. That said, if QEMU memory is\nlimited with cgroups, the maximum memory used will be limited.\n\nWith this patch applied:\n\n Before:\n MemFree: ~61.6 GiB\n Slab: ~142 MiB\n SUnreclaim: ~117 MiB\n\n After 32 high-credit connections:\n MemFree: ~61.5 GiB\n Slab: ~178 MiB\n SUnreclaim: ~152 MiB\n\nOnly ~35 MiB increase in Slab/SUnreclaim, no host OOM, and the guest\nremains responsive.\n\nCompatibility with non-virtio transports:\n\n - VMCI uses the AF_VSOCK buffer knobs to size its queue pairs per\n socket based on the local vsk-\u003ebuffer_* values; the remote side\n cannot enlarge those queues beyond what the local endpoint\n configured.\n\n - Hyper-V\u0027s vsock transport uses fixed-size VMBus ring buffers and\n an MTU bound; there is no peer-controlled credit field comparable\n to peer_buf_alloc, and the remote endpoint cannot drive in-flight\n kernel memory above those ring sizes.\n\n - The loopback path reuses virtio_transport_common.c, so it\n naturally follows the same semantics as the virtio transport.\n\nThis change is limited to virtio_transport_common.c and thus affects\nvirtio-vsock, vhost-vsock, and loopback, bringing them in line with the\n\"remote window intersected with local policy\" behaviour that VMCI and\nHyper-V already effectively have.\n\n[Stefano: small adjustments after changing the previous patch]\n[Stefano: tweak the commit message]",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.2,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2026-23086"
},
{
"cve": "CVE-2026-23087",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: xen: scsiback: Fix potential memory leak in scsiback_remove()\n\nMemory allocated for struct vscsiblk_info in scsiback_probe() is not\nfreed in scsiback_remove() leading to potential memory leaks on remove,\nas well as in the scsiback_probe() error paths. Fix that by freeing it\nin scsiback_remove().",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2026-23087"
},
{
"cve": "CVE-2026-23095",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\ngue: Fix skb memleak with inner IP protocol 0.\n\nsyzbot reported skb memleak below. [0]\n\nThe repro generated a GUE packet with its inner protocol 0.\n\ngue_udp_recv() returns -guehdr-\u003eproto_ctype for \"resubmit\"\nin ip_protocol_deliver_rcu(), but this only works with\nnon-zero protocol number.\n\nLet\u0027s drop such packets.\n\nNote that 0 is a valid number (IPv6 Hop-by-Hop Option).\n\nI think it is not practical to encap HOPOPT in GUE, so once\nsomeone starts to complain, we could pass down a resubmit\nflag pointer to distinguish two zeros from the upper layer:\n\n * no error\n * resubmit HOPOPT\n\n[0]\nBUG: memory leak\nunreferenced object 0xffff888109695a00 (size 240):\n comm \"syz.0.17\", pid 6088, jiffies 4294943096\n hex dump (first 32 bytes):\n 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n 00 40 c2 10 81 88 ff ff 00 00 00 00 00 00 00 00 .@..............\n backtrace (crc a84b336f):\n kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]\n slab_post_alloc_hook mm/slub.c:4958 [inline]\n slab_alloc_node mm/slub.c:5263 [inline]\n kmem_cache_alloc_noprof+0x3b4/0x590 mm/slub.c:5270\n __build_skb+0x23/0x60 net/core/skbuff.c:474\n build_skb+0x20/0x190 net/core/skbuff.c:490\n __tun_build_skb drivers/net/tun.c:1541 [inline]\n tun_build_skb+0x4a1/0xa40 drivers/net/tun.c:1636\n tun_get_user+0xc12/0x2030 drivers/net/tun.c:1770\n tun_chr_write_iter+0x71/0x120 drivers/net/tun.c:1999\n new_sync_write fs/read_write.c:593 [inline]\n vfs_write+0x45d/0x710 fs/read_write.c:686\n ksys_write+0xa7/0x170 fs/read_write.c:738\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xa4/0xf80 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2026-23095"
},
{
"cve": "CVE-2026-23100",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/hugetlb: fix hugetlb_pmd_shared()\n\nPatch series \"mm/hugetlb: fixes for PMD table sharing (incl. using\nmmu_gather)\", v3.\n\nOne functional fix, one performance regression fix, and two related\ncomment fixes.\n\nI cleaned up my prototype I recently shared [1] for the performance fix,\ndeferring most of the cleanups I had in the prototype to a later point. \nWhile doing that I identified the other things.\n\nThe goal of this patch set is to be backported to stable trees \"fairly\"\neasily. At least patch #1 and #4.\n\nPatch #1 fixes hugetlb_pmd_shared() not detecting any sharing\nPatch #2 + #3 are simple comment fixes that patch #4 interacts with.\nPatch #4 is a fix for the reported performance regression due to excessive\nIPI broadcasts during fork()+exit().\n\nThe last patch is all about TLB flushes, IPIs and mmu_gather.\nRead: complicated\n\nThere are plenty of cleanups in the future to be had + one reasonable\noptimization on x86. But that\u0027s all out of scope for this series.\n\nRuntime tested, with a focus on fixing the performance regression using\nthe original reproducer [2] on x86.\n\n\nThis patch (of 4):\n\nWe switched from (wrongly) using the page count to an independent shared\ncount. Now, shared page tables have a refcount of 1 (excluding\nspeculative references) and instead use ptdesc-\u003ept_share_count to identify\nsharing.\n\nWe didn\u0027t convert hugetlb_pmd_shared(), so right now, we would never\ndetect a shared PMD table as such, because sharing/unsharing no longer\ntouches the refcount of a PMD table.\n\nPage migration, like mbind() or migrate_pages() would allow for migrating\nfolios mapped into such shared PMD tables, even though the folios are not\nexclusive. In smaps we would account them as \"private\" although they are\n\"shared\", and we would be wrongly setting the PM_MMAP_EXCLUSIVE in the\npagemap interface.\n\nFix it by properly using ptdesc_pmd_is_shared() in hugetlb_pmd_shared().",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2026-23100"
},
{
"cve": "CVE-2026-23103",
"cwe": {
"id": "CWE-413",
"name": "Improper Resource Locking"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nipvlan: Make the addrs_lock be per port\n\nMake the addrs_lock be per port, not per ipvlan dev.\n\nInitial code seems to be written in the assumption,\nthat any address change must occur under RTNL.\nBut it is not so for the case of IPv6. So\n\n1) Introduce per-port addrs_lock.\n\n2) It was needed to fix places where it was forgotten\nto take lock (ipvlan_open/ipvlan_close)\n\nThis appears to be a very minor problem though.\nSince it\u0027s highly unlikely that ipvlan_add_addr() will\nbe called on 2 CPU simultaneously. But nevertheless,\nthis could cause:\n\n1) False-negative of ipvlan_addr_busy(): one interface\niterated through all port-\u003eipvlans + ipvlan-\u003eaddrs\nunder some ipvlan spinlock, and another added IP\nunder its own lock. Though this is only possible\nfor IPv6, since looks like only ipvlan_addr6_event() can be\ncalled without rtnl_lock.\n\n2) Race since ipvlan_ht_addr_add(port) is called under\ndifferent ipvlan-\u003eaddrs_lock locks\n\nThis should not affect performance, since add/remove IP\nis a rare situation and spinlock is not taken on fast\npaths.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2026-23103"
},
{
"cve": "CVE-2026-23110",
"cwe": {
"id": "CWE-821",
"name": "Incorrect Synchronization"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: core: Wake up the error handler when final completions race against each other\n\nThe fragile ordering between marking commands completed or failed so\nthat the error handler only wakes when the last running command\ncompletes or times out has race conditions. These race conditions can\ncause the SCSI layer to fail to wake the error handler, leaving I/O\nthrough the SCSI host stuck as the error state cannot advance.\n\nFirst, there is an memory ordering issue within scsi_dec_host_busy().\nThe write which clears SCMD_STATE_INFLIGHT may be reordered with reads\ncounting in scsi_host_busy(). While the local CPU will see its own\nwrite, reordering can allow other CPUs in scsi_dec_host_busy() or\nscsi_eh_inc_host_failed() to see a raised busy count, causing no CPU to\nsee a host busy equal to the host_failed count.\n\nThis race condition can be prevented with a memory barrier on the error\npath to force the write to be visible before counting host busy\ncommands.\n\nSecond, there is a general ordering issue with scsi_eh_inc_host_failed(). By\ncounting busy commands before incrementing host_failed, it can race with a\nfinal command in scsi_dec_host_busy(), such that scsi_dec_host_busy() does\nnot see host_failed incremented but scsi_eh_inc_host_failed() counts busy\ncommands before SCMD_STATE_INFLIGHT is cleared by scsi_dec_host_busy(),\nresulting in neither waking the error handler task.\n\nThis needs the call to scsi_host_busy() to be moved after host_failed is\nincremented to close the race condition.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2026-23110"
},
{
"cve": "CVE-2026-23111",
"cwe": {
"id": "CWE-416",
"name": "Use After Free"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: fix inverted genmask check in nft_map_catchall_activate()\n\nnft_map_catchall_activate() has an inverted element activity check\ncompared to its non-catchall counterpart nft_mapelem_activate() and\ncompared to what is logically required.\n\nnft_map_catchall_activate() is called from the abort path to re-activate\ncatchall map elements that were deactivated during a failed transaction.\nIt should skip elements that are already active (they don\u0027t need\nre-activation) and process elements that are inactive (they need to be\nrestored). Instead, the current code does the opposite: it skips inactive\nelements and processes active ones.\n\nCompare the non-catchall activate callback, which is correct:\n\n nft_mapelem_activate():\n if (nft_set_elem_active(ext, iter-\u003egenmask))\n return 0; /* skip active, process inactive */\n\nWith the buggy catchall version:\n\n nft_map_catchall_activate():\n if (!nft_set_elem_active(ext, genmask))\n continue; /* skip inactive, process active */\n\nThe consequence is that when a DELSET operation is aborted,\nnft_setelem_data_activate() is never called for the catchall element.\nFor NFT_GOTO verdict elements, this means nft_data_hold() is never\ncalled to restore the chain-\u003euse reference count. Each abort cycle\npermanently decrements chain-\u003euse. Once chain-\u003euse reaches zero,\nDELCHAIN succeeds and frees the chain while catchall verdict elements\nstill reference it, resulting in a use-after-free.\n\nThis is exploitable for local privilege escalation from an unprivileged\nuser via user namespaces + nftables on distributions that enable\nCONFIG_USER_NS and CONFIG_NF_TABLES.\n\nFix by removing the negation so the check matches nft_mapelem_activate():\nskip active elements, process inactive ones.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2026-23111"
},
{
"cve": "CVE-2026-23113",
"cwe": {
"id": "CWE-835",
"name": "Loop with Unreachable Exit Condition (\u0027Infinite Loop\u0027)"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring/io-wq: check IO_WQ_BIT_EXIT inside work run loop\n\nCurrently this is checked before running the pending work. Normally this\nis quite fine, as work items either end up blocking (which will create a\nnew worker for other items), or they complete fairly quickly. But syzbot\nreports an issue where io-wq takes seemingly forever to exit, and with a\nbit of debugging, this turns out to be because it queues a bunch of big\n(2GB - 4096b) reads with a /dev/msr* file. Since this file type doesn\u0027t\nsupport -\u003eread_iter(), loop_rw_iter() ends up handling them. Each read\nreturns 16MB of data read, which takes 20 (!!) seconds. With a bunch of\nthese pending, processing the whole chain can take a long time. Easily\nlonger than the syzbot uninterruptible sleep timeout of 140 seconds.\nThis then triggers a complaint off the io-wq exit path:\n\nINFO: task syz.4.135:6326 blocked for more than 143 seconds.\n Not tainted syzkaller #0\n Blocked by coredump.\n\"echo 0 \u003e /proc/sys/kernel/hung_task_timeout_secs\" disables this message.\ntask:syz.4.135 state:D stack:26824 pid:6326 tgid:6324 ppid:5957 task_flags:0x400548 flags:0x00080000\nCall Trace:\n \u003cTASK\u003e\n context_switch kernel/sched/core.c:5256 [inline]\n __schedule+0x1139/0x6150 kernel/sched/core.c:6863\n __schedule_loop kernel/sched/core.c:6945 [inline]\n schedule+0xe7/0x3a0 kernel/sched/core.c:6960\n schedule_timeout+0x257/0x290 kernel/time/sleep_timeout.c:75\n do_wait_for_common kernel/sched/completion.c:100 [inline]\n __wait_for_common+0x2fc/0x4e0 kernel/sched/completion.c:121\n io_wq_exit_workers io_uring/io-wq.c:1328 [inline]\n io_wq_put_and_exit+0x271/0x8a0 io_uring/io-wq.c:1356\n io_uring_clean_tctx+0x10d/0x190 io_uring/tctx.c:203\n io_uring_cancel_generic+0x69c/0x9a0 io_uring/cancel.c:651\n io_uring_files_cancel include/linux/io_uring.h:19 [inline]\n do_exit+0x2ce/0x2bd0 kernel/exit.c:911\n do_group_exit+0xd3/0x2a0 kernel/exit.c:1112\n get_signal+0x2671/0x26d0 kernel/signal.c:3034\n arch_do_signal_or_restart+0x8f/0x7e0 arch/x86/kernel/signal.c:337\n __exit_to_user_mode_loop kernel/entry/common.c:41 [inline]\n exit_to_user_mode_loop+0x8c/0x540 kernel/entry/common.c:75\n __exit_to_user_mode_prepare include/linux/irq-entry-common.h:226 [inline]\n syscall_exit_to_user_mode_prepare include/linux/irq-entry-common.h:256 [inline]\n syscall_exit_to_user_mode_work include/linux/entry-common.h:159 [inline]\n syscall_exit_to_user_mode include/linux/entry-common.h:194 [inline]\n do_syscall_64+0x4ee/0xf80 arch/x86/entry/syscall_64.c:100\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7fa02738f749\nRSP: 002b:00007fa0281ae0e8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca\nRAX: fffffffffffffe00 RBX: 00007fa0275e6098 RCX: 00007fa02738f749\nRDX: 0000000000000000 RSI: 0000000000000080 RDI: 00007fa0275e6098\nRBP: 00007fa0275e6090 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\nR13: 00007fa0275e6128 R14: 00007fff14e4fcb0 R15: 00007fff14e4fd98\n\nThere\u0027s really nothing wrong here, outside of processing these reads\nwill take a LONG time. However, we can speed up the exit by checking the\nIO_WQ_BIT_EXIT inside the io_worker_handle_work() loop, as syzbot will\nexit the ring after queueing up all of these reads. Then once the first\nitem is processed, io-wq will simply cancel the rest. That should avoid\nsyzbot running into this complaint again.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2026-23113"
},
{
"cve": "CVE-2026-23154",
"cwe": {
"id": "CWE-237",
"name": "Improper Handling of Structural Elements"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: fix segmentation of forwarding fraglist GRO\n\nThis patch enhances GSO segment handling by properly checking\nthe SKB_GSO_DODGY flag for frag_list GSO packets, addressing\nlow throughput issues observed when a station accesses IPv4\nservers via hotspots with an IPv6-only upstream interface.\n\nSpecifically, it fixes a bug in GSO segmentation when forwarding\nGRO packets containing a frag_list. The function skb_segment_list\ncannot correctly process GRO skbs that have been converted by XLAT,\nsince XLAT only translates the header of the head skb. Consequently,\nskbs in the frag_list may remain untranslated, resulting in protocol\ninconsistencies and reduced throughput.\n\nTo address this, the patch explicitly sets the SKB_GSO_DODGY flag\nfor GSO packets in XLAT\u0027s IPv4/IPv6 protocol translation helpers\n(bpf_skb_proto_4_to_6 and bpf_skb_proto_6_to_4). This marks GSO\npackets as potentially modified after protocol translation. As a\nresult, GSO segmentation will avoid using skb_segment_list and\ninstead falls back to skb_segment for packets with the SKB_GSO_DODGY\nflag. This ensures that only safe and fully translated frag_list\npackets are processed by skb_segment_list, resolving protocol\ninconsistencies and improving throughput when forwarding GRO packets\nconverted by XLAT.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 3.3,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2026-23154"
},
{
"cve": "CVE-2026-23204",
"cwe": {
"id": "CWE-1285",
"name": "Improper Validation of Specified Index, Position, or Offset in Input"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: cls_u32: use skb_header_pointer_careful()\n\nskb_header_pointer() does not fully validate negative @offset values.\n\nUse skb_header_pointer_careful() instead.\n\nGangMin Kim provided a report and a repro fooling u32_classify():\n\nBUG: KASAN: slab-out-of-bounds in u32_classify+0x1180/0x11b0\nnet/sched/cls_u32.c:221",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2026-23204"
},
{
"cve": "CVE-2026-23231",
"cwe": {
"id": "CWE-416",
"name": "Use After Free"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: fix use-after-free in nf_tables_addchain()\n\nnf_tables_addchain() publishes the chain to table-\u003echains via\nlist_add_tail_rcu() (in nft_chain_add()) before registering hooks.\nIf nf_tables_register_hook() then fails, the error path calls\nnft_chain_del() (list_del_rcu()) followed by nf_tables_chain_destroy()\nwith no RCU grace period in between.\n\nThis creates two use-after-free conditions:\n\n 1) Control-plane: nf_tables_dump_chains() traverses table-\u003echains\n under rcu_read_lock(). A concurrent dump can still be walking\n the chain when the error path frees it.\n\n 2) Packet path: for NFPROTO_INET, nf_register_net_hook() briefly\n installs the IPv4 hook before IPv6 registration fails. Packets\n entering nft_do_chain() via the transient IPv4 hook can still be\n dereferencing chain-\u003eblob_gen_X when the error path frees the\n chain.\n\nAdd synchronize_rcu() between nft_chain_del() and the chain destroy\nso that all RCU readers -- both dump threads and in-flight packet\nevaluation -- have finished before the chain is freed.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2026-23231"
},
{
"cve": "CVE-2026-23242",
"cwe": {
"id": "CWE-476",
"name": "NULL Pointer Dereference"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/siw: Fix potential NULL pointer dereference in header processing\n\nIf siw_get_hdr() returns -EINVAL before set_rx_fpdu_context(),\nqp-\u003erx_fpdu can be NULL. The error path in siw_tcp_rx_data()\ndereferences qp-\u003erx_fpdu-\u003emore_ddp_segs without checking, which\nmay lead to a NULL pointer deref. Only check more_ddp_segs when\nrx_fpdu is present.\n\nKASAN splat:\n[ 101.384271] KASAN: null-ptr-deref in range [0x00000000000000c0-0x00000000000000c7]\n[ 101.385869] RIP: 0010:siw_tcp_rx_data+0x13ad/0x1e50",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2026-23242"
},
{
"cve": "CVE-2026-23243",
"cwe": {
"id": "CWE-131",
"name": "Incorrect Calculation of Buffer Size"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/umad: Reject negative data_len in ib_umad_write\n\nib_umad_write computes data_len from user-controlled count and the\nMAD header sizes. With a mismatched user MAD header size and RMPP\nheader length, data_len can become negative and reach ib_create_send_mad().\nThis can make the padding calculation exceed the segment size and trigger\nan out-of-bounds memset in alloc_send_rmpp_list().\n\nAdd an explicit check to reject negative data_len before creating the\nsend buffer.\n\nKASAN splat:\n[ 211.363464] BUG: KASAN: slab-out-of-bounds in ib_create_send_mad+0xa01/0x11b0\n[ 211.364077] Write of size 220 at addr ffff88800c3fa1f8 by task spray_thread/102\n[ 211.365867] ib_create_send_mad+0xa01/0x11b0\n[ 211.365887] ib_umad_write+0x853/0x1c80",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2026-23243"
},
{
"cve": "CVE-2026-23245",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: act_gate: snapshot parameters with RCU on replace\n\nThe gate action can be replaced while the hrtimer callback or dump path is\nwalking the schedule list.\n\nConvert the parameters to an RCU-protected snapshot and swap updates under\ntcf_lock, freeing the previous snapshot via call_rcu(). When REPLACE omits\nthe entry list, preserve the existing schedule so the effective state is\nunchanged.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2026-23245"
},
{
"cve": "CVE-2026-23270",
"cwe": {
"id": "CWE-416",
"name": "Use After Free"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: Only allow act_ct to bind to clsact/ingress qdiscs and shared blocks\n\nAs Paolo said earlier [1]:\n\n\"Since the blamed commit below, classify can return TC_ACT_CONSUMED while\nthe current skb being held by the defragmentation engine. As reported by\nGangMin Kim, if such packet is that may cause a UaF when the defrag engine\nlater on tries to tuch again such packet.\"\n\nact_ct was never meant to be used in the egress path, however some users\nare attaching it to egress today [2]. Attempting to reach a middle\nground, we noticed that, while most qdiscs are not handling\nTC_ACT_CONSUMED, clsact/ingress qdiscs are. With that in mind, we\naddress the issue by only allowing act_ct to bind to clsact/ingress\nqdiscs and shared blocks. That way it\u0027s still possible to attach act_ct to\negress (albeit only with clsact).\n\n[1] https://lore.kernel.org/netdev/674b8cbfc385c6f37fb29a1de08d8fe5c2b0fbee.1771321118.git.pabeni@redhat.com/\n[2] https://lore.kernel.org/netdev/cc6bfb4a-4a2b-42d8-b9ce-7ef6644fb22b@ovn.org/",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2026-23270"
},
{
"cve": "CVE-2026-23271",
"cwe": {
"id": "CWE-672",
"name": "Operation on a Resource after Expiration or Release"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nperf: Fix __perf_event_overflow() vs perf_remove_from_context() race\n\nMake sure that __perf_event_overflow() runs with IRQs disabled for all\npossible callchains. Specifically the software events can end up running\nit with only preemption disabled.\n\nThis opens up a race vs perf_event_exit_event() and friends that will go\nand free various things the overflow path expects to be present, like\nthe BPF program.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2026-23271"
},
{
"cve": "CVE-2026-23273",
"cwe": {
"id": "CWE-364",
"name": "Signal Handler Race Condition"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nmacvlan: observe an RCU grace period in macvlan_common_newlink() error path\n\nvalis reported that a race condition still happens after my prior patch.\n\nmacvlan_common_newlink() might have made @dev visible before\ndetecting an error, and its caller will directly call free_netdev(dev).\n\nWe must respect an RCU period, either in macvlan or the core networking\nstack.\n\nAfter adding a temporary mdelay(1000) in macvlan_forward_source_one()\nto open the race window, valis repro was:\n\nip link add p1 type veth peer p2\nip link set address 00:00:00:00:00:20 dev p1\nip link set up dev p1\nip link set up dev p2\nip link add mv0 link p2 type macvlan mode source\n\n(ip link add invalid% link p2 type macvlan mode source macaddr add\n00:00:00:00:00:20 \u0026) ; sleep 0.5 ; ping -c1 -I p1 1.2.3.4\nPING 1.2.3.4 (1.2.3.4): 56 data bytes\nRTNETLINK answers: Invalid argument\n\nBUG: KASAN: slab-use-after-free in macvlan_forward_source\n(drivers/net/macvlan.c:408 drivers/net/macvlan.c:444)\nRead of size 8 at addr ffff888016bb89c0 by task e/175\n\nCPU: 1 UID: 1000 PID: 175 Comm: e Not tainted 6.19.0-rc8+ #33 NONE\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-2 04/01/2014\nCall Trace:\n\u003cIRQ\u003e\ndump_stack_lvl (lib/dump_stack.c:123)\nprint_report (mm/kasan/report.c:379 mm/kasan/report.c:482)\n? macvlan_forward_source (drivers/net/macvlan.c:408 drivers/net/macvlan.c:444)\nkasan_report (mm/kasan/report.c:597)\n? macvlan_forward_source (drivers/net/macvlan.c:408 drivers/net/macvlan.c:444)\nmacvlan_forward_source (drivers/net/macvlan.c:408 drivers/net/macvlan.c:444)\n? tasklet_init (kernel/softirq.c:983)\nmacvlan_handle_frame (drivers/net/macvlan.c:501)\n\nAllocated by task 169:\nkasan_save_stack (mm/kasan/common.c:58)\nkasan_save_track (./arch/x86/include/asm/current.h:25\nmm/kasan/common.c:70 mm/kasan/common.c:79)\n__kasan_kmalloc (mm/kasan/common.c:419)\n__kvmalloc_node_noprof (./include/linux/kasan.h:263 mm/slub.c:5657\nmm/slub.c:7140)\nalloc_netdev_mqs (net/core/dev.c:12012)\nrtnl_create_link (net/core/rtnetlink.c:3648)\nrtnl_newlink (net/core/rtnetlink.c:3830 net/core/rtnetlink.c:3957\nnet/core/rtnetlink.c:4072)\nrtnetlink_rcv_msg (net/core/rtnetlink.c:6958)\nnetlink_rcv_skb (net/netlink/af_netlink.c:2550)\nnetlink_unicast (net/netlink/af_netlink.c:1319 net/netlink/af_netlink.c:1344)\nnetlink_sendmsg (net/netlink/af_netlink.c:1894)\n__sys_sendto (net/socket.c:727 net/socket.c:742 net/socket.c:2206)\n__x64_sys_sendto (net/socket.c:2209)\ndo_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall_64.c:94)\nentry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:131)\n\nFreed by task 169:\nkasan_save_stack (mm/kasan/common.c:58)\nkasan_save_track (./arch/x86/include/asm/current.h:25\nmm/kasan/common.c:70 mm/kasan/common.c:79)\nkasan_save_free_info (mm/kasan/generic.c:587)\n__kasan_slab_free (mm/kasan/common.c:287)\nkfree (mm/slub.c:6674 mm/slub.c:6882)\nrtnl_newlink (net/core/rtnetlink.c:3845 net/core/rtnetlink.c:3957\nnet/core/rtnetlink.c:4072)\nrtnetlink_rcv_msg (net/core/rtnetlink.c:6958)\nnetlink_rcv_skb (net/netlink/af_netlink.c:2550)\nnetlink_unicast (net/netlink/af_netlink.c:1319 net/netlink/af_netlink.c:1344)\nnetlink_sendmsg (net/netlink/af_netlink.c:1894)\n__sys_sendto (net/socket.c:727 net/socket.c:742 net/socket.c:2206)\n__x64_sys_sendto (net/socket.c:2209)\ndo_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall_64.c:94)\nentry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:131)",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2026-23273"
},
{
"cve": "CVE-2026-23274",
"cwe": {
"id": "CWE-908",
"name": "Use of Uninitialized Resource"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: xt_IDLETIMER: reject rev0 reuse of ALARM timer labels\n\nIDLETIMER revision 0 rules reuse existing timers by label and always call\nmod_timer() on timer-\u003etimer.\n\nIf the label was created first by revision 1 with XT_IDLETIMER_ALARM,\nthe object uses alarm timer semantics and timer-\u003etimer is never initialized.\nReusing that object from revision 0 causes mod_timer() on an uninitialized\ntimer_list, triggering debugobjects warnings and possible panic when\npanic_on_warn=1.\n\nFix this by rejecting revision 0 rule insertion when an existing timer with\nthe same label is of ALARM type.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2026-23274"
},
{
"cve": "CVE-2026-23277",
"cwe": {
"id": "CWE-476",
"name": "NULL Pointer Dereference"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: teql: fix NULL pointer dereference in iptunnel_xmit on TEQL slave xmit\n\nteql_master_xmit() calls netdev_start_xmit(skb, slave) to transmit\nthrough slave devices, but does not update skb-\u003edev to the slave device\nbeforehand.\n\nWhen a gretap tunnel is a TEQL slave, the transmit path reaches\niptunnel_xmit() which saves dev = skb-\u003edev (still pointing to teql0\nmaster) and later calls iptunnel_xmit_stats(dev, pkt_len). This\nfunction does:\n\n get_cpu_ptr(dev-\u003etstats)\n\nSince teql_master_setup() does not set dev-\u003epcpu_stat_type to\nNETDEV_PCPU_STAT_TSTATS, the core network stack never allocates tstats\nfor teql0, so dev-\u003etstats is NULL. get_cpu_ptr(NULL) computes\nNULL + __per_cpu_offset[cpu], resulting in a page fault.\n\n BUG: unable to handle page fault for address: ffff8880e6659018\n #PF: supervisor write access in kernel mode\n #PF: error_code(0x0002) - not-present page\n PGD 68bc067 P4D 68bc067 PUD 0\n Oops: Oops: 0002 [#1] SMP KASAN PTI\n RIP: 0010:iptunnel_xmit (./include/net/ip_tunnels.h:664 net/ipv4/ip_tunnel_core.c:89)\n Call Trace:\n \u003cTASK\u003e\n ip_tunnel_xmit (net/ipv4/ip_tunnel.c:847)\n __gre_xmit (net/ipv4/ip_gre.c:478)\n gre_tap_xmit (net/ipv4/ip_gre.c:779)\n teql_master_xmit (net/sched/sch_teql.c:319)\n dev_hard_start_xmit (net/core/dev.c:3887)\n sch_direct_xmit (net/sched/sch_generic.c:347)\n __dev_queue_xmit (net/core/dev.c:4802)\n neigh_direct_output (net/core/neighbour.c:1660)\n ip_finish_output2 (net/ipv4/ip_output.c:237)\n __ip_finish_output.part.0 (net/ipv4/ip_output.c:315)\n ip_mc_output (net/ipv4/ip_output.c:369)\n ip_send_skb (net/ipv4/ip_output.c:1508)\n udp_send_skb (net/ipv4/udp.c:1195)\n udp_sendmsg (net/ipv4/udp.c:1485)\n inet_sendmsg (net/ipv4/af_inet.c:859)\n __sys_sendto (net/socket.c:2206)\n\nFix this by setting skb-\u003edev = slave before calling\nnetdev_start_xmit(), so that tunnel xmit functions see the correct\nslave device with properly allocated tstats.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2026-23277"
},
{
"cve": "CVE-2026-23284",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ethernet: mtk_eth_soc: Reset prog ptr to old_prog in case of error in mtk_xdp_setup()\n\nReset eBPF program pointer to old_prog and do not decrease its ref-count\nif mtk_open routine in mtk_xdp_setup() fails.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2026-23284"
},
{
"cve": "CVE-2026-23287",
"cwe": {
"id": "CWE-367",
"name": "Time-of-check Time-of-use (TOCTOU) Race Condition"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nirqchip/sifive-plic: Fix frozen interrupt due to affinity setting\n\nPLIC ignores interrupt completion message for disabled interrupt, explained\nby the specification:\n\n The PLIC signals it has completed executing an interrupt handler by\n writing the interrupt ID it received from the claim to the\n claim/complete register. The PLIC does not check whether the completion\n ID is the same as the last claim ID for that target. If the completion\n ID does not match an interrupt source that is currently enabled for\n the target, the completion is silently ignored.\n\nThis caused problems in the past, because an interrupt can be disabled\nwhile still being handled and plic_irq_eoi() had no effect. That was fixed\nby checking if the interrupt is disabled, and if so enable it, before\nsending the completion message. That check is done with irqd_irq_disabled().\n\nHowever, that is not sufficient because the enable bit for the handling\nhart can be zero despite irqd_irq_disabled(d) being false. This can happen\nwhen affinity setting is changed while a hart is still handling the\ninterrupt.\n\nThis problem is easily reproducible by dumping a large file to uart (which\ngenerates lots of interrupts) and at the same time keep changing the uart\ninterrupt\u0027s affinity setting. The uart port becomes frozen almost\ninstantaneously.\n\nFix this by checking PLIC\u0027s enable bit instead of irqd_irq_disabled().",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2026-23287"
},
{
"cve": "CVE-2026-23290",
"cwe": {
"id": "CWE-909",
"name": "Missing Initialization of Resource"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: usb: pegasus: validate USB endpoints\n\nThe pegasus driver should validate that the device it is probing has the\nproper number and types of USB endpoints it is expecting before it binds\nto it. If a malicious device were to not have the same urbs the driver\nwill crash later on when it blindly accesses these endpoints.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2026-23290"
},
{
"cve": "CVE-2026-23293",
"cwe": {
"id": "CWE-824",
"name": "Access of Uninitialized Pointer"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: vxlan: fix nd_tbl NULL dereference when IPv6 is disabled\n\nWhen booting with the \u0027ipv6.disable=1\u0027 parameter, the nd_tbl is never\ninitialized because inet6_init() exits before ndisc_init() is called\nwhich initializes it. If an IPv6 packet is injected into the interface,\nroute_shortcircuit() is called and a NULL pointer dereference happens on\nneigh_lookup().\n\n BUG: kernel NULL pointer dereference, address: 0000000000000380\n Oops: Oops: 0000 [#1] SMP NOPTI\n [...]\n RIP: 0010:neigh_lookup+0x20/0x270\n [...]\n Call Trace:\n \u003cTASK\u003e\n vxlan_xmit+0x638/0x1ef0 [vxlan]\n dev_hard_start_xmit+0x9e/0x2e0\n __dev_queue_xmit+0xbee/0x14e0\n packet_sendmsg+0x116f/0x1930\n __sys_sendto+0x1f5/0x200\n __x64_sys_sendto+0x24/0x30\n do_syscall_64+0x12f/0x1590\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\nFix this by adding an early check on route_shortcircuit() when protocol\nis ETH_P_IPV6. Note that ipv6_mod_enabled() cannot be used here because\nVXLAN can be built-in even when IPv6 is built as a module.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2026-23293"
},
{
"cve": "CVE-2026-23300",
"cwe": {
"id": "CWE-909",
"name": "Missing Initialization of Resource"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ipv6: fix panic when IPv4 route references loopback IPv6 nexthop\n\nWhen a standalone IPv6 nexthop object is created with a loopback device\n(e.g., \"ip -6 nexthop add id 100 dev lo\"), fib6_nh_init() misclassifies\nit as a reject route. This is because nexthop objects have no destination\nprefix (fc_dst=::), causing fib6_is_reject() to match any loopback\nnexthop. The reject path skips fib_nh_common_init(), leaving\nnhc_pcpu_rth_output unallocated. If an IPv4 route later references this\nnexthop, __mkroute_output() dereferences NULL nhc_pcpu_rth_output and\npanics.\n\nSimplify the check in fib6_nh_init() to only match explicit reject\nroutes (RTF_REJECT) instead of using fib6_is_reject(). The loopback\npromotion heuristic in fib6_is_reject() is handled separately by\nip6_route_info_create_nh(). After this change, the three cases behave\nas follows:\n\n1. Explicit reject route (\"ip -6 route add unreachable 2001:db8::/64\"):\n RTF_REJECT is set, enters reject path, skips fib_nh_common_init().\n No behavior change.\n\n2. Implicit loopback reject route (\"ip -6 route add 2001:db8::/32 dev lo\"):\n RTF_REJECT is not set, takes normal path, fib_nh_common_init() is\n called. ip6_route_info_create_nh() still promotes it to reject\n afterward. nhc_pcpu_rth_output is allocated but unused, which is\n harmless.\n\n3. Standalone nexthop object (\"ip -6 nexthop add id 100 dev lo\"):\n RTF_REJECT is not set, takes normal path, fib_nh_common_init() is\n called. nhc_pcpu_rth_output is properly allocated, fixing the crash\n when IPv4 routes reference this nexthop.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.0,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2026-23300"
},
{
"cve": "CVE-2026-23304",
"cwe": {
"id": "CWE-476",
"name": "NULL Pointer Dereference"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: fix NULL pointer deref in ip6_rt_get_dev_rcu()\n\nl3mdev_master_dev_rcu() can return NULL when the slave device is being\nun-slaved from a VRF. All other callers deal with this, but we lost\nthe fallback to loopback in ip6_rt_pcpu_alloc() -\u003e ip6_rt_get_dev_rcu()\nwith commit 4832c30d5458 (\"net: ipv6: put host and anycast routes on\ndevice with address\").\n\n KASAN: null-ptr-deref in range [0x0000000000000108-0x000000000000010f]\n RIP: 0010:ip6_rt_pcpu_alloc (net/ipv6/route.c:1418)\n Call Trace:\n ip6_pol_route (net/ipv6/route.c:2318)\n fib6_rule_lookup (net/ipv6/fib6_rules.c:115)\n ip6_route_output_flags (net/ipv6/route.c:2607)\n vrf_process_v6_outbound (drivers/net/vrf.c:437)\n\nI was tempted to rework the un-slaving code to clear the flag first\nand insert synchronize_rcu() before we remove the upper. But looks like\nthe explicit fallback to loopback_dev is an established pattern.\nAnd I guess avoiding the synchronize_rcu() is nice, too.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2026-23304"
},
{
"cve": "CVE-2026-23319",
"cwe": {
"id": "CWE-825",
"name": "Expired Pointer Dereference"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix a UAF issue in bpf_trampoline_link_cgroup_shim\n\nThe root cause of this bug is that when \u0027bpf_link_put\u0027 reduces the\nrefcount of \u0027shim_link-\u003elink.link\u0027 to zero, the resource is considered\nreleased but may still be referenced via \u0027tr-\u003eprogs_hlist\u0027 in\n\u0027cgroup_shim_find\u0027. The actual cleanup of \u0027tr-\u003eprogs_hlist\u0027 in\n\u0027bpf_shim_tramp_link_release\u0027 is deferred. During this window, another\nprocess can cause a use-after-free via \u0027bpf_trampoline_link_cgroup_shim\u0027.\n\nBased on Martin KaFai Lau\u0027s suggestions, I have created a simple patch.\n\nTo fix this:\n Add an atomic non-zero check in \u0027bpf_trampoline_link_cgroup_shim\u0027.\n Only increment the refcount if it is not already zero.\n\nTesting:\n I verified the fix by adding a delay in\n \u0027bpf_shim_tramp_link_release\u0027 to make the bug easier to trigger:\n\nstatic void bpf_shim_tramp_link_release(struct bpf_link *link)\n{\n\t/* ... */\n\tif (!shim_link-\u003etrampoline)\n\t\treturn;\n\n+\tmsleep(100);\n\tWARN_ON_ONCE(bpf_trampoline_unlink_prog(\u0026shim_link-\u003elink,\n\t\tshim_link-\u003etrampoline, NULL));\n\tbpf_trampoline_put(shim_link-\u003etrampoline);\n}\n\nBefore the patch, running a PoC easily reproduced the crash(almost 100%)\nwith a call trace similar to KaiyanM\u0027s report.\nAfter the patch, the bug no longer occurs even after millions of\niterations.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2026-23319"
},
{
"cve": "CVE-2026-23321",
"cwe": {
"id": "CWE-911",
"name": "Improper Update of Reference Count"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: pm: in-kernel: always mark signal+subflow endp as used\n\nSyzkaller managed to find a combination of actions that was generating\nthis warning:\n\n msk-\u003epm.local_addr_used == 0\n WARNING: net/mptcp/pm_kernel.c:1071 at __mark_subflow_endp_available net/mptcp/pm_kernel.c:1071 [inline], CPU#1: syz.2.17/961\n WARNING: net/mptcp/pm_kernel.c:1071 at mptcp_nl_remove_subflow_and_signal_addr net/mptcp/pm_kernel.c:1103 [inline], CPU#1: syz.2.17/961\n WARNING: net/mptcp/pm_kernel.c:1071 at mptcp_pm_nl_del_addr_doit+0x81d/0x8f0 net/mptcp/pm_kernel.c:1210, CPU#1: syz.2.17/961\n Modules linked in:\n CPU: 1 UID: 0 PID: 961 Comm: syz.2.17 Not tainted 6.19.0-08368-gfafda3b4b06b #22 PREEMPT(full)\n Hardware name: QEMU Ubuntu 25.10 PC v2 (i440FX + PIIX, + 10.1 machine, 1996), BIOS 1.17.0-debian-1.17.0-1build1 04/01/2014\n RIP: 0010:__mark_subflow_endp_available net/mptcp/pm_kernel.c:1071 [inline]\n RIP: 0010:mptcp_nl_remove_subflow_and_signal_addr net/mptcp/pm_kernel.c:1103 [inline]\n RIP: 0010:mptcp_pm_nl_del_addr_doit+0x81d/0x8f0 net/mptcp/pm_kernel.c:1210\n Code: 89 c5 e8 46 30 6f fe e9 21 fd ff ff 49 83 ed 80 e8 38 30 6f fe 4c 89 ef be 03 00 00 00 e8 db 49 df fe eb ac e8 24 30 6f fe 90 \u003c0f\u003e 0b 90 e9 1d ff ff ff e8 16 30 6f fe eb 05 e8 0f 30 6f fe e8 9a\n RSP: 0018:ffffc90001663880 EFLAGS: 00010293\n RAX: ffffffff82de1a6c RBX: 0000000000000000 RCX: ffff88800722b500\n RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000\n RBP: ffff8880158b22d0 R08: 0000000000010425 R09: ffffffffffffffff\n R10: ffffffff82de18ba R11: 0000000000000000 R12: ffff88800641a640\n R13: ffff8880158b1880 R14: ffff88801ec3c900 R15: ffff88800641a650\n FS: 00005555722c3500(0000) GS:ffff8880f909d000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 00007f66346e0f60 CR3: 000000001607c000 CR4: 0000000000350ef0\n Call Trace:\n \u003cTASK\u003e\n genl_family_rcv_msg_doit+0x117/0x180 net/netlink/genetlink.c:1115\n genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline]\n genl_rcv_msg+0x3a8/0x3f0 net/netlink/genetlink.c:1210\n netlink_rcv_skb+0x16d/0x240 net/netlink/af_netlink.c:2550\n genl_rcv+0x28/0x40 net/netlink/genetlink.c:1219\n netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline]\n netlink_unicast+0x3e9/0x4c0 net/netlink/af_netlink.c:1344\n netlink_sendmsg+0x4aa/0x5b0 net/netlink/af_netlink.c:1894\n sock_sendmsg_nosec net/socket.c:727 [inline]\n __sock_sendmsg+0xc9/0xf0 net/socket.c:742\n ____sys_sendmsg+0x272/0x3b0 net/socket.c:2592\n ___sys_sendmsg+0x2de/0x320 net/socket.c:2646\n __sys_sendmsg net/socket.c:2678 [inline]\n __do_sys_sendmsg net/socket.c:2683 [inline]\n __se_sys_sendmsg net/socket.c:2681 [inline]\n __x64_sys_sendmsg+0x110/0x1a0 net/socket.c:2681\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0x143/0x440 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n RIP: 0033:0x7f66346f826d\n Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 \u003c48\u003e 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48\n RSP: 002b:00007ffc83d8bdc8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e\n RAX: ffffffffffffffda RBX: 00007f6634985fa0 RCX: 00007f66346f826d\n RDX: 00000000040000b0 RSI: 0000200000000740 RDI: 0000000000000007\n RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000\n R10: 0000000000000000 R11: 0000000000000246 R12: 00007f6634985fa8\n R13: 00007f6634985fac R14: 0000000000000000 R15: 0000000000001770\n \u003c/TASK\u003e\n\nThe actions that caused that seem to be:\n\n - Set the MPTCP subflows limit to 0\n - Create an MPTCP endpoint with both the \u0027signal\u0027 and \u0027subflow\u0027 flags\n - Create a new MPTCP connection from a different address: an ADD_ADDR\n linked to the MPTCP endpoint will be sent (\u0027signal\u0027 flag), but no\n subflows is initiated (\u0027subflow\u0027 flag)\n - Remove the MPTCP endpoint\n\n---truncated---",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 3.3,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2026-23321"
},
{
"cve": "CVE-2026-23335",
"cwe": {
"id": "CWE-908",
"name": "Use of Uninitialized Resource"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/irdma: Fix kernel stack leak in irdma_create_user_ah()\n\nstruct irdma_create_ah_resp { // 8 bytes, no padding\n __u32 ah_id; // offset 0 - SET (uresp.ah_id = ah-\u003esc_ah.ah_info.ah_idx)\n __u8 rsvd[4]; // offset 4 - NEVER SET \u003c- LEAK\n};\n\nrsvd[4]: 4 bytes of stack memory leaked unconditionally. Only ah_id is assigned before ib_respond_udata().\n\nThe reserved members of the structure were not zeroed.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 3.3,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2026-23335"
},
{
"cve": "CVE-2026-23340",
"cwe": {
"id": "CWE-364",
"name": "Signal Handler Race Condition"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: sched: avoid qdisc_reset_all_tx_gt() vs dequeue race for lockless qdiscs\n\nWhen shrinking the number of real tx queues,\nnetif_set_real_num_tx_queues() calls qdisc_reset_all_tx_gt() to flush\nqdiscs for queues which will no longer be used.\n\nqdisc_reset_all_tx_gt() currently serializes qdisc_reset() with\nqdisc_lock(). However, for lockless qdiscs, the dequeue path is\nserialized by qdisc_run_begin/end() using qdisc-\u003eseqlock instead, so\nqdisc_reset() can run concurrently with __qdisc_run() and free skbs\nwhile they are still being dequeued, leading to UAF.\n\nThis can easily be reproduced on e.g. virtio-net by imposing heavy\ntraffic while frequently changing the number of queue pairs:\n\n iperf3 -ub0 -c $peer -t 0 \u0026\n while :; do\n ethtool -L eth0 combined 1\n ethtool -L eth0 combined 2\n done\n\nWith KASAN enabled, this leads to reports like:\n\n BUG: KASAN: slab-use-after-free in __qdisc_run+0x133f/0x1760\n ...\n Call Trace:\n \u003cTASK\u003e\n ...\n __qdisc_run+0x133f/0x1760\n __dev_queue_xmit+0x248f/0x3550\n ip_finish_output2+0xa42/0x2110\n ip_output+0x1a7/0x410\n ip_send_skb+0x2e6/0x480\n udp_send_skb+0xb0a/0x1590\n udp_sendmsg+0x13c9/0x1fc0\n ...\n \u003c/TASK\u003e\n\n Allocated by task 1270 on cpu 5 at 44.558414s:\n ...\n alloc_skb_with_frags+0x84/0x7c0\n sock_alloc_send_pskb+0x69a/0x830\n __ip_append_data+0x1b86/0x48c0\n ip_make_skb+0x1e8/0x2b0\n udp_sendmsg+0x13a6/0x1fc0\n ...\n\n Freed by task 1306 on cpu 3 at 44.558445s:\n ...\n kmem_cache_free+0x117/0x5e0\n pfifo_fast_reset+0x14d/0x580\n qdisc_reset+0x9e/0x5f0\n netif_set_real_num_tx_queues+0x303/0x840\n virtnet_set_channels+0x1bf/0x260 [virtio_net]\n ethnl_set_channels+0x684/0xae0\n ethnl_default_set_doit+0x31a/0x890\n ...\n\nSerialize qdisc_reset_all_tx_gt() against the lockless dequeue path by\ntaking qdisc-\u003eseqlock for TCQ_F_NOLOCK qdiscs, matching the\nserialization model already used by dev_reset_queue().\n\nAdditionally clear QDISC_STATE_NON_EMPTY after reset so the qdisc state\nreflects an empty queue, avoiding needless re-scheduling.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2026-23340"
},
{
"cve": "CVE-2026-23343",
"cwe": {
"id": "CWE-190",
"name": "Integer Overflow or Wraparound"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nxdp: produce a warning when calculated tailroom is negative\n\nMany ethernet drivers report xdp Rx queue frag size as being the same as\nDMA write size. However, the only user of this field, namely\nbpf_xdp_frags_increase_tail(), clearly expects a truesize.\n\nSuch difference leads to unspecific memory corruption issues under certain\ncircumstances, e.g. in ixgbevf maximum DMA write size is 3 KB, so when\nrunning xskxceiver\u0027s XDP_ADJUST_TAIL_GROW_MULTI_BUFF, 6K packet fully uses\nall DMA-writable space in 2 buffers. This would be fine, if only\nrxq-\u003efrag_size was properly set to 4K, but value of 3K results in a\nnegative tailroom, because there is a non-zero page offset.\n\nWe are supposed to return -EINVAL and be done with it in such case, but due\nto tailroom being stored as an unsigned int, it is reported to be somewhere\nnear UINT_MAX, resulting in a tail being grown, even if the requested\noffset is too much (it is around 2K in the abovementioned test). This later\nleads to all kinds of unspecific calltraces.\n\n[ 7340.337579] xskxceiver[1440]: segfault at 1da718 ip 00007f4161aeac9d sp 00007f41615a6a00 error 6\n[ 7340.338040] xskxceiver[1441]: segfault at 7f410000000b ip 00000000004042b5 sp 00007f415bffecf0 error 4\n[ 7340.338179] in libc.so.6[61c9d,7f4161aaf000+160000]\n[ 7340.339230] in xskxceiver[42b5,400000+69000]\n[ 7340.340300] likely on CPU 6 (core 0, socket 6)\n[ 7340.340302] Code: ff ff 01 e9 f4 fe ff ff 0f 1f 44 00 00 4c 39 f0 74 73 31 c0 ba 01 00 00 00 f0 0f b1 17 0f 85 ba 00 00 00 49 8b 87 88 00 00 00 \u003c4c\u003e 89 70 08 eb cc 0f 1f 44 00 00 48 8d bd f0 fe ff ff 89 85 ec fe\n[ 7340.340888] likely on CPU 3 (core 0, socket 3)\n[ 7340.345088] Code: 00 00 00 ba 00 00 00 00 be 00 00 00 00 89 c7 e8 31 ca ff ff 89 45 ec 8b 45 ec 85 c0 78 07 b8 00 00 00 00 eb 46 e8 0b c8 ff ff \u003c8b\u003e 00 83 f8 69 74 24 e8 ff c7 ff ff 8b 00 83 f8 0b 74 18 e8 f3 c7\n[ 7340.404334] Oops: general protection fault, probably for non-canonical address 0x6d255010bdffc: 0000 [#1] SMP NOPTI\n[ 7340.405972] CPU: 7 UID: 0 PID: 1439 Comm: xskxceiver Not tainted 6.19.0-rc1+ #21 PREEMPT(lazy)\n[ 7340.408006] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.17.0-5.fc42 04/01/2014\n[ 7340.409716] RIP: 0010:lookup_swap_cgroup_id+0x44/0x80\n[ 7340.410455] Code: 83 f8 1c 73 39 48 ba ff ff ff ff ff ff ff 03 48 8b 04 c5 20 55 fa bd 48 21 d1 48 89 ca 83 e1 01 48 d1 ea c1 e1 04 48 8d 04 90 \u003c8b\u003e 00 48 83 c4 10 d3 e8 c3 cc cc cc cc 31 c0 e9 98 b7 dd 00 48 89\n[ 7340.412787] RSP: 0018:ffffcc5c04f7f6d0 EFLAGS: 00010202\n[ 7340.413494] RAX: 0006d255010bdffc RBX: ffff891f477895a8 RCX: 0000000000000010\n[ 7340.414431] RDX: 0001c17e3fffffff RSI: 00fa070000000000 RDI: 000382fc7fffffff\n[ 7340.415354] RBP: 00fa070000000000 R08: ffffcc5c04f7f8f8 R09: ffffcc5c04f7f7d0\n[ 7340.416283] R10: ffff891f4c1a7000 R11: ffffcc5c04f7f9c8 R12: ffffcc5c04f7f7d0\n[ 7340.417218] R13: 03ffffffffffffff R14: 00fa06fffffffe00 R15: ffff891f47789500\n[ 7340.418229] FS: 0000000000000000(0000) GS:ffff891ffdfaa000(0000) knlGS:0000000000000000\n[ 7340.419489] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 7340.420286] CR2: 00007f415bfffd58 CR3: 0000000103f03002 CR4: 0000000000772ef0\n[ 7340.421237] PKRU: 55555554\n[ 7340.421623] Call Trace:\n[ 7340.421987] \u003cTASK\u003e\n[ 7340.422309] ? softleaf_from_pte+0x77/0xa0\n[ 7340.422855] swap_pte_batch+0xa7/0x290\n[ 7340.423363] zap_nonpresent_ptes.constprop.0.isra.0+0xd1/0x270\n[ 7340.424102] zap_pte_range+0x281/0x580\n[ 7340.424607] zap_pmd_range.isra.0+0xc9/0x240\n[ 7340.425177] unmap_page_range+0x24d/0x420\n[ 7340.425714] unmap_vmas+0xa1/0x180\n[ 7340.426185] exit_mmap+0xe1/0x3b0\n[ 7340.426644] __mmput+0x41/0x150\n[ 7340.427098] exit_mm+0xb1/0x110\n[ 7340.427539] do_exit+0x1b2/0x460\n[ 7340.427992] do_group_exit+0x2d/0xc0\n[ 7340.428477] get_signal+0x79d/0x7e0\n[ 7340.428957] arch_do_signal_or_restart+0x34/0x100\n[ 7340.429571] exit_to_user_mode_loop+0x8e/0x4c0\n[ 7340.430159] do_syscall_64+0x188/\n---truncated---",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2026-23343"
},
{
"cve": "CVE-2026-23351",
"cwe": {
"id": "CWE-825",
"name": "Expired Pointer Dereference"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nft_set_pipapo: split gc into unlink and reclaim phase\n\nYiming Qian reports Use-after-free in the pipapo set type:\n Under a large number of expired elements, commit-time GC can run for a very\n long time in a non-preemptible context, triggering soft lockup warnings and\n RCU stall reports (local denial of service).\n\nWe must split GC in an unlink and a reclaim phase.\n\nWe cannot queue elements for freeing until pointers have been swapped.\nExpired elements are still exposed to both the packet path and userspace\ndumpers via the live copy of the data structure.\n\ncall_rcu() does not protect us: dump operations or element lookups starting\nafter call_rcu has fired can still observe the free\u0027d element, unless the\ncommit phase has made enough progress to swap the clone and live pointers\nbefore any new reader has picked up the old version.\n\nThis a similar approach as done recently for the rbtree backend in commit\n35f83a75529a (\"netfilter: nft_set_rbtree: don\u0027t gc elements on insert\").",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2026-23351"
},
{
"cve": "CVE-2026-23359",
"cwe": {
"id": "CWE-787",
"name": "Out-of-bounds Write"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix stack-out-of-bounds write in devmap\n\nget_upper_ifindexes() iterates over all upper devices and writes their\nindices into an array without checking bounds.\n\nAlso the callers assume that the max number of upper devices is\nMAX_NEST_DEV and allocate excluded_devices[1+MAX_NEST_DEV] on the stack,\nbut that assumption is not correct and the number of upper devices could\nbe larger than MAX_NEST_DEV (e.g., many macvlans), causing a\nstack-out-of-bounds write.\n\nAdd a max parameter to get_upper_ifindexes() to avoid the issue.\nWhen there are too many upper devices, return -EOVERFLOW and abort the\nredirect.\n\nTo reproduce, create more than MAX_NEST_DEV(8) macvlans on a device with\nan XDP program attached using BPF_F_BROADCAST | BPF_F_EXCLUDE_INGRESS.\nThen send a packet to the device to trigger the XDP redirect path.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2026-23359"
},
{
"cve": "CVE-2026-23365",
"cwe": {
"id": "CWE-1287",
"name": "Improper Validation of Specified Type of Input"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: usb: kalmia: validate USB endpoints\n\nThe kalmia driver should validate that the device it is probing has the\nproper number and types of USB endpoints it is expecting before it binds\nto it. If a malicious device were to not have the same urbs the driver\nwill crash later on when it blindly accesses these endpoints.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2026-23365"
},
{
"cve": "CVE-2026-23368",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: phy: register phy led_triggers during probe to avoid AB-BA deadlock\n\nThere is an AB-BA deadlock when both LEDS_TRIGGER_NETDEV and\nLED_TRIGGER_PHY are enabled:\n\n[ 1362.049207] [\u003c8054e4b8\u003e] led_trigger_register+0x5c/0x1fc \u003c-- Trying to get lock \"triggers_list_lock\" via down_write(\u0026triggers_list_lock);\n[ 1362.054536] [\u003c80662830\u003e] phy_led_triggers_register+0xd0/0x234\n[ 1362.060329] [\u003c8065e200\u003e] phy_attach_direct+0x33c/0x40c\n[ 1362.065489] [\u003c80651fc4\u003e] phylink_fwnode_phy_connect+0x15c/0x23c\n[ 1362.071480] [\u003c8066ee18\u003e] mtk_open+0x7c/0xba0\n[ 1362.075849] [\u003c806d714c\u003e] __dev_open+0x280/0x2b0\n[ 1362.080384] [\u003c806d7668\u003e] __dev_change_flags+0x244/0x24c\n[ 1362.085598] [\u003c806d7698\u003e] dev_change_flags+0x28/0x78\n[ 1362.090528] [\u003c807150e4\u003e] dev_ioctl+0x4c0/0x654 \u003c-- Hold lock \"rtnl_mutex\" by calling rtnl_lock();\n[ 1362.094985] [\u003c80694360\u003e] sock_ioctl+0x2f4/0x4e0\n[ 1362.099567] [\u003c802e9c4c\u003e] sys_ioctl+0x32c/0xd8c\n[ 1362.104022] [\u003c80014504\u003e] syscall_common+0x34/0x58\n\nHere LED_TRIGGER_PHY is registering LED triggers during phy_attach\nwhile holding RTNL and then taking triggers_list_lock.\n\n[ 1362.191101] [\u003c806c2640\u003e] register_netdevice_notifier+0x60/0x168 \u003c-- Trying to get lock \"rtnl_mutex\" via rtnl_lock();\n[ 1362.197073] [\u003c805504ac\u003e] netdev_trig_activate+0x194/0x1e4\n[ 1362.202490] [\u003c8054e28c\u003e] led_trigger_set+0x1d4/0x360 \u003c-- Hold lock \"triggers_list_lock\" by down_read(\u0026triggers_list_lock);\n[ 1362.207511] [\u003c8054eb38\u003e] led_trigger_write+0xd8/0x14c\n[ 1362.212566] [\u003c80381d98\u003e] sysfs_kf_bin_write+0x80/0xbc\n[ 1362.217688] [\u003c8037fcd8\u003e] kernfs_fop_write_iter+0x17c/0x28c\n[ 1362.223174] [\u003c802cbd70\u003e] vfs_write+0x21c/0x3c4\n[ 1362.227712] [\u003c802cc0c4\u003e] ksys_write+0x78/0x12c\n[ 1362.232164] [\u003c80014504\u003e] syscall_common+0x34/0x58\n\nHere LEDS_TRIGGER_NETDEV is being enabled on an LED. It first takes\ntriggers_list_lock and then RTNL. A classical AB-BA deadlock.\n\nphy_led_triggers_registers() does not require the RTNL, it does not\nmake any calls into the network stack which require protection. There\nis also no requirement the PHY has been attached to a MAC, the\ntriggers only make use of phydev state. This allows the call to\nphy_led_triggers_registers() to be placed elsewhere. PHY probe() and\nrelease() don\u0027t hold RTNL, so solving the AB-BA deadlock.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2026-23368"
},
{
"cve": "CVE-2026-23370",
"cwe": {
"id": "CWE-256",
"name": "Plaintext Storage of a Password"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nplatform/x86: dell-wmi-sysman: Don\u0027t hex dump plaintext password data\n\nset_new_password() hex dumps the entire buffer, which contains plaintext\npassword data, including current and new passwords. Remove the hex dump\nto avoid leaking credentials.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2026-23370"
},
{
"cve": "CVE-2026-23378",
"cwe": {
"id": "CWE-120",
"name": "Buffer Copy without Checking Size of Input (\u0027Classic Buffer Overflow\u0027)"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: act_ife: Fix metalist update behavior\n\nWhenever an ife action replace changes the metalist, instead of\nreplacing the old data on the metalist, the current ife code is appending\nthe new metadata. Aside from being innapropriate behavior, this may lead\nto an unbounded addition of metadata to the metalist which might cause an\nout of bounds error when running the encode op:\n\n[ 138.423369][ C1] ==================================================================\n[ 138.424317][ C1] BUG: KASAN: slab-out-of-bounds in ife_tlv_meta_encode (net/ife/ife.c:168)\n[ 138.424906][ C1] Write of size 4 at addr ffff8880077f4ffe by task ife_out_out_bou/255\n[ 138.425778][ C1] CPU: 1 UID: 0 PID: 255 Comm: ife_out_out_bou Not tainted 7.0.0-rc1-00169-gfbdfa8da05b6 #624 PREEMPT(full)\n[ 138.425795][ C1] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011\n[ 138.425800][ C1] Call Trace:\n[ 138.425804][ C1] \u003cIRQ\u003e\n[ 138.425808][ C1] dump_stack_lvl (lib/dump_stack.c:122)\n[ 138.425828][ C1] print_report (mm/kasan/report.c:379 mm/kasan/report.c:482)\n[ 138.425839][ C1] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)\n[ 138.425844][ C1] ? __virt_addr_valid (./arch/x86/include/asm/preempt.h:95 (discriminator 1) ./include/linux/rcupdate.h:975 (discriminator 1) ./include/linux/mmzone.h:2207 (discriminator 1) arch/x86/mm/physaddr.c:54 (discriminator 1))\n[ 138.425853][ C1] ? ife_tlv_meta_encode (net/ife/ife.c:168)\n[ 138.425859][ C1] kasan_report (mm/kasan/report.c:221 mm/kasan/report.c:597)\n[ 138.425868][ C1] ? ife_tlv_meta_encode (net/ife/ife.c:168)\n[ 138.425878][ C1] kasan_check_range (mm/kasan/generic.c:186 (discriminator 1) mm/kasan/generic.c:200 (discriminator 1))\n[ 138.425884][ C1] __asan_memset (mm/kasan/shadow.c:84 (discriminator 2))\n[ 138.425889][ C1] ife_tlv_meta_encode (net/ife/ife.c:168)\n[ 138.425893][ C1] ? ife_tlv_meta_encode (net/ife/ife.c:171)\n[ 138.425898][ C1] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)\n[ 138.425903][ C1] ife_encode_meta_u16 (net/sched/act_ife.c:57)\n[ 138.425910][ C1] ? __pfx_do_raw_spin_lock (kernel/locking/spinlock_debug.c:114)\n[ 138.425916][ C1] ? __asan_memcpy (mm/kasan/shadow.c:105 (discriminator 3))\n[ 138.425921][ C1] ? __pfx_ife_encode_meta_u16 (net/sched/act_ife.c:45)\n[ 138.425927][ C1] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)\n[ 138.425931][ C1] tcf_ife_act (net/sched/act_ife.c:847 net/sched/act_ife.c:879)\n\nTo solve this issue, fix the replace behavior by adding the metalist to\nthe ife rcu data structure.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2026-23378"
},
{
"cve": "CVE-2026-23379",
"cwe": {
"id": "CWE-190",
"name": "Integer Overflow or Wraparound"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: ets: fix divide by zero in the offload path\n\nOffloading ETS requires computing each class\u0027 WRR weight: this is done by\naveraging over the sums of quanta as \u0027q_sum\u0027 and \u0027q_psum\u0027. Using unsigned\nint, the same integer size as the individual DRR quanta, can overflow and\neven cause division by zero, like it happened in the following splat:\n\n Oops: divide error: 0000 [#1] SMP PTI\n CPU: 13 UID: 0 PID: 487 Comm: tc Tainted: G E 6.19.0-virtme #45 PREEMPT(full)\n Tainted: [E]=UNSIGNED_MODULE\n Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011\n RIP: 0010:ets_offload_change+0x11f/0x290 [sch_ets]\n Code: e4 45 31 ff eb 03 41 89 c7 41 89 cb 89 ce 83 f9 0f 0f 87 b7 00 00 00 45 8b 08 31 c0 45 01 cc 45 85 c9 74 09 41 6b c4 64 31 d2 \u003c41\u003e f7 f2 89 c2 44 29 fa 45 89 df 41 83 fb 0f 0f 87 c7 00 00 00 44\n RSP: 0018:ffffd0a180d77588 EFLAGS: 00010246\n RAX: 00000000ffffff38 RBX: ffff8d3d482ca000 RCX: 0000000000000000\n RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffd0a180d77660\n RBP: ffffd0a180d77690 R08: ffff8d3d482ca2d8 R09: 00000000fffffffe\n R10: 0000000000000000 R11: 0000000000000000 R12: 00000000fffffffe\n R13: ffff8d3d472f2000 R14: 0000000000000003 R15: 0000000000000000\n FS: 00007f440b6c2740(0000) GS:ffff8d3dc9803000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 000000003cdd2000 CR3: 0000000007b58002 CR4: 0000000000172ef0\n Call Trace:\n \u003cTASK\u003e\n ets_qdisc_change+0x870/0xf40 [sch_ets]\n qdisc_create+0x12b/0x540\n tc_modify_qdisc+0x6d7/0xbd0\n rtnetlink_rcv_msg+0x168/0x6b0\n netlink_rcv_skb+0x5c/0x110\n netlink_unicast+0x1d6/0x2b0\n netlink_sendmsg+0x22e/0x470\n ____sys_sendmsg+0x38a/0x3c0\n ___sys_sendmsg+0x99/0xe0\n __sys_sendmsg+0x8a/0xf0\n do_syscall_64+0x111/0xf80\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n RIP: 0033:0x7f440b81c77e\n Code: 4d 89 d8 e8 d4 bc 00 00 4c 8b 5d f8 41 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 11 c9 c3 0f 1f 80 00 00 00 00 48 8b 45 10 0f 05 \u003cc9\u003e c3 83 e2 39 83 fa 08 75 e7 e8 13 ff ff ff 0f 1f 00 f3 0f 1e fa\n RSP: 002b:00007fff951e4c10 EFLAGS: 00000202 ORIG_RAX: 000000000000002e\n RAX: ffffffffffffffda RBX: 0000000000481820 RCX: 00007f440b81c77e\n RDX: 0000000000000000 RSI: 00007fff951e4cd0 RDI: 0000000000000003\n RBP: 00007fff951e4c20 R08: 0000000000000000 R09: 0000000000000000\n R10: 0000000000000000 R11: 0000000000000202 R12: 00007fff951f4fa8\n R13: 00000000699ddede R14: 00007f440bb01000 R15: 0000000000486980\n \u003c/TASK\u003e\n Modules linked in: sch_ets(E) netdevsim(E)\n ---[ end trace 0000000000000000 ]---\n RIP: 0010:ets_offload_change+0x11f/0x290 [sch_ets]\n Code: e4 45 31 ff eb 03 41 89 c7 41 89 cb 89 ce 83 f9 0f 0f 87 b7 00 00 00 45 8b 08 31 c0 45 01 cc 45 85 c9 74 09 41 6b c4 64 31 d2 \u003c41\u003e f7 f2 89 c2 44 29 fa 45 89 df 41 83 fb 0f 0f 87 c7 00 00 00 44\n RSP: 0018:ffffd0a180d77588 EFLAGS: 00010246\n RAX: 00000000ffffff38 RBX: ffff8d3d482ca000 RCX: 0000000000000000\n RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffd0a180d77660\n RBP: ffffd0a180d77690 R08: ffff8d3d482ca2d8 R09: 00000000fffffffe\n R10: 0000000000000000 R11: 0000000000000000 R12: 00000000fffffffe\n R13: ffff8d3d472f2000 R14: 0000000000000003 R15: 0000000000000000\n FS: 00007f440b6c2740(0000) GS:ffff8d3dc9803000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 000000003cdd2000 CR3: 0000000007b58002 CR4: 0000000000172ef0\n Kernel panic - not syncing: Fatal exception\n Kernel Offset: 0x30000000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)\n ---[ end Kernel panic - not syncing: Fatal exception ]---\n\nFix this using 64-bit integers for \u0027q_sum\u0027 and \u0027q_psum\u0027.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2026-23379"
},
{
"cve": "CVE-2026-23381",
"cwe": {
"id": "CWE-824",
"name": "Access of Uninitialized Pointer"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: bridge: fix nd_tbl NULL dereference when IPv6 is disabled\n\nWhen booting with the \u0027ipv6.disable=1\u0027 parameter, the nd_tbl is never\ninitialized because inet6_init() exits before ndisc_init() is called\nwhich initializes it. Then, if neigh_suppress is enabled and an ICMPv6\nNeighbor Discovery packet reaches the bridge, br_do_suppress_nd() will\ndereference ipv6_stub-\u003end_tbl which is NULL, passing it to\nneigh_lookup(). This causes a kernel NULL pointer dereference.\n\n BUG: kernel NULL pointer dereference, address: 0000000000000268\n Oops: 0000 [#1] PREEMPT SMP NOPTI\n [...]\n RIP: 0010:neigh_lookup+0x16/0xe0\n [...]\n Call Trace:\n \u003cIRQ\u003e\n ? neigh_lookup+0x16/0xe0\n br_do_suppress_nd+0x160/0x290 [bridge]\n br_handle_frame_finish+0x500/0x620 [bridge]\n br_handle_frame+0x353/0x440 [bridge]\n __netif_receive_skb_core.constprop.0+0x298/0x1110\n __netif_receive_skb_one_core+0x3d/0xa0\n process_backlog+0xa0/0x140\n __napi_poll+0x2c/0x170\n net_rx_action+0x2c4/0x3a0\n handle_softirqs+0xd0/0x270\n do_softirq+0x3f/0x60\n\nFix this by replacing IS_ENABLED(IPV6) call with ipv6_mod_enabled() in\nthe callers. This is in essence disabling NS/NA suppression when IPv6 is\ndisabled.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2026-23381"
},
{
"cve": "CVE-2026-23391",
"cwe": {
"id": "CWE-911",
"name": "Improper Update of Reference Count"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: xt_CT: drop pending enqueued packets on template removal\n\nTemplates refer to objects that can go away while packets are sitting in\nnfqueue refer to:\n\n- helper, this can be an issue on module removal.\n- timeout policy, nfnetlink_cttimeout might remove it.\n\nThe use of templates with zone and event cache filter are safe, since\nthis just copies values.\n\nFlush these enqueued packets in case the template rule gets removed.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2026-23391"
},
{
"cve": "CVE-2026-23392",
"cwe": {
"id": "CWE-825",
"name": "Expired Pointer Dereference"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: release flowtable after rcu grace period on error\n\nCall synchronize_rcu() after unregistering the hooks from error path,\nsince a hook that already refers to this flowtable can be already\nregistered, exposing this flowtable to packet path and nfnetlink_hook\ncontrol plane.\n\nThis error path is rare, it should only happen by reaching the maximum\nnumber hooks or by failing to set up to hardware offload, just call\nsynchronize_rcu().\n\nThere is a check for already used device hooks by different flowtable\nthat could result in EEXIST at this late stage. The hook parser can be\nupdated to perform this check earlier to this error path really becomes\nrarely exercised.\n\nUncovered by KASAN reported as use-after-free from nfnetlink_hook path\nwhen dumping hooks.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2026-23392"
},
{
"cve": "CVE-2026-23397",
"cwe": {
"id": "CWE-130",
"name": "Improper Handling of Length Parameter Inconsistency"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfnetlink_osf: validate individual option lengths in fingerprints\n\nnfnl_osf_add_callback() validates opt_num bounds and string\nNUL-termination but does not check individual option length fields.\nA zero-length option causes nf_osf_match_one() to enter the option\nmatching loop even when foptsize sums to zero, which matches packets\nwith no TCP options where ctx-\u003eoptp is NULL:\n\n Oops: general protection fault\n KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]\n RIP: 0010:nf_osf_match_one (net/netfilter/nfnetlink_osf.c:98)\n Call Trace:\n nf_osf_match (net/netfilter/nfnetlink_osf.c:227)\n xt_osf_match_packet (net/netfilter/xt_osf.c:32)\n ipt_do_table (net/ipv4/netfilter/ip_tables.c:293)\n nf_hook_slow (net/netfilter/core.c:623)\n ip_local_deliver (net/ipv4/ip_input.c:262)\n ip_rcv (net/ipv4/ip_input.c:573)\n\nAdditionally, an MSS option (kind=2) with length \u003c 4 causes\nout-of-bounds reads when nf_osf_match_one() unconditionally accesses\noptp[2] and optp[3] for MSS value extraction. While RFC 9293\nsection 3.2 specifies that the MSS option is always exactly 4\nbytes (Kind=2, Length=4), the check uses \"\u003c 4\" rather than\n\"!= 4\" because lengths greater than 4 do not cause memory\nsafety issues -- the buffer is guaranteed to be at least\nfoptsize bytes by the ctx-\u003eoptsize == foptsize check.\n\nReject fingerprints where any option has zero length, or where an MSS\noption has length less than 4, at add time rather than trusting these\nvalues in the packet matching hot path.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 4.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2026-23397"
},
{
"cve": "CVE-2026-23398",
"cwe": {
"id": "CWE-476",
"name": "NULL Pointer Dereference"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nicmp: fix NULL pointer dereference in icmp_tag_validation()\n\nicmp_tag_validation() unconditionally dereferences the result of\nrcu_dereference(inet_protos[proto]) without checking for NULL.\nThe inet_protos[] array is sparse -- only about 15 of 256 protocol\nnumbers have registered handlers. When ip_no_pmtu_disc is set to 3\n(hardened PMTU mode) and the kernel receives an ICMP Fragmentation\nNeeded error with a quoted inner IP header containing an unregistered\nprotocol number, the NULL dereference causes a kernel panic in\nsoftirq context.\n\n Oops: general protection fault, probably for non-canonical address 0xdffffc0000000002: 0000 [#1] SMP KASAN NOPTI\n KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017]\n RIP: 0010:icmp_unreach (net/ipv4/icmp.c:1085 net/ipv4/icmp.c:1143)\n Call Trace:\n \u003cIRQ\u003e\n icmp_rcv (net/ipv4/icmp.c:1527)\n ip_protocol_deliver_rcu (net/ipv4/ip_input.c:207)\n ip_local_deliver_finish (net/ipv4/ip_input.c:242)\n ip_local_deliver (net/ipv4/ip_input.c:262)\n ip_rcv (net/ipv4/ip_input.c:573)\n __netif_receive_skb_one_core (net/core/dev.c:6164)\n process_backlog (net/core/dev.c:6628)\n handle_softirqs (kernel/softirq.c:561)\n \u003c/IRQ\u003e\n\nAdd a NULL check before accessing icmp_strict_tag_validation. If the\nprotocol has no registered handler, return false since it cannot\nperform strict tag validation.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2026-23398"
},
{
"cve": "CVE-2026-23414",
"cwe": {
"id": "CWE-911",
"name": "Improper Update of Reference Count"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\ntls: Purge async_hold in tls_decrypt_async_wait()\n\nThe async_hold queue pins encrypted input skbs while\nthe AEAD engine references their scatterlist data. Once\ntls_decrypt_async_wait() returns, every AEAD operation\nhas completed and the engine no longer references those\nskbs, so they can be freed unconditionally.\n\nA subsequent patch adds batch async decryption to\ntls_sw_read_sock(), introducing a new call site that\nmust drain pending AEAD operations and release held\nskbs. Move __skb_queue_purge(\u0026ctx-\u003easync_hold) into\ntls_decrypt_async_wait() so the purge is centralized\nand every caller -- recvmsg\u0027s drain path, the -EBUSY\nfallback in tls_do_decryption(), and the new read_sock\nbatch path -- releases held skbs on synchronization\nwithout each site managing the purge independently.\n\nThis fixes a leak when tls_strp_msg_hold() fails part-way through,\nafter having added some cloned skbs to the async_hold\nqueue. tls_decrypt_sg() will then call tls_decrypt_async_wait() to\nprocess all pending decrypts, and drop back to synchronous mode, but\ntls_sw_recvmsg() only flushes the async_hold queue when one record has\nbeen processed in \"fully-async\" mode, which may not be the case here.\n\n[pabeni@redhat.com: added leak comment]",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2026-23414"
},
{
"cve": "CVE-2026-23422",
"cwe": {
"id": "CWE-392",
"name": "Missing Report of Error Condition"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\ndpaa2-switch: Fix interrupt storm after receiving bad if_id in IRQ handler\n\nCommit 31a7a0bbeb00 (\"dpaa2-switch: add bounds check for if_id in IRQ\nhandler\") introduces a range check for if_id to avoid an out-of-bounds\naccess. If an out-of-bounds if_id is detected, the interrupt status is\nnot cleared. This may result in an interrupt storm.\n\nClear the interrupt status after detecting an out-of-bounds if_id to avoid\nthe problem.\n\nFound by an experimental AI code review agent at Google.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2026-23422"
},
{
"cve": "CVE-2026-23434",
"cwe": {
"id": "CWE-820",
"name": "Missing Synchronization"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nmtd: rawnand: serialize lock/unlock against other NAND operations\n\nnand_lock() and nand_unlock() call into chip-\u003eops.lock_area/unlock_area\nwithout holding the NAND device lock. On controllers that implement\nSET_FEATURES via multiple low-level PIO commands, these can race with\nconcurrent UBI/UBIFS background erase/write operations that hold the\ndevice lock, resulting in cmd_pending conflicts on the NAND controller.\n\nAdd nand_get_device()/nand_release_device() around the lock/unlock\noperations to serialize them against all other NAND controller access.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2026-23434"
},
{
"cve": "CVE-2026-23438",
"cwe": {
"id": "CWE-476",
"name": "NULL Pointer Dereference"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: mvpp2: guard flow control update with global_tx_fc in buffer switching\n\nmvpp2_bm_switch_buffers() unconditionally calls\nmvpp2_bm_pool_update_priv_fc() when switching between per-cpu and\nshared buffer pool modes. This function programs CM3 flow control\nregisters via mvpp2_cm3_read()/mvpp2_cm3_write(), which dereference\npriv-\u003ecm3_base without any NULL check.\n\nWhen the CM3 SRAM resource is not present in the device tree (the\nthird reg entry added by commit 60523583b07c (\"dts: marvell: add CM3\nSRAM memory to cp11x ethernet device tree\")), priv-\u003ecm3_base remains\nNULL and priv-\u003eglobal_tx_fc is false. Any operation that triggers\nmvpp2_bm_switch_buffers(), for example an MTU change that crosses\nthe jumbo frame threshold, will crash:\n\n Unable to handle kernel NULL pointer dereference at\n virtual address 0000000000000000\n Mem abort info:\n ESR = 0x0000000096000006\n EC = 0x25: DABT (current EL), IL = 32 bits\n pc : readl+0x0/0x18\n lr : mvpp2_cm3_read.isra.0+0x14/0x20\n Call trace:\n readl+0x0/0x18\n mvpp2_bm_pool_update_fc+0x40/0x12c\n mvpp2_bm_pool_update_priv_fc+0x94/0xd8\n mvpp2_bm_switch_buffers.isra.0+0x80/0x1c0\n mvpp2_change_mtu+0x140/0x380\n __dev_set_mtu+0x1c/0x38\n dev_set_mtu_ext+0x78/0x118\n dev_set_mtu+0x48/0xa8\n dev_ifsioc+0x21c/0x43c\n dev_ioctl+0x2d8/0x42c\n sock_ioctl+0x314/0x378\n\nEvery other flow control call site in the driver already guards\nhardware access with either priv-\u003eglobal_tx_fc or port-\u003etx_fc.\nmvpp2_bm_switch_buffers() is the only place that omits this check.\n\nAdd the missing priv-\u003eglobal_tx_fc guard to both the disable and\nre-enable calls in mvpp2_bm_switch_buffers(), consistent with the\nrest of the driver.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2026-23438"
},
{
"cve": "CVE-2026-23439",
"cwe": {
"id": "CWE-476",
"name": "NULL Pointer Dereference"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nudp_tunnel: fix NULL deref caused by udp_sock_create6 when CONFIG_IPV6=n\n\nWhen CONFIG_IPV6 is disabled, the udp_sock_create6() function returns 0\n(success) without actually creating a socket. Callers such as\nfou_create() then proceed to dereference the uninitialized socket\npointer, resulting in a NULL pointer dereference.\n\nThe captured NULL deref crash:\n BUG: kernel NULL pointer dereference, address: 0000000000000018\n RIP: 0010:fou_nl_add_doit (net/ipv4/fou_core.c:590 net/ipv4/fou_core.c:764)\n [...]\n Call Trace:\n \u003cTASK\u003e\n genl_family_rcv_msg_doit.constprop.0 (net/netlink/genetlink.c:1114)\n genl_rcv_msg (net/netlink/genetlink.c:1194 net/netlink/genetlink.c:1209)\n [...]\n netlink_rcv_skb (net/netlink/af_netlink.c:2550)\n genl_rcv (net/netlink/genetlink.c:1219)\n netlink_unicast (net/netlink/af_netlink.c:1319 net/netlink/af_netlink.c:1344)\n netlink_sendmsg (net/netlink/af_netlink.c:1894)\n __sock_sendmsg (net/socket.c:727 (discriminator 1) net/socket.c:742 (discriminator 1))\n __sys_sendto (./include/linux/file.h:62 (discriminator 1) ./include/linux/file.h:83 (discriminator 1) net/socket.c:2183 (discriminator 1))\n __x64_sys_sendto (net/socket.c:2213 (discriminator 1) net/socket.c:2209 (discriminator 1) net/socket.c:2209 (discriminator 1))\n do_syscall_64 (arch/x86/entry/syscall_64.c:63 (discriminator 1) arch/x86/entry/syscall_64.c:94 (discriminator 1))\n entry_SYSCALL_64_after_hwframe (net/arch/x86/entry/entry_64.S:130)\n\nThis patch makes udp_sock_create6 return -EPFNOSUPPORT instead, so\ncallers correctly take their error paths. There is only one caller of\nthe vulnerable function and only privileged users can trigger it.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2026-23439"
},
{
"cve": "CVE-2026-23446",
"cwe": {
"id": "CWE-833",
"name": "Deadlock"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: usb: aqc111: Do not perform PM inside suspend callback\n\nsyzbot reports \"task hung in rpm_resume\"\n\nThis is caused by aqc111_suspend calling\nthe PM variant of its write_cmd routine.\n\nThe simplified call trace looks like this:\n\nrpm_suspend()\n usb_suspend_both() - here udev-\u003edev.power.runtime_status == RPM_SUSPENDING\n aqc111_suspend() - called for the usb device interface\n aqc111_write32_cmd()\n usb_autopm_get_interface()\n pm_runtime_resume_and_get()\n rpm_resume() - here we call rpm_resume() on our parent\n rpm_resume() - Here we wait for a status change that will never happen.\n\nAt this point we block another task which holds\nrtnl_lock and locks up the whole networking stack.\n\nFix this by replacing the write_cmd calls with their _nopm variants",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2026-23446"
},
{
"cve": "CVE-2026-23449",
"cwe": {
"id": "CWE-367",
"name": "Time-of-check Time-of-use (TOCTOU) Race Condition"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: teql: Fix double-free in teql_master_xmit\n\nWhenever a TEQL devices has a lockless Qdisc as root, qdisc_reset should\nbe called using the seq_lock to avoid racing with the datapath. Failure\nto do so may cause crashes like the following:\n\n[ 238.028993][ T318] BUG: KASAN: double-free in skb_release_data (net/core/skbuff.c:1139)\n[ 238.029328][ T318] Free of addr ffff88810c67ec00 by task poc_teql_uaf_ke/318\n[ 238.029749][ T318]\n[ 238.029900][ T318] CPU: 3 UID: 0 PID: 318 Comm: poc_teql_ke Not tainted 7.0.0-rc3-00149-ge5b31d988a41 #704 PREEMPT(full)\n[ 238.029906][ T318] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011\n[ 238.029910][ T318] Call Trace:\n[ 238.029913][ T318] \u003cTASK\u003e\n[ 238.029916][ T318] dump_stack_lvl (lib/dump_stack.c:122)\n[ 238.029928][ T318] print_report (mm/kasan/report.c:379 mm/kasan/report.c:482)\n[ 238.029940][ T318] ? skb_release_data (net/core/skbuff.c:1139)\n[ 238.029944][ T318] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)\n...\n[ 238.029957][ T318] ? skb_release_data (net/core/skbuff.c:1139)\n[ 238.029969][ T318] kasan_report_invalid_free (mm/kasan/report.c:221 mm/kasan/report.c:563)\n[ 238.029979][ T318] ? skb_release_data (net/core/skbuff.c:1139)\n[ 238.029989][ T318] check_slab_allocation (mm/kasan/common.c:231)\n[ 238.029995][ T318] kmem_cache_free (mm/slub.c:2637 (discriminator 1) mm/slub.c:6168 (discriminator 1) mm/slub.c:6298 (discriminator 1))\n[ 238.030004][ T318] skb_release_data (net/core/skbuff.c:1139)\n...\n[ 238.030025][ T318] sk_skb_reason_drop (net/core/skbuff.c:1256)\n[ 238.030032][ T318] pfifo_fast_reset (./include/linux/ptr_ring.h:171 ./include/linux/ptr_ring.h:309 ./include/linux/skb_array.h:98 net/sched/sch_generic.c:827)\n[ 238.030039][ T318] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)\n...\n[ 238.030054][ T318] qdisc_reset (net/sched/sch_generic.c:1034)\n[ 238.030062][ T318] teql_destroy (./include/linux/spinlock.h:395 net/sched/sch_teql.c:157)\n[ 238.030071][ T318] __qdisc_destroy (./include/net/pkt_sched.h:328 net/sched/sch_generic.c:1077)\n[ 238.030077][ T318] qdisc_graft (net/sched/sch_api.c:1062 net/sched/sch_api.c:1053 net/sched/sch_api.c:1159)\n[ 238.030089][ T318] ? __pfx_qdisc_graft (net/sched/sch_api.c:1091)\n[ 238.030095][ T318] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)\n[ 238.030102][ T318] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)\n[ 238.030106][ T318] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)\n[ 238.030114][ T318] tc_get_qdisc (net/sched/sch_api.c:1529 net/sched/sch_api.c:1556)\n...\n[ 238.072958][ T318] Allocated by task 303 on cpu 5 at 238.026275s:\n[ 238.073392][ T318] kasan_save_stack (mm/kasan/common.c:58)\n[ 238.073884][ T318] kasan_save_track (mm/kasan/common.c:64 (discriminator 5) mm/kasan/common.c:79 (discriminator 5))\n[ 238.074230][ T318] __kasan_slab_alloc (mm/kasan/common.c:369)\n[ 238.074578][ T318] kmem_cache_alloc_node_noprof (./include/linux/kasan.h:253 mm/slub.c:4542 mm/slub.c:4869 mm/slub.c:4921)\n[ 238.076091][ T318] kmalloc_reserve (net/core/skbuff.c:616 (discriminator 107))\n[ 238.076450][ T318] __alloc_skb (net/core/skbuff.c:713)\n[ 238.076834][ T318] alloc_skb_with_frags (./include/linux/skbuff.h:1383 net/core/skbuff.c:6763)\n[ 238.077178][ T318] sock_alloc_send_pskb (net/core/sock.c:2997)\n[ 238.077520][ T318] packet_sendmsg (net/packet/af_packet.c:2926 net/packet/af_packet.c:3019 net/packet/af_packet.c:3108)\n[ 238.081469][ T318]\n[ 238.081870][ T318] Freed by task 299 on cpu 1 at 238.028496s:\n[ 238.082761][ T318] kasan_save_stack (mm/kasan/common.c:58)\n[ 238.083481][ T318] kasan_save_track (mm/kasan/common.c:64 (discriminator 5) mm/kasan/common.c:79 (discriminator 5))\n[ 238.085348][ T318] kasan_save_free_info (mm/kasan/generic.c:587 (discriminator 1))\n[ 238.085900][ T318] __kasan_slab_free (mm/\n---truncated---",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2026-23449"
},
{
"cve": "CVE-2026-23450",
"cwe": {
"id": "CWE-476",
"name": "NULL Pointer Dereference"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/smc: fix NULL dereference and UAF in smc_tcp_syn_recv_sock()\n\nSyzkaller reported a panic in smc_tcp_syn_recv_sock() [1].\n\nsmc_tcp_syn_recv_sock() is called in the TCP receive path\n(softirq) via icsk_af_ops-\u003esyn_recv_sock on the clcsock (TCP\nlistening socket). It reads sk_user_data to get the smc_sock\npointer. However, when the SMC listen socket is being closed\nconcurrently, smc_close_active() sets clcsock-\u003esk_user_data\nto NULL under sk_callback_lock, and then the smc_sock itself\ncan be freed via sock_put() in smc_release().\n\nThis leads to two issues:\n\n1) NULL pointer dereference: sk_user_data is NULL when\n accessed.\n2) Use-after-free: sk_user_data is read as non-NULL, but the\n smc_sock is freed before its fields (e.g., queued_smc_hs,\n ori_af_ops) are accessed.\n\nThe race window looks like this (the syzkaller crash [1]\ntriggers via the SYN cookie path: tcp_get_cookie_sock() -\u003e\nsmc_tcp_syn_recv_sock(), but the normal tcp_check_req() path\nhas the same race):\n\n CPU A (softirq) CPU B (process ctx)\n\n tcp_v4_rcv()\n TCP_NEW_SYN_RECV:\n sk = req-\u003ersk_listener\n sock_hold(sk)\n /* No lock on listener */\n smc_close_active():\n write_lock_bh(cb_lock)\n sk_user_data = NULL\n write_unlock_bh(cb_lock)\n ...\n smc_clcsock_release()\n sock_put(smc-\u003esk) x2\n -\u003e smc_sock freed!\n tcp_check_req()\n smc_tcp_syn_recv_sock():\n smc = user_data(sk)\n -\u003e NULL or dangling\n smc-\u003equeued_smc_hs\n -\u003e crash!\n\nNote that the clcsock and smc_sock are two independent objects\nwith separate refcounts. TCP stack holds a reference on the\nclcsock, which keeps it alive, but this does NOT prevent the\nsmc_sock from being freed.\n\nFix this by using RCU and refcount_inc_not_zero() to safely\naccess smc_sock. Since smc_tcp_syn_recv_sock() is called in\nthe TCP three-way handshake path, taking read_lock_bh on\nsk_callback_lock is too heavy and would not survive a SYN\nflood attack. Using rcu_read_lock() is much more lightweight.\n\n- Set SOCK_RCU_FREE on the SMC listen socket so that\n smc_sock freeing is deferred until after the RCU grace\n period. This guarantees the memory is still valid when\n accessed inside rcu_read_lock().\n- Use rcu_read_lock() to protect reading sk_user_data.\n- Use refcount_inc_not_zero(\u0026smc-\u003esk.sk_refcnt) to pin the\n smc_sock. If the refcount has already reached zero (close\n path completed), it returns false and we bail out safely.\n\nNote: smc_hs_congested() has a similar lockless read of\nsk_user_data without rcu_read_lock(), but it only checks for\nNULL and accesses the global smc_hs_wq, never dereferencing\nany smc_sock field, so it is not affected.\n\nReproducer was verified with mdelay injection and smc_run,\nthe issue no longer occurs with this patch applied.\n\n[1] https://syzkaller.appspot.com/bug?extid=827ae2bfb3a3529333e9",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2026-23450"
},
{
"cve": "CVE-2026-23452",
"cwe": {
"id": "CWE-364",
"name": "Signal Handler Race Condition"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nPM: runtime: Fix a race condition related to device removal\n\nThe following code in pm_runtime_work() may dereference the dev-\u003eparent\npointer after the parent device has been freed:\n\n\t/* Maybe the parent is now able to suspend. */\n\tif (parent \u0026\u0026 !parent-\u003epower.ignore_children) {\n\t\tspin_unlock(\u0026dev-\u003epower.lock);\n\n\t\tspin_lock(\u0026parent-\u003epower.lock);\n\t\trpm_idle(parent, RPM_ASYNC);\n\t\tspin_unlock(\u0026parent-\u003epower.lock);\n\n\t\tspin_lock(\u0026dev-\u003epower.lock);\n\t}\n\nFix this by inserting a flush_work() call in pm_runtime_remove().\n\nWithout this patch blktest block/001 triggers the following complaint\nsporadically:\n\nBUG: KASAN: slab-use-after-free in lock_acquire+0x70/0x160\nRead of size 1 at addr ffff88812bef7198 by task kworker/u553:1/3081\nWorkqueue: pm pm_runtime_work\nCall Trace:\n \u003cTASK\u003e\n dump_stack_lvl+0x61/0x80\n print_address_description.constprop.0+0x8b/0x310\n print_report+0xfd/0x1d7\n kasan_report+0xd8/0x1d0\n __kasan_check_byte+0x42/0x60\n lock_acquire.part.0+0x38/0x230\n lock_acquire+0x70/0x160\n _raw_spin_lock+0x36/0x50\n rpm_suspend+0xc6a/0xfe0\n rpm_idle+0x578/0x770\n pm_runtime_work+0xee/0x120\n process_one_work+0xde3/0x1410\n worker_thread+0x5eb/0xfe0\n kthread+0x37b/0x480\n ret_from_fork+0x6cb/0x920\n ret_from_fork_asm+0x11/0x20\n \u003c/TASK\u003e\n\nAllocated by task 4314:\n kasan_save_stack+0x2a/0x50\n kasan_save_track+0x18/0x40\n kasan_save_alloc_info+0x3d/0x50\n __kasan_kmalloc+0xa0/0xb0\n __kmalloc_noprof+0x311/0x990\n scsi_alloc_target+0x122/0xb60 [scsi_mod]\n __scsi_scan_target+0x101/0x460 [scsi_mod]\n scsi_scan_channel+0x179/0x1c0 [scsi_mod]\n scsi_scan_host_selected+0x259/0x2d0 [scsi_mod]\n store_scan+0x2d2/0x390 [scsi_mod]\n dev_attr_store+0x43/0x80\n sysfs_kf_write+0xde/0x140\n kernfs_fop_write_iter+0x3ef/0x670\n vfs_write+0x506/0x1470\n ksys_write+0xfd/0x230\n __x64_sys_write+0x76/0xc0\n x64_sys_call+0x213/0x1810\n do_syscall_64+0xee/0xfc0\n entry_SYSCALL_64_after_hwframe+0x4b/0x53\n\nFreed by task 4314:\n kasan_save_stack+0x2a/0x50\n kasan_save_track+0x18/0x40\n kasan_save_free_info+0x3f/0x50\n __kasan_slab_free+0x67/0x80\n kfree+0x225/0x6c0\n scsi_target_dev_release+0x3d/0x60 [scsi_mod]\n device_release+0xa3/0x220\n kobject_cleanup+0x105/0x3a0\n kobject_put+0x72/0xd0\n put_device+0x17/0x20\n scsi_device_dev_release+0xacf/0x12c0 [scsi_mod]\n device_release+0xa3/0x220\n kobject_cleanup+0x105/0x3a0\n kobject_put+0x72/0xd0\n put_device+0x17/0x20\n scsi_device_put+0x7f/0xc0 [scsi_mod]\n sdev_store_delete+0xa5/0x120 [scsi_mod]\n dev_attr_store+0x43/0x80\n sysfs_kf_write+0xde/0x140\n kernfs_fop_write_iter+0x3ef/0x670\n vfs_write+0x506/0x1470\n ksys_write+0xfd/0x230\n __x64_sys_write+0x76/0xc0\n x64_sys_call+0x213/0x1810",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2026-23452"
},
{
"cve": "CVE-2026-23454",
"cwe": {
"id": "CWE-825",
"name": "Expired Pointer Dereference"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: mana: fix use-after-free in mana_hwc_destroy_channel() by reordering teardown\n\nA potential race condition exists in mana_hwc_destroy_channel() where\nhwc-\u003ecaller_ctx is freed before the HWC\u0027s Completion Queue (CQ) and\nEvent Queue (EQ) are destroyed. This allows an in-flight CQ interrupt\nhandler to dereference freed memory, leading to a use-after-free or\nNULL pointer dereference in mana_hwc_handle_resp().\n\nmana_smc_teardown_hwc() signals the hardware to stop but does not\nsynchronize against IRQ handlers already executing on other CPUs. The\nIRQ synchronization only happens in mana_hwc_destroy_cq() via\nmana_gd_destroy_eq() -\u003e mana_gd_deregister_irq(). Since this runs\nafter kfree(hwc-\u003ecaller_ctx), a concurrent mana_hwc_rx_event_handler()\ncan dereference freed caller_ctx (and rxq-\u003emsg_buf) in\nmana_hwc_handle_resp().\n\nFix this by reordering teardown to reverse-of-creation order: destroy\nthe TX/RX work queues and CQ/EQ before freeing hwc-\u003ecaller_ctx. This\nensures all in-flight interrupt handlers complete before the memory they\naccess is freed.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2026-23454"
},
{
"cve": "CVE-2026-23455",
"cwe": {
"id": "CWE-125",
"name": "Out-of-bounds Read"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_conntrack_h323: check for zero length in DecodeQ931()\n\nIn DecodeQ931(), the UserUserIE code path reads a 16-bit length from\nthe packet, then decrements it by 1 to skip the protocol discriminator\nbyte before passing it to DecodeH323_UserInformation(). If the encoded\nlength is 0, the decrement wraps to -1, which is then passed as a\nlarge value to the decoder, leading to an out-of-bounds read.\n\nAdd a check to ensure len is positive after the decrement.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2026-23455"
},
{
"cve": "CVE-2026-23456",
"cwe": {
"id": "CWE-125",
"name": "Out-of-bounds Read"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_conntrack_h323: fix OOB read in decode_int() CONS case\n\nIn decode_int(), the CONS case calls get_bits(bs, 2) to read a length\nvalue, then calls get_uint(bs, len) without checking that len bytes\nremain in the buffer. The existing boundary check only validates the\n2 bits for get_bits(), not the subsequent 1-4 bytes that get_uint()\nreads. This allows a malformed H.323/RAS packet to cause a 1-4 byte\nslab-out-of-bounds read.\n\nAdd a boundary check for len bytes after get_bits() and before\nget_uint().",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.2,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2026-23456"
},
{
"cve": "CVE-2026-23457",
"cwe": {
"id": "CWE-681",
"name": "Incorrect Conversion between Numeric Types"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_conntrack_sip: fix Content-Length u32 truncation in sip_help_tcp()\n\nsip_help_tcp() parses the SIP Content-Length header with\nsimple_strtoul(), which returns unsigned long, but stores the result in\nunsigned int clen. On 64-bit systems, values exceeding UINT_MAX are\nsilently truncated before computing the SIP message boundary.\n\nFor example, Content-Length 4294967328 (2^32 + 32) is truncated to 32,\ncausing the parser to miscalculate where the current message ends. The\nloop then treats trailing data in the TCP segment as a second SIP\nmessage and processes it through the SDP parser.\n\nFix this by changing clen to unsigned long to match the return type of\nsimple_strtoul(), and reject Content-Length values that exceed the\nremaining TCP payload length.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.6,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2026-23457"
},
{
"cve": "CVE-2026-23458",
"cwe": {
"id": "CWE-911",
"name": "Improper Update of Reference Count"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: ctnetlink: fix use-after-free in ctnetlink_dump_exp_ct()\n\nctnetlink_dump_exp_ct() stores a conntrack pointer in cb-\u003edata for the\nnetlink dump callback ctnetlink_exp_ct_dump_table(), but drops the\nconntrack reference immediately after netlink_dump_start(). When the\ndump spans multiple rounds, the second recvmsg() triggers the dump\ncallback which dereferences the now-freed conntrack via nfct_help(ct),\nleading to a use-after-free on ct-\u003eext.\n\nThe bug is that the netlink_dump_control has no .start or .done\ncallbacks to manage the conntrack reference across dump rounds. Other\ndump functions in the same file (e.g. ctnetlink_get_conntrack) properly\nuse .start/.done callbacks for this purpose.\n\nFix this by adding .start and .done callbacks that hold and release the\nconntrack reference for the duration of the dump, and move the\nnfct_help() call after the cb-\u003eargs[0] early-return check in the dump\ncallback to avoid dereferencing ct-\u003eext unnecessarily.\n\n BUG: KASAN: slab-use-after-free in ctnetlink_exp_ct_dump_table+0x4f/0x2e0\n Read of size 8 at addr ffff88810597ebf0 by task ctnetlink_poc/133\n\n CPU: 1 UID: 0 PID: 133 Comm: ctnetlink_poc Not tainted 7.0.0-rc2+ #3 PREEMPTLAZY\n Call Trace:\n \u003cTASK\u003e\n ctnetlink_exp_ct_dump_table+0x4f/0x2e0\n netlink_dump+0x333/0x880\n netlink_recvmsg+0x3e2/0x4b0\n ? aa_sk_perm+0x184/0x450\n sock_recvmsg+0xde/0xf0\n\n Allocated by task 133:\n kmem_cache_alloc_noprof+0x134/0x440\n __nf_conntrack_alloc+0xa8/0x2b0\n ctnetlink_create_conntrack+0xa1/0x900\n ctnetlink_new_conntrack+0x3cf/0x7d0\n nfnetlink_rcv_msg+0x48e/0x510\n netlink_rcv_skb+0xc9/0x1f0\n nfnetlink_rcv+0xdb/0x220\n netlink_unicast+0x3ec/0x590\n netlink_sendmsg+0x397/0x690\n __sys_sendmsg+0xf4/0x180\n\n Freed by task 0:\n slab_free_after_rcu_debug+0xad/0x1e0\n rcu_core+0x5c3/0x9c0",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2026-23458"
},
{
"cve": "CVE-2026-23463",
"cwe": {
"id": "CWE-367",
"name": "Time-of-check Time-of-use (TOCTOU) Race Condition"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nsoc: fsl: qbman: fix race condition in qman_destroy_fq\n\nWhen QMAN_FQ_FLAG_DYNAMIC_FQID is set, there\u0027s a race condition between\nfq_table[fq-\u003eidx] state and freeing/allocating from the pool and\nWARN_ON(fq_table[fq-\u003eidx]) in qman_create_fq() gets triggered.\n\nIndeed, we can have:\n Thread A Thread B\n qman_destroy_fq() qman_create_fq()\n qman_release_fqid()\n qman_shutdown_fq()\n gen_pool_free()\n -- At this point, the fqid is available again --\n qman_alloc_fqid()\n -- so, we can get the just-freed fqid in thread B --\n fq-\u003efqid = fqid;\n fq-\u003eidx = fqid * 2;\n WARN_ON(fq_table[fq-\u003eidx]);\n fq_table[fq-\u003eidx] = fq;\n fq_table[fq-\u003eidx] = NULL;\n\nAnd adding some logs between qman_release_fqid() and\nfq_table[fq-\u003eidx] = NULL makes the WARN_ON() trigger a lot more.\n\nTo prevent that, ensure that fq_table[fq-\u003eidx] is set to NULL before\ngen_pool_free() is called by using smp_wmb().",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2026-23463"
},
{
"cve": "CVE-2026-23474",
"cwe": {
"id": "CWE-805",
"name": "Buffer Access with Incorrect Length Value"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nmtd: Avoid boot crash in RedBoot partition table parser\n\nGiven CONFIG_FORTIFY_SOURCE=y and a recent compiler,\ncommit 439a1bcac648 (\"fortify: Use __builtin_dynamic_object_size() when\navailable\") produces the warning below and an oops.\n\n Searching for RedBoot partition table in 50000000.flash at offset 0x7e0000\n ------------[ cut here ]------------\n WARNING: lib/string_helpers.c:1035 at 0xc029e04c, CPU#0: swapper/0/1\n memcmp: detected buffer overflow: 15 byte read of buffer size 14\n Modules linked in:\n CPU: 0 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.19.0 #1 NONE\n\nAs Kees said, \"\u0027names\u0027 is pointing to the final \u0027namelen\u0027 many bytes\nof the allocation ... \u0027namelen\u0027 could be basically any length at all.\nThis fortify warning looks legit to me -- this code used to be reading\nbeyond the end of the allocation.\"\n\nSince the size of the dynamic allocation is calculated with strlen()\nwe can use strcmp() instead of memcmp() and remain within bounds.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2026-23474"
},
{
"cve": "CVE-2026-23475",
"cwe": {
"id": "CWE-824",
"name": "Access of Uninitialized Pointer"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: fix statistics allocation\n\nThe controller per-cpu statistics is not allocated until after the\ncontroller has been registered with driver core, which leaves a window\nwhere accessing the sysfs attributes can trigger a NULL-pointer\ndereference.\n\nFix this by moving the statistics allocation to controller allocation\nwhile tying its lifetime to that of the controller (rather than using\nimplicit devres).",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2026-23475"
},
{
"cve": "CVE-2026-27135",
"cwe": {
"id": "CWE-617",
"name": "Reachable Assertion"
},
"notes": [
{
"category": "description",
"text": "nghttp2 is an implementation of the Hypertext Transfer Protocol version 2 in C. Prior to version 1.68.1, the nghttp2 library stops reading the incoming data when user facing public API `nghttp2_session_terminate_session` or `nghttp2_session_terminate_session2` is called by the application. They might be called internally by the library when it detects the situation that is subject to connection error. Due to the missing internal state validation, the library keeps reading the rest of the data after one of those APIs is called. Then receiving a malformed frame that causes FRAME_SIZE_ERROR causes assertion failure. nghttp2 v1.68.1 adds missing state validation to avoid assertion failure. No known workarounds are available.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2026-27135"
},
{
"cve": "CVE-2026-31389",
"cwe": {
"id": "CWE-825",
"name": "Expired Pointer Dereference"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: fix use-after-free on controller registration failure\n\nMake sure to deregister from driver core also in the unlikely event that\nper-cpu statistics allocation fails during controller registration to\navoid use-after-free (of driver resources) and unclocked register\naccesses.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2026-31389"
},
{
"cve": "CVE-2026-31391",
"cwe": {
"id": "CWE-911",
"name": "Improper Update of Reference Count"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: atmel-sha204a - Fix OOM -\u003etfm_count leak\n\nIf memory allocation fails, decrement -\u003etfm_count to avoid blocking\nfuture reads.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2026-31391"
},
{
"cve": "CVE-2026-31396",
"cwe": {
"id": "CWE-825",
"name": "Expired Pointer Dereference"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: macb: fix use-after-free access to PTP clock\n\nPTP clock is registered on every opening of the interface and destroyed on\nevery closing. However it may be accessed via get_ts_info ethtool call\nwhich is possible while the interface is just present in the kernel.\n\nBUG: KASAN: use-after-free in ptp_clock_index+0x47/0x50 drivers/ptp/ptp_clock.c:426\nRead of size 4 at addr ffff8880194345cc by task syz.0.6/948\n\nCPU: 1 PID: 948 Comm: syz.0.6 Not tainted 6.1.164+ #109\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.1-0-g3208b098f51a-prebuilt.qemu.org 04/01/2014\nCall Trace:\n \u003cTASK\u003e\n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0x8d/0xba lib/dump_stack.c:106\n print_address_description mm/kasan/report.c:316 [inline]\n print_report+0x17f/0x496 mm/kasan/report.c:420\n kasan_report+0xd9/0x180 mm/kasan/report.c:524\n ptp_clock_index+0x47/0x50 drivers/ptp/ptp_clock.c:426\n gem_get_ts_info+0x138/0x1e0 drivers/net/ethernet/cadence/macb_main.c:3349\n macb_get_ts_info+0x68/0xb0 drivers/net/ethernet/cadence/macb_main.c:3371\n __ethtool_get_ts_info+0x17c/0x260 net/ethtool/common.c:558\n ethtool_get_ts_info net/ethtool/ioctl.c:2367 [inline]\n __dev_ethtool net/ethtool/ioctl.c:3017 [inline]\n dev_ethtool+0x2b05/0x6290 net/ethtool/ioctl.c:3095\n dev_ioctl+0x637/0x1070 net/core/dev_ioctl.c:510\n sock_do_ioctl+0x20d/0x2c0 net/socket.c:1215\n sock_ioctl+0x577/0x6d0 net/socket.c:1320\n vfs_ioctl fs/ioctl.c:51 [inline]\n __do_sys_ioctl fs/ioctl.c:870 [inline]\n __se_sys_ioctl fs/ioctl.c:856 [inline]\n __x64_sys_ioctl+0x18c/0x210 fs/ioctl.c:856\n do_syscall_x64 arch/x86/entry/common.c:46 [inline]\n do_syscall_64+0x35/0x80 arch/x86/entry/common.c:76\n entry_SYSCALL_64_after_hwframe+0x6e/0xd8\n \u003c/TASK\u003e\n\nAllocated by task 457:\n kmalloc include/linux/slab.h:563 [inline]\n kzalloc include/linux/slab.h:699 [inline]\n ptp_clock_register+0x144/0x10e0 drivers/ptp/ptp_clock.c:235\n gem_ptp_init+0x46f/0x930 drivers/net/ethernet/cadence/macb_ptp.c:375\n macb_open+0x901/0xd10 drivers/net/ethernet/cadence/macb_main.c:2920\n __dev_open+0x2ce/0x500 net/core/dev.c:1501\n __dev_change_flags+0x56a/0x740 net/core/dev.c:8651\n dev_change_flags+0x92/0x170 net/core/dev.c:8722\n do_setlink+0xaf8/0x3a80 net/core/rtnetlink.c:2833\n __rtnl_newlink+0xbf4/0x1940 net/core/rtnetlink.c:3608\n rtnl_newlink+0x63/0xa0 net/core/rtnetlink.c:3655\n rtnetlink_rcv_msg+0x3c6/0xed0 net/core/rtnetlink.c:6150\n netlink_rcv_skb+0x15d/0x430 net/netlink/af_netlink.c:2511\n netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline]\n netlink_unicast+0x6d7/0xa30 net/netlink/af_netlink.c:1344\n netlink_sendmsg+0x97e/0xeb0 net/netlink/af_netlink.c:1872\n sock_sendmsg_nosec net/socket.c:718 [inline]\n __sock_sendmsg+0x14b/0x180 net/socket.c:730\n __sys_sendto+0x320/0x3b0 net/socket.c:2152\n __do_sys_sendto net/socket.c:2164 [inline]\n __se_sys_sendto net/socket.c:2160 [inline]\n __x64_sys_sendto+0xdc/0x1b0 net/socket.c:2160\n do_syscall_x64 arch/x86/entry/common.c:46 [inline]\n do_syscall_64+0x35/0x80 arch/x86/entry/common.c:76\n entry_SYSCALL_64_after_hwframe+0x6e/0xd8\n\nFreed by task 938:\n kasan_slab_free include/linux/kasan.h:177 [inline]\n slab_free_hook mm/slub.c:1729 [inline]\n slab_free_freelist_hook mm/slub.c:1755 [inline]\n slab_free mm/slub.c:3687 [inline]\n __kmem_cache_free+0xbc/0x320 mm/slub.c:3700\n device_release+0xa0/0x240 drivers/base/core.c:2507\n kobject_cleanup lib/kobject.c:681 [inline]\n kobject_release lib/kobject.c:712 [inline]\n kref_put include/linux/kref.h:65 [inline]\n kobject_put+0x1cd/0x350 lib/kobject.c:729\n put_device+0x1b/0x30 drivers/base/core.c:3805\n ptp_clock_unregister+0x171/0x270 drivers/ptp/ptp_clock.c:391\n gem_ptp_remove+0x4e/0x1f0 drivers/net/ethernet/cadence/macb_ptp.c:404\n macb_close+0x1c8/0x270 drivers/net/ethernet/cadence/macb_main.c:2966\n __dev_close_many+0x1b9/0x310 net/core/dev.c:1585\n __dev_close net/core/dev.c:1597 [inline]\n __dev_change_flags+0x2bb/0x740 net/core/dev.c:8649\n dev_change_fl\n---truncated---",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2026-31396"
},
{
"cve": "CVE-2026-31402",
"cwe": {
"id": "CWE-787",
"name": "Out-of-bounds Write"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfsd: fix heap overflow in NFSv4.0 LOCK replay cache\n\nThe NFSv4.0 replay cache uses a fixed 112-byte inline buffer\n(rp_ibuf[NFSD4_REPLAY_ISIZE]) to store encoded operation responses.\nThis size was calculated based on OPEN responses and does not account\nfor LOCK denied responses, which include the conflicting lock owner as\na variable-length field up to 1024 bytes (NFS4_OPAQUE_LIMIT).\n\nWhen a LOCK operation is denied due to a conflict with an existing lock\nthat has a large owner, nfsd4_encode_operation() copies the full encoded\nresponse into the undersized replay buffer via read_bytes_from_xdr_buf()\nwith no bounds check. This results in a slab-out-of-bounds write of up\nto 944 bytes past the end of the buffer, corrupting adjacent heap memory.\n\nThis can be triggered remotely by an unauthenticated attacker with two\ncooperating NFSv4.0 clients: one sets a lock with a large owner string,\nthen the other requests a conflicting lock to provoke the denial.\n\nWe could fix this by increasing NFSD4_REPLAY_ISIZE to allow for a full\nopaque, but that would increase the size of every stateowner, when most\nlockowners are not that large.\n\nInstead, fix this by checking the encoded response length against\nNFSD4_REPLAY_ISIZE before copying into the replay buffer. If the\nresponse is too large, set rp_buflen to 0 to skip caching the replay\npayload. The status is still cached, and the client already received the\ncorrect response on the original request.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2026-31402"
},
{
"cve": "CVE-2026-31403",
"cwe": {
"id": "CWE-825",
"name": "Expired Pointer Dereference"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nNFSD: Hold net reference for the lifetime of /proc/fs/nfs/exports fd\n\nThe /proc/fs/nfs/exports proc entry is created at module init\nand persists for the module\u0027s lifetime. exports_proc_open()\ncaptures the caller\u0027s current network namespace and stores\nits svc_export_cache in seq-\u003eprivate, but takes no reference\non the namespace. If the namespace is subsequently torn down\n(e.g. container destruction after the opener does setns() to a\ndifferent namespace), nfsd_net_exit() calls nfsd_export_shutdown()\nwhich frees the cache. Subsequent reads on the still-open fd\ndereference the freed cache_detail, walking a freed hash table.\n\nHold a reference on the struct net for the lifetime of the open\nfile descriptor. This prevents nfsd_net_exit() from running --\nand thus prevents nfsd_export_shutdown() from freeing the cache\n-- while any exports fd is open. cache_detail already stores\nits net pointer (cd-\u003enet, set by cache_create_net()), so\nexports_release() can retrieve it without additional per-file\nstorage.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2026-31403"
},
{
"cve": "CVE-2026-31411",
"cwe": {
"id": "CWE-822",
"name": "Untrusted Pointer Dereference"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: atm: fix crash due to unvalidated vcc pointer in sigd_send()\n\nReproducer available at [1].\n\nThe ATM send path (sendmsg -\u003e vcc_sendmsg -\u003e sigd_send) reads the vcc\npointer from msg-\u003evcc and uses it directly without any validation. This\npointer comes from userspace via sendmsg() and can be arbitrarily forged:\n\n int fd = socket(AF_ATMSVC, SOCK_DGRAM, 0);\n ioctl(fd, ATMSIGD_CTRL); // become ATM signaling daemon\n struct msghdr msg = { .msg_iov = \u0026iov, ... };\n *(unsigned long *)(buf + 4) = 0xdeadbeef; // fake vcc pointer\n sendmsg(fd, \u0026msg, 0); // kernel dereferences 0xdeadbeef\n\nIn normal operation, the kernel sends the vcc pointer to the signaling\ndaemon via sigd_enq() when processing operations like connect(), bind(),\nor listen(). The daemon is expected to return the same pointer when\nresponding. However, a malicious daemon can send arbitrary pointer values.\n\nFix this by introducing find_get_vcc() which validates the pointer by\nsearching through vcc_hash (similar to how sigd_close() iterates over\nall VCCs), and acquires a reference via sock_hold() if found.\n\nSince struct atm_vcc embeds struct sock as its first member, they share\nthe same lifetime. Therefore using sock_hold/sock_put is sufficient to\nkeep the vcc alive while it is being used.\n\nNote that there may be a race with sigd_close() which could mark the vcc\nwith various flags (e.g., ATM_VF_RELEASED) after find_get_vcc() returns.\nHowever, sock_hold() guarantees the memory remains valid, so this race\nonly affects the logical state, not memory safety.\n\n[1]: https://gist.github.com/mrpre/1ba5949c45529c511152e2f4c755b0f3",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2026-31411"
},
{
"cve": "CVE-2026-31414",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_conntrack_expect: use expect-\u003ehelper\n\nUse expect-\u003ehelper in ctnetlink and /proc to dump the helper name.\nUsing nfct_help() without holding a reference to the master conntrack\nis unsafe.\n\nUse exp-\u003emaster-\u003ehelper in ctnetlink path if userspace does not provide\nan explicit helper when creating an expectation to retain the existing\nbehaviour. The ctnetlink expectation path holds the reference on the\nmaster conntrack and nf_conntrack_expect lock and the nfnetlink glue\npath refers to the master ct that is attached to the skb.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2026-31414"
},
{
"cve": "CVE-2026-31415",
"cwe": {
"id": "CWE-190",
"name": "Integer Overflow or Wraparound"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: avoid overflows in ip6_datagram_send_ctl()\n\nYiming Qian reported :\n\u003cquote\u003e\n I believe I found a locally triggerable kernel bug in the IPv6 sendmsg\n ancillary-data path that can panic the kernel via `skb_under_panic()`\n (local DoS).\n\n The core issue is a mismatch between:\n\n - a 16-bit length accumulator (`struct ipv6_txoptions::opt_flen`, type\n `__u16`) and\n - a pointer to the *last* provided destination-options header (`opt-\u003edst1opt`)\n\n when multiple `IPV6_DSTOPTS` control messages (cmsgs) are provided.\n\n - `include/net/ipv6.h`:\n - `struct ipv6_txoptions::opt_flen` is `__u16` (wrap possible).\n (lines 291-307, especially 298)\n - `net/ipv6/datagram.c:ip6_datagram_send_ctl()`:\n - Accepts repeated `IPV6_DSTOPTS` and accumulates into `opt_flen`\n without rejecting duplicates. (lines 909-933)\n - `net/ipv6/ip6_output.c:__ip6_append_data()`:\n - Uses `opt-\u003eopt_flen + opt-\u003eopt_nflen` to compute header\n sizes/headroom decisions. (lines 1448-1466, especially 1463-1465)\n - `net/ipv6/ip6_output.c:__ip6_make_skb()`:\n - Calls `ipv6_push_frag_opts()` if `opt-\u003eopt_flen` is non-zero.\n (lines 1930-1934)\n - `net/ipv6/exthdrs.c:ipv6_push_frag_opts()` / `ipv6_push_exthdr()`:\n - Push size comes from `ipv6_optlen(opt-\u003edst1opt)` (based on the\n pointed-to header). (lines 1179-1185 and 1206-1211)\n\n 1. `opt_flen` is a 16-bit accumulator:\n\n - `include/net/ipv6.h:298` defines `__u16 opt_flen; /* after fragment hdr */`.\n\n 2. `ip6_datagram_send_ctl()` accepts *repeated* `IPV6_DSTOPTS` cmsgs\n and increments `opt_flen` each time:\n\n - In `net/ipv6/datagram.c:909-933`, for `IPV6_DSTOPTS`:\n - It computes `len = ((hdr-\u003ehdrlen + 1) \u003c\u003c 3);`\n - It checks `CAP_NET_RAW` using `ns_capable(net-\u003euser_ns,\n CAP_NET_RAW)`. (line 922)\n - Then it does:\n - `opt-\u003eopt_flen += len;` (line 927)\n - `opt-\u003edst1opt = hdr;` (line 928)\n\n There is no duplicate rejection here (unlike the legacy\n `IPV6_2292DSTOPTS` path which rejects duplicates at\n `net/ipv6/datagram.c:901-904`).\n\n If enough large `IPV6_DSTOPTS` cmsgs are provided, `opt_flen` wraps\n while `dst1opt` still points to a large (2048-byte)\n destination-options header.\n\n In the attached PoC (`poc.c`):\n\n - 32 cmsgs with `hdrlen=255` =\u003e `len = (255+1)*8 = 2048`\n - 1 cmsg with `hdrlen=0` =\u003e `len = 8`\n - Total increment: `32*2048 + 8 = 65544`, so `(__u16)opt_flen == 8`\n - The last cmsg is 2048 bytes, so `dst1opt` points to a 2048-byte header.\n\n 3. The transmit path sizes headers using the wrapped `opt_flen`:\n\n- In `net/ipv6/ip6_output.c:1463-1465`:\n - `headersize = sizeof(struct ipv6hdr) + (opt ? opt-\u003eopt_flen +\n opt-\u003eopt_nflen : 0) + ...;`\n\n With wrapped `opt_flen`, `headersize`/headroom decisions underestimate\n what will be pushed later.\n\n 4. When building the final skb, the actual push length comes from\n `dst1opt` and is not limited by wrapped `opt_flen`:\n\n - In `net/ipv6/ip6_output.c:1930-1934`:\n - `if (opt-\u003eopt_flen) proto = ipv6_push_frag_opts(skb, opt, proto);`\n - In `net/ipv6/exthdrs.c:1206-1211`, `ipv6_push_frag_opts()` pushes\n `dst1opt` via `ipv6_push_exthdr()`.\n - In `net/ipv6/exthdrs.c:1179-1184`, `ipv6_push_exthdr()` does:\n - `skb_push(skb, ipv6_optlen(opt));`\n - `memcpy(h, opt, ipv6_optlen(opt));`\n\n With insufficient headroom, `skb_push()` underflows and triggers\n `skb_under_panic()` -\u003e `BUG()`:\n\n - `net/core/skbuff.c:2669-2675` (`skb_push()` calls `skb_under_panic()`)\n - `net/core/skbuff.c:207-214` (`skb_panic()` ends in `BUG()`)\n\n - The `IPV6_DSTOPTS` cmsg path requires `CAP_NET_RAW` in the target\n netns user namespace (`ns_capable(net-\u003euser_ns, CAP_NET_RAW)`).\n - Root (or any task with `CAP_NET_RAW`) can trigger this without user\n namespaces.\n - An unprivileged `uid=1000` user can trigger this if unprivileged\n user namespaces are enabled and it can create a userns+netns to obtain\n namespaced `CAP_NET_RAW` (the attached PoC does this).\n\n - Local denial of service: kernel BUG/panic (system crash).\n -\n---truncated---",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2026-31415"
},
{
"cve": "CVE-2026-31416",
"cwe": {
"id": "CWE-131",
"name": "Incorrect Calculation of Buffer Size"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nfnetlink_log: account for netlink header size\n\nThis is a followup to an old bug fix: NLMSG_DONE needs to account\nfor the netlink header size, not just the attribute size.\n\nThis can result in a WARN splat + drop of the netlink message,\nbut other than this there are no ill effects.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2026-31416"
},
{
"cve": "CVE-2026-31417",
"cwe": {
"id": "CWE-190",
"name": "Integer Overflow or Wraparound"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/x25: Fix overflow when accumulating packets\n\nAdd a check to ensure that `x25_sock.fraglen` does not overflow.\n\nThe `fraglen` also needs to be resetted when purging `fragment_queue` in\n`x25_clear_queues()`.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2026-31417"
},
{
"cve": "CVE-2026-31418",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: ipset: drop logically empty buckets in mtype_del\n\nmtype_del() counts empty slots below n-\u003epos in k, but it only drops the\nbucket when both n-\u003epos and k are zero. This misses buckets whose live\nentries have all been removed while n-\u003epos still points past deleted slots.\n\nTreat a bucket as empty when all positions below n-\u003epos are unused and\nrelease it directly instead of shrinking it further.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2026-31418"
},
{
"cve": "CVE-2026-31421",
"cwe": {
"id": "CWE-476",
"name": "NULL Pointer Dereference"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: cls_fw: fix NULL pointer dereference on shared blocks\n\nThe old-method path in fw_classify() calls tcf_block_q() and\ndereferences q-\u003ehandle. Shared blocks leave block-\u003eq NULL, causing a\nNULL deref when an empty cls_fw filter is attached to a shared block\nand a packet with a nonzero major skb mark is classified.\n\nReject the configuration in fw_change() when the old method (no\nTCA_OPTIONS) is used on a shared block, since fw_classify()\u0027s\nold-method path needs block-\u003eq which is NULL for shared blocks.\n\nThe fixed null-ptr-deref calling stack:\n KASAN: null-ptr-deref in range [0x0000000000000038-0x000000000000003f]\n RIP: 0010:fw_classify (net/sched/cls_fw.c:81)\n Call Trace:\n tcf_classify (./include/net/tc_wrapper.h:197 net/sched/cls_api.c:1764 net/sched/cls_api.c:1860)\n tc_run (net/core/dev.c:4401)\n __dev_queue_xmit (net/core/dev.c:4535 net/core/dev.c:4790)",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2026-31421"
},
{
"cve": "CVE-2026-31422",
"cwe": {
"id": "CWE-476",
"name": "NULL Pointer Dereference"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: cls_flow: fix NULL pointer dereference on shared blocks\n\nflow_change() calls tcf_block_q() and dereferences q-\u003ehandle to derive\na default baseclass. Shared blocks leave block-\u003eq NULL, causing a NULL\nderef when a flow filter without a fully qualified baseclass is created\non a shared block.\n\nCheck tcf_block_shared() before accessing block-\u003eq and return -EINVAL\nfor shared blocks. This avoids the null-deref shown below:\n\n=======================================================================\nKASAN: null-ptr-deref in range [0x0000000000000038-0x000000000000003f]\nRIP: 0010:flow_change (net/sched/cls_flow.c:508)\nCall Trace:\n tc_new_tfilter (net/sched/cls_api.c:2432)\n rtnetlink_rcv_msg (net/core/rtnetlink.c:6980)\n [...]\n=======================================================================",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2026-31422"
},
{
"cve": "CVE-2026-31423",
"cwe": {
"id": "CWE-369",
"name": "Divide By Zero"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: sch_hfsc: fix divide-by-zero in rtsc_min()\n\nm2sm() converts a u32 slope to a u64 scaled value. For large inputs\n(e.g. m1=4000000000), the result can reach 2^32. rtsc_min() stores\nthe difference of two such u64 values in a u32 variable `dsm` and\nuses it as a divisor. When the difference is exactly 2^32 the\ntruncation yields zero, causing a divide-by-zero oops in the\nconcave-curve intersection path:\n\n Oops: divide error: 0000\n RIP: 0010:rtsc_min (net/sched/sch_hfsc.c:601)\n Call Trace:\n init_ed (net/sched/sch_hfsc.c:629)\n hfsc_enqueue (net/sched/sch_hfsc.c:1569)\n [...]\n\nWiden `dsm` to u64 and replace do_div() with div64_u64() so the full\ndifference is preserved.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2026-31423"
},
{
"cve": "CVE-2026-31424",
"cwe": {
"id": "CWE-1287",
"name": "Improper Validation of Specified Type of Input"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: x_tables: restrict xt_check_match/xt_check_target extensions for NFPROTO_ARP\n\nWeiming Shi says:\n\nxt_match and xt_target structs registered with NFPROTO_UNSPEC can be\nloaded by any protocol family through nft_compat. When such a\nmatch/target sets .hooks to restrict which hooks it may run on, the\nbitmask uses NF_INET_* constants. This is only correct for families\nwhose hook layout matches NF_INET_*: IPv4, IPv6, INET, and bridge\nall share the same five hooks (PRE_ROUTING ... POST_ROUTING).\n\nARP only has three hooks (IN=0, OUT=1, FORWARD=2) with different\nsemantics. Because NF_ARP_OUT == 1 == NF_INET_LOCAL_IN, the .hooks\nvalidation silently passes for the wrong reasons, allowing matches to\nrun on ARP chains where the hook assumptions (e.g. state-\u003ein being\nset on input hooks) do not hold. This leads to NULL pointer\ndereferences; xt_devgroup is one concrete example:\n\n Oops: general protection fault, probably for non-canonical address 0xdffffc0000000044: 0000 [#1] SMP KASAN NOPTI\n KASAN: null-ptr-deref in range [0x0000000000000220-0x0000000000000227]\n RIP: 0010:devgroup_mt+0xff/0x350\n Call Trace:\n \u003cTASK\u003e\n nft_match_eval (net/netfilter/nft_compat.c:407)\n nft_do_chain (net/netfilter/nf_tables_core.c:285)\n nft_do_chain_arp (net/netfilter/nft_chain_filter.c:61)\n nf_hook_slow (net/netfilter/core.c:623)\n arp_xmit (net/ipv4/arp.c:666)\n \u003c/TASK\u003e\n Kernel panic - not syncing: Fatal exception in interrupt\n\nFix it by restricting arptables to NFPROTO_ARP extensions only.\nNote that arptables-legacy only supports:\n\n- arpt_CLASSIFY\n- arpt_mangle\n- arpt_MARK\n\nthat provide explicit NFPROTO_ARP match/target declarations.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2026-31424"
},
{
"cve": "CVE-2026-31427",
"cwe": {
"id": "CWE-824",
"name": "Access of Uninitialized Pointer"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_conntrack_sip: fix use of uninitialized rtp_addr in process_sdp\n\nprocess_sdp() declares union nf_inet_addr rtp_addr on the stack and\npasses it to the nf_nat_sip sdp_session hook after walking the SDP\nmedia descriptions. However rtp_addr is only initialized inside the\nmedia loop when a recognized media type with a non-zero port is found.\n\nIf the SDP body contains no m= lines, only inactive media sections\n(m=audio 0 ...) or only unrecognized media types, rtp_addr is never\nassigned. Despite that, the function still calls hooks-\u003esdp_session()\nwith \u0026rtp_addr, causing nf_nat_sdp_session() to format the stale stack\nvalue as an IP address and rewrite the SDP session owner and connection\nlines with it.\n\nWith CONFIG_INIT_STACK_ALL_ZERO (default on most distributions) this\nresults in the session-level o= and c= addresses being rewritten to\n0.0.0.0 for inactive SDP sessions. Without stack auto-init the\nrewritten address is whatever happened to be on the stack.\n\nFix this by pre-initializing rtp_addr from the session-level connection\naddress (caddr) when available, and tracking via a have_rtp_addr flag\nwhether any valid address was established. Skip the sdp_session hook\nentirely when no valid address exists.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.8,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2026-31427"
},
{
"cve": "CVE-2026-31428",
"cwe": {
"id": "CWE-824",
"name": "Access of Uninitialized Pointer"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nfnetlink_log: fix uninitialized padding leak in NFULA_PAYLOAD\n\n__build_packet_message() manually constructs the NFULA_PAYLOAD netlink\nattribute using skb_put() and skb_copy_bits(), bypassing the standard\nnla_reserve()/nla_put() helpers. While nla_total_size(data_len) bytes\nare allocated (including NLA alignment padding), only data_len bytes\nof actual packet data are copied. The trailing nla_padlen(data_len)\nbytes (1-3 when data_len is not 4-byte aligned) are never initialized,\nleaking stale heap contents to userspace via the NFLOG netlink socket.\n\nReplace the manual attribute construction with nla_reserve(), which\nhandles the tailroom check, header setup, and padding zeroing via\n__nla_reserve(). The subsequent skb_copy_bits() fills in the payload\ndata on top of the properly initialized attribute.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2026-31428"
},
{
"cve": "CVE-2026-31431",
"cwe": {
"id": "CWE-669",
"name": "Incorrect Resource Transfer Between Spheres"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: algif_aead - Revert to operating out-of-place\n\nThis mostly reverts commit 72548b093ee3 except for the copying of\nthe associated data.\n\nThere is no benefit in operating in-place in algif_aead since the\nsource and destination come from different mappings. Get rid of\nall the complexity added for in-place operation and just copy the\nAD directly.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2026-31431"
},
{
"cve": "CVE-2026-31441",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: idxd: Fix memory leak when a wq is reset\n\nidxd_wq_disable_cleanup() which is called from the reset path for a\nworkqueue, sets the wq type to NONE, which for other parts of the\ndriver mean that the wq is empty (all its resources were released).\n\nOnly set the wq type to NONE after its resources are released.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2026-31441"
},
{
"cve": "CVE-2026-31446",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix use-after-free in update_super_work when racing with umount\n\nCommit b98535d09179 (\"ext4: fix bug_on in start_this_handle during umount\nfilesystem\") moved ext4_unregister_sysfs() before flushing s_sb_upd_work\nto prevent new error work from being queued via /proc/fs/ext4/xx/mb_groups\nreads during unmount. However, this introduced a use-after-free because\nupdate_super_work calls ext4_notify_error_sysfs() -\u003e sysfs_notify() which\naccesses the kobject\u0027s kernfs_node after it has been freed by kobject_del()\nin ext4_unregister_sysfs():\n\n update_super_work ext4_put_super\n ----------------- --------------\n ext4_unregister_sysfs(sb)\n kobject_del(\u0026sbi-\u003es_kobj)\n __kobject_del()\n sysfs_remove_dir()\n kobj-\u003esd = NULL\n sysfs_put(sd)\n kernfs_put() // RCU free\n ext4_notify_error_sysfs(sbi)\n sysfs_notify(\u0026sbi-\u003es_kobj)\n kn = kobj-\u003esd // stale pointer\n kernfs_get(kn) // UAF on freed kernfs_node\n ext4_journal_destroy()\n flush_work(\u0026sbi-\u003es_sb_upd_work)\n\nInstead of reordering the teardown sequence, fix this by making\next4_notify_error_sysfs() detect that sysfs has already been torn down\nby checking s_kobj.state_in_sysfs, and skipping the sysfs_notify() call\nin that case. A dedicated mutex (s_error_notify_mutex) serializes\next4_notify_error_sysfs() against kobject_del() in ext4_unregister_sysfs()\nto prevent TOCTOU races where the kobject could be deleted between the\nstate_in_sysfs check and the sysfs_notify() call.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2026-31446"
},
{
"cve": "CVE-2026-31447",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: reject mount if bigalloc with s_first_data_block != 0\n\nbigalloc with s_first_data_block != 0 is not supported, reject mounting\nit.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2026-31447"
},
{
"cve": "CVE-2026-31448",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: avoid infinite loops caused by residual data\n\nOn the mkdir/mknod path, when mapping logical blocks to physical blocks,\nif inserting a new extent into the extent tree fails (in this example,\nbecause the file system disabled the huge file feature when marking the\ninode as dirty), ext4_ext_map_blocks() only calls ext4_free_blocks() to\nreclaim the physical block without deleting the corresponding data in\nthe extent tree. This causes subsequent mkdir operations to reference\nthe previously reclaimed physical block number again, even though this\nphysical block is already being used by the xattr block. Therefore, a\nsituation arises where both the directory and xattr are using the same\nbuffer head block in memory simultaneously.\n\nThe above causes ext4_xattr_block_set() to enter an infinite loop about\n\"inserted\" and cannot release the inode lock, ultimately leading to the\n143s blocking problem mentioned in [1].\n\nIf the metadata is corrupted, then trying to remove some extent space\ncan do even more harm. Also in case EXT4_GET_BLOCKS_DELALLOC_RESERVE\nwas passed, remove space wrongly update quota information.\nJan Kara suggests distinguishing between two cases:\n\n1) The error is ENOSPC or EDQUOT - in this case the filesystem is fully\nconsistent and we must maintain its consistency including all the\naccounting. However these errors can happen only early before we\u0027ve\ninserted the extent into the extent tree. So current code works correctly\nfor this case.\n\n2) Some other error - this means metadata is corrupted. We should strive to\ndo as few modifications as possible to limit damage. So I\u0027d just skip\nfreeing of allocated blocks.\n\n[1]\nINFO: task syz.0.17:5995 blocked for more than 143 seconds.\nCall Trace:\n inode_lock_nested include/linux/fs.h:1073 [inline]\n __start_dirop fs/namei.c:2923 [inline]\n start_dirop fs/namei.c:2934 [inline]",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 9.4,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2026-31448"
},
{
"cve": "CVE-2026-31450",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: publish jinode after initialization\n\next4_inode_attach_jinode() publishes ei-\u003ejinode to concurrent users.\nIt used to set ei-\u003ejinode before jbd2_journal_init_jbd_inode(),\nallowing a reader to observe a non-NULL jinode with i_vfs_inode\nstill unset.\n\nThe fast commit flush path can then pass this jinode to\njbd2_wait_inode_data(), which dereferences i_vfs_inode-\u003ei_mapping and\nmay crash.\n\nBelow is the crash I observe:\n```\nBUG: unable to handle page fault for address: 000000010beb47f4\nPGD 110e51067 P4D 110e51067 PUD 0\nOops: Oops: 0000 [#1] SMP NOPTI\nCPU: 1 UID: 0 PID: 4850 Comm: fc_fsync_bench_ Not tainted 6.18.0-00764-g795a690c06a5 #1 PREEMPT(voluntary)\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Arch Linux 1.17.0-2-2 04/01/2014\nRIP: 0010:xas_find_marked+0x3d/0x2e0\nCode: e0 03 48 83 f8 02 0f 84 f0 01 00 00 48 8b 47 08 48 89 c3 48 39 c6 0f 82 fd 01 00 00 48 85 c9 74 3d 48 83 f9 03 77 63 4c 8b 0f \u003c49\u003e 8b 71 08 48 c7 47 18 00 00 00 00 48 89 f1 83 e1 03 48 83 f9 02\nRSP: 0018:ffffbbee806e7bf0 EFLAGS: 00010246\nRAX: 000000000010beb4 RBX: 000000000010beb4 RCX: 0000000000000003\nRDX: 0000000000000001 RSI: 0000002000300000 RDI: ffffbbee806e7c10\nRBP: 0000000000000001 R08: 0000002000300000 R09: 000000010beb47ec\nR10: ffff9ea494590090 R11: 0000000000000000 R12: 0000002000300000\nR13: ffffbbee806e7c90 R14: ffff9ea494513788 R15: ffffbbee806e7c88\nFS: 00007fc2f9e3e6c0(0000) GS:ffff9ea6b1444000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 000000010beb47f4 CR3: 0000000119ac5000 CR4: 0000000000750ef0\nPKRU: 55555554\nCall Trace:\n\u003cTASK\u003e\nfilemap_get_folios_tag+0x87/0x2a0\n__filemap_fdatawait_range+0x5f/0xd0\n? srso_alias_return_thunk+0x5/0xfbef5\n? __schedule+0x3e7/0x10c0\n? srso_alias_return_thunk+0x5/0xfbef5\n? srso_alias_return_thunk+0x5/0xfbef5\n? srso_alias_return_thunk+0x5/0xfbef5\n? preempt_count_sub+0x5f/0x80\n? srso_alias_return_thunk+0x5/0xfbef5\n? cap_safe_nice+0x37/0x70\n? srso_alias_return_thunk+0x5/0xfbef5\n? preempt_count_sub+0x5f/0x80\n? srso_alias_return_thunk+0x5/0xfbef5\nfilemap_fdatawait_range_keep_errors+0x12/0x40\next4_fc_commit+0x697/0x8b0\n? ext4_file_write_iter+0x64b/0x950\n? srso_alias_return_thunk+0x5/0xfbef5\n? preempt_count_sub+0x5f/0x80\n? srso_alias_return_thunk+0x5/0xfbef5\n? vfs_write+0x356/0x480\n? srso_alias_return_thunk+0x5/0xfbef5\n? preempt_count_sub+0x5f/0x80\next4_sync_file+0xf7/0x370\ndo_fsync+0x3b/0x80\n? syscall_trace_enter+0x108/0x1d0\n__x64_sys_fdatasync+0x16/0x20\ndo_syscall_64+0x62/0x2c0\nentry_SYSCALL_64_after_hwframe+0x76/0x7e\n...\n```\n\nFix this by initializing the jbd2_inode first.\nUse smp_wmb() and WRITE_ONCE() to publish ei-\u003ejinode after\ninitialization. Readers use READ_ONCE() to fetch the pointer.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2026-31450"
},
{
"cve": "CVE-2026-31452",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: convert inline data to extents when truncate exceeds inline size\n\nAdd a check in ext4_setattr() to convert files from inline data storage\nto extent-based storage when truncate() grows the file size beyond the\ninline capacity. This prevents the filesystem from entering an\ninconsistent state where the inline data flag is set but the file size\nexceeds what can be stored inline.\n\nWithout this fix, the following sequence causes a kernel BUG_ON():\n\n1. Mount filesystem with inode that has inline flag set and small size\n2. truncate(file, 50MB) - grows size but inline flag remains set\n3. sendfile() attempts to write data\n4. ext4_write_inline_data() hits BUG_ON(write_size \u003e inline_capacity)\n\nThe crash occurs because ext4_write_inline_data() expects inline storage\nto accommodate the write, but the actual inline capacity (~60 bytes for\ni_block + ~96 bytes for xattrs) is far smaller than the file size and\nwrite request.\n\nThe fix checks if the new size from setattr exceeds the inode\u0027s actual\ninline capacity (EXT4_I(inode)-\u003ei_inline_size) and converts the file to\nextent-based storage before proceeding with the size change.\n\nThis addresses the root cause by ensuring the inline data flag and file\nsize remain consistent during truncate operations.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2026-31452"
},
{
"cve": "CVE-2026-31466",
"cwe": {
"id": "CWE-366",
"name": "Race Condition within a Thread"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/huge_memory: fix folio isn\u0027t locked in softleaf_to_folio()\n\nOn arm64 server, we found folio that get from migration entry isn\u0027t locked\nin softleaf_to_folio(). This issue triggers when mTHP splitting and\nzap_nonpresent_ptes() races, and the root cause is lack of memory barrier\nin softleaf_to_folio(). The race is as follows:\n\n\tCPU0 CPU1\n\ndeferred_split_scan() zap_nonpresent_ptes()\n lock folio\n split_folio()\n unmap_folio()\n change ptes to migration entries\n __split_folio_to_order() softleaf_to_folio()\n set flags(including PG_locked) for tail pages folio = pfn_folio(softleaf_to_pfn(entry))\n smp_wmb() VM_WARN_ON_ONCE(!folio_test_locked(folio))\n prep_compound_page() for tail pages\n\nIn __split_folio_to_order(), smp_wmb() guarantees page flags of tail pages\nare visible before the tail page becomes non-compound. smp_wmb() should\nbe paired with smp_rmb() in softleaf_to_folio(), which is missed. As a\nresult, if zap_nonpresent_ptes() accesses migration entry that stores tail\npfn, softleaf_to_folio() may see the updated compound_head of tail page\nbefore page-\u003eflags.\n\nThis issue will trigger VM_WARN_ON_ONCE() in pfn_swap_entry_folio()\nbecause of the race between folio split and zap_nonpresent_ptes()\nleading to a folio incorrectly undergoing modification without a folio\nlock being held.\n\nThis is a BUG_ON() before commit 93976a20345b (\"mm: eliminate further\nswapops predicates\"), which in merged in v6.19-rc1.\n\nTo fix it, add missing smp_rmb() if the softleaf entry is migration entry\nin softleaf_to_folio() and softleaf_to_page().\n\n[tujinjiang@huawei.com: update function name and comments]",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2026-31466"
},
{
"cve": "CVE-2026-31469",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nvirtio_net: Fix UAF on dst_ops when IFF_XMIT_DST_RELEASE is cleared and napi_tx is false\n\nA UAF issue occurs when the virtio_net driver is configured with napi_tx=N\nand the device\u0027s IFF_XMIT_DST_RELEASE flag is cleared\n(e.g., during the configuration of tc route filter rules).\n\nWhen IFF_XMIT_DST_RELEASE is removed from the net_device, the network stack\nexpects the driver to hold the reference to skb-\u003edst until the packet\nis fully transmitted and freed. In virtio_net with napi_tx=N,\nskbs may remain in the virtio transmit ring for an extended period.\n\nIf the network namespace is destroyed while these skbs are still pending,\nthe corresponding dst_ops structure has freed. When a subsequent packet\nis transmitted, free_old_xmit() is triggered to clean up old skbs.\nIt then calls dst_release() on the skb associated with the stale dst_entry.\nSince the dst_ops (referenced by the dst_entry) has already been freed,\na UAF kernel paging request occurs.\n\nfix it by adds skb_dst_drop(skb) in start_xmit to explicitly release\nthe dst reference before the skb is queued in virtio_net.\n\nCall Trace:\n Unable to handle kernel paging request at virtual address ffff80007e150000\n CPU: 2 UID: 0 PID: 6236 Comm: ping Kdump: loaded Not tainted 7.0.0-rc1+ #6 PREEMPT\n ...\n percpu_counter_add_batch+0x3c/0x158 lib/percpu_counter.c:98 (P)\n dst_release+0xe0/0x110 net/core/dst.c:177\n skb_release_head_state+0xe8/0x108 net/core/skbuff.c:1177\n sk_skb_reason_drop+0x54/0x2d8 net/core/skbuff.c:1255\n dev_kfree_skb_any_reason+0x64/0x78 net/core/dev.c:3469\n napi_consume_skb+0x1c4/0x3a0 net/core/skbuff.c:1527\n __free_old_xmit+0x164/0x230 drivers/net/virtio_net.c:611 [virtio_net]\n free_old_xmit drivers/net/virtio_net.c:1081 [virtio_net]\n start_xmit+0x7c/0x530 drivers/net/virtio_net.c:3329 [virtio_net]\n ...\n\nReproduction Steps:\nNETDEV=\"enp3s0\"\n\nconfig_qdisc_route_filter() {\n tc qdisc del dev $NETDEV root\n tc qdisc add dev $NETDEV root handle 1: prio\n tc filter add dev $NETDEV parent 1:0 \\\n\tprotocol ip prio 100 route to 100 flowid 1:1\n ip route add 192.168.1.100/32 dev $NETDEV realm 100\n}\n\ntest_ns() {\n ip netns add testns\n ip link set $NETDEV netns testns\n ip netns exec testns ifconfig $NETDEV 10.0.32.46/24\n ip netns exec testns ping -c 1 10.0.32.1\n ip netns del testns\n}\n\nconfig_qdisc_route_filter\n\ntest_ns\nsleep 2\ntest_ns",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2026-31469"
},
{
"cve": "CVE-2026-31485",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: spi-fsl-lpspi: fix teardown order issue (UAF)\n\nThere is a teardown order issue in the driver. The SPI controller is\nregistered using devm_spi_register_controller(), which delays\nunregistration of the SPI controller until after the fsl_lpspi_remove()\nfunction returns.\n\nAs the fsl_lpspi_remove() function synchronously tears down the DMA\nchannels, a running SPI transfer triggers the following NULL pointer\ndereference due to use after free:\n\n| fsl_lpspi 42550000.spi: I/O Error in DMA RX\n| Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000\n[...]\n| Call trace:\n| fsl_lpspi_dma_transfer+0x260/0x340 [spi_fsl_lpspi]\n| fsl_lpspi_transfer_one+0x198/0x448 [spi_fsl_lpspi]\n| spi_transfer_one_message+0x49c/0x7c8\n| __spi_pump_transfer_message+0x120/0x420\n| __spi_sync+0x2c4/0x520\n| spi_sync+0x34/0x60\n| spidev_message+0x20c/0x378 [spidev]\n| spidev_ioctl+0x398/0x750 [spidev]\n[...]\n\nSwitch from devm_spi_register_controller() to spi_register_controller() in\nfsl_lpspi_probe() and add the corresponding spi_unregister_controller() in\nfsl_lpspi_remove().",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2026-31485"
},
{
"cve": "CVE-2026-31494",
"cwe": {
"id": "CWE-787",
"name": "Out-of-bounds Write"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: macb: use the current queue number for stats\n\nThere\u0027s a potential mismatch between the memory reserved for statistics\nand the amount of memory written.\n\ngem_get_sset_count() correctly computes the number of stats based on the\nactive queues, whereas gem_get_ethtool_stats() indiscriminately copies\ndata using the maximum number of queues, and in the case the number of\nactive queues is less than MACB_MAX_QUEUES, this results in a OOB write\nas observed in the KASAN splat.\n\n==================================================================\nBUG: KASAN: vmalloc-out-of-bounds in gem_get_ethtool_stats+0x54/0x78\n [macb]\nWrite of size 760 at addr ffff80008080b000 by task ethtool/1027\n\nCPU: [...]\nTainted: [E]=UNSIGNED_MODULE\nHardware name: raspberrypi rpi/rpi, BIOS 2025.10 10/01/2025\nCall trace:\n show_stack+0x20/0x38 (C)\n dump_stack_lvl+0x80/0xf8\n print_report+0x384/0x5e0\n kasan_report+0xa0/0xf0\n kasan_check_range+0xe8/0x190\n __asan_memcpy+0x54/0x98\n gem_get_ethtool_stats+0x54/0x78 [macb\n 926c13f3af83b0c6fe64badb21ec87d5e93fcf65]\n dev_ethtool+0x1220/0x38c0\n dev_ioctl+0x4ac/0xca8\n sock_do_ioctl+0x170/0x1d8\n sock_ioctl+0x484/0x5d8\n __arm64_sys_ioctl+0x12c/0x1b8\n invoke_syscall+0xd4/0x258\n el0_svc_common.constprop.0+0xb4/0x240\n do_el0_svc+0x48/0x68\n el0_svc+0x40/0xf8\n el0t_64_sync_handler+0xa0/0xe8\n el0t_64_sync+0x1b0/0x1b8\n\nThe buggy address belongs to a 1-page vmalloc region starting at\n 0xffff80008080b000 allocated at dev_ethtool+0x11f0/0x38c0\nThe buggy address belongs to the physical page:\npage: refcount:1 mapcount:0 mapping:0000000000000000\n index:0xffff00000a333000 pfn:0xa333\nflags: 0x7fffc000000000(node=0|zone=0|lastcpupid=0x1ffff)\nraw: 007fffc000000000 0000000000000000 dead000000000122 0000000000000000\nraw: ffff00000a333000 0000000000000000 00000001ffffffff 0000000000000000\npage dumped because: kasan: bad access detected\n\nMemory state around the buggy address:\n ffff80008080b080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n ffff80008080b100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n\u003effff80008080b180: 00 00 00 00 00 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8\n ^\n ffff80008080b200: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8\n ffff80008080b280: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8\n==================================================================\n\nFix it by making sure the copied size only considers the active number of\nqueues.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2026-31494"
},
{
"cve": "CVE-2026-31495",
"cwe": {
"id": "CWE-1287",
"name": "Improper Validation of Specified Type of Input"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: ctnetlink: use netlink policy range checks\n\nReplace manual range and mask validations with netlink policy\nannotations in ctnetlink code paths, so that the netlink core rejects\ninvalid values early and can generate extack errors.\n\n- CTA_PROTOINFO_TCP_STATE: reject values \u003e TCP_CONNTRACK_SYN_SENT2 at\n policy level, removing the manual \u003e= TCP_CONNTRACK_MAX check.\n- CTA_PROTOINFO_TCP_WSCALE_ORIGINAL/REPLY: reject values \u003e TCP_MAX_WSCALE\n (14). The normal TCP option parsing path already clamps to this value,\n but the ctnetlink path accepted 0-255, causing undefined behavior when\n used as a u32 shift count.\n- CTA_FILTER_ORIG_FLAGS/REPLY_FLAGS: use NLA_POLICY_MASK with\n CTA_FILTER_F_ALL, removing the manual mask checks.\n- CTA_EXPECT_FLAGS: use NLA_POLICY_MASK with NF_CT_EXPECT_MASK, adding\n a new mask define grouping all valid expect flags.\n\nExtracted from a broader nf-next patch by Florian Westphal, scoped to\nctnetlink for the fixes tree.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2026-31495"
},
{
"cve": "CVE-2026-31496",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_conntrack_expect: skip expectations in other netns via proc\n\nSkip expectations that do not reside in this netns.\n\nSimilar to e77e6ff502ea (\"netfilter: conntrack: do not dump other netns\u0027s\nconntrack entries via proc\").",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2026-31496"
},
{
"cve": "CVE-2026-31503",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nudp: Fix wildcard bind conflict check when using hash2\n\nWhen binding a udp_sock to a local address and port, UDP uses\ntwo hashes (udptable-\u003ehash and udptable-\u003ehash2) for collision\ndetection. The current code switches to \"hash2\" when\nhslot-\u003ecount \u003e 10.\n\n\"hash2\" is keyed by local address and local port.\n\"hash\" is keyed by local port only.\n\nThe issue can be shown in the following bind sequence (pseudo code):\n\nbind(fd1, \"[fd00::1]:8888\")\nbind(fd2, \"[fd00::2]:8888\")\nbind(fd3, \"[fd00::3]:8888\")\nbind(fd4, \"[fd00::4]:8888\")\nbind(fd5, \"[fd00::5]:8888\")\nbind(fd6, \"[fd00::6]:8888\")\nbind(fd7, \"[fd00::7]:8888\")\nbind(fd8, \"[fd00::8]:8888\")\nbind(fd9, \"[fd00::9]:8888\")\nbind(fd10, \"[fd00::10]:8888\")\n\n/* Correctly return -EADDRINUSE because \"hash\" is used\n * instead of \"hash2\". udp_lib_lport_inuse() detects the\n * conflict.\n */\nbind(fail_fd, \"[::]:8888\")\n\n/* After one more socket is bound to \"[fd00::11]:8888\",\n * hslot-\u003ecount exceeds 10 and \"hash2\" is used instead.\n */\nbind(fd11, \"[fd00::11]:8888\")\nbind(fail_fd, \"[::]:8888\") /* succeeds unexpectedly */\n\nThe same issue applies to the IPv4 wildcard address \"0.0.0.0\"\nand the IPv4-mapped wildcard address \"::ffff:0.0.0.0\". For\nexample, if there are existing sockets bound to\n\"192.168.1.[1-11]:8888\", then binding \"0.0.0.0:8888\" or\n\"[::ffff:0.0.0.0]:8888\" can also miss the conflict when\nhslot-\u003ecount \u003e 10.\n\nTCP inet_csk_get_port() already has the correct check in\ninet_use_bhash2_on_bind(). Rename it to\ninet_use_hash2_on_bind() and move it to inet_hashtables.h\nso udp.c can reuse it in this fix.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2026-31503"
},
{
"cve": "CVE-2026-31504",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: fix fanout UAF in packet_release() via NETDEV_UP race\n\n`packet_release()` has a race window where `NETDEV_UP` can re-register a\nsocket into a fanout group\u0027s `arr[]` array. The re-registration is not\ncleaned up by `fanout_release()`, leaving a dangling pointer in the fanout\narray.\n`packet_release()` does NOT zero `po-\u003enum` in its `bind_lock` section.\nAfter releasing `bind_lock`, `po-\u003enum` is still non-zero and `po-\u003eifindex`\nstill matches the bound device. A concurrent `packet_notifier(NETDEV_UP)`\nthat already found the socket in `sklist` can re-register the hook.\nFor fanout sockets, this re-registration calls `__fanout_link(sk, po)`\nwhich adds the socket back into `f-\u003earr[]` and increments `f-\u003enum_members`,\nbut does NOT increment `f-\u003esk_ref`.\n\nThe fix sets `po-\u003enum` to zero in `packet_release` while `bind_lock` is\nheld to prevent NETDEV_UP from linking, preventing the race window.\n\nThis bug was found following an additional audit with Claude Code based\non CVE-2025-38617.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2026-31504"
},
{
"cve": "CVE-2026-31507",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/smc: fix double-free of smc_spd_priv when tee() duplicates splice pipe buffer\n\nsmc_rx_splice() allocates one smc_spd_priv per pipe_buffer and stores\nthe pointer in pipe_buffer.private. The pipe_buf_operations for these\nbuffers used .get = generic_pipe_buf_get, which only increments the page\nreference count when tee(2) duplicates a pipe buffer. The smc_spd_priv\npointer itself was not handled, so after tee() both the original and the\ncloned pipe_buffer share the same smc_spd_priv *.\n\nWhen both pipes are subsequently released, smc_rx_pipe_buf_release() is\ncalled twice against the same object:\n\n 1st call: kfree(priv) sock_put(sk) smc_rx_update_cons() [correct]\n 2nd call: kfree(priv) sock_put(sk) smc_rx_update_cons() [UAF]\n\nKASAN reports a slab-use-after-free in smc_rx_pipe_buf_release(), which\nthen escalates to a NULL-pointer dereference and kernel panic via\nsmc_rx_update_consumer() when it chases the freed priv-\u003esmc pointer:\n\n BUG: KASAN: slab-use-after-free in smc_rx_pipe_buf_release+0x78/0x2a0\n Read of size 8 at addr ffff888004a45740 by task smc_splice_tee_/74\n Call Trace:\n \u003cTASK\u003e\n dump_stack_lvl+0x53/0x70\n print_report+0xce/0x650\n kasan_report+0xc6/0x100\n smc_rx_pipe_buf_release+0x78/0x2a0\n free_pipe_info+0xd4/0x130\n pipe_release+0x142/0x160\n __fput+0x1c6/0x490\n __x64_sys_close+0x4f/0x90\n do_syscall_64+0xa6/0x1a0\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n \u003c/TASK\u003e\n\n BUG: kernel NULL pointer dereference, address: 0000000000000020\n RIP: 0010:smc_rx_update_consumer+0x8d/0x350\n Call Trace:\n \u003cTASK\u003e\n smc_rx_pipe_buf_release+0x121/0x2a0\n free_pipe_info+0xd4/0x130\n pipe_release+0x142/0x160\n __fput+0x1c6/0x490\n __x64_sys_close+0x4f/0x90\n do_syscall_64+0xa6/0x1a0\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n \u003c/TASK\u003e\n Kernel panic - not syncing: Fatal exception\n\nBeyond the memory-safety problem, duplicating an SMC splice buffer is\nsemantically questionable: smc_rx_update_cons() would advance the\nconsumer cursor twice for the same data, corrupting receive-window\naccounting. A refcount on smc_spd_priv could fix the double-free, but\nthe cursor-accounting issue would still need to be addressed separately.\n\nThe .get callback is invoked by both tee(2) and splice_pipe_to_pipe()\nfor partial transfers; both will now return -EFAULT. Users who need\nto duplicate SMC socket data must use a copy-based read path.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2026-31507"
},
{
"cve": "CVE-2026-31508",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: openvswitch: Avoid releasing netdev before teardown completes\n\nThe patch cited in the Fixes tag below changed the teardown code for\nOVS ports to no longer unconditionally take the RTNL. After this change,\nthe netdev_destroy() callback can proceed immediately to the call_rcu()\ninvocation if the IFF_OVS_DATAPATH flag is already cleared on the\nnetdev.\n\nThe ovs_netdev_detach_dev() function clears the flag before completing\nthe unregistration, and if it gets preempted after clearing the flag (as\ncan happen on an -rt kernel), netdev_destroy() can complete and the\ndevice can be freed before the unregistration completes. This leads to a\nsplat like:\n\n[ 998.393867] Oops: general protection fault, probably for non-canonical address 0xff00000001000239: 0000 [#1] SMP PTI\n[ 998.393877] CPU: 42 UID: 0 PID: 55177 Comm: ip Kdump: loaded Not tainted 6.12.0-211.1.1.el10_2.x86_64+rt #1 PREEMPT_RT\n[ 998.393886] Hardware name: Dell Inc. PowerEdge R740/0JMK61, BIOS 2.24.0 03/27/2025\n[ 998.393889] RIP: 0010:dev_set_promiscuity+0x8d/0xa0\n[ 998.393901] Code: 00 00 75 d8 48 8b 53 08 48 83 ba b0 02 00 00 00 75 ca 48 83 c4 08 5b c3 cc cc cc cc 48 83 bf 48 09 00 00 00 75 91 48 8b 47 08 \u003c48\u003e 83 b8 b0 02 00 00 00 74 97 eb 81 0f 1f 80 00 00 00 00 90 90 90\n[ 998.393906] RSP: 0018:ffffce5864a5f6a0 EFLAGS: 00010246\n[ 998.393912] RAX: ff00000000ffff89 RBX: ffff894d0adf5a05 RCX: 0000000000000000\n[ 998.393917] RDX: 0000000000000000 RSI: 00000000ffffffff RDI: ffff894d0adf5a05\n[ 998.393921] RBP: ffff894d19252000 R08: ffff894d19252000 R09: 0000000000000000\n[ 998.393924] R10: ffff894d19252000 R11: ffff894d192521b8 R12: 0000000000000006\n[ 998.393927] R13: ffffce5864a5f738 R14: 00000000ffffffe2 R15: 0000000000000000\n[ 998.393931] FS: 00007fad61971800(0000) GS:ffff894cc0140000(0000) knlGS:0000000000000000\n[ 998.393936] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 998.393940] CR2: 000055df0a2a6e40 CR3: 000000011c7fe003 CR4: 00000000007726f0\n[ 998.393944] PKRU: 55555554\n[ 998.393946] Call Trace:\n[ 998.393949] \u003cTASK\u003e\n[ 998.393952] ? show_trace_log_lvl+0x1b0/0x2f0\n[ 998.393961] ? show_trace_log_lvl+0x1b0/0x2f0\n[ 998.393975] ? dp_device_event+0x41/0x80 [openvswitch]\n[ 998.394009] ? __die_body.cold+0x8/0x12\n[ 998.394016] ? die_addr+0x3c/0x60\n[ 998.394027] ? exc_general_protection+0x16d/0x390\n[ 998.394042] ? asm_exc_general_protection+0x26/0x30\n[ 998.394058] ? dev_set_promiscuity+0x8d/0xa0\n[ 998.394066] ? ovs_netdev_detach_dev+0x3a/0x80 [openvswitch]\n[ 998.394092] dp_device_event+0x41/0x80 [openvswitch]\n[ 998.394102] notifier_call_chain+0x5a/0xd0\n[ 998.394106] unregister_netdevice_many_notify+0x51b/0xa60\n[ 998.394110] rtnl_dellink+0x169/0x3e0\n[ 998.394121] ? rt_mutex_slowlock.constprop.0+0x95/0xd0\n[ 998.394125] rtnetlink_rcv_msg+0x142/0x3f0\n[ 998.394128] ? avc_has_perm_noaudit+0x69/0xf0\n[ 998.394130] ? __pfx_rtnetlink_rcv_msg+0x10/0x10\n[ 998.394132] netlink_rcv_skb+0x50/0x100\n[ 998.394138] netlink_unicast+0x292/0x3f0\n[ 998.394141] netlink_sendmsg+0x21b/0x470\n[ 998.394145] ____sys_sendmsg+0x39d/0x3d0\n[ 998.394149] ___sys_sendmsg+0x9a/0xe0\n[ 998.394156] __sys_sendmsg+0x7a/0xd0\n[ 998.394160] do_syscall_64+0x7f/0x170\n[ 998.394162] entry_SYSCALL_64_after_hwframe+0x76/0x7e\n[ 998.394165] RIP: 0033:0x7fad61bf4724\n[ 998.394188] Code: 89 02 b8 ff ff ff ff eb bb 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 f3 0f 1e fa 80 3d c5 e9 0c 00 00 74 13 b8 2e 00 00 00 0f 05 \u003c48\u003e 3d 00 f0 ff ff 77 54 c3 0f 1f 00 48 83 ec 28 89 54 24 1c 48 89\n[ 998.394189] RSP: 002b:00007ffd7e2f7cb8 EFLAGS: 00000202 ORIG_RAX: 000000000000002e\n[ 998.394191] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00007fad61bf4724\n[ 998.394193] RDX: 0000000000000000 RSI: 00007ffd7e2f7d20 RDI: 0000000000000003\n[ 998.394194] RBP: 00007ffd7e2f7d90 R08: 0000000000000010 R09: 000000000000003f\n[ 998.394195] R10: 000055df11558010 R11: 0000000000000202 R12: 00007ffd7e2\n---truncated---",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2026-31508"
},
{
"cve": "CVE-2026-31515",
"cwe": {
"id": "CWE-131",
"name": "Incorrect Calculation of Buffer Size"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\naf_key: validate families in pfkey_send_migrate()\n\nsyzbot was able to trigger a crash in skb_put() [1]\n\nIssue is that pfkey_send_migrate() does not check old/new families,\nand that set_ipsecrequest() @family argument was truncated,\nthus possibly overfilling the skb.\n\nValidate families early, do not wait set_ipsecrequest().\n\n[1]\n\nskbuff: skb_over_panic: text:ffffffff8a752120 len:392 put:16 head:ffff88802a4ad040 data:ffff88802a4ad040 tail:0x188 end:0x180 dev:\u003cNULL\u003e\n kernel BUG at net/core/skbuff.c:214 !\nCall Trace:\n \u003cTASK\u003e\n skb_over_panic net/core/skbuff.c:219 [inline]\n skb_put+0x159/0x210 net/core/skbuff.c:2655\n skb_put_zero include/linux/skbuff.h:2788 [inline]\n set_ipsecrequest net/key/af_key.c:3532 [inline]\n pfkey_send_migrate+0x1270/0x2e50 net/key/af_key.c:3636\n km_migrate+0x155/0x260 net/xfrm/xfrm_state.c:2848\n xfrm_migrate+0x2140/0x2450 net/xfrm/xfrm_policy.c:4705\n xfrm_do_migrate+0x8ff/0xaa0 net/xfrm/xfrm_user.c:3150",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.0,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2026-31515"
},
{
"cve": "CVE-2026-31518",
"cwe": {
"id": "CWE-772",
"name": "Missing Release of Resource after Effective Lifetime"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nesp: fix skb leak with espintcp and async crypto\n\nWhen the TX queue for espintcp is full, esp_output_tail_tcp will\nreturn an error and not free the skb, because with synchronous crypto,\nthe common xfrm output code will drop the packet for us.\n\nWith async crypto (esp_output_done), we need to drop the skb when\nesp_output_tail_tcp returns an error.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2026-31518"
},
{
"cve": "CVE-2026-31521",
"cwe": {
"id": "CWE-1285",
"name": "Improper Validation of Specified Index, Position, or Offset in Input"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nmodule: Fix kernel panic when a symbol st_shndx is out of bounds\n\nThe module loader doesn\u0027t check for bounds of the ELF section index in\nsimplify_symbols():\n\n for (i = 1; i \u003c symsec-\u003esh_size / sizeof(Elf_Sym); i++) {\n\t\tconst char *name = info-\u003estrtab + sym[i].st_name;\n\n\t\tswitch (sym[i].st_shndx) {\n\t\tcase SHN_COMMON:\n\n\t\t[...]\n\n\t\tdefault:\n\t\t\t/* Divert to percpu allocation if a percpu var. */\n\t\t\tif (sym[i].st_shndx == info-\u003eindex.pcpu)\n\t\t\t\tsecbase = (unsigned long)mod_percpu(mod);\n\t\t\telse\n /** HERE --\u003e **/\t\tsecbase = info-\u003esechdrs[sym[i].st_shndx].sh_addr;\n\t\t\tsym[i].st_value += secbase;\n\t\t\tbreak;\n\t\t}\n\t}\n\nA symbol with an out-of-bounds st_shndx value, for example 0xffff\n(known as SHN_XINDEX or SHN_HIRESERVE), may cause a kernel panic:\n\n BUG: unable to handle page fault for address: ...\n RIP: 0010:simplify_symbols+0x2b2/0x480\n ...\n Kernel panic - not syncing: Fatal exception\n\nThis can happen when module ELF is legitimately using SHN_XINDEX or\nwhen it is corrupted.\n\nAdd a bounds check in simplify_symbols() to validate that st_shndx is\nwithin the valid range before using it.\n\nThis issue was discovered due to a bug in llvm-objcopy, see relevant\ndiscussion for details [1].\n\n[1] https://lore.kernel.org/linux-modules/20251224005752.201911-1-ihor.solodrai@linux.dev/",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.0,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2026-31521"
},
{
"cve": "CVE-2026-31533",
"cwe": {
"id": "CWE-763",
"name": "Release of Invalid Pointer or Reference"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/tls: fix use-after-free in -EBUSY error path of tls_do_encryption\n\nThe -EBUSY handling in tls_do_encryption(), introduced by commit\n859054147318 (\"net: tls: handle backlogging of crypto requests\"), has\na use-after-free due to double cleanup of encrypt_pending and the\nscatterlist entry.\n\nWhen crypto_aead_encrypt() returns -EBUSY, the request is enqueued to\nthe cryptd backlog and the async callback tls_encrypt_done() will be\ninvoked upon completion. That callback unconditionally restores the\nscatterlist entry (sge-\u003eoffset, sge-\u003elength) and decrements\nctx-\u003eencrypt_pending. However, if tls_encrypt_async_wait() returns an\nerror, the synchronous error path in tls_do_encryption() performs the\nsame cleanup again, double-decrementing encrypt_pending and\ndouble-restoring the scatterlist.\n\nThe double-decrement corrupts the encrypt_pending sentinel (initialized\nto 1), making tls_encrypt_async_wait() permanently skip the wait for\npending async callbacks. A subsequent sendmsg can then free the\ntls_rec via bpf_exec_tx_verdict() while a cryptd callback is still\npending, resulting in a use-after-free when the callback fires on the\nfreed record.\n\nFix this by skipping the synchronous cleanup when the -EBUSY async\nwait returns an error, since the callback has already handled\nencrypt_pending and sge restoration.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2026-31533"
},
{
"cve": "CVE-2026-31546",
"cwe": {
"id": "CWE-476",
"name": "NULL Pointer Dereference"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: bonding: fix NULL deref in bond_debug_rlb_hash_show\n\nrlb_clear_slave intentionally keeps RLB hash-table entries on\nthe rx_hashtbl_used_head list with slave set to NULL when no\nreplacement slave is available. However, bond_debug_rlb_hash_show\nvisites client_info-\u003eslave without checking if it\u0027s NULL.\n\nOther used-list iterators in bond_alb.c already handle this NULL-slave\nstate safely:\n\n- rlb_update_client returns early on !client_info-\u003eslave\n- rlb_req_update_slave_clients, rlb_clear_slave, and rlb_rebalance\ncompare slave values before visiting\n- lb_req_update_subnet_clients continues if slave is NULL\n\nThe following NULL deref crash can be trigger in\nbond_debug_rlb_hash_show:\n\n[ 1.289791] BUG: kernel NULL pointer dereference, address: 0000000000000000\n[ 1.292058] RIP: 0010:bond_debug_rlb_hash_show (drivers/net/bonding/bond_debugfs.c:41)\n[ 1.293101] RSP: 0018:ffffc900004a7d00 EFLAGS: 00010286\n[ 1.293333] RAX: 0000000000000000 RBX: ffff888102b48200 RCX: ffff888102b48204\n[ 1.293631] RDX: ffff888102b48200 RSI: ffffffff839daad5 RDI: ffff888102815078\n[ 1.293924] RBP: ffff888102815078 R08: ffff888102b4820e R09: 0000000000000000\n[ 1.294267] R10: 0000000000000000 R11: 0000000000000000 R12: ffff888100f929c0\n[ 1.294564] R13: ffff888100f92a00 R14: 0000000000000001 R15: ffffc900004a7ed8\n[ 1.294864] FS: 0000000001395380(0000) GS:ffff888196e75000(0000) knlGS:0000000000000000\n[ 1.295239] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 1.295480] CR2: 0000000000000000 CR3: 0000000102adc004 CR4: 0000000000772ef0\n[ 1.295897] Call Trace:\n[ 1.296134] seq_read_iter (fs/seq_file.c:231)\n[ 1.296341] seq_read (fs/seq_file.c:164)\n[ 1.296493] full_proxy_read (fs/debugfs/file.c:378 (discriminator 1))\n[ 1.296658] vfs_read (fs/read_write.c:572)\n[ 1.296981] ksys_read (fs/read_write.c:717)\n[ 1.297132] do_syscall_64 (arch/x86/entry/syscall_64.c:63 (discriminator 1) arch/x86/entry/syscall_64.c:94 (discriminator 1))\n[ 1.297325] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)\n\nAdd a NULL check and print \"(none)\" for entries with no assigned slave.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2026-31546"
},
{
"cve": "CVE-2026-31555",
"cwe": {
"id": "CWE-825",
"name": "Expired Pointer Dereference"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nfutex: Clear stale exiting pointer in futex_lock_pi() retry path\n\nFuzzying/stressing futexes triggered:\n\n WARNING: kernel/futex/core.c:825 at wait_for_owner_exiting+0x7a/0x80, CPU#11: futex_lock_pi_s/524\n\nWhen futex_lock_pi_atomic() sees the owner is exiting, it returns -EBUSY\nand stores a refcounted task pointer in \u0027exiting\u0027.\n\nAfter wait_for_owner_exiting() consumes that reference, the local pointer\nis never reset to nil. Upon a retry, if futex_lock_pi_atomic() returns a\ndifferent error, the bogus pointer is passed to wait_for_owner_exiting().\n\n CPU0\t\t\t CPU1\t\t CPU2\n futex_lock_pi(uaddr)\n // acquires the PI futex\n exit()\n futex_cleanup_begin()\n futex_state = EXITING;\n\t\t\t futex_lock_pi(uaddr)\n\t\t\t futex_lock_pi_atomic()\n\t\t\t\t attach_to_pi_owner()\n\t\t\t\t // observes EXITING\n\t\t\t\t *exiting = owner; // takes ref\n\t\t\t\t return -EBUSY\n\t\t\t wait_for_owner_exiting(-EBUSY, owner)\n\t\t\t\t put_task_struct(); // drops ref\n\t\t\t // exiting still points to owner\n\t\t\t goto retry;\n\t\t\t futex_lock_pi_atomic()\n\t\t\t\t lock_pi_update_atomic()\n\t\t\t\t cmpxchg(uaddr)\n\t\t\t\t\t*uaddr ^= WAITERS // whatever\n\t\t\t\t // value changed\n\t\t\t\t return -EAGAIN;\n\t\t\t wait_for_owner_exiting(-EAGAIN, exiting) // stale\n\t\t\t\t WARN_ON_ONCE(exiting)\n\nFix this by resetting upon retry, essentially aligning it with requeue_pi.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2026-31555"
},
{
"cve": "CVE-2026-31563",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: macb: Use dev_consume_skb_any() to free TX SKBs\n\nThe napi_consume_skb() function is not intended to be called in an IRQ\ndisabled context. However, after commit 6bc8a5098bf4 (\"net: macb: Fix\ntx_ptr_lock locking\"), the freeing of TX SKBs is performed with IRQs\ndisabled. To resolve the following call trace, use dev_consume_skb_any()\nfor freeing TX SKBs:\n WARNING: kernel/softirq.c:430 at __local_bh_enable_ip+0x174/0x188, CPU#0: ksoftirqd/0/15\n Modules linked in:\n CPU: 0 UID: 0 PID: 15 Comm: ksoftirqd/0 Not tainted 7.0.0-rc4-next-20260319-yocto-standard-dirty #37 PREEMPT\n Hardware name: ZynqMP ZCU102 Rev1.1 (DT)\n pstate: 200000c5 (nzCv daIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n pc : __local_bh_enable_ip+0x174/0x188\n lr : local_bh_enable+0x24/0x38\n sp : ffff800082b3bb10\n x29: ffff800082b3bb10 x28: ffff0008031f3c00 x27: 000000000011ede0\n x26: ffff000800a7ff00 x25: ffff800083937ce8 x24: 0000000000017a80\n x23: ffff000803243a78 x22: 0000000000000040 x21: 0000000000000000\n x20: ffff000800394c80 x19: 0000000000000200 x18: 0000000000000001\n x17: 0000000000000001 x16: ffff000803240000 x15: 0000000000000000\n x14: ffffffffffffffff x13: 0000000000000028 x12: ffff000800395650\n x11: ffff8000821d1528 x10: ffff800081c2bc08 x9 : ffff800081c1e258\n x8 : 0000000100000301 x7 : ffff8000810426ec x6 : 0000000000000000\n x5 : 0000000000000001 x4 : 0000000000000001 x3 : 0000000000000000\n x2 : 0000000000000008 x1 : 0000000000000200 x0 : ffff8000810428dc\n Call trace:\n __local_bh_enable_ip+0x174/0x188 (P)\n local_bh_enable+0x24/0x38\n skb_attempt_defer_free+0x190/0x1d8\n napi_consume_skb+0x58/0x108\n macb_tx_poll+0x1a4/0x558\n __napi_poll+0x50/0x198\n net_rx_action+0x1f4/0x3d8\n handle_softirqs+0x16c/0x560\n run_ksoftirqd+0x44/0x80\n smpboot_thread_fn+0x1d8/0x338\n kthread+0x120/0x150\n ret_from_fork+0x10/0x20\n irq event stamp: 29751\n hardirqs last enabled at (29750): [\u003cffff8000813be184\u003e] _raw_spin_unlock_irqrestore+0x44/0x88\n hardirqs last disabled at (29751): [\u003cffff8000813bdf60\u003e] _raw_spin_lock_irqsave+0x38/0x98\n softirqs last enabled at (29150): [\u003cffff8000800f1aec\u003e] handle_softirqs+0x504/0x560\n softirqs last disabled at (29153): [\u003cffff8000800f2fec\u003e] run_ksoftirqd+0x44/0x80",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2026-31563"
},
{
"cve": "CVE-2026-31565",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/irdma: Fix deadlock during netdev reset with active connections\n\nResolve deadlock that occurs when user executes netdev reset while RDMA\napplications (e.g., rping) are active. The netdev reset causes ice\ndriver to remove irdma auxiliary driver, triggering device_delete and\nsubsequent client removal. During client removal, uverbs_client waits\nfor QP reference count to reach zero while cma_client holds the final\nreference, creating circular dependency and indefinite wait in iWARP\nmode. Skip QP reference count wait during device reset to prevent\ndeadlock.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2026-31565"
},
{
"cve": "CVE-2026-31628",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/CPU: Fix FPDSS on Zen1\n\nZen1\u0027s hardware divider can leave, under certain circumstances, partial\nresults from previous operations. Those results can be leaked by\nanother, attacker thread.\n\nFix that with a chicken bit.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2026-31628"
},
{
"cve": "CVE-2026-31634",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nrxrpc: fix reference count leak in rxrpc_server_keyring()\n\nThis patch fixes a reference count leak in rxrpc_server_keyring()\nby checking if rx-\u003esecurities is already set.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2026-31634"
},
{
"cve": "CVE-2026-31649",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: stmmac: fix integer underflow in chain mode\n\nThe jumbo_frm() chain-mode implementation unconditionally computes\n\n len = nopaged_len - bmax;\n\nwhere nopaged_len = skb_headlen(skb) (linear bytes only) and bmax is\nBUF_SIZE_8KiB or BUF_SIZE_2KiB. However, the caller stmmac_xmit()\ndecides to invoke jumbo_frm() based on skb-\u003elen (total length including\npage fragments):\n\n is_jumbo = stmmac_is_jumbo_frm(priv, skb-\u003elen, enh_desc);\n\nWhen a packet has a small linear portion (nopaged_len \u003c= bmax) but a\nlarge total length due to page fragments (skb-\u003elen \u003e bmax), the\nsubtraction wraps as an unsigned integer, producing a huge len value\n(~0xFFFFxxxx). This causes the while (len != 0) loop to execute\nhundreds of thousands of iterations, passing skb-\u003edata + bmax * i\npointers far beyond the skb buffer to dma_map_single(). On IOMMU-less\nSoCs (the typical deployment for stmmac), this maps arbitrary kernel\nmemory to the DMA engine, constituting a kernel memory disclosure and\npotential memory corruption from hardware.\n\nFix this by introducing a buf_len local variable clamped to\nmin(nopaged_len, bmax). Computing len = nopaged_len - buf_len is then\nalways safe: it is zero when the linear portion fits within a single\ndescriptor, causing the while (len != 0) loop to be skipped naturally,\nand the fragment loop in stmmac_xmit() handles page fragments afterward.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2026-31649"
},
{
"cve": "CVE-2026-31651",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nmmc: vub300: fix NULL-deref on disconnect\n\nMake sure to deregister the controller before dropping the reference to\nthe driver data on disconnect to avoid NULL-pointer dereferences or\nuse-after-free.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2026-31651"
},
{
"cve": "CVE-2026-31658",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: altera-tse: fix skb leak on DMA mapping error in tse_start_xmit()\n\nWhen dma_map_single() fails in tse_start_xmit(), the function returns\nNETDEV_TX_OK without freeing the skb. Since NETDEV_TX_OK tells the\nstack the packet was consumed, the skb is never freed, leaking memory\non every DMA mapping failure.\n\nAdd dev_kfree_skb_any() before returning to properly free the skb.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2026-31658"
},
{
"cve": "CVE-2026-31664",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nxfrm: clear trailing padding in build_polexpire()\n\nbuild_expire() clears the trailing padding bytes of struct\nxfrm_user_expire after setting the hard field via memset_after(),\nbut the analogous function build_polexpire() does not do this for\nstruct xfrm_user_polexpire.\n\nThe padding bytes after the __u8 hard field are left\nuninitialized from the heap allocation, and are then sent to\nuserspace via netlink multicast to XFRMNLGRP_EXPIRE listeners,\nleaking kernel heap memory contents.\n\nAdd the missing memset_after() call, matching build_expire().",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2026-31664"
},
{
"cve": "CVE-2026-31665",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nft_ct: fix use-after-free in timeout object destroy\n\nnft_ct_timeout_obj_destroy() frees the timeout object with kfree()\nimmediately after nf_ct_untimeout(), without waiting for an RCU grace\nperiod. Concurrent packet processing on other CPUs may still hold\nRCU-protected references to the timeout object obtained via\nrcu_dereference() in nf_ct_timeout_data().\n\nAdd an rcu_head to struct nf_ct_timeout and use kfree_rcu() to defer\nfreeing until after an RCU grace period, matching the approach already\nused in nfnetlink_cttimeout.c.\n\nKASAN report:\n BUG: KASAN: slab-use-after-free in nf_conntrack_tcp_packet+0x1381/0x29d0\n Read of size 4 at addr ffff8881035fe19c by task exploit/80\n\n Call Trace:\n nf_conntrack_tcp_packet+0x1381/0x29d0\n nf_conntrack_in+0x612/0x8b0\n nf_hook_slow+0x70/0x100\n __ip_local_out+0x1b2/0x210\n tcp_sendmsg_locked+0x722/0x1580\n __sys_sendto+0x2d8/0x320\n\n Allocated by task 75:\n nft_ct_timeout_obj_init+0xf6/0x290\n nft_obj_init+0x107/0x1b0\n nf_tables_newobj+0x680/0x9c0\n nfnetlink_rcv_batch+0xc29/0xe00\n\n Freed by task 26:\n nft_obj_destroy+0x3f/0xa0\n nf_tables_trans_destroy_work+0x51c/0x5c0\n process_one_work+0x2c4/0x5a0",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2026-31665"
},
{
"cve": "CVE-2026-31669",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: fix slab-use-after-free in __inet_lookup_established\n\nThe ehash table lookups are lockless and rely on\nSLAB_TYPESAFE_BY_RCU to guarantee socket memory stability\nduring RCU read-side critical sections. Both tcp_prot and\ntcpv6_prot have their slab caches created with this flag\nvia proto_register().\n\nHowever, MPTCP\u0027s mptcp_subflow_init() copies tcpv6_prot into\ntcpv6_prot_override during inet_init() (fs_initcall, level 5),\nbefore inet6_init() (module_init/device_initcall, level 6) has\ncalled proto_register(\u0026tcpv6_prot). At that point,\ntcpv6_prot.slab is still NULL, so tcpv6_prot_override.slab\nremains NULL permanently.\n\nThis causes MPTCP v6 subflow child sockets to be allocated via\nkmalloc (falling into kmalloc-4k) instead of the TCPv6 slab\ncache. The kmalloc-4k cache lacks SLAB_TYPESAFE_BY_RCU, so\nwhen these sockets are freed without SOCK_RCU_FREE (which is\ncleared for child sockets by design), the memory can be\nimmediately reused. Concurrent ehash lookups under\nrcu_read_lock can then access freed memory, triggering a\nslab-use-after-free in __inet_lookup_established.\n\nFix this by splitting the IPv6-specific initialization out of\nmptcp_subflow_init() into a new mptcp_subflow_v6_init(), called\nfrom mptcp_proto_v6_init() before protocol registration. This\nensures tcpv6_prot_override.slab correctly inherits the\nSLAB_TYPESAFE_BY_RCU slab cache.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2026-31669"
},
{
"cve": "CVE-2026-31670",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: rfkill: prevent unlimited numbers of rfkill events from being created\n\nUserspace can create an unlimited number of rfkill events if the system\nis so configured, while not consuming them from the rfkill file\ndescriptor, causing a potential out of memory situation. Prevent this\nfrom bounding the number of pending rfkill events at a \"large\" number\n(i.e. 1000) to prevent abuses like this.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2026-31670"
},
{
"cve": "CVE-2026-31671",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nxfrm_user: fix info leak in build_report()\n\nstruct xfrm_user_report is a __u8 proto field followed by a struct\nxfrm_selector which means there is three \"empty\" bytes of padding, but\nthe padding is never zeroed before copying to userspace. Fix that up by\nzeroing the structure before setting individual member variables.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2026-31671"
},
{
"cve": "CVE-2026-31674",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: ip6t_rt: reject oversized addrnr in rt_mt6_check()\n\nReject rt match rules whose addrnr exceeds IP6T_RT_HOPS.\n\nrt_mt6() expects addrnr to stay within the bounds of rtinfo-\u003eaddrs[].\nValidate addrnr during rule installation so malformed rules are rejected\nbefore the match logic can use an out-of-range value.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2026-31674"
},
{
"cve": "CVE-2026-31680",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ipv6: flowlabel: defer exclusive option free until RCU teardown\n\n`ip6fl_seq_show()` walks the global flowlabel hash under the seq-file\nRCU read-side lock and prints `fl-\u003eopt-\u003eopt_nflen` when an option block\nis present.\n\nExclusive flowlabels currently free `fl-\u003eopt` as soon as `fl-\u003eusers`\ndrops to zero in `fl_release()`. However, the surrounding\n`struct ip6_flowlabel` remains visible in the global hash table until\nlater garbage collection removes it and `fl_free_rcu()` finally tears it\ndown.\n\nA concurrent `/proc/net/ip6_flowlabel` reader can therefore race that\nearly `kfree()` and dereference freed option state, triggering a crash\nin `ip6fl_seq_show()`.\n\nFix this by keeping `fl-\u003eopt` alive until `fl_free_rcu()`. That matches\nthe lifetime already required for the enclosing flowlabel while readers\ncan still reach it under RCU.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2026-31680"
},
{
"cve": "CVE-2026-31682",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nbridge: br_nd_send: linearize skb before parsing ND options\n\nbr_nd_send() parses neighbour discovery options from ns-\u003eopt[] and\nassumes that these options are in the linear part of request.\n\nIts callers only guarantee that the ICMPv6 header and target address\nare available, so the option area can still be non-linear. Parsing\nns-\u003eopt[] in that case can access data past the linear buffer.\n\nLinearize request before option parsing and derive ns from the linear\nnetwork header.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2026-31682"
},
{
"cve": "CVE-2026-31737",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ftgmac100: fix ring allocation unwind on open failure\n\nftgmac100_alloc_rings() allocates rx_skbs, tx_skbs, rxdes, txdes, and\nrx_scratch in stages. On intermediate failures it returned -ENOMEM\ndirectly, leaking resources allocated earlier in the function.\n\nRework the failure path to use staged local unwind labels and free\nallocated resources in reverse order before returning -ENOMEM. This\nmatches common netdev allocation cleanup style.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2026-31737"
},
{
"cve": "CVE-2026-31752",
"cwe": {
"id": "CWE-805",
"name": "Buffer Access with Incorrect Length Value"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nbridge: br_nd_send: validate ND option lengths\n\nbr_nd_send() walks ND options according to option-provided lengths.\nA malformed option can make the parser advance beyond the computed\noption span or use a too-short source LLADDR option payload.\n\nValidate option lengths against the remaining NS option area before\nadvancing, and only read source LLADDR when the option is large enough\nfor an Ethernet address.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.0,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2026-31752"
},
{
"cve": "CVE-2026-31761",
"cwe": {
"id": "CWE-367",
"name": "Time-of-check Time-of-use (TOCTOU) Race Condition"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\niio: gyro: mpu3050: Move iio_device_register() to correct location\n\niio_device_register() should be at the end of the probe function to\nprevent race conditions.\n\nPlace iio_device_register() at the end of the probe function and place\niio_device_unregister() accordingly.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2026-31761"
},
{
"cve": "CVE-2026-31768",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\niio: adc: ti-adc161s626: use DMA-safe memory for spi_read()\n\nAdd a DMA-safe buffer and use it for spi_read() instead of a stack\nmemory. All SPI buffers must be DMA-safe.\n\nSince we only need up to 3 bytes, we just use a u8[] instead of __be16\nand __be32 and change the conversion functions appropriately.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2026-31768"
},
{
"cve": "CVE-2026-40355",
"cwe": {
"id": "CWE-476",
"name": "NULL Pointer Dereference"
},
"notes": [
{
"category": "description",
"text": "In MIT Kerberos 5 (aka krb5) before 1.22.3, there is a NULL pointer dereference if an application calls gss_accept_sec_context() on a system with a NegoEx mechanism registered in /etc/gss/mech. An unauthenticated remote attacker can trigger this, causing the process to terminate in parse_nego_message.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2026-40355"
},
{
"cve": "CVE-2026-41989",
"cwe": {
"id": "CWE-787",
"name": "Out-of-bounds Write"
},
"notes": [
{
"category": "description",
"text": "Libgcrypt before 1.12.2 sometimes allows a heap-based buffer overflow and denial of service via crafted ECDH ciphertext to gcry_pk_decrypt.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.7,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2026-41989"
},
{
"cve": "CVE-2026-43011",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/x25: Fix potential double free of skb\n\nWhen alloc_skb fails in x25_queue_rx_frame it calls kfree_skb(skb) at\nline 48 and returns 1 (error).\nThis error propagates back through the call chain:\n\nx25_queue_rx_frame returns 1\n |\n v\nx25_state3_machine receives the return value 1 and takes the else\nbranch at line 278, setting queued=0 and returning 0\n |\n v\nx25_process_rx_frame returns queued=0\n |\n v\nx25_backlog_rcv at line 452 sees queued=0 and calls kfree_skb(skb)\nagain\n\nThis would free the same skb twice. Looking at x25_backlog_rcv:\n\nnet/x25/x25_in.c:x25_backlog_rcv() {\n ...\n queued = x25_process_rx_frame(sk, skb);\n ...\n if (!queued)\n kfree_skb(skb);\n}",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2026-43011"
},
{
"cve": "CVE-2026-43024",
"cwe": {
"id": "CWE-115",
"name": "Misinterpretation of Input"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: reject immediate NF_QUEUE verdict\n\nnft_queue is always used from userspace nftables to deliver the NF_QUEUE\nverdict. Immediately emitting an NF_QUEUE verdict is never used by the\nuserspace nft tools, so reject immediate NF_QUEUE verdicts.\n\nThe arp family does not provide queue support, but such an immediate\nverdict is still reachable. Globally reject NF_QUEUE immediate verdicts\nto address this issue.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2026-43024"
},
{
"cve": "CVE-2026-43025",
"cwe": {
"id": "CWE-125",
"name": "Out-of-bounds Read"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: ctnetlink: ignore explicit helper on new expectations\n\nUse the existing master conntrack helper, anything else is not really\nsupported and it just makes validation more complicated, so just ignore\nwhat helper userspace suggests for this expectation.\n\nThis was uncovered when validating CTA_EXPECT_CLASS via different helper\nprovided by userspace than the existing master conntrack helper:\n\n BUG: KASAN: slab-out-of-bounds in nf_ct_expect_related_report+0x2479/0x27c0\n Read of size 4 at addr ffff8880043fe408 by task poc/102\n Call Trace:\n nf_ct_expect_related_report+0x2479/0x27c0\n ctnetlink_create_expect+0x22b/0x3b0\n ctnetlink_new_expect+0x4bd/0x5c0\n nfnetlink_rcv_msg+0x67a/0x950\n netlink_rcv_skb+0x120/0x350\n\nAllowing to read kernel memory bytes off the expectation boundary.\n\nCTA_EXPECT_HELP_NAME is still used to offer the helper name to userspace\nvia netlink dump.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.3,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2026-43025"
},
{
"cve": "CVE-2026-43026",
"cwe": {
"id": "CWE-824",
"name": "Access of Uninitialized Pointer"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: ctnetlink: zero expect NAT fields when CTA_EXPECT_NAT absent\n\nctnetlink_alloc_expect() allocates expectations from a non-zeroing\nslab cache via nf_ct_expect_alloc(). When CTA_EXPECT_NAT is not\npresent in the netlink message, saved_addr and saved_proto are\nnever initialized. Stale data from a previous slab occupant can\nthen be dumped to userspace by ctnetlink_exp_dump_expect(), which\nchecks these fields to decide whether to emit CTA_EXPECT_NAT.\n\nThe safe sibling nf_ct_expect_init(), used by the packet path,\nexplicitly zeroes these fields.\n\nZero saved_addr, saved_proto and dir in the else branch, guarded\nby IS_ENABLED(CONFIG_NF_NAT) since these fields only exist when\nNAT is enabled.\n\nConfirmed by priming the expect slab with NAT-bearing expectations,\nfreeing them, creating a new expectation without CTA_EXPECT_NAT,\nand observing that the ctnetlink dump emits a spurious\nCTA_EXPECT_NAT containing stale data from the prior allocation.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2026-43026"
},
{
"cve": "CVE-2026-43027",
"cwe": {
"id": "CWE-459",
"name": "Incomplete Cleanup"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_conntrack_helper: pass helper to expect cleanup\n\nnf_conntrack_helper_unregister() calls nf_ct_expect_iterate_destroy()\nto remove expectations belonging to the helper being unregistered.\nHowever, it passes NULL instead of the helper pointer as the data\nargument, so expect_iter_me() never matches any expectation and all\nof them survive the cleanup.\n\nAfter unregister returns, nfnl_cthelper_del() frees the helper\nobject immediately. Subsequent expectation dumps or packet-driven\ninit_conntrack() calls then dereference the freed exp-\u003ehelper,\ncausing a use-after-free.\n\nPass the actual helper pointer so expectations referencing it are\nproperly destroyed before the helper object is freed.\n\n BUG: KASAN: slab-use-after-free in string+0x38f/0x430\n Read of size 1 at addr ffff888003b14d20 by task poc/103\n Call Trace:\n string+0x38f/0x430\n vsnprintf+0x3cc/0x1170\n seq_printf+0x17a/0x240\n exp_seq_show+0x2e5/0x560\n seq_read_iter+0x419/0x1280\n proc_reg_read+0x1ac/0x270\n vfs_read+0x179/0x930\n ksys_read+0xef/0x1c0\n Freed by task 103:\n The buggy address is located 32 bytes inside of\n freed 192-byte region [ffff888003b14d00, ffff888003b14dc0)",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2026-43027"
},
{
"cve": "CVE-2026-43028",
"cwe": {
"id": "CWE-170",
"name": "Improper Null Termination"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: x_tables: ensure names are nul-terminated\n\nReject names that lack a \\0 character before feeding them\nto functions that expect c-strings.\n\nFixes tag is the most recent commit that needs this change.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2026-43028"
},
{
"cve": "CVE-2026-43030",
"cwe": {
"id": "CWE-372",
"name": "Incomplete Internal State Distinction"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix regsafe() for pointers to packet\n\nIn case rold-\u003ereg-\u003erange == BEYOND_PKT_END \u0026\u0026 rcur-\u003ereg-\u003erange == N\nregsafe() may return true which may lead to current state with\nvalid packet range not being explored. Fix the bug.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2026-43030"
},
{
"cve": "CVE-2026-43033",
"cwe": {
"id": "CWE-237",
"name": "Improper Handling of Structural Elements"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: authencesn - Do not place hiseq at end of dst for out-of-place decryption\n\nWhen decrypting data that is not in-place (src != dst), there is\nno need to save the high-order sequence bits in dst as it could\nsimply be re-copied from the source.\n\nHowever, the data to be hashed need to be rearranged accordingly.\n\n\nThanks,",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2026-43033"
},
{
"cve": "CVE-2026-43035",
"cwe": {
"id": "CWE-908",
"name": "Use of Uninitialized Resource"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: sched: cls_api: fix tc_chain_fill_node to initialize tcm_info to zero to prevent an info-leak\n\nWhen building netlink messages, tc_chain_fill_node() never initializes\nthe tcm_info field of struct tcmsg. Since the allocation is not zeroed,\nkernel heap memory is leaked to userspace through this 4-byte field.\n\nThe fix simply zeroes tcm_info alongside the other fields that are\nalready initialized.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2026-43035"
},
{
"cve": "CVE-2026-43038",
"cwe": {
"id": "CWE-843",
"name": "Access of Resource Using Incompatible Type (\u0027Type Confusion\u0027)"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: icmp: clear skb2-\u003ecb[] in ip6_err_gen_icmpv6_unreach()\n\nSashiko AI-review observed:\n\n In ip6_err_gen_icmpv6_unreach(), the skb is an outer IPv4 ICMP error packet\n where its cb contains an IPv4 inet_skb_parm. When skb is cloned into skb2\n and passed to icmp6_send(), it uses IP6CB(skb2).\n\n IP6CB interprets the IPv4 inet_skb_parm as an inet6_skb_parm. The cipso\n offset in inet_skb_parm.opt directly overlaps with dsthao in inet6_skb_parm\n at offset 18.\n\n If an attacker sends a forged ICMPv4 error with a CIPSO IP option, dsthao\n would be a non-zero offset. Inside icmp6_send(), mip6_addr_swap() is called\n and uses ipv6_find_tlv(skb, opt-\u003edsthao, IPV6_TLV_HAO).\n\n This would scan the inner, attacker-controlled IPv6 packet starting at that\n offset, potentially returning a fake TLV without checking if the remaining\n packet length can hold the full 18-byte struct ipv6_destopt_hao.\n\n Could mip6_addr_swap() then perform a 16-byte swap that extends past the end\n of the packet data into skb_shared_info?\n\n Should the cb array also be cleared in ip6_err_gen_icmpv6_unreach() and\n ip6ip6_err() to prevent this?\n\nThis patch implements the first suggestion.\n\nI am not sure if ip6ip6_err() needs to be changed.\nA separate patch would be better anyway.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2026-43038"
},
{
"cve": "CVE-2026-43040",
"cwe": {
"id": "CWE-909",
"name": "Missing Initialization of Resource"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ipv6: ndisc: fix ndisc_ra_useropt to initialize nduseropt_padX fields to zero to prevent an info-leak\n\nWhen processing Router Advertisements with user options the kernel\nbuilds an RTM_NEWNDUSEROPT netlink message. The nduseroptmsg struct\nhas three padding fields that are never zeroed and can leak kernel data\n\nThe fix is simple, just zeroes the padding fields.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.0,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2026-43040"
},
{
"cve": "CVE-2026-43057",
"cwe": {
"id": "CWE-358",
"name": "Improperly Implemented Security Check for Standard"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: correctly handle tunneled traffic on IPV6_CSUM GSO fallback\n\nNETIF_F_IPV6_CSUM only advertises support for checksum offload of\npackets without IPv6 extension headers. Packets with extension\nheaders must fall back onto software checksumming. Since TSO\ndepends on checksum offload, those must revert to GSO.\n\nThe below commit introduces that fallback. It always checks\nnetwork header length. For tunneled packets, the inner header length\nmust be checked instead. Extend the check accordingly.\n\nA special case is tunneled packets without inner IP protocol. Such as\nRFC 6951 SCTP in UDP. Those are not standard IPv6 followed by\ntransport header either, so also must revert to the software GSO path.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2026-43057"
},
{
"cve": "CVE-2026-43284",
"cwe": {
"id": "CWE-123",
"name": "Write-what-where Condition"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nxfrm: esp: avoid in-place decrypt on shared skb frags\n\nMSG_SPLICE_PAGES can attach pages from a pipe directly to an skb. TCP\nmarks such skbs with SKBFL_SHARED_FRAG after skb_splice_from_iter(),\nso later paths that may modify packet data can first make a private\ncopy. The IPv4/IPv6 datagram append paths did not set this flag when\nsplicing pages into UDP skbs.\n\nThat leaves an ESP-in-UDP packet made from shared pipe pages looking\nlike an ordinary uncloned nonlinear skb. ESP input then takes the no-COW\nfast path for uncloned skbs without a frag_list and decrypts in place\nover data that is not owned privately by the skb.\n\nMark IPv4/IPv6 datagram splice frags with SKBFL_SHARED_FRAG, matching\nTCP. Also make ESP input fall back to skb_cow_data() when the flag is\npresent, so ESP does not decrypt externally backed frags in place.\nPrivate nonlinear skb frags still use the existing fast path.\n\nThis intentionally does not change ESP output. In esp_output_head(),\nthe path that appends the ESP trailer to existing skb tailroom without\ncalling skb_cow_data() is not reachable for nonlinear skbs:\nskb_tailroom() returns zero when skb-\u003edata_len is nonzero, while ESP\ntailen is positive. Thus ESP output will either use the separate\ndestination-frag path or fall back to skb_cow_data().",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2026-43284"
},
{
"cve": "CVE-2026-46174",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/CPU/AMD: Prevent improper isolation of shared resources in Zen2\u0027s op cache\n\nMake sure resources are not improperly shared in the op cache and\ncause instruction corruption this way.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2026-46174"
},
{
"cve": "CVE-2026-46300",
"cwe": {
"id": "CWE-123",
"name": "Write-what-where Condition"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: skbuff: preserve shared-frag marker during coalescing\n\nskb_try_coalesce() can attach paged frags from @from to @to. If @from\nhas SKBFL_SHARED_FRAG set, the resulting @to skb can contain the same\nexternally-owned or page-cache-backed frags, but the shared-frag marker\nis currently lost.\n\nThat breaks the invariant relied on by later in-place writers. In\nparticular, ESP input checks skb_has_shared_frag() before deciding\nwhether an uncloned nonlinear skb can skip skb_cow_data(). If TCP\nreceive coalescing has moved shared frags into an unmarked skb, ESP can\nsee skb_has_shared_frag() as false and decrypt in place over page-cache\nbacked frags.\n\nPropagate SKBFL_SHARED_FRAG when skb_try_coalesce() transfers paged\nfrags. The tailroom copy path does not need the marker because it copies\nbytes into @to\u0027s linear data rather than transferring frag descriptors.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2026-46300"
},
{
"cve": "CVE-2026-46333",
"cwe": {
"id": "CWE-269",
"name": "Improper Privilege Management"
},
"notes": [
{
"category": "description",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nptrace: slightly saner \u0027get_dumpable()\u0027 logic\n\nThe \u0027dumpability\u0027 of a task is fundamentally about the memory image of\nthe task - the concept comes from whether it can core dump or not - and\nmakes no sense when you don\u0027t have an associated mm.\n\nAnd almost all users do in fact use it only for the case where the task\nhas a mm pointer.\n\nBut we have one odd special case: ptrace_may_access() uses \u0027dumpable\u0027 to\ncheck various other things entirely independently of the MM (typically\nexplicitly using flags like PTRACE_MODE_READ_FSCREDS). Including for\nthreads that no longer have a VM (and maybe never did, like most kernel\nthreads).\n\nIt\u0027s not what this flag was designed for, but it is what it is.\n\nThe ptrace code does check that the uid/gid matches, so you do have to\nbe uid-0 to see kernel thread details, but this means that the\ntraditional \"drop capabilities\" model doesn\u0027t make any difference for\nthis all.\n\nMake it all make a *bit* more sense by saying that if you don\u0027t have a\nMM pointer, we\u0027ll use a cached \"last dumpability\" flag if the thread\never had a MM (it will be zero for kernel threads since it is never\nset), and require a proper CAP_SYS_PTRACE capability to override.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Limit access to the interactive shell of the additional GNU/Linux subssytem to trusted personnel only.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "mitigation",
"details": "Only build and run applications from trusted sources.",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
},
{
"category": "none_available",
"details": "Currently no fix is available",
"product_ids": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5"
]
}
],
"title": "CVE-2026-46333"
}
]
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.