Vulnerability-Lookup

alsa-2025:15786

Vulnerability from osv_almalinux

Published

2025-09-15 00:00

Modified

2025-09-15 15:57

Summary

Important: kernel-rt security update

Details

The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements.

Security Fix(es):

kernel: net/sched: Always pass notifications when child class becomes empty (CVE-2025-38350)
kernel: idpf: convert control queue mutex to a spinlock (CVE-2025-38392)
kernel: drm/gem: Acquire references on GEM handles for framebuffers (CVE-2025-38449)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

References

URL

Type

	https://access.redhat.com/errata/RHSA-2025:15786	ADVISORY
	https://access.redhat.com/security/cve/CVE-2025-38350	REPORT
	https://access.redhat.com/security/cve/CVE-2025-38392	REPORT
	https://access.redhat.com/security/cve/CVE-2025-38449	REPORT
	https://bugzilla.redhat.com/2382054	REPORT
	https://bugzilla.redhat.com/2383407	REPORT
	https://bugzilla.redhat.com/2383519	REPORT
	https://errata.almalinux.org/8/ALSA-2025-15786.html	ADVISORY

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "kernel-rt"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.18.0-553.75.1.rt7.416.el8_10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "kernel-rt-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.18.0-553.75.1.rt7.416.el8_10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "kernel-rt-debug"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.18.0-553.75.1.rt7.416.el8_10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "kernel-rt-debug-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.18.0-553.75.1.rt7.416.el8_10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "kernel-rt-debug-devel"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.18.0-553.75.1.rt7.416.el8_10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "kernel-rt-debug-modules"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.18.0-553.75.1.rt7.416.el8_10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "kernel-rt-debug-modules-extra"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.18.0-553.75.1.rt7.416.el8_10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "kernel-rt-devel"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.18.0-553.75.1.rt7.416.el8_10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "kernel-rt-modules"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.18.0-553.75.1.rt7.416.el8_10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "kernel-rt-modules-extra"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.18.0-553.75.1.rt7.416.el8_10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "details": "The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements.  \n\nSecurity Fix(es):  \n\n  * kernel: net/sched: Always pass notifications when child class becomes empty (CVE-2025-38350)\n  * kernel: idpf: convert control queue mutex to a spinlock (CVE-2025-38392)\n  * kernel: drm/gem: Acquire references on GEM handles for framebuffers (CVE-2025-38449)\n\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n",
  "id": "ALSA-2025:15786",
  "modified": "2025-09-15T15:57:02Z",
  "published": "2025-09-15T00:00:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://access.redhat.com/errata/RHSA-2025:15786"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2025-38350"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2025-38392"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2025-38449"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2382054"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2383407"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2383519"
    },
    {
      "type": "ADVISORY",
      "url": "https://errata.almalinux.org/8/ALSA-2025-15786.html"
    }
  ],
  "related": [
    "CVE-2025-38350",
    "CVE-2025-38392",
    "CVE-2025-38449"
  ],
  "summary": "Important: kernel-rt security update"
}

CVE-2025-38350 (GCVE-0-2025-38350)

Vulnerability from cvelistv5 – Published: 2025-07-19 06:46 – Updated: 2025-11-03 17:37

Title

net/sched: Always pass notifications when child class becomes empty

Summary

In the Linux kernel, the following vulnerability has been resolved: net/sched: Always pass notifications when child class becomes empty Certain classful qdiscs may invoke their classes' dequeue handler on an enqueue operation. This may unexpectedly empty the child qdisc and thus make an in-flight class passive via qlen_notify(). Most qdiscs do not expect such behaviour at this point in time and may re-activate the class eventually anyways which will lead to a use-after-free. The referenced fix commit attempted to fix this behavior for the HFSC case by moving the backlog accounting around, though this turned out to be incomplete since the parent's parent may run into the issue too. The following reproducer demonstrates this use-after-free: tc qdisc add dev lo root handle 1: drr tc filter add dev lo parent 1: basic classid 1:1 tc class add dev lo parent 1: classid 1:1 drr tc qdisc add dev lo parent 1:1 handle 2: hfsc def 1 tc class add dev lo parent 2: classid 2:1 hfsc rt m1 8 d 1 m2 0 tc qdisc add dev lo parent 2:1 handle 3: netem tc qdisc add dev lo parent 3:1 handle 4: blackhole echo 1 | socat -u STDIN UDP4-DATAGRAM:127.0.0.1:8888 tc class delete dev lo classid 1:1 echo 1 | socat -u STDIN UDP4-DATAGRAM:127.0.0.1:8888 Since backlog accounting issues leading to a use-after-frees on stale class pointers is a recurring pattern at this point, this patch takes a different approach. Instead of trying to fix the accounting, the patch ensures that qdisc_tree_reduce_backlog always calls qlen_notify when the child qdisc is empty. This solves the problem because deletion of qdiscs always involves a call to qdisc_reset() and / or qdisc_purge_queue() which ultimately resets its qlen to 0 thus causing the following qdisc_tree_reduce_backlog() to report to the parent. Note that this may call qlen_notify on passive classes multiple times. This is not a problem after the recent patch series that made all the classful qdiscs qlen_notify() handlers idempotent.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/3b290923ad2b23596…
	https://git.kernel.org/stable/c/e9921b57dca05ac5f…
	https://git.kernel.org/stable/c/e269f29e9395527bc…
	https://git.kernel.org/stable/c/7874c9c132e906a52…
	https://git.kernel.org/stable/c/f680a4643c6f71e75…
	https://git.kernel.org/stable/c/a553afd91f55ff39b…
	https://git.kernel.org/stable/c/a44acdd9e84a21198…
	https://git.kernel.org/stable/c/103406b38c600fec1…

Impacted products

Vendor

Product

Version

Linux

Affected: 1034e3310752e8675e313f7271b348914008719a , < 3b290923ad2b23596208c1e29520badef4356a43 (git)
Affected: f9f593e34d2fb67644372c8f7b033bdc622ad228 , < e9921b57dca05ac5f4fa1fa8e993d4f0ee52e2b7 (git)
Affected: 89c301e929a0db14ebd94b4d97764ce1d6981653 , < e269f29e9395527bc00c213c6b15da04ebb35070 (git)
Affected: f1dde3eb17dc1b8bd07aed00004b1e05fc87a3d4 , < 7874c9c132e906a52a187d045995b115973c93fb (git)
Affected: 93c276942e75de0e5bc91576300d292e968f5a02 , < f680a4643c6f71e758d8fe0431a958e9a6a4f59d (git)
Affected: 49b21795b8e5654a7df3d910a12e1060da4c04cf , < a553afd91f55ff39b1e8a1c4989a29394c9e0472 (git)
Affected: 3f981138109f63232a5fb7165938d4c945cc1b9d , < a44acdd9e84a211989ff4b9b92bf3545d8456ad5 (git)
Affected: 3f981138109f63232a5fb7165938d4c945cc1b9d , < 103406b38c600fec1fe375a77b27d87e314aea09 (git)
Affected: 3f3a22eebbc32b4fa8ce9c1d5f9db214b45b9335 (git)

Linux

Affected: 6.15
Unaffected: 0 , < 6.15 (semver)
Unaffected: 5.4.296 , ≤ 5.4.* (semver)
Unaffected: 5.10.240 , ≤ 5.10.* (semver)
Unaffected: 5.15.187 , ≤ 5.15.* (semver)
Unaffected: 6.1.144 , ≤ 6.1.* (semver)
Unaffected: 6.6.97 , ≤ 6.6.* (semver)
Unaffected: 6.12.37 , ≤ 6.12.* (semver)
Unaffected: 6.15.6 , ≤ 6.15.* (semver)
Unaffected: 6.16 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:37:00.889Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/sched/sch_api.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "3b290923ad2b23596208c1e29520badef4356a43",
              "status": "affected",
              "version": "1034e3310752e8675e313f7271b348914008719a",
              "versionType": "git"
            },
            {
              "lessThan": "e9921b57dca05ac5f4fa1fa8e993d4f0ee52e2b7",
              "status": "affected",
              "version": "f9f593e34d2fb67644372c8f7b033bdc622ad228",
              "versionType": "git"
            },
            {
              "lessThan": "e269f29e9395527bc00c213c6b15da04ebb35070",
              "status": "affected",
              "version": "89c301e929a0db14ebd94b4d97764ce1d6981653",
              "versionType": "git"
            },
            {
              "lessThan": "7874c9c132e906a52a187d045995b115973c93fb",
              "status": "affected",
              "version": "f1dde3eb17dc1b8bd07aed00004b1e05fc87a3d4",
              "versionType": "git"
            },
            {
              "lessThan": "f680a4643c6f71e758d8fe0431a958e9a6a4f59d",
              "status": "affected",
              "version": "93c276942e75de0e5bc91576300d292e968f5a02",
              "versionType": "git"
            },
            {
              "lessThan": "a553afd91f55ff39b1e8a1c4989a29394c9e0472",
              "status": "affected",
              "version": "49b21795b8e5654a7df3d910a12e1060da4c04cf",
              "versionType": "git"
            },
            {
              "lessThan": "a44acdd9e84a211989ff4b9b92bf3545d8456ad5",
              "status": "affected",
              "version": "3f981138109f63232a5fb7165938d4c945cc1b9d",
              "versionType": "git"
            },
            {
              "lessThan": "103406b38c600fec1fe375a77b27d87e314aea09",
              "status": "affected",
              "version": "3f981138109f63232a5fb7165938d4c945cc1b9d",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "3f3a22eebbc32b4fa8ce9c1d5f9db214b45b9335",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/sched/sch_api.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.15"
            },
            {
              "lessThan": "6.15",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.296",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.240",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.187",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.144",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.97",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.37",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.6",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.296",
                  "versionStartIncluding": "5.4.294",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.240",
                  "versionStartIncluding": "5.10.238",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.187",
                  "versionStartIncluding": "5.15.185",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.144",
                  "versionStartIncluding": "6.1.141",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.97",
                  "versionStartIncluding": "6.6.93",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.37",
                  "versionStartIncluding": "6.12.31",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.6",
                  "versionStartIncluding": "6.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "6.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "6.14.9",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: Always pass notifications when child class becomes empty\n\nCertain classful qdiscs may invoke their classes\u0027 dequeue handler on an\nenqueue operation. This may unexpectedly empty the child qdisc and thus\nmake an in-flight class passive via qlen_notify(). Most qdiscs do not\nexpect such behaviour at this point in time and may re-activate the\nclass eventually anyways which will lead to a use-after-free.\n\nThe referenced fix commit attempted to fix this behavior for the HFSC\ncase by moving the backlog accounting around, though this turned out to\nbe incomplete since the parent\u0027s parent may run into the issue too.\nThe following reproducer demonstrates this use-after-free:\n\n    tc qdisc add dev lo root handle 1: drr\n    tc filter add dev lo parent 1: basic classid 1:1\n    tc class add dev lo parent 1: classid 1:1 drr\n    tc qdisc add dev lo parent 1:1 handle 2: hfsc def 1\n    tc class add dev lo parent 2: classid 2:1 hfsc rt m1 8 d 1 m2 0\n    tc qdisc add dev lo parent 2:1 handle 3: netem\n    tc qdisc add dev lo parent 3:1 handle 4: blackhole\n\n    echo 1 | socat -u STDIN UDP4-DATAGRAM:127.0.0.1:8888\n    tc class delete dev lo classid 1:1\n    echo 1 | socat -u STDIN UDP4-DATAGRAM:127.0.0.1:8888\n\nSince backlog accounting issues leading to a use-after-frees on stale\nclass pointers is a recurring pattern at this point, this patch takes\na different approach. Instead of trying to fix the accounting, the patch\nensures that qdisc_tree_reduce_backlog always calls qlen_notify when\nthe child qdisc is empty. This solves the problem because deletion of\nqdiscs always involves a call to qdisc_reset() and / or\nqdisc_purge_queue() which ultimately resets its qlen to 0 thus causing\nthe following qdisc_tree_reduce_backlog() to report to the parent. Note\nthat this may call qlen_notify on passive classes multiple times. This\nis not a problem after the recent patch series that made all the\nclassful qdiscs qlen_notify() handlers idempotent."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-28T04:19:38.148Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/3b290923ad2b23596208c1e29520badef4356a43"
        },
        {
          "url": "https://git.kernel.org/stable/c/e9921b57dca05ac5f4fa1fa8e993d4f0ee52e2b7"
        },
        {
          "url": "https://git.kernel.org/stable/c/e269f29e9395527bc00c213c6b15da04ebb35070"
        },
        {
          "url": "https://git.kernel.org/stable/c/7874c9c132e906a52a187d045995b115973c93fb"
        },
        {
          "url": "https://git.kernel.org/stable/c/f680a4643c6f71e758d8fe0431a958e9a6a4f59d"
        },
        {
          "url": "https://git.kernel.org/stable/c/a553afd91f55ff39b1e8a1c4989a29394c9e0472"
        },
        {
          "url": "https://git.kernel.org/stable/c/a44acdd9e84a211989ff4b9b92bf3545d8456ad5"
        },
        {
          "url": "https://git.kernel.org/stable/c/103406b38c600fec1fe375a77b27d87e314aea09"
        }
      ],
      "title": "net/sched: Always pass notifications when child class becomes empty",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38350",
    "datePublished": "2025-07-19T06:46:29.849Z",
    "dateReserved": "2025-04-16T04:51:24.006Z",
    "dateUpdated": "2025-11-03T17:37:00.889Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38449 (GCVE-0-2025-38449)

Vulnerability from cvelistv5 – Published: 2025-07-25 15:27 – Updated: 2026-01-02 15:30

Title

drm/gem: Acquire references on GEM handles for framebuffers

Summary

In the Linux kernel, the following vulnerability has been resolved: drm/gem: Acquire references on GEM handles for framebuffers A GEM handle can be released while the GEM buffer object is attached to a DRM framebuffer. This leads to the release of the dma-buf backing the buffer object, if any. [1] Trying to use the framebuffer in further mode-setting operations leads to a segmentation fault. Most easily happens with driver that use shadow planes for vmap-ing the dma-buf during a page flip. An example is shown below. [ 156.791968] ------------[ cut here ]------------ [ 156.796830] WARNING: CPU: 2 PID: 2255 at drivers/dma-buf/dma-buf.c:1527 dma_buf_vmap+0x224/0x430 [...] [ 156.942028] RIP: 0010:dma_buf_vmap+0x224/0x430 [ 157.043420] Call Trace: [ 157.045898] <TASK> [ 157.048030] ? show_trace_log_lvl+0x1af/0x2c0 [ 157.052436] ? show_trace_log_lvl+0x1af/0x2c0 [ 157.056836] ? show_trace_log_lvl+0x1af/0x2c0 [ 157.061253] ? drm_gem_shmem_vmap+0x74/0x710 [ 157.065567] ? dma_buf_vmap+0x224/0x430 [ 157.069446] ? __warn.cold+0x58/0xe4 [ 157.073061] ? dma_buf_vmap+0x224/0x430 [ 157.077111] ? report_bug+0x1dd/0x390 [ 157.080842] ? handle_bug+0x5e/0xa0 [ 157.084389] ? exc_invalid_op+0x14/0x50 [ 157.088291] ? asm_exc_invalid_op+0x16/0x20 [ 157.092548] ? dma_buf_vmap+0x224/0x430 [ 157.096663] ? dma_resv_get_singleton+0x6d/0x230 [ 157.101341] ? __pfx_dma_buf_vmap+0x10/0x10 [ 157.105588] ? __pfx_dma_resv_get_singleton+0x10/0x10 [ 157.110697] drm_gem_shmem_vmap+0x74/0x710 [ 157.114866] drm_gem_vmap+0xa9/0x1b0 [ 157.118763] drm_gem_vmap_unlocked+0x46/0xa0 [ 157.123086] drm_gem_fb_vmap+0xab/0x300 [ 157.126979] drm_atomic_helper_prepare_planes.part.0+0x487/0xb10 [ 157.133032] ? lockdep_init_map_type+0x19d/0x880 [ 157.137701] drm_atomic_helper_commit+0x13d/0x2e0 [ 157.142671] ? drm_atomic_nonblocking_commit+0xa0/0x180 [ 157.147988] drm_mode_atomic_ioctl+0x766/0xe40 [...] [ 157.346424] ---[ end trace 0000000000000000 ]--- Acquiring GEM handles for the framebuffer's GEM buffer objects prevents this from happening. The framebuffer's cleanup later puts the handle references. Commit 1a148af06000 ("drm/gem-shmem: Use dma_buf from GEM object instance") triggers the segmentation fault easily by using the dma-buf field more widely. The underlying issue with reference counting has been present before. v2: - acquire the handle instead of the BO (Christian) - fix comment style (Christian) - drop the Fixes tag (Christian) - rename err_ gotos - add missing Link tag

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/cb4c956a15f8b7f87…
	https://git.kernel.org/stable/c/08480e285c6a82ce6…
	https://git.kernel.org/stable/c/3cf520d9860d4ec9f…
	https://git.kernel.org/stable/c/5307dce878d4126e1…

Impacted products

Vendor

Product

Version

Linux

Affected: 319c933c71f3dbdb2b3274d1634d3494c70efa06 , < cb4c956a15f8b7f870649454771fc3761f504b5f (git)
Affected: 319c933c71f3dbdb2b3274d1634d3494c70efa06 , < 08480e285c6a82ce689008d643e4a51db0aaef8b (git)
Affected: 319c933c71f3dbdb2b3274d1634d3494c70efa06 , < 3cf520d9860d4ec9f7f32068825da31f18dd3f25 (git)
Affected: 319c933c71f3dbdb2b3274d1634d3494c70efa06 , < 5307dce878d4126e1b375587318955bd019c3741 (git)

Linux

Affected: 3.12
Unaffected: 0 , < 3.12 (semver)
Unaffected: 6.6.99 , ≤ 6.6.* (semver)
Unaffected: 6.12.39 , ≤ 6.12.* (semver)
Unaffected: 6.15.7 , ≤ 6.15.* (semver)
Unaffected: 6.16 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/drm_gem.c",
            "drivers/gpu/drm/drm_gem_framebuffer_helper.c",
            "drivers/gpu/drm/drm_internal.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "cb4c956a15f8b7f870649454771fc3761f504b5f",
              "status": "affected",
              "version": "319c933c71f3dbdb2b3274d1634d3494c70efa06",
              "versionType": "git"
            },
            {
              "lessThan": "08480e285c6a82ce689008d643e4a51db0aaef8b",
              "status": "affected",
              "version": "319c933c71f3dbdb2b3274d1634d3494c70efa06",
              "versionType": "git"
            },
            {
              "lessThan": "3cf520d9860d4ec9f7f32068825da31f18dd3f25",
              "status": "affected",
              "version": "319c933c71f3dbdb2b3274d1634d3494c70efa06",
              "versionType": "git"
            },
            {
              "lessThan": "5307dce878d4126e1b375587318955bd019c3741",
              "status": "affected",
              "version": "319c933c71f3dbdb2b3274d1634d3494c70efa06",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/drm_gem.c",
            "drivers/gpu/drm/drm_gem_framebuffer_helper.c",
            "drivers/gpu/drm/drm_internal.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.12"
            },
            {
              "lessThan": "3.12",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.99",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.39",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.99",
                  "versionStartIncluding": "3.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.39",
                  "versionStartIncluding": "3.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.7",
                  "versionStartIncluding": "3.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "3.12",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/gem: Acquire references on GEM handles for framebuffers\n\nA GEM handle can be released while the GEM buffer object is attached\nto a DRM framebuffer. This leads to the release of the dma-buf backing\nthe buffer object, if any. [1] Trying to use the framebuffer in further\nmode-setting operations leads to a segmentation fault. Most easily\nhappens with driver that use shadow planes for vmap-ing the dma-buf\nduring a page flip. An example is shown below.\n\n[  156.791968] ------------[ cut here ]------------\n[  156.796830] WARNING: CPU: 2 PID: 2255 at drivers/dma-buf/dma-buf.c:1527 dma_buf_vmap+0x224/0x430\n[...]\n[  156.942028] RIP: 0010:dma_buf_vmap+0x224/0x430\n[  157.043420] Call Trace:\n[  157.045898]  \u003cTASK\u003e\n[  157.048030]  ? show_trace_log_lvl+0x1af/0x2c0\n[  157.052436]  ? show_trace_log_lvl+0x1af/0x2c0\n[  157.056836]  ? show_trace_log_lvl+0x1af/0x2c0\n[  157.061253]  ? drm_gem_shmem_vmap+0x74/0x710\n[  157.065567]  ? dma_buf_vmap+0x224/0x430\n[  157.069446]  ? __warn.cold+0x58/0xe4\n[  157.073061]  ? dma_buf_vmap+0x224/0x430\n[  157.077111]  ? report_bug+0x1dd/0x390\n[  157.080842]  ? handle_bug+0x5e/0xa0\n[  157.084389]  ? exc_invalid_op+0x14/0x50\n[  157.088291]  ? asm_exc_invalid_op+0x16/0x20\n[  157.092548]  ? dma_buf_vmap+0x224/0x430\n[  157.096663]  ? dma_resv_get_singleton+0x6d/0x230\n[  157.101341]  ? __pfx_dma_buf_vmap+0x10/0x10\n[  157.105588]  ? __pfx_dma_resv_get_singleton+0x10/0x10\n[  157.110697]  drm_gem_shmem_vmap+0x74/0x710\n[  157.114866]  drm_gem_vmap+0xa9/0x1b0\n[  157.118763]  drm_gem_vmap_unlocked+0x46/0xa0\n[  157.123086]  drm_gem_fb_vmap+0xab/0x300\n[  157.126979]  drm_atomic_helper_prepare_planes.part.0+0x487/0xb10\n[  157.133032]  ? lockdep_init_map_type+0x19d/0x880\n[  157.137701]  drm_atomic_helper_commit+0x13d/0x2e0\n[  157.142671]  ? drm_atomic_nonblocking_commit+0xa0/0x180\n[  157.147988]  drm_mode_atomic_ioctl+0x766/0xe40\n[...]\n[  157.346424] ---[ end trace 0000000000000000 ]---\n\nAcquiring GEM handles for the framebuffer\u0027s GEM buffer objects prevents\nthis from happening. The framebuffer\u0027s cleanup later puts the handle\nreferences.\n\nCommit 1a148af06000 (\"drm/gem-shmem: Use dma_buf from GEM object\ninstance\") triggers the segmentation fault easily by using the dma-buf\nfield more widely. The underlying issue with reference counting has\nbeen present before.\n\nv2:\n- acquire the handle instead of the BO (Christian)\n- fix comment style (Christian)\n- drop the Fixes tag (Christian)\n- rename err_ gotos\n- add missing Link tag"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-02T15:30:38.510Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/cb4c956a15f8b7f870649454771fc3761f504b5f"
        },
        {
          "url": "https://git.kernel.org/stable/c/08480e285c6a82ce689008d643e4a51db0aaef8b"
        },
        {
          "url": "https://git.kernel.org/stable/c/3cf520d9860d4ec9f7f32068825da31f18dd3f25"
        },
        {
          "url": "https://git.kernel.org/stable/c/5307dce878d4126e1b375587318955bd019c3741"
        }
      ],
      "title": "drm/gem: Acquire references on GEM handles for framebuffers",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38449",
    "datePublished": "2025-07-25T15:27:30.702Z",
    "dateReserved": "2025-04-16T04:51:24.018Z",
    "dateUpdated": "2026-01-02T15:30:38.510Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38392 (GCVE-0-2025-38392)

Vulnerability from cvelistv5 – Published: 2025-07-25 12:53 – Updated: 2025-07-28 04:20

Title

idpf: convert control queue mutex to a spinlock

Summary

In the Linux kernel, the following vulnerability has been resolved: idpf: convert control queue mutex to a spinlock With VIRTCHNL2_CAP_MACFILTER enabled, the following warning is generated on module load: [ 324.701677] BUG: sleeping function called from invalid context at kernel/locking/mutex.c:578 [ 324.701684] in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 1582, name: NetworkManager [ 324.701689] preempt_count: 201, expected: 0 [ 324.701693] RCU nest depth: 0, expected: 0 [ 324.701697] 2 locks held by NetworkManager/1582: [ 324.701702] #0: ffffffff9f7be770 (rtnl_mutex){....}-{3:3}, at: rtnl_newlink+0x791/0x21e0 [ 324.701730] #1: ff1100216c380368 (_xmit_ETHER){....}-{2:2}, at: __dev_open+0x3f0/0x870 [ 324.701749] Preemption disabled at: [ 324.701752] [<ffffffff9cd23b9d>] __dev_open+0x3dd/0x870 [ 324.701765] CPU: 30 UID: 0 PID: 1582 Comm: NetworkManager Not tainted 6.15.0-rc5+ #2 PREEMPT(voluntary) [ 324.701771] Hardware name: Intel Corporation M50FCP2SBSTD/M50FCP2SBSTD, BIOS SE5C741.86B.01.01.0001.2211140926 11/14/2022 [ 324.701774] Call Trace: [ 324.701777] <TASK> [ 324.701779] dump_stack_lvl+0x5d/0x80 [ 324.701788] ? __dev_open+0x3dd/0x870 [ 324.701793] __might_resched.cold+0x1ef/0x23d <..> [ 324.701818] __mutex_lock+0x113/0x1b80 <..> [ 324.701917] idpf_ctlq_clean_sq+0xad/0x4b0 [idpf] [ 324.701935] ? kasan_save_track+0x14/0x30 [ 324.701941] idpf_mb_clean+0x143/0x380 [idpf] <..> [ 324.701991] idpf_send_mb_msg+0x111/0x720 [idpf] [ 324.702009] idpf_vc_xn_exec+0x4cc/0x990 [idpf] [ 324.702021] ? rcu_is_watching+0x12/0xc0 [ 324.702035] idpf_add_del_mac_filters+0x3ed/0xb50 [idpf] <..> [ 324.702122] __hw_addr_sync_dev+0x1cf/0x300 [ 324.702126] ? find_held_lock+0x32/0x90 [ 324.702134] idpf_set_rx_mode+0x317/0x390 [idpf] [ 324.702152] __dev_open+0x3f8/0x870 [ 324.702159] ? __pfx___dev_open+0x10/0x10 [ 324.702174] __dev_change_flags+0x443/0x650 <..> [ 324.702208] netif_change_flags+0x80/0x160 [ 324.702218] do_setlink.isra.0+0x16a0/0x3960 <..> [ 324.702349] rtnl_newlink+0x12fd/0x21e0 The sequence is as follows: rtnl_newlink()-> __dev_change_flags()-> __dev_open()-> dev_set_rx_mode() - > # disables BH and grabs "dev->addr_list_lock" idpf_set_rx_mode() -> # proceed only if VIRTCHNL2_CAP_MACFILTER is ON __dev_uc_sync() -> idpf_add_mac_filter -> idpf_add_del_mac_filters -> idpf_send_mb_msg() -> idpf_mb_clean() -> idpf_ctlq_clean_sq() # mutex_lock(cq_lock) Fix by converting cq_lock to a spinlock. All operations under the new lock are safe except freeing the DMA memory, which may use vunmap(). Fix by requesting a contiguous physical memory for the DMA mapping.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/9a36715cd6bc6a6f1…
	https://git.kernel.org/stable/c/dc6c3c2c9dfdaa3a3…
	https://git.kernel.org/stable/c/b2beb5bb2cd90d793…

Impacted products

Vendor

Product

Version

Linux

Affected: a251eee62133774cf35ff829041377e721ef9c8c , < 9a36715cd6bc6a6f16230e19a7f947bab34b3fe5 (git)
Affected: a251eee62133774cf35ff829041377e721ef9c8c , < dc6c3c2c9dfdaa3a3357f59a80a2904677a71a9a (git)
Affected: a251eee62133774cf35ff829041377e721ef9c8c , < b2beb5bb2cd90d7939e470ed4da468683f41baa3 (git)

Linux

Affected: 6.7
Unaffected: 0 , < 6.7 (semver)
Unaffected: 6.12.37 , ≤ 6.12.* (semver)
Unaffected: 6.15.6 , ≤ 6.15.* (semver)
Unaffected: 6.16 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/intel/idpf/idpf_controlq.c",
            "drivers/net/ethernet/intel/idpf/idpf_controlq_api.h",
            "drivers/net/ethernet/intel/idpf/idpf_lib.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "9a36715cd6bc6a6f16230e19a7f947bab34b3fe5",
              "status": "affected",
              "version": "a251eee62133774cf35ff829041377e721ef9c8c",
              "versionType": "git"
            },
            {
              "lessThan": "dc6c3c2c9dfdaa3a3357f59a80a2904677a71a9a",
              "status": "affected",
              "version": "a251eee62133774cf35ff829041377e721ef9c8c",
              "versionType": "git"
            },
            {
              "lessThan": "b2beb5bb2cd90d7939e470ed4da468683f41baa3",
              "status": "affected",
              "version": "a251eee62133774cf35ff829041377e721ef9c8c",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/intel/idpf/idpf_controlq.c",
            "drivers/net/ethernet/intel/idpf/idpf_controlq_api.h",
            "drivers/net/ethernet/intel/idpf/idpf_lib.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.7"
            },
            {
              "lessThan": "6.7",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.37",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.6",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.37",
                  "versionStartIncluding": "6.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.6",
                  "versionStartIncluding": "6.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "6.7",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nidpf: convert control queue mutex to a spinlock\n\nWith VIRTCHNL2_CAP_MACFILTER enabled, the following warning is generated\non module load:\n\n[  324.701677] BUG: sleeping function called from invalid context at kernel/locking/mutex.c:578\n[  324.701684] in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 1582, name: NetworkManager\n[  324.701689] preempt_count: 201, expected: 0\n[  324.701693] RCU nest depth: 0, expected: 0\n[  324.701697] 2 locks held by NetworkManager/1582:\n[  324.701702]  #0: ffffffff9f7be770 (rtnl_mutex){....}-{3:3}, at: rtnl_newlink+0x791/0x21e0\n[  324.701730]  #1: ff1100216c380368 (_xmit_ETHER){....}-{2:2}, at: __dev_open+0x3f0/0x870\n[  324.701749] Preemption disabled at:\n[  324.701752] [\u003cffffffff9cd23b9d\u003e] __dev_open+0x3dd/0x870\n[  324.701765] CPU: 30 UID: 0 PID: 1582 Comm: NetworkManager Not tainted 6.15.0-rc5+ #2 PREEMPT(voluntary)\n[  324.701771] Hardware name: Intel Corporation M50FCP2SBSTD/M50FCP2SBSTD, BIOS SE5C741.86B.01.01.0001.2211140926 11/14/2022\n[  324.701774] Call Trace:\n[  324.701777]  \u003cTASK\u003e\n[  324.701779]  dump_stack_lvl+0x5d/0x80\n[  324.701788]  ? __dev_open+0x3dd/0x870\n[  324.701793]  __might_resched.cold+0x1ef/0x23d\n\u003c..\u003e\n[  324.701818]  __mutex_lock+0x113/0x1b80\n\u003c..\u003e\n[  324.701917]  idpf_ctlq_clean_sq+0xad/0x4b0 [idpf]\n[  324.701935]  ? kasan_save_track+0x14/0x30\n[  324.701941]  idpf_mb_clean+0x143/0x380 [idpf]\n\u003c..\u003e\n[  324.701991]  idpf_send_mb_msg+0x111/0x720 [idpf]\n[  324.702009]  idpf_vc_xn_exec+0x4cc/0x990 [idpf]\n[  324.702021]  ? rcu_is_watching+0x12/0xc0\n[  324.702035]  idpf_add_del_mac_filters+0x3ed/0xb50 [idpf]\n\u003c..\u003e\n[  324.702122]  __hw_addr_sync_dev+0x1cf/0x300\n[  324.702126]  ? find_held_lock+0x32/0x90\n[  324.702134]  idpf_set_rx_mode+0x317/0x390 [idpf]\n[  324.702152]  __dev_open+0x3f8/0x870\n[  324.702159]  ? __pfx___dev_open+0x10/0x10\n[  324.702174]  __dev_change_flags+0x443/0x650\n\u003c..\u003e\n[  324.702208]  netif_change_flags+0x80/0x160\n[  324.702218]  do_setlink.isra.0+0x16a0/0x3960\n\u003c..\u003e\n[  324.702349]  rtnl_newlink+0x12fd/0x21e0\n\nThe sequence is as follows:\n\trtnl_newlink()-\u003e\n\t__dev_change_flags()-\u003e\n\t__dev_open()-\u003e\n\tdev_set_rx_mode() - \u003e  # disables BH and grabs \"dev-\u003eaddr_list_lock\"\n\tidpf_set_rx_mode() -\u003e  # proceed only if VIRTCHNL2_CAP_MACFILTER is ON\n\t__dev_uc_sync() -\u003e\n\tidpf_add_mac_filter -\u003e\n\tidpf_add_del_mac_filters -\u003e\n\tidpf_send_mb_msg() -\u003e\n\tidpf_mb_clean() -\u003e\n\tidpf_ctlq_clean_sq()   # mutex_lock(cq_lock)\n\nFix by converting cq_lock to a spinlock. All operations under the new\nlock are safe except freeing the DMA memory, which may use vunmap(). Fix\nby requesting a contiguous physical memory for the DMA mapping."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-28T04:20:56.271Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/9a36715cd6bc6a6f16230e19a7f947bab34b3fe5"
        },
        {
          "url": "https://git.kernel.org/stable/c/dc6c3c2c9dfdaa3a3357f59a80a2904677a71a9a"
        },
        {
          "url": "https://git.kernel.org/stable/c/b2beb5bb2cd90d7939e470ed4da468683f41baa3"
        }
      ],
      "title": "idpf: convert control queue mutex to a spinlock",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38392",
    "datePublished": "2025-07-25T12:53:37.175Z",
    "dateReserved": "2025-04-16T04:51:24.011Z",
    "dateUpdated": "2025-07-28T04:20:56.271Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Tags

Taxonomy of the tags.

All sightings related to this event Export sightings related to this event

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

alsa-2025:15786

Vulnerability from osv_almalinux

CVE-2025-38350 (GCVE-0-2025-38350)

CVE-2025-38449 (GCVE-0-2025-38449)

CVE-2025-38392 (GCVE-0-2025-38392)

Tags

Sightings

Nomenclature