23038 vulnerabilities found for linux_kernel by linux

CVE-2022-50424 (GCVE-0-2022-50424)

Vulnerability from nvd – Published: 2025-10-01 11:42 – Updated: 2025-10-01 11:42
Title
wifi: mt76: mt7921: resource leaks at mt7921_check_offload_capability()
Summary
In the Linux kernel, the following vulnerability has been resolved:

wifi: mt76: mt7921: resource leaks at mt7921_check_offload_capability()

Fixed coverity issue with resource leaks at variable "fw" going out of scope leaks the storage it points to mt7921_check_offload_capability().

Addresses-Coverity-ID: 1527806 ("Resource leaks")
Severity
No CVSS data available.
Assigner
Impacted products
Vendor Product Version
Linux Linux Affected: 034ae28b56f13dc1f2beb3fa294b455f57ede9cb , < ead3cffd7510dc635d84cd4ea9dd1974fcb69a35 (git)
Affected: 034ae28b56f13dc1f2beb3fa294b455f57ede9cb , < 47180ecf4541146836c5307c1d5526f8ac6a5a6d (git)
    Linux Linux Affected: 6.2
Unaffected: 0 , < 6.2 (semver)
Unaffected: 6.2.3 , ≤ 6.2.* (semver)
Unaffected: 6.3 , ≤ * (original_commit_for_fix)

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/wireless/mediatek/mt76/mt7921/init.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "ead3cffd7510dc635d84cd4ea9dd1974fcb69a35",
              "status": "affected",
              "version": "034ae28b56f13dc1f2beb3fa294b455f57ede9cb",
              "versionType": "git"
            },
            {
              "lessThan": "47180ecf4541146836c5307c1d5526f8ac6a5a6d",
              "status": "affected",
              "version": "034ae28b56f13dc1f2beb3fa294b455f57ede9cb",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/wireless/mediatek/mt76/mt7921/init.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.2"
            },
            {
              "lessThan": "6.2",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.2.*",
              "status": "unaffected",
              "version": "6.2.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.3",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.2.3",
                  "versionStartIncluding": "6.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.3",
                  "versionStartIncluding": "6.2",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mt76: mt7921: resource leaks at mt7921_check_offload_capability()\n\nFixed coverity issue with resource leaks at variable \"fw\" going out of\nscope leaks the storage it points to mt7921_check_offload_capability().\n\nAddresses-Coverity-ID: 1527806 (\"Resource leaks\")"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-10-01T11:42:03.912Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/ead3cffd7510dc635d84cd4ea9dd1974fcb69a35"
        },
        {
          "url": "https://git.kernel.org/stable/c/47180ecf4541146836c5307c1d5526f8ac6a5a6d"
        }
      ],
      "title": "wifi: mt76: mt7921: resource leaks at mt7921_check_offload_capability()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2022-50424",
    "datePublished": "2025-10-01T11:42:03.912Z",
    "dateReserved": "2025-09-17T14:53:07.004Z",
    "dateUpdated": "2025-10-01T11:42:03.912Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2022-50423 (GCVE-0-2022-50423)

Vulnerability from nvd – Published: 2025-10-01 11:41 – Updated: 2025-10-01 11:41
Title
ACPICA: Fix use-after-free in acpi_ut_copy_ipackage_to_ipackage()
Summary
In the Linux kernel, the following vulnerability has been resolved:

ACPICA: Fix use-after-free in acpi_ut_copy_ipackage_to_ipackage()

There is an use-after-free reported by KASAN:

  BUG: KASAN: use-after-free in acpi_ut_remove_reference+0x3b/0x82
  Read of size 1 at addr ffff888112afc460 by task modprobe/2111
  CPU: 0 PID: 2111 Comm: modprobe Not tainted 6.1.0-rc7-dirty
  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
  Call Trace:
   <TASK>
   kasan_report+0xae/0xe0
   acpi_ut_remove_reference+0x3b/0x82
   acpi_ut_copy_iobject_to_iobject+0x3be/0x3d5
   acpi_ds_store_object_to_local+0x15d/0x3a0
   acpi_ex_store+0x78d/0x7fd
   acpi_ex_opcode_1A_1T_1R+0xbe4/0xf9b
   acpi_ps_parse_aml+0x217/0x8d5
   ...
   </TASK>

The root cause of the problem is that the acpi_operand_object is freed when acpi_ut_walk_package_tree() fails in acpi_ut_copy_ipackage_to_ipackage(), lead to repeated release in acpi_ut_copy_iobject_to_iobject(). The problem was introduced by "8aa5e56eeb61" commit, this commit is to fix memory leak in acpi_ut_copy_iobject_to_iobject(), repeatedly adding remove operation, lead to "acpi_operand_object" used after free.

Fix it by removing acpi_ut_remove_reference() in acpi_ut_copy_ipackage_to_ipackage(). acpi_ut_copy_ipackage_to_ipackage() is called to copy an internal package object into another internal package object, when it fails, the memory of acpi_operand_object should be freed by the caller.
Severity
No CVSS data available.
Assigner
Impacted products
Vendor Product Version
Linux Linux Affected: 8aa5e56eeb61a099ea6519eb30ee399e1bc043ce , < 133462d35dae95edb944af86b986d4c9dec59bd1 (git)
Affected: 8aa5e56eeb61a099ea6519eb30ee399e1bc043ce , < 02f237423c9c6a18e062de2d474f85d5659e4eb9 (git)
Affected: 8aa5e56eeb61a099ea6519eb30ee399e1bc043ce , < c9125b643fc51b8e662f2f614096ceb45a0adbc3 (git)
Affected: 8aa5e56eeb61a099ea6519eb30ee399e1bc043ce , < dfdde4d5138bc023897033a5ac653a84e94805be (git)
Affected: 8aa5e56eeb61a099ea6519eb30ee399e1bc043ce , < 02617006b5a46f2ea55ac61f5693c7afd7bf9276 (git)
Affected: 8aa5e56eeb61a099ea6519eb30ee399e1bc043ce , < 6fde666278f91b85d71545a0ebbf41d8d7af8074 (git)
Affected: 8aa5e56eeb61a099ea6519eb30ee399e1bc043ce , < f51b2235e4f320edc839c3e5cb0d1f8a6e8657c6 (git)
Affected: 8aa5e56eeb61a099ea6519eb30ee399e1bc043ce , < 01f2c2052ea50fb9a8ce12e4e83aed0267934ef0 (git)
Affected: 8aa5e56eeb61a099ea6519eb30ee399e1bc043ce , < 470188b09e92d83c5a997f25f0e8fb8cd2bc3469 (git)
Affected: b3e98f0c4f996cd53b80bad71f0d7e4a2cf3a4e8 (git)
Affected: 7af5504c102a378376101dbd160246b10a814dd0 (git)
Affected: e29a15484d7ea949e49ae7fb7e576a575da824a6 (git)
Affected: e2ab6731a36966d042a2d4dabd980496cd680f75 (git)
    Linux Linux Affected: 3.17
Unaffected: 0 , < 3.17 (semver)
Unaffected: 4.9.337 , ≤ 4.9.* (semver)
Unaffected: 4.14.303 , ≤ 4.14.* (semver)
Unaffected: 4.19.270 , ≤ 4.19.* (semver)
Unaffected: 5.4.229 , ≤ 5.4.* (semver)
Unaffected: 5.10.163 , ≤ 5.10.* (semver)
Unaffected: 5.15.86 , ≤ 5.15.* (semver)
Unaffected: 6.0.16 , ≤ 6.0.* (semver)
Unaffected: 6.1.2 , ≤ 6.1.* (semver)
Unaffected: 6.2 , ≤ * (original_commit_for_fix)

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/acpi/acpica/utcopy.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "133462d35dae95edb944af86b986d4c9dec59bd1",
              "status": "affected",
              "version": "8aa5e56eeb61a099ea6519eb30ee399e1bc043ce",
              "versionType": "git"
            },
            {
              "lessThan": "02f237423c9c6a18e062de2d474f85d5659e4eb9",
              "status": "affected",
              "version": "8aa5e56eeb61a099ea6519eb30ee399e1bc043ce",
              "versionType": "git"
            },
            {
              "lessThan": "c9125b643fc51b8e662f2f614096ceb45a0adbc3",
              "status": "affected",
              "version": "8aa5e56eeb61a099ea6519eb30ee399e1bc043ce",
              "versionType": "git"
            },
            {
              "lessThan": "dfdde4d5138bc023897033a5ac653a84e94805be",
              "status": "affected",
              "version": "8aa5e56eeb61a099ea6519eb30ee399e1bc043ce",
              "versionType": "git"
            },
            {
              "lessThan": "02617006b5a46f2ea55ac61f5693c7afd7bf9276",
              "status": "affected",
              "version": "8aa5e56eeb61a099ea6519eb30ee399e1bc043ce",
              "versionType": "git"
            },
            {
              "lessThan": "6fde666278f91b85d71545a0ebbf41d8d7af8074",
              "status": "affected",
              "version": "8aa5e56eeb61a099ea6519eb30ee399e1bc043ce",
              "versionType": "git"
            },
            {
              "lessThan": "f51b2235e4f320edc839c3e5cb0d1f8a6e8657c6",
              "status": "affected",
              "version": "8aa5e56eeb61a099ea6519eb30ee399e1bc043ce",
              "versionType": "git"
            },
            {
              "lessThan": "01f2c2052ea50fb9a8ce12e4e83aed0267934ef0",
              "status": "affected",
              "version": "8aa5e56eeb61a099ea6519eb30ee399e1bc043ce",
              "versionType": "git"
            },
            {
              "lessThan": "470188b09e92d83c5a997f25f0e8fb8cd2bc3469",
              "status": "affected",
              "version": "8aa5e56eeb61a099ea6519eb30ee399e1bc043ce",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "b3e98f0c4f996cd53b80bad71f0d7e4a2cf3a4e8",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "7af5504c102a378376101dbd160246b10a814dd0",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "e29a15484d7ea949e49ae7fb7e576a575da824a6",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "e2ab6731a36966d042a2d4dabd980496cd680f75",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/acpi/acpica/utcopy.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.17"
            },
            {
              "lessThan": "3.17",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.9.*",
              "status": "unaffected",
              "version": "4.9.337",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.14.*",
              "status": "unaffected",
              "version": "4.14.303",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.19.*",
              "status": "unaffected",
              "version": "4.19.270",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.229",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.163",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.86",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.0.*",
              "status": "unaffected",
              "version": "6.0.16",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.2",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.9.337",
                  "versionStartIncluding": "3.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.14.303",
                  "versionStartIncluding": "3.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.19.270",
                  "versionStartIncluding": "3.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.229",
                  "versionStartIncluding": "3.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.163",
                  "versionStartIncluding": "3.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.86",
                  "versionStartIncluding": "3.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.0.16",
                  "versionStartIncluding": "3.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.2",
                  "versionStartIncluding": "3.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.2",
                  "versionStartIncluding": "3.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "3.10.55",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "3.12.29",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "3.14.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "3.16.3",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nACPICA: Fix use-after-free in acpi_ut_copy_ipackage_to_ipackage()\n\nThere is an use-after-free reported by KASAN:\n\n  BUG: KASAN: use-after-free in acpi_ut_remove_reference+0x3b/0x82\n  Read of size 1 at addr ffff888112afc460 by task modprobe/2111\n  CPU: 0 PID: 2111 Comm: modprobe Not tainted 6.1.0-rc7-dirty\n  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),\n  Call Trace:\n   \u003cTASK\u003e\n   kasan_report+0xae/0xe0\n   acpi_ut_remove_reference+0x3b/0x82\n   acpi_ut_copy_iobject_to_iobject+0x3be/0x3d5\n   acpi_ds_store_object_to_local+0x15d/0x3a0\n   acpi_ex_store+0x78d/0x7fd\n   acpi_ex_opcode_1A_1T_1R+0xbe4/0xf9b\n   acpi_ps_parse_aml+0x217/0x8d5\n   ...\n   \u003c/TASK\u003e\n\nThe root cause of the problem is that the acpi_operand_object\nis freed when acpi_ut_walk_package_tree() fails in\nacpi_ut_copy_ipackage_to_ipackage(), lead to repeated release in\nacpi_ut_copy_iobject_to_iobject(). The problem was introduced\nby \"8aa5e56eeb61\" commit, this commit is to fix memory leak in\nacpi_ut_copy_iobject_to_iobject(), repeatedly adding remove\noperation, lead to \"acpi_operand_object\" used after free.\n\nFix it by removing acpi_ut_remove_reference() in\nacpi_ut_copy_ipackage_to_ipackage(). acpi_ut_copy_ipackage_to_ipackage()\nis called to copy an internal package object into another internal\npackage object, when it fails, the memory of acpi_operand_object\nshould be freed by the caller."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-10-01T11:41:56.083Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/133462d35dae95edb944af86b986d4c9dec59bd1"
        },
        {
          "url": "https://git.kernel.org/stable/c/02f237423c9c6a18e062de2d474f85d5659e4eb9"
        },
        {
          "url": "https://git.kernel.org/stable/c/c9125b643fc51b8e662f2f614096ceb45a0adbc3"
        },
        {
          "url": "https://git.kernel.org/stable/c/dfdde4d5138bc023897033a5ac653a84e94805be"
        },
        {
          "url": "https://git.kernel.org/stable/c/02617006b5a46f2ea55ac61f5693c7afd7bf9276"
        },
        {
          "url": "https://git.kernel.org/stable/c/6fde666278f91b85d71545a0ebbf41d8d7af8074"
        },
        {
          "url": "https://git.kernel.org/stable/c/f51b2235e4f320edc839c3e5cb0d1f8a6e8657c6"
        },
        {
          "url": "https://git.kernel.org/stable/c/01f2c2052ea50fb9a8ce12e4e83aed0267934ef0"
        },
        {
          "url": "https://git.kernel.org/stable/c/470188b09e92d83c5a997f25f0e8fb8cd2bc3469"
        }
      ],
      "title": "ACPICA: Fix use-after-free in acpi_ut_copy_ipackage_to_ipackage()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2022-50423",
    "datePublished": "2025-10-01T11:41:56.083Z",
    "dateReserved": "2025-09-17T14:53:07.004Z",
    "dateUpdated": "2025-10-01T11:41:56.083Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2022-50422 (GCVE-0-2022-50422)

Vulnerability from nvd – Published: 2025-10-01 11:41 – Updated: 2025-10-01 11:41
Title
scsi: libsas: Fix use-after-free bug in smp_execute_task_sg()
Summary
In the Linux kernel, the following vulnerability has been resolved:

scsi: libsas: Fix use-after-free bug in smp_execute_task_sg()

When executing SMP task failed, the smp_execute_task_sg() calls del_timer() to delete "slow_task->timer". However, if the timer handler sas_task_internal_timedout() is running, the del_timer() in smp_execute_task_sg() will not stop it and a UAF will happen. The process is shown below:

      (thread 1)               |        (thread 2)
smp_execute_task_sg()          | sas_task_internal_timedout()
 ...                           |
 del_timer()                   |
 ...                           |  ...
 sas_free_task(task)           |
  kfree(task->slow_task) //FREE|
                               |  task->slow_task->... //USE

Fix by calling del_timer_sync() in smp_execute_task_sg(), which makes sure the timer handler have finished before the "task->slow_task" is deallocated.
Severity
No CVSS data available.
Assigner
Impacted products
Vendor Product Version
Linux Linux Affected: 2908d778ab3e244900c310974e1fc1c69066e450 , < 117331a2a5227fb4369c2a1f321d3e3e2e2ef8fe (git)
Affected: 2908d778ab3e244900c310974e1fc1c69066e450 , < a9e5176ead6de64f572ad5c87a72825d9d3c82ae (git)
Affected: 2908d778ab3e244900c310974e1fc1c69066e450 , < e45a1516d2933703a4823d9db71e17c3abeba24f (git)
Affected: 2908d778ab3e244900c310974e1fc1c69066e450 , < f7a785177611ffc97d645fcbc196e6de6ad2421d (git)
Affected: 2908d778ab3e244900c310974e1fc1c69066e450 , < 2e12ce270f0d926085c1209cc90397e307deef97 (git)
Affected: 2908d778ab3e244900c310974e1fc1c69066e450 , < 46ba53c30666717cb06c2b3c5d896301cd00d0c0 (git)
    Linux Linux Affected: 2.6.19
Unaffected: 0 , < 2.6.19 (semver)
Unaffected: 5.4.220 , ≤ 5.4.* (semver)
Unaffected: 5.10.150 , ≤ 5.10.* (semver)
Unaffected: 5.15.75 , ≤ 5.15.* (semver)
Unaffected: 5.19.17 , ≤ 5.19.* (semver)
Unaffected: 6.0.3 , ≤ 6.0.* (semver)
Unaffected: 6.1 , ≤ * (original_commit_for_fix)

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/scsi/libsas/sas_expander.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "117331a2a5227fb4369c2a1f321d3e3e2e2ef8fe",
              "status": "affected",
              "version": "2908d778ab3e244900c310974e1fc1c69066e450",
              "versionType": "git"
            },
            {
              "lessThan": "a9e5176ead6de64f572ad5c87a72825d9d3c82ae",
              "status": "affected",
              "version": "2908d778ab3e244900c310974e1fc1c69066e450",
              "versionType": "git"
            },
            {
              "lessThan": "e45a1516d2933703a4823d9db71e17c3abeba24f",
              "status": "affected",
              "version": "2908d778ab3e244900c310974e1fc1c69066e450",
              "versionType": "git"
            },
            {
              "lessThan": "f7a785177611ffc97d645fcbc196e6de6ad2421d",
              "status": "affected",
              "version": "2908d778ab3e244900c310974e1fc1c69066e450",
              "versionType": "git"
            },
            {
              "lessThan": "2e12ce270f0d926085c1209cc90397e307deef97",
              "status": "affected",
              "version": "2908d778ab3e244900c310974e1fc1c69066e450",
              "versionType": "git"
            },
            {
              "lessThan": "46ba53c30666717cb06c2b3c5d896301cd00d0c0",
              "status": "affected",
              "version": "2908d778ab3e244900c310974e1fc1c69066e450",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/scsi/libsas/sas_expander.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.19"
            },
            {
              "lessThan": "2.6.19",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.220",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.150",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.75",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.19.*",
              "status": "unaffected",
              "version": "5.19.17",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.0.*",
              "status": "unaffected",
              "version": "6.0.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.220",
                  "versionStartIncluding": "2.6.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.150",
                  "versionStartIncluding": "2.6.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.75",
                  "versionStartIncluding": "2.6.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.19.17",
                  "versionStartIncluding": "2.6.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.0.3",
                  "versionStartIncluding": "2.6.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1",
                  "versionStartIncluding": "2.6.19",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: libsas: Fix use-after-free bug in smp_execute_task_sg()\n\nWhen executing SMP task failed, the smp_execute_task_sg() calls del_timer()\nto delete \"slow_task-\u003etimer\". However, if the timer handler\nsas_task_internal_timedout() is running, the del_timer() in\nsmp_execute_task_sg() will not stop it and a UAF will happen. The process\nis shown below:\n\n      (thread 1)               |        (thread 2)\nsmp_execute_task_sg()          | sas_task_internal_timedout()\n ...                           |\n del_timer()                   |\n ...                           |  ...\n sas_free_task(task)           |\n  kfree(task-\u003eslow_task) //FREE|\n                               |  task-\u003eslow_task-\u003e... //USE\n\nFix by calling del_timer_sync() in smp_execute_task_sg(), which makes sure\nthe timer handler have finished before the \"task-\u003eslow_task\" is\ndeallocated."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-10-01T11:41:55.147Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/117331a2a5227fb4369c2a1f321d3e3e2e2ef8fe"
        },
        {
          "url": "https://git.kernel.org/stable/c/a9e5176ead6de64f572ad5c87a72825d9d3c82ae"
        },
        {
          "url": "https://git.kernel.org/stable/c/e45a1516d2933703a4823d9db71e17c3abeba24f"
        },
        {
          "url": "https://git.kernel.org/stable/c/f7a785177611ffc97d645fcbc196e6de6ad2421d"
        },
        {
          "url": "https://git.kernel.org/stable/c/2e12ce270f0d926085c1209cc90397e307deef97"
        },
        {
          "url": "https://git.kernel.org/stable/c/46ba53c30666717cb06c2b3c5d896301cd00d0c0"
        }
      ],
      "title": "scsi: libsas: Fix use-after-free bug in smp_execute_task_sg()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2022-50422",
    "datePublished": "2025-10-01T11:41:55.147Z",
    "dateReserved": "2025-09-17T14:53:07.004Z",
    "dateUpdated": "2025-10-01T11:41:55.147Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2022-50421 (GCVE-0-2022-50421)

Vulnerability from nvd – Published: 2025-10-01 11:41 – Updated: 2025-10-01 11:41
Title
rpmsg: char: Avoid double destroy of default endpoint
Summary
In the Linux kernel, the following vulnerability has been resolved:

rpmsg: char: Avoid double destroy of default endpoint

The rpmsg_dev_remove() in rpmsg_core is the place for releasing this default endpoint. So need to avoid destroying the default endpoint in rpmsg_chrdev_eptdev_destroy(), this should be the same as rpmsg_eptdev_release(). Otherwise there will be double destroy issue that ept->refcount report warning:

  refcount_t: underflow; use-after-free.

Call trace:
  refcount_warn_saturate+0xf8/0x150
  virtio_rpmsg_destroy_ept+0xd4/0xec
  rpmsg_dev_remove+0x60/0x70

The issue can be reproduced by stopping remoteproc before closing the /dev/rpmsgX.
Severity
No CVSS data available.
Assigner
Impacted products
Vendor Product Version
Linux Linux Affected: bea9b79c2d10fecf7bfa26e212ecefe61d232e39 , < ef828a39d6a7028836eaf37df3ad568c8c2dd6f9 (git)
Affected: bea9b79c2d10fecf7bfa26e212ecefe61d232e39 , < 3f20ef7a845c2c8d7ec82ecffa20d95cab5ecfeb (git)
Affected: bea9b79c2d10fecf7bfa26e212ecefe61d232e39 , < 467233a4ac29b215d492843d067a9f091e6bf0c5 (git)
    Linux Linux Affected: 5.18
Unaffected: 0 , < 5.18 (semver)
Unaffected: 5.19.17 , ≤ 5.19.* (semver)
Unaffected: 6.0.3 , ≤ 6.0.* (semver)
Unaffected: 6.1 , ≤ * (original_commit_for_fix)

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/rpmsg/rpmsg_char.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "ef828a39d6a7028836eaf37df3ad568c8c2dd6f9",
              "status": "affected",
              "version": "bea9b79c2d10fecf7bfa26e212ecefe61d232e39",
              "versionType": "git"
            },
            {
              "lessThan": "3f20ef7a845c2c8d7ec82ecffa20d95cab5ecfeb",
              "status": "affected",
              "version": "bea9b79c2d10fecf7bfa26e212ecefe61d232e39",
              "versionType": "git"
            },
            {
              "lessThan": "467233a4ac29b215d492843d067a9f091e6bf0c5",
              "status": "affected",
              "version": "bea9b79c2d10fecf7bfa26e212ecefe61d232e39",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/rpmsg/rpmsg_char.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.18"
            },
            {
              "lessThan": "5.18",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.19.*",
              "status": "unaffected",
              "version": "5.19.17",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.0.*",
              "status": "unaffected",
              "version": "6.0.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.19.17",
                  "versionStartIncluding": "5.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.0.3",
                  "versionStartIncluding": "5.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1",
                  "versionStartIncluding": "5.18",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nrpmsg: char: Avoid double destroy of default endpoint\n\nThe rpmsg_dev_remove() in rpmsg_core is the place for releasing\nthis default endpoint.\n\nSo need to avoid destroying the default endpoint in\nrpmsg_chrdev_eptdev_destroy(), this should be the same as\nrpmsg_eptdev_release(). Otherwise there will be double destroy\nissue that ept-\u003erefcount report warning:\n\nrefcount_t: underflow; use-after-free.\n\nCall trace:\n refcount_warn_saturate+0xf8/0x150\n virtio_rpmsg_destroy_ept+0xd4/0xec\n rpmsg_dev_remove+0x60/0x70\n\nThe issue can be reproduced by stopping remoteproc before\nclosing the /dev/rpmsgX."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-10-01T11:41:54.351Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/ef828a39d6a7028836eaf37df3ad568c8c2dd6f9"
        },
        {
          "url": "https://git.kernel.org/stable/c/3f20ef7a845c2c8d7ec82ecffa20d95cab5ecfeb"
        },
        {
          "url": "https://git.kernel.org/stable/c/467233a4ac29b215d492843d067a9f091e6bf0c5"
        }
      ],
      "title": "rpmsg: char: Avoid double destroy of default endpoint",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2022-50421",
    "datePublished": "2025-10-01T11:41:54.351Z",
    "dateReserved": "2025-09-17T14:53:07.004Z",
    "dateUpdated": "2025-10-01T11:41:54.351Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2022-50420 (GCVE-0-2022-50420)

Vulnerability from nvd – Published: 2025-10-01 11:41 – Updated: 2025-10-02 07:04
Title
crypto: hisilicon/hpre - fix resource leak in remove process
Summary
In the Linux kernel, the following vulnerability has been resolved: crypto: hisilicon/hpre - fix resource leak in remove process In hpre_remove(), when the disable operation of qm sriov failed, the following logic should continue to be executed to release the remaining resources that have been allocated, instead of returning directly, otherwise there will be resource leakage.
Severity
No CVSS data available.
Impacted products
Vendor Product Version
Linux Linux Affected: c8b4b477079d1995cc0a1c10d5cdfd02be938cdf , < 2b3e3ecdb402ff1053ee25b598ff21b9ddf4384f (git)
Affected: c8b4b477079d1995cc0a1c10d5cdfd02be938cdf , < 4e0de941d252d4e7c985981e78480c8d6f020b64 (git)
Affected: c8b4b477079d1995cc0a1c10d5cdfd02be938cdf , < cb873c93a7ad27681920bf062ef052fca1e8d5b1 (git)
Affected: c8b4b477079d1995cc0a1c10d5cdfd02be938cdf , < 45e6319bd5f2154d8b8c9f1eaa4ac030ba0d330c (git)
    Linux Linux Affected: 5.5
Unaffected: 0 , < 5.5 (semver)
Unaffected: 5.15.86 , ≤ 5.15.* (semver)
Unaffected: 6.0.16 , ≤ 6.0.* (semver)
Unaffected: 6.1.2 , ≤ 6.1.* (semver)
Unaffected: 6.2 , ≤ * (original_commit_for_fix)

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/crypto/hisilicon/hpre/hpre_main.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "2b3e3ecdb402ff1053ee25b598ff21b9ddf4384f",
              "status": "affected",
              "version": "c8b4b477079d1995cc0a1c10d5cdfd02be938cdf",
              "versionType": "git"
            },
            {
              "lessThan": "4e0de941d252d4e7c985981e78480c8d6f020b64",
              "status": "affected",
              "version": "c8b4b477079d1995cc0a1c10d5cdfd02be938cdf",
              "versionType": "git"
            },
            {
              "lessThan": "cb873c93a7ad27681920bf062ef052fca1e8d5b1",
              "status": "affected",
              "version": "c8b4b477079d1995cc0a1c10d5cdfd02be938cdf",
              "versionType": "git"
            },
            {
              "lessThan": "45e6319bd5f2154d8b8c9f1eaa4ac030ba0d330c",
              "status": "affected",
              "version": "c8b4b477079d1995cc0a1c10d5cdfd02be938cdf",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/crypto/hisilicon/hpre/hpre_main.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.5"
            },
            {
              "lessThan": "5.5",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.86",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.0.*",
              "status": "unaffected",
              "version": "6.0.16",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.2",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.86",
                  "versionStartIncluding": "5.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.0.16",
                  "versionStartIncluding": "5.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.2",
                  "versionStartIncluding": "5.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.2",
                  "versionStartIncluding": "5.5",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: hisilicon/hpre - fix resource leak in remove process\n\nIn hpre_remove(), when the disable operation of qm sriov failed,\nthe following logic should continue to be executed to release the\nremaining resources that have been allocated, instead of returning\ndirectly, otherwise there will be resource leakage."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-10-02T07:04:14.879Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/2b3e3ecdb402ff1053ee25b598ff21b9ddf4384f"
        },
        {
          "url": "https://git.kernel.org/stable/c/4e0de941d252d4e7c985981e78480c8d6f020b64"
        },
        {
          "url": "https://git.kernel.org/stable/c/cb873c93a7ad27681920bf062ef052fca1e8d5b1"
        },
        {
          "url": "https://git.kernel.org/stable/c/45e6319bd5f2154d8b8c9f1eaa4ac030ba0d330c"
        }
      ],
      "title": "crypto: hisilicon/hpre - fix resource leak in remove process",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2022-50420",
    "datePublished": "2025-10-01T11:41:53.287Z",
    "dateReserved": "2025-09-17T14:53:07.004Z",
    "dateUpdated": "2025-10-02T07:04:14.879Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2021-4460 (GCVE-0-2021-4460)

Vulnerability from nvd – Published: 2025-10-01 11:45 – Updated: 2025-12-20 08:50
Title
drm/amdkfd: Fix UBSAN shift-out-of-bounds warning
Summary
In the Linux kernel, the following vulnerability has been resolved: drm/amdkfd: Fix UBSAN shift-out-of-bounds warning If get_num_sdma_queues or get_num_xgmi_sdma_queues is 0, we end up doing a shift operation where the number of bits shifted equals number of bits in the operand. This behaviour is undefined. Set num_sdma_queues or num_xgmi_sdma_queues to ULLONG_MAX, if the count is >= number of bits in the operand. Bug: https://gitlab.freedesktop.org/drm/amd/-/issues/1472
Severity
No CVSS data available.
Impacted products
Vendor Product Version
Linux Linux Affected: 4a488a7ad71401169cecee75dc94bcce642e2c53 , < 0c0356ef2498c1a250fe3846f30293f828737309 (git)
Affected: 4a488a7ad71401169cecee75dc94bcce642e2c53 , < 1874b0ef1426b873de94c61861e38f29a8df714c (git)
Affected: 4a488a7ad71401169cecee75dc94bcce642e2c53 , < 3fdc5182700910a685d23df57d65166e8556a266 (git)
Affected: 4a488a7ad71401169cecee75dc94bcce642e2c53 , < 9069b1b542de8f3bbffef868aff41521b21485cf (git)
Affected: 4a488a7ad71401169cecee75dc94bcce642e2c53 , < 50e2fc36e72d4ad672032ebf646cecb48656efe0 (git)
    Linux Linux Affected: 3.19
Unaffected: 0 , < 3.19 (semver)
Unaffected: 5.4.118 , ≤ 5.4.* (semver)
Unaffected: 5.10.36 , ≤ 5.10.* (semver)
Unaffected: 5.11.20 , ≤ 5.11.* (semver)
Unaffected: 5.12.3 , ≤ 5.12.* (semver)
Unaffected: 5.13 , ≤ * (original_commit_for_fix)

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "0c0356ef2498c1a250fe3846f30293f828737309",
              "status": "affected",
              "version": "4a488a7ad71401169cecee75dc94bcce642e2c53",
              "versionType": "git"
            },
            {
              "lessThan": "1874b0ef1426b873de94c61861e38f29a8df714c",
              "status": "affected",
              "version": "4a488a7ad71401169cecee75dc94bcce642e2c53",
              "versionType": "git"
            },
            {
              "lessThan": "3fdc5182700910a685d23df57d65166e8556a266",
              "status": "affected",
              "version": "4a488a7ad71401169cecee75dc94bcce642e2c53",
              "versionType": "git"
            },
            {
              "lessThan": "9069b1b542de8f3bbffef868aff41521b21485cf",
              "status": "affected",
              "version": "4a488a7ad71401169cecee75dc94bcce642e2c53",
              "versionType": "git"
            },
            {
              "lessThan": "50e2fc36e72d4ad672032ebf646cecb48656efe0",
              "status": "affected",
              "version": "4a488a7ad71401169cecee75dc94bcce642e2c53",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.19"
            },
            {
              "lessThan": "3.19",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.118",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.36",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.11.*",
              "status": "unaffected",
              "version": "5.11.20",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.12.*",
              "status": "unaffected",
              "version": "5.12.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "5.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.118",
                  "versionStartIncluding": "3.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.36",
                  "versionStartIncluding": "3.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.11.20",
                  "versionStartIncluding": "3.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.12.3",
                  "versionStartIncluding": "3.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.13",
                  "versionStartIncluding": "3.19",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdkfd: Fix UBSAN shift-out-of-bounds warning\n\nIf get_num_sdma_queues or get_num_xgmi_sdma_queues is 0, we end up\ndoing a shift operation where the number of bits shifted equals\nnumber of bits in the operand. This behaviour is undefined.\n\nSet num_sdma_queues or num_xgmi_sdma_queues to ULLONG_MAX, if the\ncount is \u003e= number of bits in the operand.\n\nBug: https://gitlab.freedesktop.org/drm/amd/-/issues/1472"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-20T08:50:43.244Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/0c0356ef2498c1a250fe3846f30293f828737309"
        },
        {
          "url": "https://git.kernel.org/stable/c/1874b0ef1426b873de94c61861e38f29a8df714c"
        },
        {
          "url": "https://git.kernel.org/stable/c/3fdc5182700910a685d23df57d65166e8556a266"
        },
        {
          "url": "https://git.kernel.org/stable/c/9069b1b542de8f3bbffef868aff41521b21485cf"
        },
        {
          "url": "https://git.kernel.org/stable/c/50e2fc36e72d4ad672032ebf646cecb48656efe0"
        }
      ],
      "title": "drm/amdkfd: Fix UBSAN shift-out-of-bounds warning",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2021-4460",
    "datePublished": "2025-10-01T11:45:19.050Z",
    "dateReserved": "2025-10-01T11:38:13.842Z",
    "dateUpdated": "2025-12-20T08:50:43.244Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-39928 (GCVE-0-2025-39928)

Vulnerability from nvd – Published: 2025-10-01 08:07 – Updated: 2025-10-01 08:07
Title
i2c: rtl9300: ensure data length is within supported range
Summary
In the Linux kernel, the following vulnerability has been resolved:

i2c: rtl9300: ensure data length is within supported range

Add an explicit check for the xfer length to 'rtl9300_i2c_config_xfer' to ensure the data length isn't within the supported range. In particular a data length of 0 is not supported by the hardware and causes unintended or destructive behaviour.

This limitation becomes obvious when looking at the register documentation [1]. 4 bits are reserved for DATA_WIDTH and the value of these 4 bits is used as N + 1, allowing a data length range of 1 <= len <= 16.

Affected by this is the SMBus Quick Operation which works with a data length of 0. Passing 0 as the length causes an underflow of the value due to:

(len - 1) & 0xf

and effectively specifying a transfer length of 16 via the registers. This causes a 16-byte write operation instead of a Quick Write. For example, on SFP modules without write-protected EEPROM this soft-bricks them by overwriting some initial bytes.

For completeness, also add a quirk for the zero length.

[1] https://svanheule.net/realtek/longan/register/i2c_mst1_ctrl2
Severity
No CVSS data available.
Impacted products
Vendor Product Version
Linux Linux Affected: c366be720235301fdadf67e6f1ea6ff32669c074 , < c91382328fc89f73144d5582f2d8f1dd3e41c8f7 (git)
Affected: c366be720235301fdadf67e6f1ea6ff32669c074 , < 06418cb5a1a542a003fdb4ad8e76ea542d57cfba (git)
    Linux Linux Affected: 6.13
Unaffected: 0 , < 6.13 (semver)
Unaffected: 6.16.8 , ≤ 6.16.* (semver)
Unaffected: 6.17 , ≤ * (original_commit_for_fix)

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/i2c/busses/i2c-rtl9300.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "c91382328fc89f73144d5582f2d8f1dd3e41c8f7",
              "status": "affected",
              "version": "c366be720235301fdadf67e6f1ea6ff32669c074",
              "versionType": "git"
            },
            {
              "lessThan": "06418cb5a1a542a003fdb4ad8e76ea542d57cfba",
              "status": "affected",
              "version": "c366be720235301fdadf67e6f1ea6ff32669c074",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/i2c/busses/i2c-rtl9300.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.13"
            },
            {
              "lessThan": "6.13",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.16.*",
              "status": "unaffected",
              "version": "6.16.8",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.17",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16.8",
                  "versionStartIncluding": "6.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17",
                  "versionStartIncluding": "6.13",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ni2c: rtl9300: ensure data length is within supported range\n\nAdd an explicit check for the xfer length to \u0027rtl9300_i2c_config_xfer\u0027\nto ensure the data length isn\u0027t within the supported range. In\nparticular a data length of 0 is not supported by the hardware and\ncauses unintended or destructive behaviour.\n\nThis limitation becomes obvious when looking at the register\ndocumentation [1]. 4 bits are reserved for DATA_WIDTH and the value\nof these 4 bits is used as N + 1, allowing a data length range of\n1 \u003c= len \u003c= 16.\n\nAffected by this is the SMBus Quick Operation which works with a data\nlength of 0. Passing 0 as the length causes an underflow of the value\ndue to:\n\n(len - 1) \u0026 0xf\n\nand effectively specifying a transfer length of 16 via the registers.\nThis causes a 16-byte write operation instead of a Quick Write. For\nexample, on SFP modules without write-protected EEPROM this soft-bricks\nthem by overwriting some initial bytes.\n\nFor completeness, also add a quirk for the zero length.\n\n[1] https://svanheule.net/realtek/longan/register/i2c_mst1_ctrl2"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-10-01T08:07:15.530Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/c91382328fc89f73144d5582f2d8f1dd3e41c8f7"
        },
        {
          "url": "https://git.kernel.org/stable/c/06418cb5a1a542a003fdb4ad8e76ea542d57cfba"
        }
      ],
      "title": "i2c: rtl9300: ensure data length is within supported range",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-39928",
    "datePublished": "2025-10-01T08:07:15.530Z",
    "dateReserved": "2025-04-16T07:20:57.147Z",
    "dateUpdated": "2025-10-01T08:07:15.530Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-39927 (GCVE-0-2025-39927)

Vulnerability from nvd – Published: 2025-10-01 08:07 – Updated: 2025-10-02 07:04
Title
ceph: fix race condition validating r_parent before applying state
Summary
In the Linux kernel, the following vulnerability has been resolved:

ceph: fix race condition validating r_parent before applying state

Add validation to ensure the cached parent directory inode matches the directory info in MDS replies. This prevents client-side race conditions where concurrent operations (e.g. rename) cause r_parent to become stale between request initiation and reply processing, which could lead to applying state changes to incorrect directory inodes.

[ idryomov: folded a kerneldoc fixup and a follow-up fix from Alex to move CEPH_CAP_PIN reference when r_parent is updated:

When the parent directory lock is not held, req->r_parent can become stale and is updated to point to the correct inode. However, the associated CEPH_CAP_PIN reference was not being adjusted. The CEPH_CAP_PIN is a reference on an inode that is tracked for accounting purposes. Moving this pin is important to keep the accounting balanced. When the pin was not moved from the old parent to the new one, it created two problems: The reference on the old, stale parent was never released, causing a reference leak. A reference for the new parent was never acquired, creating the risk of a reference underflow later in ceph_mdsc_release_request(). This patch corrects the logic by releasing the pin from the old parent and acquiring it for the new parent when r_parent is switched. This ensures reference accounting stays balanced. ]
Severity
No CVSS data available.
Impacted products
Vendor Product Version
Linux Linux Affected: 9030aaf9bf0a1eee47a154c316c789e959638b0f , < db378e6f83ec705c6091c65d482d555edc2b0a72 (git)
Affected: 9030aaf9bf0a1eee47a154c316c789e959638b0f , < 2bfe45987eb346e299d9f763f9cd05f77011519f (git)
Affected: 9030aaf9bf0a1eee47a154c316c789e959638b0f , < 15f519e9f883b316d86e2bb6b767a023aafd9d83 (git)
    Linux Linux Affected: 2.6.34
Unaffected: 0 , < 2.6.34 (semver)
Unaffected: 6.12.48 , ≤ 6.12.* (semver)
Unaffected: 6.16.8 , ≤ 6.16.* (semver)
Unaffected: 6.17 , ≤ * (original_commit_for_fix)

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/ceph/debugfs.c",
            "fs/ceph/dir.c",
            "fs/ceph/file.c",
            "fs/ceph/inode.c",
            "fs/ceph/mds_client.c",
            "fs/ceph/mds_client.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "db378e6f83ec705c6091c65d482d555edc2b0a72",
              "status": "affected",
              "version": "9030aaf9bf0a1eee47a154c316c789e959638b0f",
              "versionType": "git"
            },
            {
              "lessThan": "2bfe45987eb346e299d9f763f9cd05f77011519f",
              "status": "affected",
              "version": "9030aaf9bf0a1eee47a154c316c789e959638b0f",
              "versionType": "git"
            },
            {
              "lessThan": "15f519e9f883b316d86e2bb6b767a023aafd9d83",
              "status": "affected",
              "version": "9030aaf9bf0a1eee47a154c316c789e959638b0f",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/ceph/debugfs.c",
            "fs/ceph/dir.c",
            "fs/ceph/file.c",
            "fs/ceph/inode.c",
            "fs/ceph/mds_client.c",
            "fs/ceph/mds_client.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.34"
            },
            {
              "lessThan": "2.6.34",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.48",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.16.*",
              "status": "unaffected",
              "version": "6.16.8",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.17",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.48",
                  "versionStartIncluding": "2.6.34",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16.8",
                  "versionStartIncluding": "2.6.34",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17",
                  "versionStartIncluding": "2.6.34",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nceph: fix race condition validating r_parent before applying state\n\nAdd validation to ensure the cached parent directory inode matches the\ndirectory info in MDS replies. This prevents client-side race conditions\nwhere concurrent operations (e.g. rename) cause r_parent to become stale\nbetween request initiation and reply processing, which could lead to\napplying state changes to incorrect directory inodes.\n\n[ idryomov: folded a kerneldoc fixup and a follow-up fix from Alex to\n  move CEPH_CAP_PIN reference when r_parent is updated:\n\n  When the parent directory lock is not held, req-\u003er_parent can become\n  stale and is updated to point to the correct inode.  However, the\n  associated CEPH_CAP_PIN reference was not being adjusted.  The\n  CEPH_CAP_PIN is a reference on an inode that is tracked for\n  accounting purposes.  Moving this pin is important to keep the\n  accounting balanced. When the pin was not moved from the old parent\n  to the new one, it created two problems: The reference on the old,\n  stale parent was never released, causing a reference leak.\n  A reference for the new parent was never acquired, creating the risk\n  of a reference underflow later in ceph_mdsc_release_request().  This\n  patch corrects the logic by releasing the pin from the old parent and\n  acquiring it for the new parent when r_parent is switched.  This\n  ensures reference accounting stays balanced. ]"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-10-02T07:04:31.647Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/db378e6f83ec705c6091c65d482d555edc2b0a72"
        },
        {
          "url": "https://git.kernel.org/stable/c/2bfe45987eb346e299d9f763f9cd05f77011519f"
        },
        {
          "url": "https://git.kernel.org/stable/c/15f519e9f883b316d86e2bb6b767a023aafd9d83"
        }
      ],
      "title": "ceph: fix race condition validating r_parent before applying state",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-39927",
    "datePublished": "2025-10-01T08:07:14.595Z",
    "dateReserved": "2025-04-16T07:20:57.147Z",
    "dateUpdated": "2025-10-02T07:04:31.647Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-39926 (GCVE-0-2025-39926)

Vulnerability from nvd – Published: 2025-10-01 08:07 – Updated: 2025-10-01 08:07
Title
genetlink: fix genl_bind() invoking bind() after -EPERM
Summary
In the Linux kernel, the following vulnerability has been resolved: genetlink: fix genl_bind() invoking bind() after -EPERM Per family bind/unbind callbacks were introduced to allow families to track multicast group consumer presence, e.g. to start or stop producing events depending on listeners. However, in genl_bind() the bind() callback was invoked even if capability checks failed and ret was set to -EPERM. This means that callbacks could run on behalf of unauthorized callers while the syscall still returned failure to user space. Fix this by only invoking bind() after "if (ret) break;" check i.e. after permission checks have succeeded.
Severity
No CVSS data available.
Assigner
Impacted products
Vendor Product Version
Linux Linux Affected: 3de21a8990d3c2cc507e9cc4ed00f36358d5b93e , < 98c9d884047a3051c203708914a874dece3cbe54 (git)
Affected: 3de21a8990d3c2cc507e9cc4ed00f36358d5b93e , < 8858c1e9405906c09589d7c336f04058ea198207 (git)
Affected: 3de21a8990d3c2cc507e9cc4ed00f36358d5b93e , < 1dbfb0363224f6da56f6655d596dc5097308d6f5 (git)
    Linux Linux Affected: 6.9
Unaffected: 0 , < 6.9 (semver)
Unaffected: 6.12.48 , ≤ 6.12.* (semver)
Unaffected: 6.16.8 , ≤ 6.16.* (semver)
Unaffected: 6.17 , ≤ * (original_commit_for_fix)

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/netlink/genetlink.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "98c9d884047a3051c203708914a874dece3cbe54",
              "status": "affected",
              "version": "3de21a8990d3c2cc507e9cc4ed00f36358d5b93e",
              "versionType": "git"
            },
            {
              "lessThan": "8858c1e9405906c09589d7c336f04058ea198207",
              "status": "affected",
              "version": "3de21a8990d3c2cc507e9cc4ed00f36358d5b93e",
              "versionType": "git"
            },
            {
              "lessThan": "1dbfb0363224f6da56f6655d596dc5097308d6f5",
              "status": "affected",
              "version": "3de21a8990d3c2cc507e9cc4ed00f36358d5b93e",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/netlink/genetlink.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.9"
            },
            {
              "lessThan": "6.9",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.48",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.16.*",
              "status": "unaffected",
              "version": "6.16.8",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.17",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.48",
                  "versionStartIncluding": "6.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16.8",
                  "versionStartIncluding": "6.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17",
                  "versionStartIncluding": "6.9",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ngenetlink: fix genl_bind() invoking bind() after -EPERM\n\nPer family bind/unbind callbacks were introduced to allow families\nto track multicast group consumer presence, e.g. to start or stop\nproducing events depending on listeners.\n\nHowever, in genl_bind() the bind() callback was invoked even if\ncapability checks failed and ret was set to -EPERM. This means that\ncallbacks could run on behalf of unauthorized callers while the\nsyscall still returned failure to user space.\n\nFix this by only invoking bind() after \"if (ret) break;\" check\ni.e. after permission checks have succeeded."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-10-01T08:07:13.883Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/98c9d884047a3051c203708914a874dece3cbe54"
        },
        {
          "url": "https://git.kernel.org/stable/c/8858c1e9405906c09589d7c336f04058ea198207"
        },
        {
          "url": "https://git.kernel.org/stable/c/1dbfb0363224f6da56f6655d596dc5097308d6f5"
        }
      ],
      "title": "genetlink: fix genl_bind() invoking bind() after -EPERM",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-39926",
    "datePublished": "2025-10-01T08:07:13.883Z",
    "dateReserved": "2025-04-16T07:20:57.147Z",
    "dateUpdated": "2025-10-01T08:07:13.883Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-39925 (GCVE-0-2025-39925)

Vulnerability from nvd – Published: 2025-10-01 08:07 – Updated: 2025-10-01 08:07
Title
can: j1939: implement NETDEV_UNREGISTER notification handler
Summary
In the Linux kernel, the following vulnerability has been resolved: can: j1939: implement NETDEV_UNREGISTER notification handler syzbot is reporting unregister_netdevice: waiting for vcan0 to become free. Usage count = 2 problem, for j1939 protocol did not have NETDEV_UNREGISTER notification handler for undoing changes made by j1939_sk_bind(). Commit 25fe97cb7620 ("can: j1939: move j1939_priv_put() into sk_destruct callback") expects that a call to j1939_priv_put() can be unconditionally delayed until j1939_sk_sock_destruct() is called. But we need to call j1939_priv_put() against an extra ref held by j1939_sk_bind() call (as a part of undoing changes made by j1939_sk_bind()) as soon as NETDEV_UNREGISTER notification fires (i.e. before j1939_sk_sock_destruct() is called via j1939_sk_release()). Otherwise, the extra ref on "struct j1939_priv" held by j1939_sk_bind() call prevents "struct net_device" from dropping the usage count to 1; making it impossible for unregister_netdevice() to continue. [mkl: remove space in front of label]
Severity
No CVSS data available.
Assigner
Impacted products
Vendor Product Version
Linux Linux Affected: 9d71dd0c70099914fcd063135da3c580865e924c , < da9e8f429139928570407e8f90559b5d46c20262 (git)
Affected: 9d71dd0c70099914fcd063135da3c580865e924c , < 7fcbe5b2c6a4b5407bf2241fdb71e0a390f6ab9a (git)
    Linux Linux Affected: 5.4
Unaffected: 0 , < 5.4 (semver)
Unaffected: 6.16.8 , ≤ 6.16.* (semver)
Unaffected: 6.17 , ≤ * (original_commit_for_fix)

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/can/j1939/j1939-priv.h",
            "net/can/j1939/main.c",
            "net/can/j1939/socket.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "da9e8f429139928570407e8f90559b5d46c20262",
              "status": "affected",
              "version": "9d71dd0c70099914fcd063135da3c580865e924c",
              "versionType": "git"
            },
            {
              "lessThan": "7fcbe5b2c6a4b5407bf2241fdb71e0a390f6ab9a",
              "status": "affected",
              "version": "9d71dd0c70099914fcd063135da3c580865e924c",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/can/j1939/j1939-priv.h",
            "net/can/j1939/main.c",
            "net/can/j1939/socket.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.4"
            },
            {
              "lessThan": "5.4",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.16.*",
              "status": "unaffected",
              "version": "6.16.8",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.17",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16.8",
                  "versionStartIncluding": "5.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17",
                  "versionStartIncluding": "5.4",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: j1939: implement NETDEV_UNREGISTER notification handler\n\nsyzbot is reporting\n\n  unregister_netdevice: waiting for vcan0 to become free. Usage count = 2\n\nproblem, for j1939 protocol did not have NETDEV_UNREGISTER notification\nhandler for undoing changes made by j1939_sk_bind().\n\nCommit 25fe97cb7620 (\"can: j1939: move j1939_priv_put() into sk_destruct\ncallback\") expects that a call to j1939_priv_put() can be unconditionally\ndelayed until j1939_sk_sock_destruct() is called. But we need to call\nj1939_priv_put() against an extra ref held by j1939_sk_bind() call\n(as a part of undoing changes made by j1939_sk_bind()) as soon as\nNETDEV_UNREGISTER notification fires (i.e. before j1939_sk_sock_destruct()\nis called via j1939_sk_release()). Otherwise, the extra ref on \"struct\nj1939_priv\" held by j1939_sk_bind() call prevents \"struct net_device\" from\ndropping the usage count to 1; making it impossible for\nunregister_netdevice() to continue.\n\n[mkl: remove space in front of label]"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-10-01T08:07:13.123Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/da9e8f429139928570407e8f90559b5d46c20262"
        },
        {
          "url": "https://git.kernel.org/stable/c/7fcbe5b2c6a4b5407bf2241fdb71e0a390f6ab9a"
        }
      ],
      "title": "can: j1939: implement NETDEV_UNREGISTER notification handler",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-39925",
    "datePublished": "2025-10-01T08:07:13.123Z",
    "dateReserved": "2025-04-16T07:20:57.147Z",
    "dateUpdated": "2025-10-01T08:07:13.123Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-39924 (GCVE-0-2025-39924)

Vulnerability from nvd – Published: 2025-10-01 08:07 – Updated: 2025-10-01 08:07
Title
erofs: fix invalid algorithm for encoded extents
Summary
In the Linux kernel, the following vulnerability has been resolved: erofs: fix invalid algorithm for encoded extents The current algorithm sanity checks do not properly apply to new encoded extents. Unify the algorithm check with Z_EROFS_COMPRESSION(_RUNTIME)_MAX and ensure consistency with sbi->available_compr_algs.
Severity
No CVSS data available.
Assigner
Impacted products
Vendor Product Version
Linux Linux Affected: 1d191b4ca51d73699cb127386b95ac152af2b930 , < db5d7abd379a8dcf030be8f52f99cadf7e397ba8 (git)
Affected: 1d191b4ca51d73699cb127386b95ac152af2b930 , < 131897c65e2b86cf14bec7379f44aa8fbb407526 (git)
    Linux Linux Affected: 6.15
Unaffected: 0 , < 6.15 (semver)
Unaffected: 6.16.8 , ≤ 6.16.* (semver)
Unaffected: 6.17 , ≤ * (original_commit_for_fix)

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/erofs/zmap.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "db5d7abd379a8dcf030be8f52f99cadf7e397ba8",
              "status": "affected",
              "version": "1d191b4ca51d73699cb127386b95ac152af2b930",
              "versionType": "git"
            },
            {
              "lessThan": "131897c65e2b86cf14bec7379f44aa8fbb407526",
              "status": "affected",
              "version": "1d191b4ca51d73699cb127386b95ac152af2b930",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/erofs/zmap.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.15"
            },
            {
              "lessThan": "6.15",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.16.*",
              "status": "unaffected",
              "version": "6.16.8",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.17",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16.8",
                  "versionStartIncluding": "6.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17",
                  "versionStartIncluding": "6.15",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nerofs: fix invalid algorithm for encoded extents\n\nThe current algorithm sanity checks do not properly apply to new\nencoded extents.\n\nUnify the algorithm check with Z_EROFS_COMPRESSION(_RUNTIME)_MAX\nand ensure consistency with sbi-\u003eavailable_compr_algs."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-10-01T08:07:12.300Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/db5d7abd379a8dcf030be8f52f99cadf7e397ba8"
        },
        {
          "url": "https://git.kernel.org/stable/c/131897c65e2b86cf14bec7379f44aa8fbb407526"
        }
      ],
      "title": "erofs: fix invalid algorithm for encoded extents",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-39924",
    "datePublished": "2025-10-01T08:07:12.300Z",
    "dateReserved": "2025-04-16T07:20:57.147Z",
    "dateUpdated": "2025-10-01T08:07:12.300Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-39922 (GCVE-0-2025-39922)

Vulnerability from nvd – Published: 2025-10-01 07:55 – Updated: 2025-10-01 07:55
Title
ixgbe: fix incorrect map used in eee linkmode
Summary
In the Linux kernel, the following vulnerability has been resolved: ixgbe: fix incorrect map used in eee linkmode incorrectly used ixgbe_lp_map in loops intended to populate the supported and advertised EEE linkmode bitmaps based on ixgbe_ls_map. This results in incorrect bit setting and potential out-of-bounds access, since ixgbe_lp_map and ixgbe_ls_map have different sizes and purposes. ixgbe_lp_map[i] -> ixgbe_ls_map[i] Use ixgbe_ls_map for supported and advertised linkmodes, and keep ixgbe_lp_map usage only for link partner (lp_advertised) mapping.
Severity
No CVSS data available.
Assigner
Impacted products
Vendor Product Version
Linux Linux Affected: 9356b6db9d051e9d939dd0f9ae7a0514103ef228 , < 682105ab63826fb7ca7c112b42b478d156fbb19f (git)
Affected: 9356b6db9d051e9d939dd0f9ae7a0514103ef228 , < 129c1cb8a081a02d99267cb51708f1326395f4e8 (git)
Affected: 9356b6db9d051e9d939dd0f9ae7a0514103ef228 , < b7e5c3e3bfa9dc8af75ff6d8633ad7070e1985e4 (git)
    Linux Linux Affected: 6.9
Unaffected: 0 , < 6.9 (semver)
Unaffected: 6.12.46 , ≤ 6.12.* (semver)
Unaffected: 6.16.6 , ≤ 6.16.* (semver)
Unaffected: 6.17 , ≤ * (original_commit_for_fix)

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/intel/ixgbe/ixgbe_ethtool.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "682105ab63826fb7ca7c112b42b478d156fbb19f",
              "status": "affected",
              "version": "9356b6db9d051e9d939dd0f9ae7a0514103ef228",
              "versionType": "git"
            },
            {
              "lessThan": "129c1cb8a081a02d99267cb51708f1326395f4e8",
              "status": "affected",
              "version": "9356b6db9d051e9d939dd0f9ae7a0514103ef228",
              "versionType": "git"
            },
            {
              "lessThan": "b7e5c3e3bfa9dc8af75ff6d8633ad7070e1985e4",
              "status": "affected",
              "version": "9356b6db9d051e9d939dd0f9ae7a0514103ef228",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/intel/ixgbe/ixgbe_ethtool.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.9"
            },
            {
              "lessThan": "6.9",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.46",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.16.*",
              "status": "unaffected",
              "version": "6.16.6",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.17",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.46",
                  "versionStartIncluding": "6.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16.6",
                  "versionStartIncluding": "6.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17",
                  "versionStartIncluding": "6.9",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nixgbe: fix incorrect map used in eee linkmode\n\nincorrectly used ixgbe_lp_map in loops intended to populate the\nsupported and advertised EEE linkmode bitmaps based on ixgbe_ls_map.\nThis results in incorrect bit setting and potential out-of-bounds\naccess, since ixgbe_lp_map and ixgbe_ls_map have different sizes\nand purposes.\n\nixgbe_lp_map[i] -\u003e ixgbe_ls_map[i]\n\nUse ixgbe_ls_map for supported and advertised linkmodes, and keep\nixgbe_lp_map usage only for link partner (lp_advertised) mapping."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-10-01T07:55:17.475Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/682105ab63826fb7ca7c112b42b478d156fbb19f"
        },
        {
          "url": "https://git.kernel.org/stable/c/129c1cb8a081a02d99267cb51708f1326395f4e8"
        },
        {
          "url": "https://git.kernel.org/stable/c/b7e5c3e3bfa9dc8af75ff6d8633ad7070e1985e4"
        }
      ],
      "title": "ixgbe: fix incorrect map used in eee linkmode",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-39922",
    "datePublished": "2025-10-01T07:55:17.475Z",
    "dateReserved": "2025-04-16T07:20:57.147Z",
    "dateUpdated": "2025-10-01T07:55:17.475Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-39921 (GCVE-0-2025-39921)

Vulnerability from nvd – Published: 2025-10-01 07:55 – Updated: 2025-10-01 07:55
Title
spi: microchip-core-qspi: stop checking viability of op->max_freq in supports_op callback
Summary
In the Linux kernel, the following vulnerability has been resolved: spi: microchip-core-qspi: stop checking viability of op->max_freq in supports_op callback In commit 13529647743d9 ("spi: microchip-core-qspi: Support per spi-mem operation frequency switches") the logic for checking the viability of op->max_freq in mchp_coreqspi_setup_clock() was copied into mchp_coreqspi_supports_op(). Unfortunately, op->max_freq is not valid when this function is called during probe but is instead zero. Accordingly, baud_rate_val is calculated to be INT_MAX due to division by zero, causing probe of the attached memory device to fail. Seemingly spi-microchip-core-qspi was the only driver that had such a modification made to its supports_op callback when the per_op_freq capability was added, so just remove it to restore prior functionality.
Severity
No CVSS data available.
Assigner
Impacted products
Vendor Product Version
Linux Linux Affected: 13529647743d906ed3cf991f1d77727e7ff1fb6f , < ac8a13f35d5b8996582b3f97b924838a5c570c18 (git)
Affected: 13529647743d906ed3cf991f1d77727e7ff1fb6f , < 89e7353f522f5cf70cb48c01ce2dcdcb275b8022 (git)
    Linux Linux Affected: 6.14
Unaffected: 0 , < 6.14 (semver)
Unaffected: 6.16.6 , ≤ 6.16.* (semver)
Unaffected: 6.17 , ≤ * (original_commit_for_fix)

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/spi/spi-microchip-core-qspi.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "ac8a13f35d5b8996582b3f97b924838a5c570c18",
              "status": "affected",
              "version": "13529647743d906ed3cf991f1d77727e7ff1fb6f",
              "versionType": "git"
            },
            {
              "lessThan": "89e7353f522f5cf70cb48c01ce2dcdcb275b8022",
              "status": "affected",
              "version": "13529647743d906ed3cf991f1d77727e7ff1fb6f",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/spi/spi-microchip-core-qspi.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.14"
            },
            {
              "lessThan": "6.14",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.16.*",
              "status": "unaffected",
              "version": "6.16.6",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.17",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16.6",
                  "versionStartIncluding": "6.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17",
                  "versionStartIncluding": "6.14",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: microchip-core-qspi: stop checking viability of op-\u003emax_freq in supports_op callback\n\nIn commit 13529647743d9 (\"spi: microchip-core-qspi: Support per spi-mem\noperation frequency switches\") the logic for checking the viability of\nop-\u003emax_freq in mchp_coreqspi_setup_clock() was copied into\nmchp_coreqspi_supports_op(). Unfortunately, op-\u003emax_freq is not valid\nwhen this function is called during probe but is instead zero.\nAccordingly, baud_rate_val is calculated to be INT_MAX due to division\nby zero, causing probe of the attached memory device to fail.\n\nSeemingly spi-microchip-core-qspi was the only driver that had such a\nmodification made to its supports_op callback when the per_op_freq\ncapability was added, so just remove it to restore prior functionality."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-10-01T07:55:16.540Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/ac8a13f35d5b8996582b3f97b924838a5c570c18"
        },
        {
          "url": "https://git.kernel.org/stable/c/89e7353f522f5cf70cb48c01ce2dcdcb275b8022"
        }
      ],
      "title": "spi: microchip-core-qspi: stop checking viability of op-\u003emax_freq in supports_op callback",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-39921",
    "datePublished": "2025-10-01T07:55:16.540Z",
    "dateReserved": "2025-04-16T07:20:57.147Z",
    "dateUpdated": "2025-10-01T07:55:16.540Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-39919 (GCVE-0-2025-39919)

Vulnerability from nvd – Published: 2025-10-01 07:55 – Updated: 2025-10-01 07:55
Title
wifi: mt76: mt7996: add missing check for rx wcid entries
Summary
In the Linux kernel, the following vulnerability has been resolved: wifi: mt76: mt7996: add missing check for rx wcid entries Non-station wcid entries must not be passed to the rx functions. In case of the global wcid entry, it could even lead to corruption in the wcid array due to pointer being casted to struct mt7996_sta_link using container_of.
Severity ?
No CVSS data available.
Assigner
Impacted products
Vendor Product Version
Linux Linux Affected: 7464b12b7d92b9641d4664735b9f3c3f0b6173d9 , < 69dcc19048fcdc3fb166fd25b805470ee8fc0eb1 (git)
Affected: 7464b12b7d92b9641d4664735b9f3c3f0b6173d9 , < 4a522b01e368eec58d182ecc47d24f49a39e440d (git)
    Linux Linux Affected: 6.15
Unaffected: 0 , < 6.15 (semver)
Unaffected: 6.16.6 , ≤ 6.16.* (semver)
Unaffected: 6.17 , ≤ * (original_commit_for_fix)

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/wireless/mediatek/mt76/mt7996/mac.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "69dcc19048fcdc3fb166fd25b805470ee8fc0eb1",
              "status": "affected",
              "version": "7464b12b7d92b9641d4664735b9f3c3f0b6173d9",
              "versionType": "git"
            },
            {
              "lessThan": "4a522b01e368eec58d182ecc47d24f49a39e440d",
              "status": "affected",
              "version": "7464b12b7d92b9641d4664735b9f3c3f0b6173d9",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/wireless/mediatek/mt76/mt7996/mac.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.15"
            },
            {
              "lessThan": "6.15",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.16.*",
              "status": "unaffected",
              "version": "6.16.6",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.17",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16.6",
                  "versionStartIncluding": "6.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17",
                  "versionStartIncluding": "6.15",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mt76: mt7996: add missing check for rx wcid entries\n\nNon-station wcid entries must not be passed to the rx functions.\nIn case of the global wcid entry, it could even lead to corruption in the wcid\narray due to pointer being casted to struct mt7996_sta_link using container_of."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-10-01T07:55:14.804Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/69dcc19048fcdc3fb166fd25b805470ee8fc0eb1"
        },
        {
          "url": "https://git.kernel.org/stable/c/4a522b01e368eec58d182ecc47d24f49a39e440d"
        }
      ],
      "title": "wifi: mt76: mt7996: add missing check for rx wcid entries",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-39919",
    "datePublished": "2025-10-01T07:55:14.804Z",
    "dateReserved": "2025-04-16T07:20:57.147Z",
    "dateUpdated": "2025-10-01T07:55:14.804Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-39918 (GCVE-0-2025-39918)

Vulnerability from nvd – Published: 2025-10-01 07:55 – Updated: 2025-10-01 07:55
Title
wifi: mt76: fix linked list corruption
Summary
In the Linux kernel, the following vulnerability has been resolved: wifi: mt76: fix linked list corruption Never leave scheduled wcid entries on the temporary on-stack list
Severity ?
No CVSS data available.
Assigner
Impacted products
Vendor Product Version
Linux Linux Affected: 0b3be9d1d34e21dada69c539fbf51a5fe868028a , < e4d5a5fc61fdc65220a1ce078d24c1d20bbb0835 (git)
Affected: 0b3be9d1d34e21dada69c539fbf51a5fe868028a , < c91a59b04f928cb4a1436b0e0a27650883d0388a (git)
Affected: 0b3be9d1d34e21dada69c539fbf51a5fe868028a , < 49fba87205bec14a0f6bd997635bf3968408161e (git)
    Linux Linux Affected: 6.12
Unaffected: 0 , < 6.12 (semver)
Unaffected: 6.12.46 , ≤ 6.12.* (semver)
Unaffected: 6.16.6 , ≤ 6.16.* (semver)
Unaffected: 6.17 , ≤ * (original_commit_for_fix)

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/wireless/mediatek/mt76/tx.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "e4d5a5fc61fdc65220a1ce078d24c1d20bbb0835",
              "status": "affected",
              "version": "0b3be9d1d34e21dada69c539fbf51a5fe868028a",
              "versionType": "git"
            },
            {
              "lessThan": "c91a59b04f928cb4a1436b0e0a27650883d0388a",
              "status": "affected",
              "version": "0b3be9d1d34e21dada69c539fbf51a5fe868028a",
              "versionType": "git"
            },
            {
              "lessThan": "49fba87205bec14a0f6bd997635bf3968408161e",
              "status": "affected",
              "version": "0b3be9d1d34e21dada69c539fbf51a5fe868028a",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/wireless/mediatek/mt76/tx.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.12"
            },
            {
              "lessThan": "6.12",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.46",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.16.*",
              "status": "unaffected",
              "version": "6.16.6",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.17",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.46",
                  "versionStartIncluding": "6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16.6",
                  "versionStartIncluding": "6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17",
                  "versionStartIncluding": "6.12",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mt76: fix linked list corruption\n\nNever leave scheduled wcid entries on the temporary on-stack list"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-10-01T07:55:13.851Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/e4d5a5fc61fdc65220a1ce078d24c1d20bbb0835"
        },
        {
          "url": "https://git.kernel.org/stable/c/c91a59b04f928cb4a1436b0e0a27650883d0388a"
        },
        {
          "url": "https://git.kernel.org/stable/c/49fba87205bec14a0f6bd997635bf3968408161e"
        }
      ],
      "title": "wifi: mt76: fix linked list corruption",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-39918",
    "datePublished": "2025-10-01T07:55:13.851Z",
    "dateReserved": "2025-04-16T07:20:57.147Z",
    "dateUpdated": "2025-10-01T07:55:13.851Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-39917 (GCVE-0-2025-39917)

Vulnerability from nvd – Published: 2025-10-01 07:44 – Updated: 2025-10-01 07:44
Title
bpf: Fix out-of-bounds dynptr write in bpf_crypto_crypt
Summary
In the Linux kernel, the following vulnerability has been resolved:

bpf: Fix out-of-bounds dynptr write in bpf_crypto_crypt

Stanislav reported that in bpf_crypto_crypt() the destination dynptr's size is not validated to be at least as large as the source dynptr's size before calling into the crypto backend with 'len = src_len'. This can result in an OOB write when the destination is smaller than the source.

Concretely, in mentioned function, psrc and pdst are both linear buffers fetched from each dynptr:

  psrc = __bpf_dynptr_data(src, src_len);
  [...]
  pdst = __bpf_dynptr_data_rw(dst, dst_len);
  [...]
  err = decrypt ?
        ctx->type->decrypt(ctx->tfm, psrc, pdst, src_len, piv) :
        ctx->type->encrypt(ctx->tfm, psrc, pdst, src_len, piv);

The crypto backend expects pdst to be large enough with a src_len length that can be written. Add an additional src_len > dst_len check and bail out if it's the case. Note that these kfuncs are accessible under root privileges only.
Severity ?
No CVSS data available.
Assigner
Impacted products
Vendor Product Version
Linux Linux Affected: 3e1c6f35409f9e447bf37f64840f5b65576bfb78 , < 0126358df12d6f476f79251d9c398ac5c1b3062d (git)
Affected: 3e1c6f35409f9e447bf37f64840f5b65576bfb78 , < c4be24ef0510c146dca4671effb127e97631534b (git)
Affected: 3e1c6f35409f9e447bf37f64840f5b65576bfb78 , < f9bb6ffa7f5ad0f8ee0f53fc4a10655872ee4a14 (git)
    Linux Linux Affected: 6.10
Unaffected: 0 , < 6.10 (semver)
Unaffected: 6.12.48 , ≤ 6.12.* (semver)
Unaffected: 6.16.8 , ≤ 6.16.* (semver)
Unaffected: 6.17 , ≤ * (original_commit_for_fix)

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "kernel/bpf/crypto.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "0126358df12d6f476f79251d9c398ac5c1b3062d",
              "status": "affected",
              "version": "3e1c6f35409f9e447bf37f64840f5b65576bfb78",
              "versionType": "git"
            },
            {
              "lessThan": "c4be24ef0510c146dca4671effb127e97631534b",
              "status": "affected",
              "version": "3e1c6f35409f9e447bf37f64840f5b65576bfb78",
              "versionType": "git"
            },
            {
              "lessThan": "f9bb6ffa7f5ad0f8ee0f53fc4a10655872ee4a14",
              "status": "affected",
              "version": "3e1c6f35409f9e447bf37f64840f5b65576bfb78",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "kernel/bpf/crypto.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.10"
            },
            {
              "lessThan": "6.10",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.48",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.16.*",
              "status": "unaffected",
              "version": "6.16.8",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.17",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.48",
                  "versionStartIncluding": "6.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16.8",
                  "versionStartIncluding": "6.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17",
                  "versionStartIncluding": "6.10",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix out-of-bounds dynptr write in bpf_crypto_crypt\n\nStanislav reported that in bpf_crypto_crypt() the destination dynptr\u0027s\nsize is not validated to be at least as large as the source dynptr\u0027s\nsize before calling into the crypto backend with \u0027len = src_len\u0027. This\ncan result in an OOB write when the destination is smaller than the\nsource.\n\nConcretely, in mentioned function, psrc and pdst are both linear\nbuffers fetched from each dynptr:\n\n  psrc = __bpf_dynptr_data(src, src_len);\n  [...]\n  pdst = __bpf_dynptr_data_rw(dst, dst_len);\n  [...]\n  err = decrypt ?\n        ctx-\u003etype-\u003edecrypt(ctx-\u003etfm, psrc, pdst, src_len, piv) :\n        ctx-\u003etype-\u003eencrypt(ctx-\u003etfm, psrc, pdst, src_len, piv);\n\nThe crypto backend expects pdst to be large enough with a src_len length\nthat can be written. Add an additional src_len \u003e dst_len check and bail\nout if it\u0027s the case. Note that these kfuncs are accessible under root\nprivileges only."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-10-01T07:44:39.423Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/0126358df12d6f476f79251d9c398ac5c1b3062d"
        },
        {
          "url": "https://git.kernel.org/stable/c/c4be24ef0510c146dca4671effb127e97631534b"
        },
        {
          "url": "https://git.kernel.org/stable/c/f9bb6ffa7f5ad0f8ee0f53fc4a10655872ee4a14"
        }
      ],
      "title": "bpf: Fix out-of-bounds dynptr write in bpf_crypto_crypt",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-39917",
    "datePublished": "2025-10-01T07:44:39.423Z",
    "dateReserved": "2025-04-16T07:20:57.147Z",
    "dateUpdated": "2025-10-01T07:44:39.423Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-39915 (GCVE-0-2025-39915)

Vulnerability from nvd – Published: 2025-10-01 07:44 – Updated: 2025-10-01 07:44
Title
net: phy: transfer phy_config_inband() locking responsibility to phylink
Summary
In the Linux kernel, the following vulnerability has been resolved:

net: phy: transfer phy_config_inband() locking responsibility to phylink

Problem description
===================

Lockdep reports a possible circular locking dependency (AB/BA) between &pl->state_mutex and &phy->lock, as follows.

phylink_resolve() // acquires &pl->state_mutex
-> phylink_major_config()
   -> phy_config_inband() // acquires &pl->phydev->lock

whereas all the other call sites where &pl->state_mutex and &pl->phydev->lock have the locking scheme reversed. Everywhere else, &pl->phydev->lock is acquired at the top level, and &pl->state_mutex at the lower level. A clear example is phylink_bringup_phy().

The outlier is the newly introduced phy_config_inband() and the existing lock order is the correct one. To understand why it cannot be the other way around, it is sufficient to consider phylink_phy_change(), phylink's callback from the PHY device's phy->phy_link_change() virtual method, invoked by the PHY state machine.

phy_link_up() and phy_link_down(), the (indirect) callers of phylink_phy_change(), are called with &phydev->lock acquired. Then phylink_phy_change() acquires its own &pl->state_mutex, to serialize changes made to its pl->phy_state and pl->link_config. So all other instances of &pl->state_mutex and &phydev->lock must be consistent with this order.

Problem impact
==============

I think the kernel runs a serious deadlock risk if an existing phylink_resolve() thread, which results in a phy_config_inband() call, is concurrent with a phy_link_up() or phy_link_down() call, which will deadlock on &pl->state_mutex in phylink_phy_change(). Practically speaking, the impact may be limited by the slow speed of the medium auto-negotiation protocol, which makes it unlikely for the current state to still be unresolved when a new one is detected, but I think the problem is there. Nonetheless, the problem was discovered using lockdep.

Proposed solution
=================

Practically speaking, the phy_config_inband() requirement of having phydev->lock acquired must transfer to the caller (phylink is the only caller). There, it must bubble up until immediately before &pl->state_mutex is acquired, for the cases where that takes place.

Solution details, considerations, notes
=======================================

This is the phy_config_inband() call graph:

                          sfp_upstream_ops :: connect_phy()
                          |
                          v
                          phylink_sfp_connect_phy()
                          |
                          v
                          phylink_sfp_config_phy()
                          |
                          |   sfp_upstream_ops :: module_insert()
                          |   |
                          |   v
                          |   phylink_sfp_module_insert()
                          |   |
                          |   |   sfp_upstream_ops :: module_start()
                          |   |   |
                          |   |   v
                          |   |   phylink_sfp_module_start()
                          |   |   |
                          |   v   v
                          |   phylink_sfp_config_optical()
 phylink_start()          |   |
   |   phylink_resume()   v   v
   |   |  phylink_sfp_set_config()
   |   |  |
   v   v  v
 phylink_mac_initial_config()
   |   phylink_resolve()
   |   |  phylink_ethtool_ksettings_set()
   v   v  v
   phylink_major_config()
            |
            v
    phy_config_inband()

phylink_major_config() caller #1, phylink_mac_initial_config(), does not acquire &pl->state_mutex nor do its callers. It must acquire &pl->phydev->lock prior to calling phylink_major_config().

phylink_major_config() caller #2, phylink_resolve() acquires &pl->state_mutex, thus also needs to acquire &pl->phydev->lock.

phylink_major_config() caller #3, phylink_ethtool_ksettings_set(), is completely uninteresting, because it only call ---truncated---
Severity ?
No CVSS data available.
Assigner
Impacted products
Vendor Product Version
Linux Linux Affected: 5fd0f1a02e750e2db4038dee60edea669ce5aab1 , < 052ac41c379c8b87629808be612a482b2d0ae283 (git)
Affected: 5fd0f1a02e750e2db4038dee60edea669ce5aab1 , < e2a10daba84968f6b5777d150985fd7d6abc9c84 (git)
    Linux Linux Affected: 6.14
Unaffected: 0 , < 6.14 (semver)
Unaffected: 6.16.8 , ≤ 6.16.* (semver)
Unaffected: 6.17 , ≤ * (original_commit_for_fix)

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/phy/phy.c",
            "drivers/net/phy/phylink.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "052ac41c379c8b87629808be612a482b2d0ae283",
              "status": "affected",
              "version": "5fd0f1a02e750e2db4038dee60edea669ce5aab1",
              "versionType": "git"
            },
            {
              "lessThan": "e2a10daba84968f6b5777d150985fd7d6abc9c84",
              "status": "affected",
              "version": "5fd0f1a02e750e2db4038dee60edea669ce5aab1",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/phy/phy.c",
            "drivers/net/phy/phylink.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.14"
            },
            {
              "lessThan": "6.14",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.16.*",
              "status": "unaffected",
              "version": "6.16.8",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.17",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16.8",
                  "versionStartIncluding": "6.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17",
                  "versionStartIncluding": "6.14",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: phy: transfer phy_config_inband() locking responsibility to phylink\n\nProblem description\n===================\n\nLockdep reports a possible circular locking dependency (AB/BA) between\n\u0026pl-\u003estate_mutex and \u0026phy-\u003elock, as follows.\n\nphylink_resolve() // acquires \u0026pl-\u003estate_mutex\n-\u003e phylink_major_config()\n   -\u003e phy_config_inband() // acquires \u0026pl-\u003ephydev-\u003elock\n\nwhereas all the other call sites where \u0026pl-\u003estate_mutex and\n\u0026pl-\u003ephydev-\u003elock have the locking scheme reversed. Everywhere else,\n\u0026pl-\u003ephydev-\u003elock is acquired at the top level, and \u0026pl-\u003estate_mutex at\nthe lower level. A clear example is phylink_bringup_phy().\n\nThe outlier is the newly introduced phy_config_inband() and the existing\nlock order is the correct one. To understand why it cannot be the other\nway around, it is sufficient to consider phylink_phy_change(), phylink\u0027s\ncallback from the PHY device\u0027s phy-\u003ephy_link_change() virtual method,\ninvoked by the PHY state machine.\n\nphy_link_up() and phy_link_down(), the (indirect) callers of\nphylink_phy_change(), are called with \u0026phydev-\u003elock acquired.\nThen phylink_phy_change() acquires its own \u0026pl-\u003estate_mutex, to\nserialize changes made to its pl-\u003ephy_state and pl-\u003elink_config.\nSo all other instances of \u0026pl-\u003estate_mutex and \u0026phydev-\u003elock must be\nconsistent with this order.\n\nProblem impact\n==============\n\nI think the kernel runs a serious deadlock risk if an existing\nphylink_resolve() thread, which results in a phy_config_inband() call,\nis concurrent with a phy_link_up() or phy_link_down() call, which will\ndeadlock on \u0026pl-\u003estate_mutex in phylink_phy_change(). Practically\nspeaking, the impact may be limited by the slow speed of the medium\nauto-negotiation protocol, which makes it unlikely for the current state\nto still be unresolved when a new one is detected, but I think the\nproblem is there. Nonetheless, the problem was discovered using lockdep.\n\nProposed solution\n=================\n\nPractically speaking, the phy_config_inband() requirement of having\nphydev-\u003elock acquired must transfer to the caller (phylink is the only\ncaller). There, it must bubble up until immediately before\n\u0026pl-\u003estate_mutex is acquired, for the cases where that takes place.\n\nSolution details, considerations, notes\n=======================================\n\nThis is the phy_config_inband() call graph:\n\n                          sfp_upstream_ops :: connect_phy()\n                          |\n                          v\n                          phylink_sfp_connect_phy()\n                          |\n                          v\n                          phylink_sfp_config_phy()\n                          |\n                          |   sfp_upstream_ops :: module_insert()\n                          |   |\n                          |   v\n                          |   phylink_sfp_module_insert()\n                          |   |\n                          |   |   sfp_upstream_ops :: module_start()\n                          |   |   |\n                          |   |   v\n                          |   |   phylink_sfp_module_start()\n                          |   |   |\n                          |   v   v\n                          |   phylink_sfp_config_optical()\n phylink_start()          |   |\n   |   phylink_resume()   v   v\n   |   |  phylink_sfp_set_config()\n   |   |  |\n   v   v  v\n phylink_mac_initial_config()\n   |   phylink_resolve()\n   |   |  phylink_ethtool_ksettings_set()\n   v   v  v\n   phylink_major_config()\n            |\n            v\n    phy_config_inband()\n\nphylink_major_config() caller #1, phylink_mac_initial_config(), does not\nacquire \u0026pl-\u003estate_mutex nor do its callers. It must acquire\n\u0026pl-\u003ephydev-\u003elock prior to calling phylink_major_config().\n\nphylink_major_config() caller #2, phylink_resolve() acquires\n\u0026pl-\u003estate_mutex, thus also needs to acquire \u0026pl-\u003ephydev-\u003elock.\n\nphylink_major_config() caller #3, phylink_ethtool_ksettings_set(), is\ncompletely uninteresting, because it only call\n---truncated---"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-10-01T07:44:37.884Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/052ac41c379c8b87629808be612a482b2d0ae283"
        },
        {
          "url": "https://git.kernel.org/stable/c/e2a10daba84968f6b5777d150985fd7d6abc9c84"
        }
      ],
      "title": "net: phy: transfer phy_config_inband() locking responsibility to phylink",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-39915",
    "datePublished": "2025-10-01T07:44:37.884Z",
    "dateReserved": "2025-04-16T07:20:57.147Z",
    "dateUpdated": "2025-10-01T07:44:37.884Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-39912 (GCVE-0-2025-39912)

Vulnerability from nvd – Published: 2025-10-01 07:44 – Updated: 2025-10-01 07:44
Title
nfs/localio: restore creds before releasing pageio data
Summary
In the Linux kernel, the following vulnerability has been resolved: nfs/localio: restore creds before releasing pageio data Otherwise if the nfsd filecache code releases the nfsd_file immediately, it can trigger the BUG_ON(cred == current->cred) in __put_cred() when it puts the nfsd_file->nf_file->f-cred.
Severity ?
No CVSS data available.
Assigner
Impacted products
Vendor Product Version
Linux Linux Affected: b9f5dd57f4a52990963eeb1f1b58d00f717ece69 , < 57c1bb02b4fc8eec6eb01736e7fad26dffacf18c (git)
Affected: b9f5dd57f4a52990963eeb1f1b58d00f717ece69 , < c250be1d75bf80dc5ab46f0b434b746c1868a1ea (git)
Affected: b9f5dd57f4a52990963eeb1f1b58d00f717ece69 , < 992203a1fba51b025c60ec0c8b0d9223343dea95 (git)
    Linux Linux Affected: 6.12
Unaffected: 0 , < 6.12 (semver)
Unaffected: 6.12.48 , ≤ 6.12.* (semver)
Unaffected: 6.16.8 , ≤ 6.16.* (semver)
Unaffected: 6.17 , ≤ * (original_commit_for_fix)

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/nfs/localio.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "57c1bb02b4fc8eec6eb01736e7fad26dffacf18c",
              "status": "affected",
              "version": "b9f5dd57f4a52990963eeb1f1b58d00f717ece69",
              "versionType": "git"
            },
            {
              "lessThan": "c250be1d75bf80dc5ab46f0b434b746c1868a1ea",
              "status": "affected",
              "version": "b9f5dd57f4a52990963eeb1f1b58d00f717ece69",
              "versionType": "git"
            },
            {
              "lessThan": "992203a1fba51b025c60ec0c8b0d9223343dea95",
              "status": "affected",
              "version": "b9f5dd57f4a52990963eeb1f1b58d00f717ece69",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/nfs/localio.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.12"
            },
            {
              "lessThan": "6.12",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.48",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.16.*",
              "status": "unaffected",
              "version": "6.16.8",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.17",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.48",
                  "versionStartIncluding": "6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16.8",
                  "versionStartIncluding": "6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17",
                  "versionStartIncluding": "6.12",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfs/localio: restore creds before releasing pageio data\n\nOtherwise if the nfsd filecache code releases the nfsd_file\nimmediately, it can trigger the BUG_ON(cred == current-\u003ecred) in\n__put_cred() when it puts the nfsd_file-\u003enf_file-\u003ef-cred."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-10-01T07:44:35.513Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/57c1bb02b4fc8eec6eb01736e7fad26dffacf18c"
        },
        {
          "url": "https://git.kernel.org/stable/c/c250be1d75bf80dc5ab46f0b434b746c1868a1ea"
        },
        {
          "url": "https://git.kernel.org/stable/c/992203a1fba51b025c60ec0c8b0d9223343dea95"
        }
      ],
      "title": "nfs/localio: restore creds before releasing pageio data",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-39912",
    "datePublished": "2025-10-01T07:44:35.513Z",
    "dateReserved": "2025-04-16T07:20:57.147Z",
    "dateUpdated": "2025-10-01T07:44:35.513Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-39910 (GCVE-0-2025-39910)

Vulnerability from nvd – Published: 2025-10-01 07:44 – Updated: 2025-10-01 07:44
Title
mm/vmalloc, mm/kasan: respect gfp mask in kasan_populate_vmalloc()
Summary
In the Linux kernel, the following vulnerability has been resolved:

mm/vmalloc, mm/kasan: respect gfp mask in kasan_populate_vmalloc()

kasan_populate_vmalloc() and its helpers ignore the caller's gfp_mask and always allocate memory using the hardcoded GFP_KERNEL flag. This makes them inconsistent with vmalloc(), which was recently extended to support GFP_NOFS and GFP_NOIO allocations.

Page table allocations performed during shadow population also ignore the external gfp_mask. To preserve the intended semantics of GFP_NOFS and GFP_NOIO, wrap the apply_to_page_range() calls into the appropriate memalloc scope.

xfs calls vmalloc with GFP_NOFS, so this bug could lead to deadlock.

There was a report here https://lkml.kernel.org/r/686ea951.050a0220.385921.0016.GAE@google.com

This patch:
 - Extends kasan_populate_vmalloc() and helpers to take gfp_mask;
 - Passes gfp_mask down to alloc_pages_bulk() and __get_free_page();
 - Enforces GFP_NOFS/NOIO semantics with memalloc_*_save()/restore() around apply_to_page_range();
 - Updates vmalloc.c and percpu allocator call sites accordingly.
Severity ?
No CVSS data available.
Assigner
Impacted products
Vendor Product Version
Linux Linux Affected: 451769ebb7e792c3404db53b3c2a422990de654e , < 33b95d90427cb4babf32059e323a6d0c027610fe (git)
Affected: 451769ebb7e792c3404db53b3c2a422990de654e , < 79357cd06d41d0f5a11b17d7c86176e395d10ef2 (git)
    Linux Linux Affected: 5.17
Unaffected: 0 , < 5.17 (semver)
Unaffected: 6.16.8 , ≤ 6.16.* (semver)
Unaffected: 6.17 , ≤ * (original_commit_for_fix)

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "include/linux/kasan.h",
            "mm/kasan/shadow.c",
            "mm/vmalloc.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "33b95d90427cb4babf32059e323a6d0c027610fe",
              "status": "affected",
              "version": "451769ebb7e792c3404db53b3c2a422990de654e",
              "versionType": "git"
            },
            {
              "lessThan": "79357cd06d41d0f5a11b17d7c86176e395d10ef2",
              "status": "affected",
              "version": "451769ebb7e792c3404db53b3c2a422990de654e",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "include/linux/kasan.h",
            "mm/kasan/shadow.c",
            "mm/vmalloc.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.17"
            },
            {
              "lessThan": "5.17",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.16.*",
              "status": "unaffected",
              "version": "6.16.8",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.17",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16.8",
                  "versionStartIncluding": "5.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17",
                  "versionStartIncluding": "5.17",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/vmalloc, mm/kasan: respect gfp mask in kasan_populate_vmalloc()\n\nkasan_populate_vmalloc() and its helpers ignore the caller\u0027s gfp_mask and\nalways allocate memory using the hardcoded GFP_KERNEL flag.  This makes\nthem inconsistent with vmalloc(), which was recently extended to support\nGFP_NOFS and GFP_NOIO allocations.\n\nPage table allocations performed during shadow population also ignore the\nexternal gfp_mask.  To preserve the intended semantics of GFP_NOFS and\nGFP_NOIO, wrap the apply_to_page_range() calls into the appropriate\nmemalloc scope.\n\nxfs calls vmalloc with GFP_NOFS, so this bug could lead to deadlock.\n\nThere was a report here\nhttps://lkml.kernel.org/r/686ea951.050a0220.385921.0016.GAE@google.com\n\nThis patch:\n - Extends kasan_populate_vmalloc() and helpers to take gfp_mask;\n - Passes gfp_mask down to alloc_pages_bulk() and __get_free_page();\n - Enforces GFP_NOFS/NOIO semantics with memalloc_*_save()/restore()\n   around apply_to_page_range();\n - Updates vmalloc.c and percpu allocator call sites accordingly."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-10-01T07:44:33.759Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/33b95d90427cb4babf32059e323a6d0c027610fe"
        },
        {
          "url": "https://git.kernel.org/stable/c/79357cd06d41d0f5a11b17d7c86176e395d10ef2"
        }
      ],
      "title": "mm/vmalloc, mm/kasan: respect gfp mask in kasan_populate_vmalloc()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-39910",
    "datePublished": "2025-10-01T07:44:33.759Z",
    "dateReserved": "2025-04-16T07:20:57.147Z",
    "dateUpdated": "2025-10-01T07:44:33.759Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-39908 (GCVE-0-2025-39908)

Vulnerability from nvd – Published: 2025-10-01 07:44 – Updated: 2025-10-01 07:44
Title
net: dev_ioctl: take ops lock in hwtstamp lower paths
Summary
In the Linux kernel, the following vulnerability has been resolved:

net: dev_ioctl: take ops lock in hwtstamp lower paths

ndo hwtstamp callbacks are expected to run under the per-device ops lock. Make the lower get/set paths consistent with the rest of ndo invocations.

Kernel log:
WARNING: CPU: 13 PID: 51364 at ./include/net/netdev_lock.h:70 __netdev_update_features+0x4bd/0xe60
...
RIP: 0010:__netdev_update_features+0x4bd/0xe60
...
Call Trace:
<TASK>
netdev_update_features+0x1f/0x60
mlx5_hwtstamp_set+0x181/0x290 [mlx5_core]
mlx5e_hwtstamp_set+0x19/0x30 [mlx5_core]
dev_set_hwtstamp_phylib+0x9f/0x220
dev_set_hwtstamp_phylib+0x9f/0x220
dev_set_hwtstamp+0x13d/0x240
dev_ioctl+0x12f/0x4b0
sock_ioctl+0x171/0x370
__x64_sys_ioctl+0x3f7/0x900
? __sys_setsockopt+0x69/0xb0
do_syscall_64+0x6f/0x2e0
entry_SYSCALL_64_after_hwframe+0x4b/0x53
...
</TASK>
....
---[ end trace 0000000000000000 ]---

Note that the mlx5_hwtstamp_set and mlx5e_hwtstamp_set functions shown in the trace come from an in progress patch converting the legacy ioctl to ndo_hwtstamp_get/set and are not present in mainline.
Severity ?
No CVSS data available.
Assigner
Impacted products
Vendor Product Version
Linux Linux Affected: ffb7ed19ac0a9fa9ea79af1d7b42c03a10da98a5 , < 2d92fa0cdc02291de57f72170e8b60cef0cf5372 (git)
Affected: ffb7ed19ac0a9fa9ea79af1d7b42c03a10da98a5 , < 686cab5a18e443e1d5f2abb17bed45837836425f (git)
    Linux Linux Affected: 6.15
Unaffected: 0 , < 6.15 (semver)
Unaffected: 6.16.8 , ≤ 6.16.* (semver)
Unaffected: 6.17 , ≤ * (original_commit_for_fix)

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/core/dev_ioctl.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "2d92fa0cdc02291de57f72170e8b60cef0cf5372",
              "status": "affected",
              "version": "ffb7ed19ac0a9fa9ea79af1d7b42c03a10da98a5",
              "versionType": "git"
            },
            {
              "lessThan": "686cab5a18e443e1d5f2abb17bed45837836425f",
              "status": "affected",
              "version": "ffb7ed19ac0a9fa9ea79af1d7b42c03a10da98a5",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/core/dev_ioctl.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.15"
            },
            {
              "lessThan": "6.15",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.16.*",
              "status": "unaffected",
              "version": "6.16.8",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.17",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16.8",
                  "versionStartIncluding": "6.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17",
                  "versionStartIncluding": "6.15",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: dev_ioctl: take ops lock in hwtstamp lower paths\n\nndo hwtstamp callbacks are expected to run under the per-device ops\nlock. Make the lower get/set paths consistent with the rest of ndo\ninvocations.\n\nKernel log:\nWARNING: CPU: 13 PID: 51364 at ./include/net/netdev_lock.h:70 __netdev_update_features+0x4bd/0xe60\n...\nRIP: 0010:__netdev_update_features+0x4bd/0xe60\n...\nCall Trace:\n\u003cTASK\u003e\nnetdev_update_features+0x1f/0x60\nmlx5_hwtstamp_set+0x181/0x290 [mlx5_core]\nmlx5e_hwtstamp_set+0x19/0x30 [mlx5_core]\ndev_set_hwtstamp_phylib+0x9f/0x220\ndev_set_hwtstamp_phylib+0x9f/0x220\ndev_set_hwtstamp+0x13d/0x240\ndev_ioctl+0x12f/0x4b0\nsock_ioctl+0x171/0x370\n__x64_sys_ioctl+0x3f7/0x900\n? __sys_setsockopt+0x69/0xb0\ndo_syscall_64+0x6f/0x2e0\nentry_SYSCALL_64_after_hwframe+0x4b/0x53\n...\n\u003c/TASK\u003e\n....\n---[ end trace 0000000000000000 ]---\n\nNote that the mlx5_hwtstamp_set and mlx5e_hwtstamp_set functions shown\nin the trace come from an in progress patch converting the legacy ioctl\nto ndo_hwtstamp_get/set and are not present in mainline."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-10-01T07:44:31.904Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/2d92fa0cdc02291de57f72170e8b60cef0cf5372"
        },
        {
          "url": "https://git.kernel.org/stable/c/686cab5a18e443e1d5f2abb17bed45837836425f"
        }
      ],
      "title": "net: dev_ioctl: take ops lock in hwtstamp lower paths",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-39908",
    "datePublished": "2025-10-01T07:44:31.904Z",
    "dateReserved": "2025-04-16T07:20:57.146Z",
    "dateUpdated": "2025-10-01T07:44:31.904Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-39906 (GCVE-0-2025-39906)

Vulnerability from nvd – Published: 2025-10-01 07:44 – Updated: 2025-10-01 07:44
Title
drm/amd/display: remove oem i2c adapter on finish
Summary
In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: remove oem i2c adapter on finish Fixes a bug where unbinding of the GPU would leave the oem i2c adapter registered resulting in a null pointer dereference when applications try to access the invalid device. (cherry picked from commit 89923fb7ead4fdd37b78dd49962d9bb5892403e6)
Severity ?
No CVSS data available.
Assigner
Impacted products
Vendor Product Version
Linux Linux Affected: 3d5470c973149f479572dcf4eea064775041ea6c , < c686124bcf06253620790857ff462f00f3f7a4ab (git)
Affected: 3d5470c973149f479572dcf4eea064775041ea6c , < 1dfd2864a1c4909147663e5a27c055f50f7c2796 (git)
    Linux Linux Affected: 6.15
Unaffected: 0 , < 6.15 (semver)
Unaffected: 6.16.8 , ≤ 6.16.* (semver)
Unaffected: 6.17 , ≤ * (original_commit_for_fix)

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "c686124bcf06253620790857ff462f00f3f7a4ab",
              "status": "affected",
              "version": "3d5470c973149f479572dcf4eea064775041ea6c",
              "versionType": "git"
            },
            {
              "lessThan": "1dfd2864a1c4909147663e5a27c055f50f7c2796",
              "status": "affected",
              "version": "3d5470c973149f479572dcf4eea064775041ea6c",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.15"
            },
            {
              "lessThan": "6.15",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.16.*",
              "status": "unaffected",
              "version": "6.16.8",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.17",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16.8",
                  "versionStartIncluding": "6.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17",
                  "versionStartIncluding": "6.15",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: remove oem i2c adapter on finish\n\nFixes a bug where unbinding of the GPU would leave the oem i2c adapter\nregistered resulting in a null pointer dereference when applications try\nto access the invalid device.\n\n(cherry picked from commit 89923fb7ead4fdd37b78dd49962d9bb5892403e6)"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-10-01T07:44:29.666Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/c686124bcf06253620790857ff462f00f3f7a4ab"
        },
        {
          "url": "https://git.kernel.org/stable/c/1dfd2864a1c4909147663e5a27c055f50f7c2796"
        }
      ],
      "title": "drm/amd/display: remove oem i2c adapter on finish",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-39906",
    "datePublished": "2025-10-01T07:44:29.666Z",
    "dateReserved": "2025-04-16T07:20:57.146Z",
    "dateUpdated": "2025-10-01T07:44:29.666Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-39905 (GCVE-0-2025-39905)

Vulnerability from nvd – Published: 2025-10-01 07:44 – Updated: 2026-01-02 15:32
Title
net: phylink: add lock for serializing concurrent pl->phydev writes with resolver
Summary
In the Linux kernel, the following vulnerability has been resolved:

net: phylink: add lock for serializing concurrent pl->phydev writes with resolver

Currently phylink_resolve() protects itself against concurrent phylink_bringup_phy() or phylink_disconnect_phy() calls which modify pl->phydev by relying on pl->state_mutex.

The problem is that in phylink_resolve(), pl->state_mutex is in a lock inversion state with pl->phydev->lock. So pl->phydev->lock needs to be acquired prior to pl->state_mutex. But that requires dereferencing pl->phydev in the first place, and without pl->state_mutex, that is racy.

Hence the reason for the extra lock. Currently it is redundant, but it will serve a functional purpose once mutex_lock(&phy->lock) will be moved outside of the mutex_lock(&pl->state_mutex) section.

Another alternative considered would have been to let phylink_resolve() acquire the rtnl_mutex, which is also held when phylink_bringup_phy() and phylink_disconnect_phy() are called. But since phylink_disconnect_phy() runs under rtnl_lock(), it would deadlock with phylink_resolve() when calling flush_work(&pl->resolve). Additionally, it would have been undesirable because it would have unnecessarily blocked many other call paths as well in the entire kernel, so the smaller-scoped lock was preferred.
Severity ?
No CVSS data available.
Assigner
Impacted products
Vendor Product Version
Linux Linux Affected: 5fd0f1a02e750e2db4038dee60edea669ce5aab1 , < 56fe63b05ec84ae6674269d78397cec43a7a295a (git)
Affected: 5fd0f1a02e750e2db4038dee60edea669ce5aab1 , < 0ba5b2f2c381dbec9ed9e4ab3ae5d3e667de0dc3 (git)
    Linux Linux Affected: 6.14
Unaffected: 0 , < 6.14 (semver)
Unaffected: 6.16.8 , ≤ 6.16.* (semver)
Unaffected: 6.17 , ≤ * (original_commit_for_fix)

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/phy/phylink.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "56fe63b05ec84ae6674269d78397cec43a7a295a",
              "status": "affected",
              "version": "5fd0f1a02e750e2db4038dee60edea669ce5aab1",
              "versionType": "git"
            },
            {
              "lessThan": "0ba5b2f2c381dbec9ed9e4ab3ae5d3e667de0dc3",
              "status": "affected",
              "version": "5fd0f1a02e750e2db4038dee60edea669ce5aab1",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/phy/phylink.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.14"
            },
            {
              "lessThan": "6.14",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.16.*",
              "status": "unaffected",
              "version": "6.16.8",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.17",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16.8",
                  "versionStartIncluding": "6.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17",
                  "versionStartIncluding": "6.14",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: phylink: add lock for serializing concurrent pl-\u003ephydev writes with resolver\n\nCurrently phylink_resolve() protects itself against concurrent\nphylink_bringup_phy() or phylink_disconnect_phy() calls which modify\npl-\u003ephydev by relying on pl-\u003estate_mutex.\n\nThe problem is that in phylink_resolve(), pl-\u003estate_mutex is in a lock\ninversion state with pl-\u003ephydev-\u003elock. So pl-\u003ephydev-\u003elock needs to be\nacquired prior to pl-\u003estate_mutex. But that requires dereferencing\npl-\u003ephydev in the first place, and without pl-\u003estate_mutex, that is\nracy.\n\nHence the reason for the extra lock. Currently it is redundant, but it\nwill serve a functional purpose once mutex_lock(\u0026phy-\u003elock) will be\nmoved outside of the mutex_lock(\u0026pl-\u003estate_mutex) section.\n\nAnother alternative considered would have been to let phylink_resolve()\nacquire the rtnl_mutex, which is also held when phylink_bringup_phy()\nand phylink_disconnect_phy() are called. But since phylink_disconnect_phy()\nruns under rtnl_lock(), it would deadlock with phylink_resolve() when\ncalling flush_work(\u0026pl-\u003eresolve). Additionally, it would have been\nundesirable because it would have unnecessarily blocked many other call\npaths as well in the entire kernel, so the smaller-scoped lock was\npreferred."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-02T15:32:40.263Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/56fe63b05ec84ae6674269d78397cec43a7a295a"
        },
        {
          "url": "https://git.kernel.org/stable/c/0ba5b2f2c381dbec9ed9e4ab3ae5d3e667de0dc3"
        }
      ],
      "title": "net: phylink: add lock for serializing concurrent pl-\u003ephydev writes with resolver",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-39905",
    "datePublished": "2025-10-01T07:44:28.758Z",
    "dateReserved": "2025-04-16T07:20:57.146Z",
    "dateUpdated": "2026-01-02T15:32:40.263Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-39904 (GCVE-0-2025-39904)

Vulnerability from nvd – Published: 2025-10-01 07:44 – Updated: 2025-10-01 07:44
Title
arm64: kexec: initialize kexec_buf struct in load_other_segments()
Summary
In the Linux kernel, the following vulnerability has been resolved:

arm64: kexec: initialize kexec_buf struct in load_other_segments()

Patch series "kexec: Fix invalid field access".

The kexec_buf structure was previously declared without initialization. commit bf454ec31add ("kexec_file: allow to place kexec_buf randomly") added a field that is always read but not consistently populated by all architectures. This un-initialized field will contain garbage.

This is also triggering a UBSAN warning when the uninitialized data was accessed:

    ------------[ cut here ]------------
    UBSAN: invalid-load in ./include/linux/kexec.h:210:10
    load of value 252 is not a valid value for type '_Bool'

Zero-initializing kexec_buf at declaration ensures all fields are cleanly set, preventing future instances of uninitialized memory being used.

An initial fix was already landed for arm64[0], and this patchset fixes the problem on the remaining arm64 code and on riscv, as raised by Mark.

Discussions about this problem could be found at[1][2].

This patch (of 3):

The kexec_buf structure was previously declared without initialization. commit bf454ec31add ("kexec_file: allow to place kexec_buf randomly") added a field that is always read but not consistently populated by all architectures. This un-initialized field will contain garbage.

This is also triggering a UBSAN warning when the uninitialized data was accessed:

    ------------[ cut here ]------------
    UBSAN: invalid-load in ./include/linux/kexec.h:210:10
    load of value 252 is not a valid value for type '_Bool'

Zero-initializing kexec_buf at declaration ensures all fields are cleanly set, preventing future instances of uninitialized memory being used.
Severity ?
No CVSS data available.
Assigner
Impacted products
Vendor Product Version
Linux Linux Affected: bf454ec31add6790f6cdc88328e38901fcbbade6 , < 340cc9a3bd30b25edaf6a9708d41b5f2c10a054a (git)
Affected: bf454ec31add6790f6cdc88328e38901fcbbade6 , < 04d3cd43700a2d0fe4bfb1012a8ec7f2e34a3507 (git)
    Linux Linux Affected: 6.16
Unaffected: 0 , < 6.16 (semver)
Unaffected: 6.16.8 , ≤ 6.16.* (semver)
Unaffected: 6.17 , ≤ * (original_commit_for_fix)

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "arch/arm64/kernel/machine_kexec_file.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "340cc9a3bd30b25edaf6a9708d41b5f2c10a054a",
              "status": "affected",
              "version": "bf454ec31add6790f6cdc88328e38901fcbbade6",
              "versionType": "git"
            },
            {
              "lessThan": "04d3cd43700a2d0fe4bfb1012a8ec7f2e34a3507",
              "status": "affected",
              "version": "bf454ec31add6790f6cdc88328e38901fcbbade6",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "arch/arm64/kernel/machine_kexec_file.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.16"
            },
            {
              "lessThan": "6.16",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.16.*",
              "status": "unaffected",
              "version": "6.16.8",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.17",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16.8",
                  "versionStartIncluding": "6.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17",
                  "versionStartIncluding": "6.16",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\narm64: kexec: initialize kexec_buf struct in load_other_segments()\n\nPatch series \"kexec: Fix invalid field access\".\n\nThe kexec_buf structure was previously declared without initialization. \ncommit bf454ec31add (\"kexec_file: allow to place kexec_buf randomly\")\nadded a field that is always read but not consistently populated by all\narchitectures.  This un-initialized field will contain garbage.\n\nThis is also triggering a UBSAN warning when the uninitialized data was\naccessed:\n\n\t------------[ cut here ]------------\n\tUBSAN: invalid-load in ./include/linux/kexec.h:210:10\n\tload of value 252 is not a valid value for type \u0027_Bool\u0027\n\nZero-initializing kexec_buf at declaration ensures all fields are cleanly\nset, preventing future instances of uninitialized memory being used.\n\nAn initial fix was already landed for arm64[0], and this patchset fixes\nthe problem on the remaining arm64 code and on riscv, as raised by Mark.\n\nDiscussions about this problem could be found at[1][2].\n\n\nThis patch (of 3):\n\nThe kexec_buf structure was previously declared without initialization.\ncommit bf454ec31add (\"kexec_file: allow to place kexec_buf randomly\")\nadded a field that is always read but not consistently populated by all\narchitectures. This un-initialized field will contain garbage.\n\nThis is also triggering a UBSAN warning when the uninitialized data was\naccessed:\n\n\t------------[ cut here ]------------\n\tUBSAN: invalid-load in ./include/linux/kexec.h:210:10\n\tload of value 252 is not a valid value for type \u0027_Bool\u0027\n\nZero-initializing kexec_buf at declaration ensures all fields are\ncleanly set, preventing future instances of uninitialized memory being\nused."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-10-01T07:44:27.739Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/340cc9a3bd30b25edaf6a9708d41b5f2c10a054a"
        },
        {
          "url": "https://git.kernel.org/stable/c/04d3cd43700a2d0fe4bfb1012a8ec7f2e34a3507"
        }
      ],
      "title": "arm64: kexec: initialize kexec_buf struct in load_other_segments()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-39904",
    "datePublished": "2025-10-01T07:44:27.739Z",
    "dateReserved": "2025-04-16T07:20:57.146Z",
    "dateUpdated": "2025-10-01T07:44:27.739Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-39903 (GCVE-0-2025-39903)

Vulnerability from nvd – Published: 2025-10-01 07:42 – Updated: 2025-10-01 07:42
Title
of_numa: fix uninitialized memory nodes causing kernel panic
Summary
In the Linux kernel, the following vulnerability has been resolved:

of_numa: fix uninitialized memory nodes causing kernel panic

When there are memory-only nodes (nodes without CPUs), these nodes are not properly initialized, causing kernel panic during boot.

    of_numa_init
        of_numa_parse_cpu_nodes
            node_set(nid, numa_nodes_parsed);
        of_numa_parse_memory_nodes

In of_numa_parse_cpu_nodes, numa_nodes_parsed gets updated only for nodes containing CPUs. Memory-only nodes should have been updated in of_numa_parse_memory_nodes, but they weren't.

Subsequently, when free_area_init() attempts to access NODE_DATA() for these uninitialized memory nodes, the kernel panics due to NULL pointer dereference.

This can be reproduced on ARM64 QEMU with 1 CPU and 2 memory nodes:

    qemu-system-aarch64 \
    -cpu host -nographic \
    -m 4G -smp 1 \
    -machine virt,accel=kvm,gic-version=3,iommu=smmuv3 \
    -object memory-backend-ram,size=2G,id=mem0 \
    -object memory-backend-ram,size=2G,id=mem1 \
    -numa node,nodeid=0,memdev=mem0 \
    -numa node,nodeid=1,memdev=mem1 \
    -kernel $IMAGE \
    -hda $DISK \
    -append "console=ttyAMA0 root=/dev/vda rw earlycon"

    [    0.000000] Booting Linux on physical CPU 0x0000000000 [0x481fd010]
    [    0.000000] Linux version 6.17.0-rc1-00001-gabb4b3daf18c-dirty (yintirui@local) (gcc (GCC) 12.3.1, GNU ld (GNU Binutils) 2.41) #52 SMP PREEMPT Mon Aug 18 09:49:40 CST 2025
    [    0.000000] KASLR enabled
    [    0.000000] random: crng init done
    [    0.000000] Machine model: linux,dummy-virt
    [    0.000000] efi: UEFI not found.
    [    0.000000] earlycon: pl11 at MMIO 0x0000000009000000 (options '')
    [    0.000000] printk: legacy bootconsole [pl11] enabled
    [    0.000000] OF: reserved mem: Reserved memory: No reserved-memory node in the DT
    [    0.000000] NODE_DATA(0) allocated [mem 0xbfffd9c0-0xbfffffff]
    [    0.000000] node 1 must be removed before remove section 23
    [    0.000000] Zone ranges:
    [    0.000000]   DMA      [mem 0x0000000040000000-0x00000000ffffffff]
    [    0.000000]   DMA32    empty
    [    0.000000]   Normal   [mem 0x0000000100000000-0x000000013fffffff]
    [    0.000000] Movable zone start for each node
    [    0.000000] Early memory node ranges
    [    0.000000]   node   0: [mem 0x0000000040000000-0x00000000bfffffff]
    [    0.000000]   node   1: [mem 0x00000000c0000000-0x000000013fffffff]
    [    0.000000] Initmem setup node 0 [mem 0x0000000040000000-0x00000000bfffffff]
    [    0.000000] Unable to handle kernel NULL pointer dereference at virtual address 00000000000000a0
    [    0.000000] Mem abort info:
    [    0.000000]   ESR = 0x0000000096000004
    [    0.000000]   EC = 0x25: DABT (current EL), IL = 32 bits
    [    0.000000]   SET = 0, FnV = 0
    [    0.000000]   EA = 0, S1PTW = 0
    [    0.000000]   FSC = 0x04: level 0 translation fault
    [    0.000000] Data abort info:
    [    0.000000]   ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000
    [    0.000000]   CM = 0, WnR = 0, TnD = 0, TagAccess = 0
    [    0.000000]   GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
    [    0.000000] [00000000000000a0] user address but active_mm is swapper
    [    0.000000] Internal error: Oops: 0000000096000004 [#1]  SMP
    [    0.000000] Modules linked in:
    [    0.000000] CPU: 0 UID: 0 PID: 0 Comm: swapper Not tainted 6.17.0-rc1-00001-g760c6dabf762-dirty #54 PREEMPT
    [    0.000000] Hardware name: linux,dummy-virt (DT)
    [    0.000000] pstate: 800000c5 (Nzcv daIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
    [    0.000000] pc : free_area_init+0x50c/0xf9c
    [    0.000000] lr : free_area_init+0x5c0/0xf9c
    [    0.000000] sp : ffffa02ca0f33c00
    [    0.000000] x29: ffffa02ca0f33cb0 x28: 0000000000000000 x27: 0000000000000000
    [    0.000000] x26: 4ec4ec4ec4ec4ec5 x25: 00000000000c0000 x24: 00000000000c0000
    [    0.000000] x23: 0000000000040000 x22: 0000000000000000 x21: ffffa02ca0f3b368
    [    0.000000] x20: ffffa02ca14c7b98 x19: 0000000000000000 x18: 0000000000000002
    [    0.000000] x17: 000000000000cacc x16: 0000000000000001 x15: 0000000000000001
    [    0.000000] x14: 0000000080000000 x13: 0000000000000018 x12: 0000000000000002
    [    0.0
    ---truncated---
Severity ?
No CVSS data available.
Assigner
Impacted products
Vendor Product Version
Linux Linux Affected: 767507654c22578ea0b51d181211b2e7714ea7cd , < c2daa6eb4740720b5bd0e06267d7c93a3eed844e (git)
Affected: 767507654c22578ea0b51d181211b2e7714ea7cd , < f3286ad8eeae15fd4bd5c12f9adfe888b26baf62 (git)
Affected: 767507654c22578ea0b51d181211b2e7714ea7cd , < ee4d098cbc9160f573b5c1b5a51d6158efdb2896 (git)
    Linux Linux Affected: 6.12
Unaffected: 0 , < 6.12 (semver)
Unaffected: 6.12.46 , ≤ 6.12.* (semver)
Unaffected: 6.16.6 , ≤ 6.16.* (semver)
Unaffected: 6.17 , ≤ * (original_commit_for_fix)

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/of/of_numa.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "c2daa6eb4740720b5bd0e06267d7c93a3eed844e",
              "status": "affected",
              "version": "767507654c22578ea0b51d181211b2e7714ea7cd",
              "versionType": "git"
            },
            {
              "lessThan": "f3286ad8eeae15fd4bd5c12f9adfe888b26baf62",
              "status": "affected",
              "version": "767507654c22578ea0b51d181211b2e7714ea7cd",
              "versionType": "git"
            },
            {
              "lessThan": "ee4d098cbc9160f573b5c1b5a51d6158efdb2896",
              "status": "affected",
              "version": "767507654c22578ea0b51d181211b2e7714ea7cd",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/of/of_numa.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.12"
            },
            {
              "lessThan": "6.12",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.46",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.16.*",
              "status": "unaffected",
              "version": "6.16.6",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.17",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.46",
                  "versionStartIncluding": "6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16.6",
                  "versionStartIncluding": "6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17",
                  "versionStartIncluding": "6.12",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nof_numa: fix uninitialized memory nodes causing kernel panic\n\nWhen there are memory-only nodes (nodes without CPUs), these nodes are not\nproperly initialized, causing kernel panic during boot.\n\nof_numa_init\n\tof_numa_parse_cpu_nodes\n\t\tnode_set(nid, numa_nodes_parsed);\n\tof_numa_parse_memory_nodes\n\nIn of_numa_parse_cpu_nodes, numa_nodes_parsed gets updated only for nodes\ncontaining CPUs.  Memory-only nodes should have been updated in\nof_numa_parse_memory_nodes, but they weren\u0027t.\n\nSubsequently, when free_area_init() attempts to access NODE_DATA() for\nthese uninitialized memory nodes, the kernel panics due to NULL pointer\ndereference.\n\nThis can be reproduced on ARM64 QEMU with 1 CPU and 2 memory nodes:\n\nqemu-system-aarch64 \\\n-cpu host -nographic \\\n-m 4G -smp 1 \\\n-machine virt,accel=kvm,gic-version=3,iommu=smmuv3 \\\n-object memory-backend-ram,size=2G,id=mem0 \\\n-object memory-backend-ram,size=2G,id=mem1 \\\n-numa node,nodeid=0,memdev=mem0 \\\n-numa node,nodeid=1,memdev=mem1 \\\n-kernel $IMAGE \\\n-hda $DISK \\\n-append \"console=ttyAMA0 root=/dev/vda rw earlycon\"\n\n[    0.000000] Booting Linux on physical CPU 0x0000000000 [0x481fd010]\n[    0.000000] Linux version 6.17.0-rc1-00001-gabb4b3daf18c-dirty (yintirui@local) (gcc (GCC) 12.3.1, GNU ld (GNU Binutils) 2.41) #52 SMP PREEMPT Mon Aug 18 09:49:40 CST 2025\n[    0.000000] KASLR enabled\n[    0.000000] random: crng init done\n[    0.000000] Machine model: linux,dummy-virt\n[    0.000000] efi: UEFI not found.\n[    0.000000] earlycon: pl11 at MMIO 0x0000000009000000 (options \u0027\u0027)\n[    0.000000] printk: legacy bootconsole [pl11] enabled\n[    0.000000] OF: reserved mem: Reserved memory: No reserved-memory node in the DT\n[    0.000000] NODE_DATA(0) allocated [mem 0xbfffd9c0-0xbfffffff]\n[    0.000000] node 1 must be removed before remove section 23\n[    0.000000] Zone ranges:\n[    0.000000]   DMA      [mem 0x0000000040000000-0x00000000ffffffff]\n[    0.000000]   DMA32    empty\n[    0.000000]   Normal   [mem 0x0000000100000000-0x000000013fffffff]\n[    0.000000] Movable zone start for each node\n[    0.000000] Early memory node ranges\n[    0.000000]   node   0: [mem 0x0000000040000000-0x00000000bfffffff]\n[    0.000000]   node   1: [mem 0x00000000c0000000-0x000000013fffffff]\n[    0.000000] Initmem setup node 0 [mem 0x0000000040000000-0x00000000bfffffff]\n[    0.000000] Unable to handle kernel NULL pointer dereference at virtual address 00000000000000a0\n[    0.000000] Mem abort info:\n[    0.000000]   ESR = 0x0000000096000004\n[    0.000000]   EC = 0x25: DABT (current EL), IL = 32 bits\n[    0.000000]   SET = 0, FnV = 0\n[    0.000000]   EA = 0, S1PTW = 0\n[    0.000000]   FSC = 0x04: level 0 translation fault\n[    0.000000] Data abort info:\n[    0.000000]   ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000\n[    0.000000]   CM = 0, WnR = 0, TnD = 0, TagAccess = 0\n[    0.000000]   GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\n[    0.000000] [00000000000000a0] user address but active_mm is swapper\n[    0.000000] Internal error: Oops: 0000000096000004 [#1]  SMP\n[    0.000000] Modules linked in:\n[    0.000000] CPU: 0 UID: 0 PID: 0 Comm: swapper Not tainted 6.17.0-rc1-00001-g760c6dabf762-dirty #54 PREEMPT\n[    0.000000] Hardware name: linux,dummy-virt (DT)\n[    0.000000] pstate: 800000c5 (Nzcv daIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n[    0.000000] pc : free_area_init+0x50c/0xf9c\n[    0.000000] lr : free_area_init+0x5c0/0xf9c\n[    0.000000] sp : ffffa02ca0f33c00\n[    0.000000] x29: ffffa02ca0f33cb0 x28: 0000000000000000 x27: 0000000000000000\n[    0.000000] x26: 4ec4ec4ec4ec4ec5 x25: 00000000000c0000 x24: 00000000000c0000\n[    0.000000] x23: 0000000000040000 x22: 0000000000000000 x21: ffffa02ca0f3b368\n[    0.000000] x20: ffffa02ca14c7b98 x19: 0000000000000000 x18: 0000000000000002\n[    0.000000] x17: 000000000000cacc x16: 0000000000000001 x15: 0000000000000001\n[    0.000000] x14: 0000000080000000 x13: 0000000000000018 x12: 0000000000000002\n[    0.0\n---truncated---"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-10-01T07:42:50.215Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/c2daa6eb4740720b5bd0e06267d7c93a3eed844e"
        },
        {
          "url": "https://git.kernel.org/stable/c/f3286ad8eeae15fd4bd5c12f9adfe888b26baf62"
        },
        {
          "url": "https://git.kernel.org/stable/c/ee4d098cbc9160f573b5c1b5a51d6158efdb2896"
        }
      ],
      "title": "of_numa: fix uninitialized memory nodes causing kernel panic",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-39903",
    "datePublished": "2025-10-01T07:42:50.215Z",
    "dateReserved": "2025-04-16T07:20:57.146Z",
    "dateUpdated": "2025-10-01T07:42:50.215Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2021-4460 (GCVE-0-2021-4460)

Vulnerability from cvelistv5 – Published: 2025-10-01 11:45 – Updated: 2025-12-20 08:50
Title
drm/amdkfd: Fix UBSAN shift-out-of-bounds warning
Summary
In the Linux kernel, the following vulnerability has been resolved:

drm/amdkfd: Fix UBSAN shift-out-of-bounds warning

If get_num_sdma_queues or get_num_xgmi_sdma_queues is 0, we end up doing a shift operation where the number of bits shifted equals number of bits in the operand. This behaviour is undefined.

Set num_sdma_queues or num_xgmi_sdma_queues to ULLONG_MAX, if the count is >= number of bits in the operand.

Bug: https://gitlab.freedesktop.org/drm/amd/-/issues/1472
Severity ?
No CVSS data available.
Assigner
Impacted products
Vendor Product Version
Linux Linux Affected: 4a488a7ad71401169cecee75dc94bcce642e2c53 , < 0c0356ef2498c1a250fe3846f30293f828737309 (git)
Affected: 4a488a7ad71401169cecee75dc94bcce642e2c53 , < 1874b0ef1426b873de94c61861e38f29a8df714c (git)
Affected: 4a488a7ad71401169cecee75dc94bcce642e2c53 , < 3fdc5182700910a685d23df57d65166e8556a266 (git)
Affected: 4a488a7ad71401169cecee75dc94bcce642e2c53 , < 9069b1b542de8f3bbffef868aff41521b21485cf (git)
Affected: 4a488a7ad71401169cecee75dc94bcce642e2c53 , < 50e2fc36e72d4ad672032ebf646cecb48656efe0 (git)
    Linux Linux Affected: 3.19
Unaffected: 0 , < 3.19 (semver)
Unaffected: 5.4.118 , ≤ 5.4.* (semver)
Unaffected: 5.10.36 , ≤ 5.10.* (semver)
Unaffected: 5.11.20 , ≤ 5.11.* (semver)
Unaffected: 5.12.3 , ≤ 5.12.* (semver)
Unaffected: 5.13 , ≤ * (original_commit_for_fix)

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "0c0356ef2498c1a250fe3846f30293f828737309",
              "status": "affected",
              "version": "4a488a7ad71401169cecee75dc94bcce642e2c53",
              "versionType": "git"
            },
            {
              "lessThan": "1874b0ef1426b873de94c61861e38f29a8df714c",
              "status": "affected",
              "version": "4a488a7ad71401169cecee75dc94bcce642e2c53",
              "versionType": "git"
            },
            {
              "lessThan": "3fdc5182700910a685d23df57d65166e8556a266",
              "status": "affected",
              "version": "4a488a7ad71401169cecee75dc94bcce642e2c53",
              "versionType": "git"
            },
            {
              "lessThan": "9069b1b542de8f3bbffef868aff41521b21485cf",
              "status": "affected",
              "version": "4a488a7ad71401169cecee75dc94bcce642e2c53",
              "versionType": "git"
            },
            {
              "lessThan": "50e2fc36e72d4ad672032ebf646cecb48656efe0",
              "status": "affected",
              "version": "4a488a7ad71401169cecee75dc94bcce642e2c53",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.19"
            },
            {
              "lessThan": "3.19",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.118",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.36",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.11.*",
              "status": "unaffected",
              "version": "5.11.20",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.12.*",
              "status": "unaffected",
              "version": "5.12.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "5.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.118",
                  "versionStartIncluding": "3.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.36",
                  "versionStartIncluding": "3.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.11.20",
                  "versionStartIncluding": "3.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.12.3",
                  "versionStartIncluding": "3.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.13",
                  "versionStartIncluding": "3.19",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdkfd: Fix UBSAN shift-out-of-bounds warning\n\nIf get_num_sdma_queues or get_num_xgmi_sdma_queues is 0, we end up\ndoing a shift operation where the number of bits shifted equals\nnumber of bits in the operand. This behaviour is undefined.\n\nSet num_sdma_queues or num_xgmi_sdma_queues to ULLONG_MAX, if the\ncount is \u003e= number of bits in the operand.\n\nBug: https://gitlab.freedesktop.org/drm/amd/-/issues/1472"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-20T08:50:43.244Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/0c0356ef2498c1a250fe3846f30293f828737309"
        },
        {
          "url": "https://git.kernel.org/stable/c/1874b0ef1426b873de94c61861e38f29a8df714c"
        },
        {
          "url": "https://git.kernel.org/stable/c/3fdc5182700910a685d23df57d65166e8556a266"
        },
        {
          "url": "https://git.kernel.org/stable/c/9069b1b542de8f3bbffef868aff41521b21485cf"
        },
        {
          "url": "https://git.kernel.org/stable/c/50e2fc36e72d4ad672032ebf646cecb48656efe0"
        }
      ],
      "title": "drm/amdkfd: Fix UBSAN shift-out-of-bounds warning",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2021-4460",
    "datePublished": "2025-10-01T11:45:19.050Z",
    "dateReserved": "2025-10-01T11:38:13.842Z",
    "dateUpdated": "2025-12-20T08:50:43.244Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2022-50424 (GCVE-0-2022-50424)

Vulnerability from cvelistv5 – Published: 2025-10-01 11:42 – Updated: 2025-10-01 11:42
Title
wifi: mt76: mt7921: resource leaks at mt7921_check_offload_capability()
Summary
In the Linux kernel, the following vulnerability has been resolved:

wifi: mt76: mt7921: resource leaks at mt7921_check_offload_capability()

Fixed coverity issue with resource leaks at variable "fw" going out of scope leaks the storage it points to mt7921_check_offload_capability().

Addresses-Coverity-ID: 1527806 ("Resource leaks")
Severity ?
No CVSS data available.
Assigner
Impacted products
Vendor Product Version
Linux Linux Affected: 034ae28b56f13dc1f2beb3fa294b455f57ede9cb , < ead3cffd7510dc635d84cd4ea9dd1974fcb69a35 (git)
Affected: 034ae28b56f13dc1f2beb3fa294b455f57ede9cb , < 47180ecf4541146836c5307c1d5526f8ac6a5a6d (git)
    Linux Linux Affected: 6.2
Unaffected: 0 , < 6.2 (semver)
Unaffected: 6.2.3 , ≤ 6.2.* (semver)
Unaffected: 6.3 , ≤ * (original_commit_for_fix)

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/wireless/mediatek/mt76/mt7921/init.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "ead3cffd7510dc635d84cd4ea9dd1974fcb69a35",
              "status": "affected",
              "version": "034ae28b56f13dc1f2beb3fa294b455f57ede9cb",
              "versionType": "git"
            },
            {
              "lessThan": "47180ecf4541146836c5307c1d5526f8ac6a5a6d",
              "status": "affected",
              "version": "034ae28b56f13dc1f2beb3fa294b455f57ede9cb",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/wireless/mediatek/mt76/mt7921/init.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.2"
            },
            {
              "lessThan": "6.2",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.2.*",
              "status": "unaffected",
              "version": "6.2.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.3",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.2.3",
                  "versionStartIncluding": "6.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.3",
                  "versionStartIncluding": "6.2",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mt76: mt7921: resource leaks at mt7921_check_offload_capability()\n\nFixed coverity issue with resource leaks at variable \"fw\" going out of\nscope leaks the storage it points to mt7921_check_offload_capability().\n\nAddresses-Coverity-ID: 1527806 (\"Resource leaks\")"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-10-01T11:42:03.912Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/ead3cffd7510dc635d84cd4ea9dd1974fcb69a35"
        },
        {
          "url": "https://git.kernel.org/stable/c/47180ecf4541146836c5307c1d5526f8ac6a5a6d"
        }
      ],
      "title": "wifi: mt76: mt7921: resource leaks at mt7921_check_offload_capability()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2022-50424",
    "datePublished": "2025-10-01T11:42:03.912Z",
    "dateReserved": "2025-09-17T14:53:07.004Z",
    "dateUpdated": "2025-10-01T11:42:03.912Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2022-50423 (GCVE-0-2022-50423)

Vulnerability from cvelistv5 – Published: 2025-10-01 11:41 – Updated: 2025-10-01 11:41
Title
ACPICA: Fix use-after-free in acpi_ut_copy_ipackage_to_ipackage()
Summary
In the Linux kernel, the following vulnerability has been resolved:

ACPICA: Fix use-after-free in acpi_ut_copy_ipackage_to_ipackage()

There is an use-after-free reported by KASAN:

  BUG: KASAN: use-after-free in acpi_ut_remove_reference+0x3b/0x82
  Read of size 1 at addr ffff888112afc460 by task modprobe/2111
  CPU: 0 PID: 2111 Comm: modprobe Not tainted 6.1.0-rc7-dirty
  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
  Call Trace:
   <TASK>
   kasan_report+0xae/0xe0
   acpi_ut_remove_reference+0x3b/0x82
   acpi_ut_copy_iobject_to_iobject+0x3be/0x3d5
   acpi_ds_store_object_to_local+0x15d/0x3a0
   acpi_ex_store+0x78d/0x7fd
   acpi_ex_opcode_1A_1T_1R+0xbe4/0xf9b
   acpi_ps_parse_aml+0x217/0x8d5
   ...
   </TASK>

The root cause of the problem is that the acpi_operand_object is freed when acpi_ut_walk_package_tree() fails in acpi_ut_copy_ipackage_to_ipackage(), lead to repeated release in acpi_ut_copy_iobject_to_iobject(). The problem was introduced by "8aa5e56eeb61" commit, this commit is to fix memory leak in acpi_ut_copy_iobject_to_iobject(), repeatedly adding remove operation, lead to "acpi_operand_object" used after free.

Fix it by removing acpi_ut_remove_reference() in acpi_ut_copy_ipackage_to_ipackage(). acpi_ut_copy_ipackage_to_ipackage() is called to copy an internal package object into another internal package object, when it fails, the memory of acpi_operand_object should be freed by the caller.
Severity ?
No CVSS data available.
Assigner
Impacted products
Vendor Product Version
Linux Linux Affected: 8aa5e56eeb61a099ea6519eb30ee399e1bc043ce , < 133462d35dae95edb944af86b986d4c9dec59bd1 (git)
Affected: 8aa5e56eeb61a099ea6519eb30ee399e1bc043ce , < 02f237423c9c6a18e062de2d474f85d5659e4eb9 (git)
Affected: 8aa5e56eeb61a099ea6519eb30ee399e1bc043ce , < c9125b643fc51b8e662f2f614096ceb45a0adbc3 (git)
Affected: 8aa5e56eeb61a099ea6519eb30ee399e1bc043ce , < dfdde4d5138bc023897033a5ac653a84e94805be (git)
Affected: 8aa5e56eeb61a099ea6519eb30ee399e1bc043ce , < 02617006b5a46f2ea55ac61f5693c7afd7bf9276 (git)
Affected: 8aa5e56eeb61a099ea6519eb30ee399e1bc043ce , < 6fde666278f91b85d71545a0ebbf41d8d7af8074 (git)
Affected: 8aa5e56eeb61a099ea6519eb30ee399e1bc043ce , < f51b2235e4f320edc839c3e5cb0d1f8a6e8657c6 (git)
Affected: 8aa5e56eeb61a099ea6519eb30ee399e1bc043ce , < 01f2c2052ea50fb9a8ce12e4e83aed0267934ef0 (git)
Affected: 8aa5e56eeb61a099ea6519eb30ee399e1bc043ce , < 470188b09e92d83c5a997f25f0e8fb8cd2bc3469 (git)
Affected: b3e98f0c4f996cd53b80bad71f0d7e4a2cf3a4e8 (git)
Affected: 7af5504c102a378376101dbd160246b10a814dd0 (git)
Affected: e29a15484d7ea949e49ae7fb7e576a575da824a6 (git)
Affected: e2ab6731a36966d042a2d4dabd980496cd680f75 (git)
    Linux Linux Affected: 3.17
Unaffected: 0 , < 3.17 (semver)
Unaffected: 4.9.337 , ≤ 4.9.* (semver)
Unaffected: 4.14.303 , ≤ 4.14.* (semver)
Unaffected: 4.19.270 , ≤ 4.19.* (semver)
Unaffected: 5.4.229 , ≤ 5.4.* (semver)
Unaffected: 5.10.163 , ≤ 5.10.* (semver)
Unaffected: 5.15.86 , ≤ 5.15.* (semver)
Unaffected: 6.0.16 , ≤ 6.0.* (semver)
Unaffected: 6.1.2 , ≤ 6.1.* (semver)
Unaffected: 6.2 , ≤ * (original_commit_for_fix)

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/acpi/acpica/utcopy.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "133462d35dae95edb944af86b986d4c9dec59bd1",
              "status": "affected",
              "version": "8aa5e56eeb61a099ea6519eb30ee399e1bc043ce",
              "versionType": "git"
            },
            {
              "lessThan": "02f237423c9c6a18e062de2d474f85d5659e4eb9",
              "status": "affected",
              "version": "8aa5e56eeb61a099ea6519eb30ee399e1bc043ce",
              "versionType": "git"
            },
            {
              "lessThan": "c9125b643fc51b8e662f2f614096ceb45a0adbc3",
              "status": "affected",
              "version": "8aa5e56eeb61a099ea6519eb30ee399e1bc043ce",
              "versionType": "git"
            },
            {
              "lessThan": "dfdde4d5138bc023897033a5ac653a84e94805be",
              "status": "affected",
              "version": "8aa5e56eeb61a099ea6519eb30ee399e1bc043ce",
              "versionType": "git"
            },
            {
              "lessThan": "02617006b5a46f2ea55ac61f5693c7afd7bf9276",
              "status": "affected",
              "version": "8aa5e56eeb61a099ea6519eb30ee399e1bc043ce",
              "versionType": "git"
            },
            {
              "lessThan": "6fde666278f91b85d71545a0ebbf41d8d7af8074",
              "status": "affected",
              "version": "8aa5e56eeb61a099ea6519eb30ee399e1bc043ce",
              "versionType": "git"
            },
            {
              "lessThan": "f51b2235e4f320edc839c3e5cb0d1f8a6e8657c6",
              "status": "affected",
              "version": "8aa5e56eeb61a099ea6519eb30ee399e1bc043ce",
              "versionType": "git"
            },
            {
              "lessThan": "01f2c2052ea50fb9a8ce12e4e83aed0267934ef0",
              "status": "affected",
              "version": "8aa5e56eeb61a099ea6519eb30ee399e1bc043ce",
              "versionType": "git"
            },
            {
              "lessThan": "470188b09e92d83c5a997f25f0e8fb8cd2bc3469",
              "status": "affected",
              "version": "8aa5e56eeb61a099ea6519eb30ee399e1bc043ce",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "b3e98f0c4f996cd53b80bad71f0d7e4a2cf3a4e8",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "7af5504c102a378376101dbd160246b10a814dd0",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "e29a15484d7ea949e49ae7fb7e576a575da824a6",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "e2ab6731a36966d042a2d4dabd980496cd680f75",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/acpi/acpica/utcopy.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.17"
            },
            {
              "lessThan": "3.17",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.9.*",
              "status": "unaffected",
              "version": "4.9.337",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.14.*",
              "status": "unaffected",
              "version": "4.14.303",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.19.*",
              "status": "unaffected",
              "version": "4.19.270",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.229",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.163",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.86",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.0.*",
              "status": "unaffected",
              "version": "6.0.16",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.2",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.9.337",
                  "versionStartIncluding": "3.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.14.303",
                  "versionStartIncluding": "3.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.19.270",
                  "versionStartIncluding": "3.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.229",
                  "versionStartIncluding": "3.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.163",
                  "versionStartIncluding": "3.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.86",
                  "versionStartIncluding": "3.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.0.16",
                  "versionStartIncluding": "3.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.2",
                  "versionStartIncluding": "3.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.2",
                  "versionStartIncluding": "3.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "3.10.55",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "3.12.29",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "3.14.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "3.16.3",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nACPICA: Fix use-after-free in acpi_ut_copy_ipackage_to_ipackage()\n\nThere is an use-after-free reported by KASAN:\n\n  BUG: KASAN: use-after-free in acpi_ut_remove_reference+0x3b/0x82\n  Read of size 1 at addr ffff888112afc460 by task modprobe/2111\n  CPU: 0 PID: 2111 Comm: modprobe Not tainted 6.1.0-rc7-dirty\n  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),\n  Call Trace:\n   \u003cTASK\u003e\n   kasan_report+0xae/0xe0\n   acpi_ut_remove_reference+0x3b/0x82\n   acpi_ut_copy_iobject_to_iobject+0x3be/0x3d5\n   acpi_ds_store_object_to_local+0x15d/0x3a0\n   acpi_ex_store+0x78d/0x7fd\n   acpi_ex_opcode_1A_1T_1R+0xbe4/0xf9b\n   acpi_ps_parse_aml+0x217/0x8d5\n   ...\n   \u003c/TASK\u003e\n\nThe root cause of the problem is that the acpi_operand_object\nis freed when acpi_ut_walk_package_tree() fails in\nacpi_ut_copy_ipackage_to_ipackage(), lead to repeated release in\nacpi_ut_copy_iobject_to_iobject(). The problem was introduced\nby \"8aa5e56eeb61\" commit, this commit is to fix memory leak in\nacpi_ut_copy_iobject_to_iobject(), repeatedly adding remove\noperation, lead to \"acpi_operand_object\" used after free.\n\nFix it by removing acpi_ut_remove_reference() in\nacpi_ut_copy_ipackage_to_ipackage(). acpi_ut_copy_ipackage_to_ipackage()\nis called to copy an internal package object into another internal\npackage object, when it fails, the memory of acpi_operand_object\nshould be freed by the caller."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-10-01T11:41:56.083Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/133462d35dae95edb944af86b986d4c9dec59bd1"
        },
        {
          "url": "https://git.kernel.org/stable/c/02f237423c9c6a18e062de2d474f85d5659e4eb9"
        },
        {
          "url": "https://git.kernel.org/stable/c/c9125b643fc51b8e662f2f614096ceb45a0adbc3"
        },
        {
          "url": "https://git.kernel.org/stable/c/dfdde4d5138bc023897033a5ac653a84e94805be"
        },
        {
          "url": "https://git.kernel.org/stable/c/02617006b5a46f2ea55ac61f5693c7afd7bf9276"
        },
        {
          "url": "https://git.kernel.org/stable/c/6fde666278f91b85d71545a0ebbf41d8d7af8074"
        },
        {
          "url": "https://git.kernel.org/stable/c/f51b2235e4f320edc839c3e5cb0d1f8a6e8657c6"
        },
        {
          "url": "https://git.kernel.org/stable/c/01f2c2052ea50fb9a8ce12e4e83aed0267934ef0"
        },
        {
          "url": "https://git.kernel.org/stable/c/470188b09e92d83c5a997f25f0e8fb8cd2bc3469"
        }
      ],
      "title": "ACPICA: Fix use-after-free in acpi_ut_copy_ipackage_to_ipackage()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2022-50423",
    "datePublished": "2025-10-01T11:41:56.083Z",
    "dateReserved": "2025-09-17T14:53:07.004Z",
    "dateUpdated": "2025-10-01T11:41:56.083Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2022-50422 (GCVE-0-2022-50422)

Vulnerability from cvelistv5 – Published: 2025-10-01 11:41 – Updated: 2025-10-01 11:41
Title
scsi: libsas: Fix use-after-free bug in smp_execute_task_sg()
Summary
In the Linux kernel, the following vulnerability has been resolved:

scsi: libsas: Fix use-after-free bug in smp_execute_task_sg()

When executing SMP task failed, the smp_execute_task_sg() calls del_timer() to delete "slow_task->timer". However, if the timer handler sas_task_internal_timedout() is running, the del_timer() in smp_execute_task_sg() will not stop it and a UAF will happen. The process is shown below:

      (thread 1)               |        (thread 2)
smp_execute_task_sg()          | sas_task_internal_timedout()
 ...                           |
 del_timer()                   |
 ...                           |  ...
 sas_free_task(task)           |
  kfree(task->slow_task) //FREE|
                               |  task->slow_task->... //USE

Fix by calling del_timer_sync() in smp_execute_task_sg(), which makes sure the timer handler have finished before the "task->slow_task" is deallocated.
Severity ?
No CVSS data available.
Assigner
Impacted products
Vendor Product Version
Linux Linux Affected: 2908d778ab3e244900c310974e1fc1c69066e450 , < 117331a2a5227fb4369c2a1f321d3e3e2e2ef8fe (git)
Affected: 2908d778ab3e244900c310974e1fc1c69066e450 , < a9e5176ead6de64f572ad5c87a72825d9d3c82ae (git)
Affected: 2908d778ab3e244900c310974e1fc1c69066e450 , < e45a1516d2933703a4823d9db71e17c3abeba24f (git)
Affected: 2908d778ab3e244900c310974e1fc1c69066e450 , < f7a785177611ffc97d645fcbc196e6de6ad2421d (git)
Affected: 2908d778ab3e244900c310974e1fc1c69066e450 , < 2e12ce270f0d926085c1209cc90397e307deef97 (git)
Affected: 2908d778ab3e244900c310974e1fc1c69066e450 , < 46ba53c30666717cb06c2b3c5d896301cd00d0c0 (git)
    Linux Linux Affected: 2.6.19
Unaffected: 0 , < 2.6.19 (semver)
Unaffected: 5.4.220 , ≤ 5.4.* (semver)
Unaffected: 5.10.150 , ≤ 5.10.* (semver)
Unaffected: 5.15.75 , ≤ 5.15.* (semver)
Unaffected: 5.19.17 , ≤ 5.19.* (semver)
Unaffected: 6.0.3 , ≤ 6.0.* (semver)
Unaffected: 6.1 , ≤ * (original_commit_for_fix)

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/scsi/libsas/sas_expander.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "117331a2a5227fb4369c2a1f321d3e3e2e2ef8fe",
              "status": "affected",
              "version": "2908d778ab3e244900c310974e1fc1c69066e450",
              "versionType": "git"
            },
            {
              "lessThan": "a9e5176ead6de64f572ad5c87a72825d9d3c82ae",
              "status": "affected",
              "version": "2908d778ab3e244900c310974e1fc1c69066e450",
              "versionType": "git"
            },
            {
              "lessThan": "e45a1516d2933703a4823d9db71e17c3abeba24f",
              "status": "affected",
              "version": "2908d778ab3e244900c310974e1fc1c69066e450",
              "versionType": "git"
            },
            {
              "lessThan": "f7a785177611ffc97d645fcbc196e6de6ad2421d",
              "status": "affected",
              "version": "2908d778ab3e244900c310974e1fc1c69066e450",
              "versionType": "git"
            },
            {
              "lessThan": "2e12ce270f0d926085c1209cc90397e307deef97",
              "status": "affected",
              "version": "2908d778ab3e244900c310974e1fc1c69066e450",
              "versionType": "git"
            },
            {
              "lessThan": "46ba53c30666717cb06c2b3c5d896301cd00d0c0",
              "status": "affected",
              "version": "2908d778ab3e244900c310974e1fc1c69066e450",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/scsi/libsas/sas_expander.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.19"
            },
            {
              "lessThan": "2.6.19",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.220",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.150",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.75",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.19.*",
              "status": "unaffected",
              "version": "5.19.17",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.0.*",
              "status": "unaffected",
              "version": "6.0.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.220",
                  "versionStartIncluding": "2.6.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.150",
                  "versionStartIncluding": "2.6.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.75",
                  "versionStartIncluding": "2.6.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.19.17",
                  "versionStartIncluding": "2.6.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.0.3",
                  "versionStartIncluding": "2.6.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1",
                  "versionStartIncluding": "2.6.19",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: libsas: Fix use-after-free bug in smp_execute_task_sg()\n\nWhen executing SMP task failed, the smp_execute_task_sg() calls del_timer()\nto delete \"slow_task-\u003etimer\". However, if the timer handler\nsas_task_internal_timedout() is running, the del_timer() in\nsmp_execute_task_sg() will not stop it and a UAF will happen. The process\nis shown below:\n\n      (thread 1)               |        (thread 2)\nsmp_execute_task_sg()          | sas_task_internal_timedout()\n ...                           |\n del_timer()                   |\n ...                           |  ...\n sas_free_task(task)           |\n  kfree(task-\u003eslow_task) //FREE|\n                               |  task-\u003eslow_task-\u003e... //USE\n\nFix by calling del_timer_sync() in smp_execute_task_sg(), which makes sure\nthe timer handler have finished before the \"task-\u003eslow_task\" is\ndeallocated."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-10-01T11:41:55.147Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/117331a2a5227fb4369c2a1f321d3e3e2e2ef8fe"
        },
        {
          "url": "https://git.kernel.org/stable/c/a9e5176ead6de64f572ad5c87a72825d9d3c82ae"
        },
        {
          "url": "https://git.kernel.org/stable/c/e45a1516d2933703a4823d9db71e17c3abeba24f"
        },
        {
          "url": "https://git.kernel.org/stable/c/f7a785177611ffc97d645fcbc196e6de6ad2421d"
        },
        {
          "url": "https://git.kernel.org/stable/c/2e12ce270f0d926085c1209cc90397e307deef97"
        },
        {
          "url": "https://git.kernel.org/stable/c/46ba53c30666717cb06c2b3c5d896301cd00d0c0"
        }
      ],
      "title": "scsi: libsas: Fix use-after-free bug in smp_execute_task_sg()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2022-50422",
    "datePublished": "2025-10-01T11:41:55.147Z",
    "dateReserved": "2025-09-17T14:53:07.004Z",
    "dateUpdated": "2025-10-01T11:41:55.147Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2022-50421 (GCVE-0-2022-50421)

Vulnerability from cvelistv5 – Published: 2025-10-01 11:41 – Updated: 2025-10-01 11:41
Title
rpmsg: char: Avoid double destroy of default endpoint
Summary
In the Linux kernel, the following vulnerability has been resolved:

rpmsg: char: Avoid double destroy of default endpoint

The rpmsg_dev_remove() in rpmsg_core is the place for releasing this default endpoint.

So need to avoid destroying the default endpoint in rpmsg_chrdev_eptdev_destroy(), this should be the same as rpmsg_eptdev_release(). Otherwise there will be double destroy issue that ept->refcount report warning:

refcount_t: underflow; use-after-free.

Call trace:
 refcount_warn_saturate+0xf8/0x150
 virtio_rpmsg_destroy_ept+0xd4/0xec
 rpmsg_dev_remove+0x60/0x70

The issue can be reproduced by stopping remoteproc before closing the /dev/rpmsgX.
Severity ?
No CVSS data available.
Assigner
Impacted products
Vendor Product Version
Linux Linux Affected: bea9b79c2d10fecf7bfa26e212ecefe61d232e39 , < ef828a39d6a7028836eaf37df3ad568c8c2dd6f9 (git)
Affected: bea9b79c2d10fecf7bfa26e212ecefe61d232e39 , < 3f20ef7a845c2c8d7ec82ecffa20d95cab5ecfeb (git)
Affected: bea9b79c2d10fecf7bfa26e212ecefe61d232e39 , < 467233a4ac29b215d492843d067a9f091e6bf0c5 (git)
    Linux Linux Affected: 5.18
Unaffected: 0 , < 5.18 (semver)
Unaffected: 5.19.17 , ≤ 5.19.* (semver)
Unaffected: 6.0.3 , ≤ 6.0.* (semver)
Unaffected: 6.1 , ≤ * (original_commit_for_fix)

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/rpmsg/rpmsg_char.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "ef828a39d6a7028836eaf37df3ad568c8c2dd6f9",
              "status": "affected",
              "version": "bea9b79c2d10fecf7bfa26e212ecefe61d232e39",
              "versionType": "git"
            },
            {
              "lessThan": "3f20ef7a845c2c8d7ec82ecffa20d95cab5ecfeb",
              "status": "affected",
              "version": "bea9b79c2d10fecf7bfa26e212ecefe61d232e39",
              "versionType": "git"
            },
            {
              "lessThan": "467233a4ac29b215d492843d067a9f091e6bf0c5",
              "status": "affected",
              "version": "bea9b79c2d10fecf7bfa26e212ecefe61d232e39",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/rpmsg/rpmsg_char.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.18"
            },
            {
              "lessThan": "5.18",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.19.*",
              "status": "unaffected",
              "version": "5.19.17",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.0.*",
              "status": "unaffected",
              "version": "6.0.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.19.17",
                  "versionStartIncluding": "5.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.0.3",
                  "versionStartIncluding": "5.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1",
                  "versionStartIncluding": "5.18",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nrpmsg: char: Avoid double destroy of default endpoint\n\nThe rpmsg_dev_remove() in rpmsg_core is the place for releasing\nthis default endpoint.\n\nSo need to avoid destroying the default endpoint in\nrpmsg_chrdev_eptdev_destroy(), this should be the same as\nrpmsg_eptdev_release(). Otherwise there will be double destroy\nissue that ept-\u003erefcount report warning:\n\nrefcount_t: underflow; use-after-free.\n\nCall trace:\n refcount_warn_saturate+0xf8/0x150\n virtio_rpmsg_destroy_ept+0xd4/0xec\n rpmsg_dev_remove+0x60/0x70\n\nThe issue can be reproduced by stopping remoteproc before\nclosing the /dev/rpmsgX."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-10-01T11:41:54.351Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/ef828a39d6a7028836eaf37df3ad568c8c2dd6f9"
        },
        {
          "url": "https://git.kernel.org/stable/c/3f20ef7a845c2c8d7ec82ecffa20d95cab5ecfeb"
        },
        {
          "url": "https://git.kernel.org/stable/c/467233a4ac29b215d492843d067a9f091e6bf0c5"
        }
      ],
      "title": "rpmsg: char: Avoid double destroy of default endpoint",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2022-50421",
    "datePublished": "2025-10-01T11:41:54.351Z",
    "dateReserved": "2025-09-17T14:53:07.004Z",
    "dateUpdated": "2025-10-01T11:41:54.351Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2022-50420 (GCVE-0-2022-50420)

Vulnerability from cvelistv5 – Published: 2025-10-01 11:41 – Updated: 2025-10-02 07:04
Title
crypto: hisilicon/hpre - fix resource leak in remove process
Summary
In the Linux kernel, the following vulnerability has been resolved: crypto: hisilicon/hpre - fix resource leak in remove process In hpre_remove(), when the disable operation of qm sriov failed, the following logic should continue to be executed to release the remaining resources that have been allocated, instead of returning directly, otherwise there will be resource leakage.
Severity ?
No CVSS data available.
Assigner
Impacted products
Vendor Product Version
Linux Linux Affected: c8b4b477079d1995cc0a1c10d5cdfd02be938cdf , < 2b3e3ecdb402ff1053ee25b598ff21b9ddf4384f (git)
Affected: c8b4b477079d1995cc0a1c10d5cdfd02be938cdf , < 4e0de941d252d4e7c985981e78480c8d6f020b64 (git)
Affected: c8b4b477079d1995cc0a1c10d5cdfd02be938cdf , < cb873c93a7ad27681920bf062ef052fca1e8d5b1 (git)
Affected: c8b4b477079d1995cc0a1c10d5cdfd02be938cdf , < 45e6319bd5f2154d8b8c9f1eaa4ac030ba0d330c (git)
    Linux Linux Affected: 5.5
Unaffected: 0 , < 5.5 (semver)
Unaffected: 5.15.86 , ≤ 5.15.* (semver)
Unaffected: 6.0.16 , ≤ 6.0.* (semver)
Unaffected: 6.1.2 , ≤ 6.1.* (semver)
Unaffected: 6.2 , ≤ * (original_commit_for_fix)

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/crypto/hisilicon/hpre/hpre_main.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "2b3e3ecdb402ff1053ee25b598ff21b9ddf4384f",
              "status": "affected",
              "version": "c8b4b477079d1995cc0a1c10d5cdfd02be938cdf",
              "versionType": "git"
            },
            {
              "lessThan": "4e0de941d252d4e7c985981e78480c8d6f020b64",
              "status": "affected",
              "version": "c8b4b477079d1995cc0a1c10d5cdfd02be938cdf",
              "versionType": "git"
            },
            {
              "lessThan": "cb873c93a7ad27681920bf062ef052fca1e8d5b1",
              "status": "affected",
              "version": "c8b4b477079d1995cc0a1c10d5cdfd02be938cdf",
              "versionType": "git"
            },
            {
              "lessThan": "45e6319bd5f2154d8b8c9f1eaa4ac030ba0d330c",
              "status": "affected",
              "version": "c8b4b477079d1995cc0a1c10d5cdfd02be938cdf",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/crypto/hisilicon/hpre/hpre_main.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.5"
            },
            {
              "lessThan": "5.5",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.86",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.0.*",
              "status": "unaffected",
              "version": "6.0.16",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.2",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.86",
                  "versionStartIncluding": "5.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.0.16",
                  "versionStartIncluding": "5.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.2",
                  "versionStartIncluding": "5.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.2",
                  "versionStartIncluding": "5.5",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: hisilicon/hpre - fix resource leak in remove process\n\nIn hpre_remove(), when the disable operation of qm sriov failed,\nthe following logic should continue to be executed to release the\nremaining resources that have been allocated, instead of returning\ndirectly, otherwise there will be resource leakage."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-10-02T07:04:14.879Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/2b3e3ecdb402ff1053ee25b598ff21b9ddf4384f"
        },
        {
          "url": "https://git.kernel.org/stable/c/4e0de941d252d4e7c985981e78480c8d6f020b64"
        },
        {
          "url": "https://git.kernel.org/stable/c/cb873c93a7ad27681920bf062ef052fca1e8d5b1"
        },
        {
          "url": "https://git.kernel.org/stable/c/45e6319bd5f2154d8b8c9f1eaa4ac030ba0d330c"
        }
      ],
      "title": "crypto: hisilicon/hpre - fix resource leak in remove process",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2022-50420",
    "datePublished": "2025-10-01T11:41:53.287Z",
    "dateReserved": "2025-09-17T14:53:07.004Z",
    "dateUpdated": "2025-10-02T07:04:14.879Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}