Vulnerability-Lookup

alsa-2026:0759

Vulnerability from osv_almalinux

Published

2026-01-19 00:00

Modified

2026-01-20 08:07

Summary

Important: kernel security update

Details

The kernel packages contain the Linux kernel, the core of any Linux operating system.

Security Fix(es):

kernel: smb: client: Fix use-after-free in cifs_fill_dirent (CVE-2025-38051)
kernel: smb: client: let recv_done verify data_offset, data_length and remaining_data_length (CVE-2025-39933)
kernel: drm/i915: mark requests for GuC virtual engines to avoid use-after-free (CVE-2023-53552)
kernel: drm/sched: Fix potential double free in drm_sched_job_add_resv_dependencies (CVE-2025-40096)
kernel: net: atlantic: fix fragment overflow handling in RX path (CVE-2025-68301)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

References

URL

Type

	https://access.redhat.com/errata/RHSA-2026:0759	ADVISORY
	https://access.redhat.com/security/cve/CVE-2023-53552	REPORT
	https://access.redhat.com/security/cve/CVE-2025-38051	REPORT
	https://access.redhat.com/security/cve/CVE-2025-39933	REPORT
	https://access.redhat.com/security/cve/CVE-2025-40096	REPORT
	https://access.redhat.com/security/cve/CVE-2025-68301	REPORT
	https://bugzilla.redhat.com/2373329	REPORT
	https://bugzilla.redhat.com/2401432	REPORT
	https://bugzilla.redhat.com/2401514	REPORT
	https://bugzilla.redhat.com/2407333	REPORT
	https://bugzilla.redhat.com/2422836	REPORT
	https://errata.almalinux.org/8/ALSA-2026-0759.html	ADVISORY

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "bpftool"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.18.0-553.94.1.el8_10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "kernel"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.18.0-553.94.1.el8_10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "kernel-abi-stablelists"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.18.0-553.94.1.el8_10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "kernel-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.18.0-553.94.1.el8_10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "kernel-cross-headers"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.18.0-553.94.1.el8_10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "kernel-debug"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.18.0-553.94.1.el8_10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "kernel-debug-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.18.0-553.94.1.el8_10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "kernel-debug-devel"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.18.0-553.94.1.el8_10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "kernel-debug-modules"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.18.0-553.94.1.el8_10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "kernel-debug-modules-extra"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.18.0-553.94.1.el8_10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "kernel-devel"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.18.0-553.94.1.el8_10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "kernel-doc"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.18.0-553.94.1.el8_10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "kernel-headers"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.18.0-553.94.1.el8_10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "kernel-modules"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.18.0-553.94.1.el8_10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "kernel-modules-extra"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.18.0-553.94.1.el8_10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "kernel-tools"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.18.0-553.94.1.el8_10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "kernel-tools-libs"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.18.0-553.94.1.el8_10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "kernel-tools-libs-devel"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.18.0-553.94.1.el8_10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "kernel-zfcpdump"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.18.0-553.94.1.el8_10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "kernel-zfcpdump-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.18.0-553.94.1.el8_10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "kernel-zfcpdump-devel"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.18.0-553.94.1.el8_10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "kernel-zfcpdump-modules"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.18.0-553.94.1.el8_10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "kernel-zfcpdump-modules-extra"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.18.0-553.94.1.el8_10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "perf"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.18.0-553.94.1.el8_10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "python3-perf"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.18.0-553.94.1.el8_10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "details": "The kernel packages contain the Linux kernel, the core of any Linux operating system.  \n\nSecurity Fix(es):  \n\n  * kernel: smb: client: Fix use-after-free in cifs_fill_dirent (CVE-2025-38051)\n  * kernel: smb: client: let recv_done verify data_offset, data_length and remaining_data_length (CVE-2025-39933)\n  * kernel: drm/i915: mark requests for GuC virtual engines to avoid use-after-free (CVE-2023-53552)\n  * kernel: drm/sched: Fix potential double free in drm_sched_job_add_resv_dependencies (CVE-2025-40096)\n  * kernel: net: atlantic: fix fragment overflow handling in RX path (CVE-2025-68301)\n\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n",
  "id": "ALSA-2026:0759",
  "modified": "2026-01-20T08:07:16Z",
  "published": "2026-01-19T00:00:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://access.redhat.com/errata/RHSA-2026:0759"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2023-53552"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2025-38051"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2025-39933"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2025-40096"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2025-68301"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2373329"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2401432"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2401514"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2407333"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2422836"
    },
    {
      "type": "ADVISORY",
      "url": "https://errata.almalinux.org/8/ALSA-2026-0759.html"
    }
  ],
  "related": [
    "CVE-2025-38051",
    "CVE-2025-39933",
    "CVE-2023-53552",
    "CVE-2025-40096",
    "CVE-2025-68301"
  ],
  "summary": "Important: kernel security update"
}

CVE-2023-53552 (GCVE-0-2023-53552)

Vulnerability from cvelistv5 – Published: 2025-10-04 15:16 – Updated: 2025-10-04 15:16

Title

drm/i915: mark requests for GuC virtual engines to avoid use-after-free

Summary

In the Linux kernel, the following vulnerability has been resolved: drm/i915: mark requests for GuC virtual engines to avoid use-after-free References to i915_requests may be trapped by userspace inside a sync_file or dmabuf (dma-resv) and held indefinitely across different proceses. To counter-act the memory leaks, we try to not to keep references from the request past their completion. On the other side on fence release we need to know if rq->engine is valid and points to hw engine (true for non-virtual requests). To make it possible extra bit has been added to rq->execution_mask, for marking virtual engines. (cherry picked from commit 280410677af763f3871b93e794a199cfcf6fb580)

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/8017a27cec32eac8c…
	https://git.kernel.org/stable/c/7fb464d52fa41c31a…
	https://git.kernel.org/stable/c/5eefc5307c983b593…

Impacted products

Vendor

Product

Version

Linux

Affected: bcb9aa45d5a0e11ef91245330c53cde214d15e8d , < 8017a27cec32eac8c8f9430b0a3055840136b856 (git)
Affected: bcb9aa45d5a0e11ef91245330c53cde214d15e8d , < 7fb464d52fa41c31a6fd1ad82888e67c65935d94 (git)
Affected: bcb9aa45d5a0e11ef91245330c53cde214d15e8d , < 5eefc5307c983b59344a4cb89009819f580c84fa (git)

Linux

Affected: 6.0
Unaffected: 0 , < 6.0 (semver)
Unaffected: 6.1.54 , ≤ 6.1.* (semver)
Unaffected: 6.5.4 , ≤ 6.5.* (semver)
Unaffected: 6.6 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/i915/gt/intel_engine_types.h",
            "drivers/gpu/drm/i915/gt/uc/intel_guc_submission.c",
            "drivers/gpu/drm/i915/i915_request.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "8017a27cec32eac8c8f9430b0a3055840136b856",
              "status": "affected",
              "version": "bcb9aa45d5a0e11ef91245330c53cde214d15e8d",
              "versionType": "git"
            },
            {
              "lessThan": "7fb464d52fa41c31a6fd1ad82888e67c65935d94",
              "status": "affected",
              "version": "bcb9aa45d5a0e11ef91245330c53cde214d15e8d",
              "versionType": "git"
            },
            {
              "lessThan": "5eefc5307c983b59344a4cb89009819f580c84fa",
              "status": "affected",
              "version": "bcb9aa45d5a0e11ef91245330c53cde214d15e8d",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/i915/gt/intel_engine_types.h",
            "drivers/gpu/drm/i915/gt/uc/intel_guc_submission.c",
            "drivers/gpu/drm/i915/i915_request.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.0"
            },
            {
              "lessThan": "6.0",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.54",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.5.*",
              "status": "unaffected",
              "version": "6.5.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.6",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.54",
                  "versionStartIncluding": "6.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.5.4",
                  "versionStartIncluding": "6.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6",
                  "versionStartIncluding": "6.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/i915: mark requests for GuC virtual engines to avoid use-after-free\n\nReferences to i915_requests may be trapped by userspace inside a\nsync_file or dmabuf (dma-resv) and held indefinitely across different\nproceses. To counter-act the memory leaks, we try to not to keep\nreferences from the request past their completion.\nOn the other side on fence release we need to know if rq-\u003eengine\nis valid and points to hw engine (true for non-virtual requests).\nTo make it possible extra bit has been added to rq-\u003eexecution_mask,\nfor marking virtual engines.\n\n(cherry picked from commit 280410677af763f3871b93e794a199cfcf6fb580)"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-10-04T15:16:58.429Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/8017a27cec32eac8c8f9430b0a3055840136b856"
        },
        {
          "url": "https://git.kernel.org/stable/c/7fb464d52fa41c31a6fd1ad82888e67c65935d94"
        },
        {
          "url": "https://git.kernel.org/stable/c/5eefc5307c983b59344a4cb89009819f580c84fa"
        }
      ],
      "title": "drm/i915: mark requests for GuC virtual engines to avoid use-after-free",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2023-53552",
    "datePublished": "2025-10-04T15:16:58.429Z",
    "dateReserved": "2025-10-04T15:14:15.922Z",
    "dateUpdated": "2025-10-04T15:16:58.429Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-39933 (GCVE-0-2025-39933)

Vulnerability from cvelistv5 – Published: 2025-10-04 07:30 – Updated: 2025-10-04 07:30

Title

smb: client: let recv_done verify data_offset, data_length and remaining_data_length

Summary

In the Linux kernel, the following vulnerability has been resolved: smb: client: let recv_done verify data_offset, data_length and remaining_data_length This is inspired by the related server fixes.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/581fb78e0388b7891…
	https://git.kernel.org/stable/c/f57e53ea252363234…

Impacted products

Vendor

Product

Version

Linux

Affected: f198186aa9bbd60fae7a2061f4feec614d880299 , < 581fb78e0388b78911b0c920e4073737090c8b5f (git)
Affected: f198186aa9bbd60fae7a2061f4feec614d880299 , < f57e53ea252363234f86674db475839e5b87102e (git)

Linux

Affected: 4.16
Unaffected: 0 , < 4.16 (semver)
Unaffected: 6.16.9 , ≤ 6.16.* (semver)
Unaffected: 6.17 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/smb/client/smbdirect.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "581fb78e0388b78911b0c920e4073737090c8b5f",
              "status": "affected",
              "version": "f198186aa9bbd60fae7a2061f4feec614d880299",
              "versionType": "git"
            },
            {
              "lessThan": "f57e53ea252363234f86674db475839e5b87102e",
              "status": "affected",
              "version": "f198186aa9bbd60fae7a2061f4feec614d880299",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/smb/client/smbdirect.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.16"
            },
            {
              "lessThan": "4.16",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.16.*",
              "status": "unaffected",
              "version": "6.16.9",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.17",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16.9",
                  "versionStartIncluding": "4.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17",
                  "versionStartIncluding": "4.16",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: let recv_done verify data_offset, data_length and remaining_data_length\n\nThis is inspired by the related server fixes."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-10-04T07:30:57.496Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/581fb78e0388b78911b0c920e4073737090c8b5f"
        },
        {
          "url": "https://git.kernel.org/stable/c/f57e53ea252363234f86674db475839e5b87102e"
        }
      ],
      "title": "smb: client: let recv_done verify data_offset, data_length and remaining_data_length",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-39933",
    "datePublished": "2025-10-04T07:30:57.496Z",
    "dateReserved": "2025-04-16T07:20:57.148Z",
    "dateUpdated": "2025-10-04T07:30:57.496Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-40096 (GCVE-0-2025-40096)

Vulnerability from cvelistv5 – Published: 2025-10-30 09:48 – Updated: 2025-12-01 06:17

Title

drm/sched: Fix potential double free in drm_sched_job_add_resv_dependencies

Summary

In the Linux kernel, the following vulnerability has been resolved: drm/sched: Fix potential double free in drm_sched_job_add_resv_dependencies When adding dependencies with drm_sched_job_add_dependency(), that function consumes the fence reference both on success and failure, so in the latter case the dma_fence_put() on the error path (xarray failed to expand) is a double free. Interestingly this bug appears to have been present ever since commit ebd5f74255b9 ("drm/sched: Add dependency tracking"), since the code back then looked like this: drm_sched_job_add_implicit_dependencies(): ... for (i = 0; i < fence_count; i++) { ret = drm_sched_job_add_dependency(job, fences[i]); if (ret) break; } for (; i < fence_count; i++) dma_fence_put(fences[i]); Which means for the failing 'i' the dma_fence_put was already a double free. Possibly there were no users at that time, or the test cases were insufficient to hit it. The bug was then only noticed and fixed after commit 9c2ba265352a ("drm/scheduler: use new iterator in drm_sched_job_add_implicit_dependencies v2") landed, with its fixup of commit 4eaf02d6076c ("drm/scheduler: fix drm_sched_job_add_implicit_dependencies"). At that point it was a slightly different flavour of a double free, which commit 963d0b356935 ("drm/scheduler: fix drm_sched_job_add_implicit_dependencies harder") noticed and attempted to fix. But it only moved the double free from happening inside the drm_sched_job_add_dependency(), when releasing the reference not yet obtained, to the caller, when releasing the reference already released by the former in the failure case. As such it is not easy to identify the right target for the fixes tag so lets keep it simple and just continue the chain. While fixing we also improve the comment and explain the reason for taking the reference and not dropping it.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/4c38a63ae12ecc937…
	https://git.kernel.org/stable/c/57239762aa90ad768…
	https://git.kernel.org/stable/c/e5e3eb2aff92994ee…
	https://git.kernel.org/stable/c/fdfb47e85af1e11ec…
	https://git.kernel.org/stable/c/5801e65206b065b0b…

Impacted products

Vendor

Product

Version

Linux

Affected: 963d0b3569354230f6e2c36a286ef270a8901878 , < 4c38a63ae12ecc9370a7678077bde2d61aa80e9c (git)
Affected: 963d0b3569354230f6e2c36a286ef270a8901878 , < 57239762aa90ad768dac055021f27705dae73344 (git)
Affected: 963d0b3569354230f6e2c36a286ef270a8901878 , < e5e3eb2aff92994ee81ce633f1c4e73bd4b87e11 (git)
Affected: 963d0b3569354230f6e2c36a286ef270a8901878 , < fdfb47e85af1e11ec822c82739dde2dd8dff5115 (git)
Affected: 963d0b3569354230f6e2c36a286ef270a8901878 , < 5801e65206b065b0b2af032f7f1eef222aa2fd83 (git)

Linux

Affected: 5.16
Unaffected: 0 , < 5.16 (semver)
Unaffected: 6.1.158 , ≤ 6.1.* (semver)
Unaffected: 6.6.114 , ≤ 6.6.* (semver)
Unaffected: 6.12.55 , ≤ 6.12.* (semver)
Unaffected: 6.17.5 , ≤ 6.17.* (semver)
Unaffected: 6.18 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/scheduler/sched_main.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "4c38a63ae12ecc9370a7678077bde2d61aa80e9c",
              "status": "affected",
              "version": "963d0b3569354230f6e2c36a286ef270a8901878",
              "versionType": "git"
            },
            {
              "lessThan": "57239762aa90ad768dac055021f27705dae73344",
              "status": "affected",
              "version": "963d0b3569354230f6e2c36a286ef270a8901878",
              "versionType": "git"
            },
            {
              "lessThan": "e5e3eb2aff92994ee81ce633f1c4e73bd4b87e11",
              "status": "affected",
              "version": "963d0b3569354230f6e2c36a286ef270a8901878",
              "versionType": "git"
            },
            {
              "lessThan": "fdfb47e85af1e11ec822c82739dde2dd8dff5115",
              "status": "affected",
              "version": "963d0b3569354230f6e2c36a286ef270a8901878",
              "versionType": "git"
            },
            {
              "lessThan": "5801e65206b065b0b2af032f7f1eef222aa2fd83",
              "status": "affected",
              "version": "963d0b3569354230f6e2c36a286ef270a8901878",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/scheduler/sched_main.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.16"
            },
            {
              "lessThan": "5.16",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.158",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.114",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.55",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.5",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.158",
                  "versionStartIncluding": "5.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.114",
                  "versionStartIncluding": "5.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.55",
                  "versionStartIncluding": "5.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.5",
                  "versionStartIncluding": "5.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "5.16",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/sched: Fix potential double free in drm_sched_job_add_resv_dependencies\n\nWhen adding dependencies with drm_sched_job_add_dependency(), that\nfunction consumes the fence reference both on success and failure, so in\nthe latter case the dma_fence_put() on the error path (xarray failed to\nexpand) is a double free.\n\nInterestingly this bug appears to have been present ever since\ncommit ebd5f74255b9 (\"drm/sched: Add dependency tracking\"), since the code\nback then looked like this:\n\ndrm_sched_job_add_implicit_dependencies():\n...\n       for (i = 0; i \u003c fence_count; i++) {\n               ret = drm_sched_job_add_dependency(job, fences[i]);\n               if (ret)\n                       break;\n       }\n\n       for (; i \u003c fence_count; i++)\n               dma_fence_put(fences[i]);\n\nWhich means for the failing \u0027i\u0027 the dma_fence_put was already a double\nfree. Possibly there were no users at that time, or the test cases were\ninsufficient to hit it.\n\nThe bug was then only noticed and fixed after\ncommit 9c2ba265352a (\"drm/scheduler: use new iterator in drm_sched_job_add_implicit_dependencies v2\")\nlanded, with its fixup of\ncommit 4eaf02d6076c (\"drm/scheduler: fix drm_sched_job_add_implicit_dependencies\").\n\nAt that point it was a slightly different flavour of a double free, which\ncommit 963d0b356935 (\"drm/scheduler: fix drm_sched_job_add_implicit_dependencies harder\")\nnoticed and attempted to fix.\n\nBut it only moved the double free from happening inside the\ndrm_sched_job_add_dependency(), when releasing the reference not yet\nobtained, to the caller, when releasing the reference already released by\nthe former in the failure case.\n\nAs such it is not easy to identify the right target for the fixes tag so\nlets keep it simple and just continue the chain.\n\nWhile fixing we also improve the comment and explain the reason for taking\nthe reference and not dropping it."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-01T06:17:56.391Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/4c38a63ae12ecc9370a7678077bde2d61aa80e9c"
        },
        {
          "url": "https://git.kernel.org/stable/c/57239762aa90ad768dac055021f27705dae73344"
        },
        {
          "url": "https://git.kernel.org/stable/c/e5e3eb2aff92994ee81ce633f1c4e73bd4b87e11"
        },
        {
          "url": "https://git.kernel.org/stable/c/fdfb47e85af1e11ec822c82739dde2dd8dff5115"
        },
        {
          "url": "https://git.kernel.org/stable/c/5801e65206b065b0b2af032f7f1eef222aa2fd83"
        }
      ],
      "title": "drm/sched: Fix potential double free in drm_sched_job_add_resv_dependencies",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-40096",
    "datePublished": "2025-10-30T09:48:03.954Z",
    "dateReserved": "2025-04-16T07:20:57.163Z",
    "dateUpdated": "2025-12-01T06:17:56.391Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-68301 (GCVE-0-2025-68301)

Vulnerability from cvelistv5 – Published: 2025-12-16 15:06 – Updated: 2025-12-16 15:06

Title

net: atlantic: fix fragment overflow handling in RX path

Summary

In the Linux kernel, the following vulnerability has been resolved: net: atlantic: fix fragment overflow handling in RX path The atlantic driver can receive packets with more than MAX_SKB_FRAGS (17) fragments when handling large multi-descriptor packets. This causes an out-of-bounds write in skb_add_rx_frag_netmem() leading to kernel panic. The issue occurs because the driver doesn't check the total number of fragments before calling skb_add_rx_frag(). When a packet requires more than MAX_SKB_FRAGS fragments, the fragment index exceeds the array bounds. Fix by assuming there will be an extra frag if buff->len > AQ_CFG_RX_HDR_SIZE, then all fragments are accounted for. And reusing the existing check to prevent the overflow earlier in the code path. This crash occurred in production with an Aquantia AQC113 10G NIC. Stack trace from production environment: ``` RIP: 0010:skb_add_rx_frag_netmem+0x29/0xd0 Code: 90 f3 0f 1e fa 0f 1f 44 00 00 48 89 f8 41 89 ca 48 89 d7 48 63 ce 8b 90 c0 00 00 00 48 c1 e1 04 48 01 ca 48 03 90 c8 00 00 00 <48> 89 7a 30 44 89 52 3c 44 89 42 38 40 f6 c7 01 75 74 48 89 fa 83 RSP: 0018:ffffa9bec02a8d50 EFLAGS: 00010287 RAX: ffff925b22e80a00 RBX: ffff925ad38d2700 RCX: fffffffe0a0c8000 RDX: ffff9258ea95bac0 RSI: ffff925ae0a0c800 RDI: 0000000000037a40 RBP: 0000000000000024 R08: 0000000000000000 R09: 0000000000000021 R10: 0000000000000848 R11: 0000000000000000 R12: ffffa9bec02a8e24 R13: ffff925ad8615570 R14: 0000000000000000 R15: ffff925b22e80a00 FS: 0000000000000000(0000) GS:ffff925e47880000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: ffff9258ea95baf0 CR3: 0000000166022004 CR4: 0000000000f72ef0 PKRU: 55555554 Call Trace: <IRQ> aq_ring_rx_clean+0x175/0xe60 [atlantic] ? aq_ring_rx_clean+0x14d/0xe60 [atlantic] ? aq_ring_tx_clean+0xdf/0x190 [atlantic] ? kmem_cache_free+0x348/0x450 ? aq_vec_poll+0x81/0x1d0 [atlantic] ? __napi_poll+0x28/0x1c0 ? net_rx_action+0x337/0x420 ``` Changes in v4: - Add Fixes: tag to satisfy patch validation requirements. Changes in v3: - Fix by assuming there will be an extra frag if buff->len > AQ_CFG_RX_HDR_SIZE, then all fragments are accounted for.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/34147477eeab24077…
	https://git.kernel.org/stable/c/b0c4d5135b04ea100…
	https://git.kernel.org/stable/c/5d6051ea1b0417ae2…
	https://git.kernel.org/stable/c/3be37c3c96b164623…
	https://git.kernel.org/stable/c/3fd2105e1b7e041cc…
	https://git.kernel.org/stable/c/64e47cd1fd631a21b…
	https://git.kernel.org/stable/c/5ffcb7b890f615412…

Impacted products

Vendor

Product

Version

Linux

Affected: cd66ab20a8f84474564a68fffffd37d998f6c340 , < 34147477eeab24077fcfe9649e282849347d760c (git)
Affected: 948ddbdc56636773401f2cb9c7a932eb9c43ccfd , < b0c4d5135b04ea100988e2458c98f2d8564cda16 (git)
Affected: 6aecbba12b5c90b26dc062af3b9de8c4b3a2f19f , < 5d6051ea1b0417ae2f06a8440d22e48fbc8f8997 (git)
Affected: 6aecbba12b5c90b26dc062af3b9de8c4b3a2f19f , < 3be37c3c96b16462394fcb8e15e757c691377038 (git)
Affected: 6aecbba12b5c90b26dc062af3b9de8c4b3a2f19f , < 3fd2105e1b7e041cc24be151c9a31a14d5fc50ab (git)
Affected: 6aecbba12b5c90b26dc062af3b9de8c4b3a2f19f , < 64e47cd1fd631a21bf5a630cebefec6c8fc381cd (git)
Affected: 6aecbba12b5c90b26dc062af3b9de8c4b3a2f19f , < 5ffcb7b890f61541201461580bb6622ace405aec (git)
Affected: dd4fb02847e737cc38ca75e708b1a836fba45faf (git)

Linux

Affected: 5.18
Unaffected: 0 , < 5.18 (semver)
Unaffected: 5.10.247 , ≤ 5.10.* (semver)
Unaffected: 5.15.197 , ≤ 5.15.* (semver)
Unaffected: 6.1.159 , ≤ 6.1.* (semver)
Unaffected: 6.6.119 , ≤ 6.6.* (semver)
Unaffected: 6.12.61 , ≤ 6.12.* (semver)
Unaffected: 6.17.11 , ≤ 6.17.* (semver)
Unaffected: 6.18 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/aquantia/atlantic/aq_ring.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "34147477eeab24077fcfe9649e282849347d760c",
              "status": "affected",
              "version": "cd66ab20a8f84474564a68fffffd37d998f6c340",
              "versionType": "git"
            },
            {
              "lessThan": "b0c4d5135b04ea100988e2458c98f2d8564cda16",
              "status": "affected",
              "version": "948ddbdc56636773401f2cb9c7a932eb9c43ccfd",
              "versionType": "git"
            },
            {
              "lessThan": "5d6051ea1b0417ae2f06a8440d22e48fbc8f8997",
              "status": "affected",
              "version": "6aecbba12b5c90b26dc062af3b9de8c4b3a2f19f",
              "versionType": "git"
            },
            {
              "lessThan": "3be37c3c96b16462394fcb8e15e757c691377038",
              "status": "affected",
              "version": "6aecbba12b5c90b26dc062af3b9de8c4b3a2f19f",
              "versionType": "git"
            },
            {
              "lessThan": "3fd2105e1b7e041cc24be151c9a31a14d5fc50ab",
              "status": "affected",
              "version": "6aecbba12b5c90b26dc062af3b9de8c4b3a2f19f",
              "versionType": "git"
            },
            {
              "lessThan": "64e47cd1fd631a21bf5a630cebefec6c8fc381cd",
              "status": "affected",
              "version": "6aecbba12b5c90b26dc062af3b9de8c4b3a2f19f",
              "versionType": "git"
            },
            {
              "lessThan": "5ffcb7b890f61541201461580bb6622ace405aec",
              "status": "affected",
              "version": "6aecbba12b5c90b26dc062af3b9de8c4b3a2f19f",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "dd4fb02847e737cc38ca75e708b1a836fba45faf",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/aquantia/atlantic/aq_ring.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.18"
            },
            {
              "lessThan": "5.18",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.247",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.197",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.159",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.119",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.61",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.11",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.247",
                  "versionStartIncluding": "5.10.118",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.197",
                  "versionStartIncluding": "5.15.42",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.159",
                  "versionStartIncluding": "5.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.119",
                  "versionStartIncluding": "5.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.61",
                  "versionStartIncluding": "5.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.11",
                  "versionStartIncluding": "5.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "5.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "5.17.10",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: atlantic: fix fragment overflow handling in RX path\n\nThe atlantic driver can receive packets with more than MAX_SKB_FRAGS (17)\nfragments when handling large multi-descriptor packets. This causes an\nout-of-bounds write in skb_add_rx_frag_netmem() leading to kernel panic.\n\nThe issue occurs because the driver doesn\u0027t check the total number of\nfragments before calling skb_add_rx_frag(). When a packet requires more\nthan MAX_SKB_FRAGS fragments, the fragment index exceeds the array bounds.\n\nFix by assuming there will be an extra frag if buff-\u003elen \u003e AQ_CFG_RX_HDR_SIZE,\nthen all fragments are accounted for. And reusing the existing check to\nprevent the overflow earlier in the code path.\n\nThis crash occurred in production with an Aquantia AQC113 10G NIC.\n\nStack trace from production environment:\n```\nRIP: 0010:skb_add_rx_frag_netmem+0x29/0xd0\nCode: 90 f3 0f 1e fa 0f 1f 44 00 00 48 89 f8 41 89\nca 48 89 d7 48 63 ce 8b 90 c0 00 00 00 48 c1 e1 04 48 01 ca 48 03 90\nc8 00 00 00 \u003c48\u003e 89 7a 30 44 89 52 3c 44 89 42 38 40 f6 c7 01 75 74 48\n89 fa 83\nRSP: 0018:ffffa9bec02a8d50 EFLAGS: 00010287\nRAX: ffff925b22e80a00 RBX: ffff925ad38d2700 RCX:\nfffffffe0a0c8000\nRDX: ffff9258ea95bac0 RSI: ffff925ae0a0c800 RDI:\n0000000000037a40\nRBP: 0000000000000024 R08: 0000000000000000 R09:\n0000000000000021\nR10: 0000000000000848 R11: 0000000000000000 R12:\nffffa9bec02a8e24\nR13: ffff925ad8615570 R14: 0000000000000000 R15:\nffff925b22e80a00\nFS: 0000000000000000(0000)\nGS:ffff925e47880000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: ffff9258ea95baf0 CR3: 0000000166022004 CR4:\n0000000000f72ef0\nPKRU: 55555554\nCall Trace:\n\u003cIRQ\u003e\naq_ring_rx_clean+0x175/0xe60 [atlantic]\n? aq_ring_rx_clean+0x14d/0xe60 [atlantic]\n? aq_ring_tx_clean+0xdf/0x190 [atlantic]\n? kmem_cache_free+0x348/0x450\n? aq_vec_poll+0x81/0x1d0 [atlantic]\n? __napi_poll+0x28/0x1c0\n? net_rx_action+0x337/0x420\n```\n\nChanges in v4:\n- Add Fixes: tag to satisfy patch validation requirements.\n\nChanges in v3:\n- Fix by assuming there will be an extra frag if buff-\u003elen \u003e AQ_CFG_RX_HDR_SIZE,\n  then all fragments are accounted for."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-16T15:06:19.688Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/34147477eeab24077fcfe9649e282849347d760c"
        },
        {
          "url": "https://git.kernel.org/stable/c/b0c4d5135b04ea100988e2458c98f2d8564cda16"
        },
        {
          "url": "https://git.kernel.org/stable/c/5d6051ea1b0417ae2f06a8440d22e48fbc8f8997"
        },
        {
          "url": "https://git.kernel.org/stable/c/3be37c3c96b16462394fcb8e15e757c691377038"
        },
        {
          "url": "https://git.kernel.org/stable/c/3fd2105e1b7e041cc24be151c9a31a14d5fc50ab"
        },
        {
          "url": "https://git.kernel.org/stable/c/64e47cd1fd631a21bf5a630cebefec6c8fc381cd"
        },
        {
          "url": "https://git.kernel.org/stable/c/5ffcb7b890f61541201461580bb6622ace405aec"
        }
      ],
      "title": "net: atlantic: fix fragment overflow handling in RX path",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-68301",
    "datePublished": "2025-12-16T15:06:19.688Z",
    "dateReserved": "2025-12-16T14:48:05.293Z",
    "dateUpdated": "2025-12-16T15:06:19.688Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38051 (GCVE-0-2025-38051)

Vulnerability from cvelistv5 – Published: 2025-06-18 09:33 – Updated: 2025-11-03 17:33

Title

smb: client: Fix use-after-free in cifs_fill_dirent

Summary

In the Linux kernel, the following vulnerability has been resolved: smb: client: Fix use-after-free in cifs_fill_dirent There is a race condition in the readdir concurrency process, which may access the rsp buffer after it has been released, triggering the following KASAN warning. ================================================================== BUG: KASAN: slab-use-after-free in cifs_fill_dirent+0xb03/0xb60 [cifs] Read of size 4 at addr ffff8880099b819c by task a.out/342975 CPU: 2 UID: 0 PID: 342975 Comm: a.out Not tainted 6.15.0-rc6+ #240 PREEMPT(full) Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.1-2.fc37 04/01/2014 Call Trace: <TASK> dump_stack_lvl+0x53/0x70 print_report+0xce/0x640 kasan_report+0xb8/0xf0 cifs_fill_dirent+0xb03/0xb60 [cifs] cifs_readdir+0x12cb/0x3190 [cifs] iterate_dir+0x1a1/0x520 __x64_sys_getdents+0x134/0x220 do_syscall_64+0x4b/0x110 entry_SYSCALL_64_after_hwframe+0x76/0x7e RIP: 0033:0x7f996f64b9f9 Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0d f7 c3 0c 00 f7 d8 64 89 8 RSP: 002b:00007f996f53de78 EFLAGS: 00000207 ORIG_RAX: 000000000000004e RAX: ffffffffffffffda RBX: 00007f996f53ecdc RCX: 00007f996f64b9f9 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003 RBP: 00007f996f53dea0 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000207 R12: ffffffffffffff88 R13: 0000000000000000 R14: 00007ffc8cd9a500 R15: 00007f996f51e000 </TASK> Allocated by task 408: kasan_save_stack+0x20/0x40 kasan_save_track+0x14/0x30 __kasan_slab_alloc+0x6e/0x70 kmem_cache_alloc_noprof+0x117/0x3d0 mempool_alloc_noprof+0xf2/0x2c0 cifs_buf_get+0x36/0x80 [cifs] allocate_buffers+0x1d2/0x330 [cifs] cifs_demultiplex_thread+0x22b/0x2690 [cifs] kthread+0x394/0x720 ret_from_fork+0x34/0x70 ret_from_fork_asm+0x1a/0x30 Freed by task 342979: kasan_save_stack+0x20/0x40 kasan_save_track+0x14/0x30 kasan_save_free_info+0x3b/0x60 __kasan_slab_free+0x37/0x50 kmem_cache_free+0x2b8/0x500 cifs_buf_release+0x3c/0x70 [cifs] cifs_readdir+0x1c97/0x3190 [cifs] iterate_dir+0x1a1/0x520 __x64_sys_getdents64+0x134/0x220 do_syscall_64+0x4b/0x110 entry_SYSCALL_64_after_hwframe+0x76/0x7e The buggy address belongs to the object at ffff8880099b8000 which belongs to the cache cifs_request of size 16588 The buggy address is located 412 bytes inside of freed 16588-byte region [ffff8880099b8000, ffff8880099bc0cc) The buggy address belongs to the physical page: page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x99b8 head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 anon flags: 0x80000000000040(head|node=0|zone=1) page_type: f5(slab) raw: 0080000000000040 ffff888001e03400 0000000000000000 dead000000000001 raw: 0000000000000000 0000000000010001 00000000f5000000 0000000000000000 head: 0080000000000040 ffff888001e03400 0000000000000000 dead000000000001 head: 0000000000000000 0000000000010001 00000000f5000000 0000000000000000 head: 0080000000000003 ffffea0000266e01 00000000ffffffff 00000000ffffffff head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff8880099b8080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8880099b8100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff8880099b8180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8880099b8200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8880099b8280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ================================================================== POC is available in the link [1]. The problem triggering process is as follows: Process 1 Process 2 ----------------------------------- ---truncated---

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/aee067e88d61eb72e…
	https://git.kernel.org/stable/c/a24c2f05ac3c5b0aa…
	https://git.kernel.org/stable/c/1b197931fbc821bc7…
	https://git.kernel.org/stable/c/c8623231e0edfcccb…
	https://git.kernel.org/stable/c/73cadde98f67f76c5…
	https://git.kernel.org/stable/c/9bea368648ac46f85…
	https://git.kernel.org/stable/c/9c9aafbacc183598f…
	https://git.kernel.org/stable/c/a7a8fe56e932a36f4…

Impacted products

Vendor

Product

Version

Linux

Affected: a364bc0b37f14ffd66c1f982af42990a9d77fa43 , < aee067e88d61eb72e966f094e4749c6b14e7008f (git)
Affected: a364bc0b37f14ffd66c1f982af42990a9d77fa43 , < a24c2f05ac3c5b0aaa539d9d913826d2643dfd0e (git)
Affected: a364bc0b37f14ffd66c1f982af42990a9d77fa43 , < 1b197931fbc821bc7e9e91bf619400db563e3338 (git)
Affected: a364bc0b37f14ffd66c1f982af42990a9d77fa43 , < c8623231e0edfcccb7cc6add0288fa0f0594282f (git)
Affected: a364bc0b37f14ffd66c1f982af42990a9d77fa43 , < 73cadde98f67f76c5eba00ac0b72c453383cec8b (git)
Affected: a364bc0b37f14ffd66c1f982af42990a9d77fa43 , < 9bea368648ac46f8593a780760362e40291d22a9 (git)
Affected: a364bc0b37f14ffd66c1f982af42990a9d77fa43 , < 9c9aafbacc183598f064902365e107b5e856531f (git)
Affected: a364bc0b37f14ffd66c1f982af42990a9d77fa43 , < a7a8fe56e932a36f43e031b398aef92341bf5ea0 (git)
Affected: 0f3da51e7046e2eb28992ba65c22d058f571356c (git)

Linux

Affected: 2.6.28
Unaffected: 0 , < 2.6.28 (semver)
Unaffected: 5.4.294 , ≤ 5.4.* (semver)
Unaffected: 5.10.238 , ≤ 5.10.* (semver)
Unaffected: 5.15.185 , ≤ 5.15.* (semver)
Unaffected: 6.1.141 , ≤ 6.1.* (semver)
Unaffected: 6.6.93 , ≤ 6.6.* (semver)
Unaffected: 6.12.31 , ≤ 6.12.* (semver)
Unaffected: 6.14.9 , ≤ 6.14.* (semver)
Unaffected: 6.15 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:33:23.156Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/smb/client/readdir.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "aee067e88d61eb72e966f094e4749c6b14e7008f",
              "status": "affected",
              "version": "a364bc0b37f14ffd66c1f982af42990a9d77fa43",
              "versionType": "git"
            },
            {
              "lessThan": "a24c2f05ac3c5b0aaa539d9d913826d2643dfd0e",
              "status": "affected",
              "version": "a364bc0b37f14ffd66c1f982af42990a9d77fa43",
              "versionType": "git"
            },
            {
              "lessThan": "1b197931fbc821bc7e9e91bf619400db563e3338",
              "status": "affected",
              "version": "a364bc0b37f14ffd66c1f982af42990a9d77fa43",
              "versionType": "git"
            },
            {
              "lessThan": "c8623231e0edfcccb7cc6add0288fa0f0594282f",
              "status": "affected",
              "version": "a364bc0b37f14ffd66c1f982af42990a9d77fa43",
              "versionType": "git"
            },
            {
              "lessThan": "73cadde98f67f76c5eba00ac0b72c453383cec8b",
              "status": "affected",
              "version": "a364bc0b37f14ffd66c1f982af42990a9d77fa43",
              "versionType": "git"
            },
            {
              "lessThan": "9bea368648ac46f8593a780760362e40291d22a9",
              "status": "affected",
              "version": "a364bc0b37f14ffd66c1f982af42990a9d77fa43",
              "versionType": "git"
            },
            {
              "lessThan": "9c9aafbacc183598f064902365e107b5e856531f",
              "status": "affected",
              "version": "a364bc0b37f14ffd66c1f982af42990a9d77fa43",
              "versionType": "git"
            },
            {
              "lessThan": "a7a8fe56e932a36f43e031b398aef92341bf5ea0",
              "status": "affected",
              "version": "a364bc0b37f14ffd66c1f982af42990a9d77fa43",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "0f3da51e7046e2eb28992ba65c22d058f571356c",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/smb/client/readdir.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.28"
            },
            {
              "lessThan": "2.6.28",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.294",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.238",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.185",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.141",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.93",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.31",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.9",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.294",
                  "versionStartIncluding": "2.6.28",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.238",
                  "versionStartIncluding": "2.6.28",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.185",
                  "versionStartIncluding": "2.6.28",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.141",
                  "versionStartIncluding": "2.6.28",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.93",
                  "versionStartIncluding": "2.6.28",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.31",
                  "versionStartIncluding": "2.6.28",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.9",
                  "versionStartIncluding": "2.6.28",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "versionStartIncluding": "2.6.28",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "2.6.27.4",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: Fix use-after-free in cifs_fill_dirent\n\nThere is a race condition in the readdir concurrency process, which may\naccess the rsp buffer after it has been released, triggering the\nfollowing KASAN warning.\n\n ==================================================================\n BUG: KASAN: slab-use-after-free in cifs_fill_dirent+0xb03/0xb60 [cifs]\n Read of size 4 at addr ffff8880099b819c by task a.out/342975\n\n CPU: 2 UID: 0 PID: 342975 Comm: a.out Not tainted 6.15.0-rc6+ #240 PREEMPT(full)\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.1-2.fc37 04/01/2014\n Call Trace:\n  \u003cTASK\u003e\n  dump_stack_lvl+0x53/0x70\n  print_report+0xce/0x640\n  kasan_report+0xb8/0xf0\n  cifs_fill_dirent+0xb03/0xb60 [cifs]\n  cifs_readdir+0x12cb/0x3190 [cifs]\n  iterate_dir+0x1a1/0x520\n  __x64_sys_getdents+0x134/0x220\n  do_syscall_64+0x4b/0x110\n  entry_SYSCALL_64_after_hwframe+0x76/0x7e\n RIP: 0033:0x7f996f64b9f9\n Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89\n f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 \u003c48\u003e 3d 01\n f0 ff ff  0d f7 c3 0c 00 f7 d8 64 89 8\n RSP: 002b:00007f996f53de78 EFLAGS: 00000207 ORIG_RAX: 000000000000004e\n RAX: ffffffffffffffda RBX: 00007f996f53ecdc RCX: 00007f996f64b9f9\n RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003\n RBP: 00007f996f53dea0 R08: 0000000000000000 R09: 0000000000000000\n R10: 0000000000000000 R11: 0000000000000207 R12: ffffffffffffff88\n R13: 0000000000000000 R14: 00007ffc8cd9a500 R15: 00007f996f51e000\n  \u003c/TASK\u003e\n\n Allocated by task 408:\n  kasan_save_stack+0x20/0x40\n  kasan_save_track+0x14/0x30\n  __kasan_slab_alloc+0x6e/0x70\n  kmem_cache_alloc_noprof+0x117/0x3d0\n  mempool_alloc_noprof+0xf2/0x2c0\n  cifs_buf_get+0x36/0x80 [cifs]\n  allocate_buffers+0x1d2/0x330 [cifs]\n  cifs_demultiplex_thread+0x22b/0x2690 [cifs]\n  kthread+0x394/0x720\n  ret_from_fork+0x34/0x70\n  ret_from_fork_asm+0x1a/0x30\n\n Freed by task 342979:\n  kasan_save_stack+0x20/0x40\n  kasan_save_track+0x14/0x30\n  kasan_save_free_info+0x3b/0x60\n  __kasan_slab_free+0x37/0x50\n  kmem_cache_free+0x2b8/0x500\n  cifs_buf_release+0x3c/0x70 [cifs]\n  cifs_readdir+0x1c97/0x3190 [cifs]\n  iterate_dir+0x1a1/0x520\n  __x64_sys_getdents64+0x134/0x220\n  do_syscall_64+0x4b/0x110\n  entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\n The buggy address belongs to the object at ffff8880099b8000\n  which belongs to the cache cifs_request of size 16588\n The buggy address is located 412 bytes inside of\n  freed 16588-byte region [ffff8880099b8000, ffff8880099bc0cc)\n\n The buggy address belongs to the physical page:\n page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x99b8\n head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0\n anon flags: 0x80000000000040(head|node=0|zone=1)\n page_type: f5(slab)\n raw: 0080000000000040 ffff888001e03400 0000000000000000 dead000000000001\n raw: 0000000000000000 0000000000010001 00000000f5000000 0000000000000000\n head: 0080000000000040 ffff888001e03400 0000000000000000 dead000000000001\n head: 0000000000000000 0000000000010001 00000000f5000000 0000000000000000\n head: 0080000000000003 ffffea0000266e01 00000000ffffffff 00000000ffffffff\n head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008\n page dumped because: kasan: bad access detected\n\n Memory state around the buggy address:\n  ffff8880099b8080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n  ffff8880099b8100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n \u003effff8880099b8180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n                             ^\n  ffff8880099b8200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n  ffff8880099b8280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n ==================================================================\n\nPOC is available in the link [1].\n\nThe problem triggering process is as follows:\n\nProcess 1                       Process 2\n-----------------------------------\n---truncated---"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-06-18T09:33:32.805Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/aee067e88d61eb72e966f094e4749c6b14e7008f"
        },
        {
          "url": "https://git.kernel.org/stable/c/a24c2f05ac3c5b0aaa539d9d913826d2643dfd0e"
        },
        {
          "url": "https://git.kernel.org/stable/c/1b197931fbc821bc7e9e91bf619400db563e3338"
        },
        {
          "url": "https://git.kernel.org/stable/c/c8623231e0edfcccb7cc6add0288fa0f0594282f"
        },
        {
          "url": "https://git.kernel.org/stable/c/73cadde98f67f76c5eba00ac0b72c453383cec8b"
        },
        {
          "url": "https://git.kernel.org/stable/c/9bea368648ac46f8593a780760362e40291d22a9"
        },
        {
          "url": "https://git.kernel.org/stable/c/9c9aafbacc183598f064902365e107b5e856531f"
        },
        {
          "url": "https://git.kernel.org/stable/c/a7a8fe56e932a36f43e031b398aef92341bf5ea0"
        }
      ],
      "title": "smb: client: Fix use-after-free in cifs_fill_dirent",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38051",
    "datePublished": "2025-06-18T09:33:32.805Z",
    "dateReserved": "2025-04-16T04:51:23.979Z",
    "dateUpdated": "2025-11-03T17:33:23.156Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Tags

Taxonomy of the tags.

All sightings related to this event Export sightings related to this event

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

alsa-2026:0759

Vulnerability from osv_almalinux

CVE-2023-53552 (GCVE-0-2023-53552)

CVE-2025-39933 (GCVE-0-2025-39933)

CVE-2025-40096 (GCVE-0-2025-40096)

CVE-2025-68301 (GCVE-0-2025-68301)

CVE-2025-38051 (GCVE-0-2025-38051)

Tags

Sightings

Nomenclature