Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CERTFR-2025-AVI-0482
Vulnerability from certfr_avis - Published: 2025-06-06 - Updated: 2025-06-06
De multiples vulnérabilités ont été découvertes dans le noyau Linux de SUSE. Certaines d'entre elles permettent à un attaquant de provoquer un déni de service à distance, une atteinte à la confidentialité des données et un contournement de la politique de sécurité.
Solutions
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
References
| Title | Publication Time | Tags | |||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "SUSE Linux Micro 6.1",
"product": {
"name": "N/A",
"vendor": {
"name": "SUSE",
"scada": false
}
}
}
],
"affected_systems_content": "",
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [
{
"name": "CVE-2025-21980",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21980"
},
{
"name": "CVE-2024-53042",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-53042"
},
{
"name": "CVE-2024-58088",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-58088"
},
{
"name": "CVE-2025-22107",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22107"
},
{
"name": "CVE-2024-27018",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-27018"
},
{
"name": "CVE-2025-22033",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22033"
},
{
"name": "CVE-2025-39728",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39728"
},
{
"name": "CVE-2025-22017",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22017"
},
{
"name": "CVE-2024-58094",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-58094"
},
{
"name": "CVE-2025-22025",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22025"
},
{
"name": "CVE-2025-22036",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22036"
},
{
"name": "CVE-2025-21852",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21852"
},
{
"name": "CVE-2025-22027",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22027"
},
{
"name": "CVE-2025-21853",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21853"
},
{
"name": "CVE-2025-21931",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21931"
},
{
"name": "CVE-2023-53034",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53034"
},
{
"name": "CVE-2025-23138",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-23138"
},
{
"name": "CVE-2025-23129",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-23129"
},
{
"name": "CVE-2024-57882",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-57882"
},
{
"name": "CVE-2025-22106",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22106"
},
{
"name": "CVE-2025-22093",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22093"
},
{
"name": "CVE-2025-22050",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22050"
},
{
"name": "CVE-2025-21768",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21768"
},
{
"name": "CVE-2025-23131",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-23131"
},
{
"name": "CVE-2025-21904",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21904"
},
{
"name": "CVE-2025-37798",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-37798"
},
{
"name": "CVE-2025-37860",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-37860"
},
{
"name": "CVE-2025-22004",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22004"
},
{
"name": "CVE-2025-22121",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22121"
},
{
"name": "CVE-2025-22116",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22116"
},
{
"name": "CVE-2024-50162",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-50162"
},
{
"name": "CVE-2025-22105",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22105"
},
{
"name": "CVE-2025-21833",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21833"
},
{
"name": "CVE-2025-22055",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22055"
},
{
"name": "CVE-2024-58070",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-58070"
},
{
"name": "CVE-2025-22090",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22090"
},
{
"name": "CVE-2025-21792",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21792"
},
{
"name": "CVE-2024-58093",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-58093"
},
{
"name": "CVE-2025-22080",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22080"
},
{
"name": "CVE-2025-21867",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21867"
},
{
"name": "CVE-2024-58095",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-58095"
},
{
"name": "CVE-2025-21758",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21758"
},
{
"name": "CVE-2025-23136",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-23136"
},
{
"name": "CVE-2025-37785",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-37785"
},
{
"name": "CVE-2024-35840",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-35840"
},
{
"name": "CVE-2025-21999",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21999"
},
{
"name": "CVE-2025-21808",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21808"
},
{
"name": "CVE-2024-50115",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-50115"
},
{
"name": "CVE-2025-22044",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22044"
},
{
"name": "CVE-2025-22062",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22062"
},
{
"name": "CVE-2025-22058",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22058"
},
{
"name": "CVE-2025-22018",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22018"
},
{
"name": "CVE-2025-21925",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21925"
},
{
"name": "CVE-2025-21812",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21812"
},
{
"name": "CVE-2025-23145",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-23145"
},
{
"name": "CVE-2025-21683",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21683"
},
{
"name": "CVE-2025-22045",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22045"
},
{
"name": "CVE-2025-37799",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-37799"
},
{
"name": "CVE-2024-58068",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-58068"
},
{
"name": "CVE-2024-57998",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-57998"
},
{
"name": "CVE-2025-22029",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22029"
},
{
"name": "CVE-2025-22104",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22104"
},
{
"name": "CVE-2025-22060",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22060"
},
{
"name": "CVE-2024-28956",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-28956"
},
{
"name": "CVE-2025-21707",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21707"
},
{
"name": "CVE-2025-21985",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21985"
},
{
"name": "CVE-2025-22109",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22109"
},
{
"name": "CVE-2025-22075",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22075"
},
{
"name": "CVE-2025-22065",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22065"
},
{
"name": "CVE-2025-22097",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22097"
},
{
"name": "CVE-2024-57924",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-57924"
},
{
"name": "CVE-2025-22020",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22020"
},
{
"name": "CVE-2024-50083",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-50083"
},
{
"name": "CVE-2024-58096",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-58096"
},
{
"name": "CVE-2024-56641",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-56641"
},
{
"name": "CVE-2024-46763",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-46763"
},
{
"name": "CVE-2024-50163",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-50163"
},
{
"name": "CVE-2025-21926",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21926"
},
{
"name": "CVE-2025-22102",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22102"
},
{
"name": "CVE-2024-56702",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-56702"
},
{
"name": "CVE-2025-22016",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22016"
},
{
"name": "CVE-2025-21696",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21696"
},
{
"name": "CVE-2024-58097",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-58097"
},
{
"name": "CVE-2024-58001",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-58001"
},
{
"name": "CVE-2025-21963",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21963"
},
{
"name": "CVE-2024-53156",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-53156"
},
{
"name": "CVE-2025-22108",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22108"
},
{
"name": "CVE-2025-23133",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-23133"
},
{
"name": "CVE-2025-22128",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22128"
},
{
"name": "CVE-2024-46865",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-46865"
},
{
"name": "CVE-2025-21854",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21854"
},
{
"name": "CVE-2025-22086",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22086"
},
{
"name": "CVE-2024-27415",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-27415"
},
{
"name": "CVE-2025-22064",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22064"
},
{
"name": "CVE-2025-22015",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22015"
},
{
"name": "CVE-2025-21962",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21962"
},
{
"name": "CVE-2025-22053",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22053"
},
{
"name": "CVE-2025-22088",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22088"
},
{
"name": "CVE-2025-22115",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22115"
},
{
"name": "CVE-2025-21964",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21964"
}
],
"initial_release_date": "2025-06-06T00:00:00",
"last_revision_date": "2025-06-06T00:00:00",
"links": [],
"reference": "CERTFR-2025-AVI-0482",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2025-06-06T00:00:00.000000"
}
],
"risks": [
{
"description": "D\u00e9ni de service \u00e0 distance"
},
{
"description": "Non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans le noyau Linux de SUSE. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer un d\u00e9ni de service \u00e0 distance, une atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es et un contournement de la politique de s\u00e9curit\u00e9.",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans le noyau Linux de SUSE",
"vendor_advisories": [
{
"published_at": "2025-05-23",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2025:20355-1",
"url": "https://www.suse.com/support/update/announcement/2025/suse-su-202520355-1"
},
{
"published_at": "2025-05-28",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2025:20367-1",
"url": "https://www.suse.com/support/update/announcement/2025/suse-su-202520367-1"
},
{
"published_at": "2025-05-23",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2025:20354-1",
"url": "https://www.suse.com/support/update/announcement/2025/suse-su-202520354-1"
},
{
"published_at": "2025-05-22",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2025:20370-1",
"url": "https://www.suse.com/support/update/announcement/2025/suse-su-202520370-1"
},
{
"published_at": "2025-05-28",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2025:20366-1",
"url": "https://www.suse.com/support/update/announcement/2025/suse-su-202520366-1"
}
]
}
CVE-2025-22105 (GCVE-0-2025-22105)
Vulnerability from cvelistv5 – Published: 2025-04-16 14:12 – Updated: 2026-06-01 16:05
VLAI
EPSS
Title
bonding: check xdp prog when set bond mode
Summary
In the Linux kernel, the following vulnerability has been resolved:
bonding: check xdp prog when set bond mode
Following operations can trigger a warning[1]:
ip netns add ns1
ip netns exec ns1 ip link add bond0 type bond mode balance-rr
ip netns exec ns1 ip link set dev bond0 xdp obj af_xdp_kern.o sec xdp
ip netns exec ns1 ip link set bond0 type bond mode broadcast
ip netns del ns1
When delete the namespace, dev_xdp_uninstall() is called to remove xdp
program on bond dev, and bond_xdp_set() will check the bond mode. If bond
mode is changed after attaching xdp program, the warning may occur.
Some bond modes (broadcast, etc.) do not support native xdp. Set bond mode
with xdp program attached is not good. Add check for xdp program when set
bond mode.
[1]
------------[ cut here ]------------
WARNING: CPU: 0 PID: 11 at net/core/dev.c:9912 unregister_netdevice_many_notify+0x8d9/0x930
Modules linked in:
CPU: 0 UID: 0 PID: 11 Comm: kworker/u4:0 Not tainted 6.14.0-rc4 #107
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.15.0-0-g2dd4b9b3f840-prebuilt.qemu.org 04/01/2014
Workqueue: netns cleanup_net
RIP: 0010:unregister_netdevice_many_notify+0x8d9/0x930
Code: 00 00 48 c7 c6 6f e3 a2 82 48 c7 c7 d0 b3 96 82 e8 9c 10 3e ...
RSP: 0018:ffffc90000063d80 EFLAGS: 00000282
RAX: 00000000ffffffa1 RBX: ffff888004959000 RCX: 00000000ffffdfff
RDX: 0000000000000000 RSI: 00000000ffffffea RDI: ffffc90000063b48
RBP: ffffc90000063e28 R08: ffffffff82d39b28 R09: 0000000000009ffb
R10: 0000000000000175 R11: ffffffff82d09b40 R12: ffff8880049598e8
R13: 0000000000000001 R14: dead000000000100 R15: ffffc90000045000
FS: 0000000000000000(0000) GS:ffff888007a00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000000d406b60 CR3: 000000000483e000 CR4: 00000000000006f0
Call Trace:
<TASK>
? __warn+0x83/0x130
? unregister_netdevice_many_notify+0x8d9/0x930
? report_bug+0x18e/0x1a0
? handle_bug+0x54/0x90
? exc_invalid_op+0x18/0x70
? asm_exc_invalid_op+0x1a/0x20
? unregister_netdevice_many_notify+0x8d9/0x930
? bond_net_exit_batch_rtnl+0x5c/0x90
cleanup_net+0x237/0x3d0
process_one_work+0x163/0x390
worker_thread+0x293/0x3b0
? __pfx_worker_thread+0x10/0x10
kthread+0xec/0x1e0
? __pfx_kthread+0x10/0x10
? __pfx_kthread+0x10/0x10
ret_from_fork+0x2f/0x50
? __pfx_kthread+0x10/0x10
ret_from_fork_asm+0x1a/0x30
</TASK>
---[ end trace 0000000000000000 ]---
Severity
No CVSS data available.
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
9e2ee5c7e7c35d195e2aa0692a7241d47a433d1e , < 074de2f6706ea840bbf06599cdc194086fbae092
(git)
Affected: 9e2ee5c7e7c35d195e2aa0692a7241d47a433d1e , < 5106da73b01668a1aa5d0f352b95d2b832b5caa7 (git) Affected: 9e2ee5c7e7c35d195e2aa0692a7241d47a433d1e , < 6f3af8055ee7ab69d1451f056fcd890df99c167e (git) Affected: 9e2ee5c7e7c35d195e2aa0692a7241d47a433d1e , < 0dd4fac43bdea23cfe4bb2a3eabb76d752ac32fb (git) Affected: 9e2ee5c7e7c35d195e2aa0692a7241d47a433d1e , < 094ee6017ea09c11d6af187935a949df32803ce0 (git) |
|
| Linux | Linux |
Affected:
5.15
Unaffected: 0 , < 5.15 (semver) Unaffected: 6.1.175 , ≤ 6.1.* (semver) Unaffected: 6.6.119 , ≤ 6.6.* (semver) Unaffected: 6.12.57 , ≤ 6.12.* (semver) Unaffected: 6.14.2 , ≤ 6.14.* (semver) Unaffected: 6.15 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/bonding/bond_main.c",
"drivers/net/bonding/bond_options.c",
"include/net/bonding.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "074de2f6706ea840bbf06599cdc194086fbae092",
"status": "affected",
"version": "9e2ee5c7e7c35d195e2aa0692a7241d47a433d1e",
"versionType": "git"
},
{
"lessThan": "5106da73b01668a1aa5d0f352b95d2b832b5caa7",
"status": "affected",
"version": "9e2ee5c7e7c35d195e2aa0692a7241d47a433d1e",
"versionType": "git"
},
{
"lessThan": "6f3af8055ee7ab69d1451f056fcd890df99c167e",
"status": "affected",
"version": "9e2ee5c7e7c35d195e2aa0692a7241d47a433d1e",
"versionType": "git"
},
{
"lessThan": "0dd4fac43bdea23cfe4bb2a3eabb76d752ac32fb",
"status": "affected",
"version": "9e2ee5c7e7c35d195e2aa0692a7241d47a433d1e",
"versionType": "git"
},
{
"lessThan": "094ee6017ea09c11d6af187935a949df32803ce0",
"status": "affected",
"version": "9e2ee5c7e7c35d195e2aa0692a7241d47a433d1e",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/bonding/bond_main.c",
"drivers/net/bonding/bond_options.c",
"include/net/bonding.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.15"
},
{
"lessThan": "5.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.175",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.119",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.57",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.14.*",
"status": "unaffected",
"version": "6.14.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.15",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.175",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.119",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.57",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14.2",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15",
"versionStartIncluding": "5.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbonding: check xdp prog when set bond mode\n\nFollowing operations can trigger a warning[1]:\n\n ip netns add ns1\n ip netns exec ns1 ip link add bond0 type bond mode balance-rr\n ip netns exec ns1 ip link set dev bond0 xdp obj af_xdp_kern.o sec xdp\n ip netns exec ns1 ip link set bond0 type bond mode broadcast\n ip netns del ns1\n\nWhen delete the namespace, dev_xdp_uninstall() is called to remove xdp\nprogram on bond dev, and bond_xdp_set() will check the bond mode. If bond\nmode is changed after attaching xdp program, the warning may occur.\n\nSome bond modes (broadcast, etc.) do not support native xdp. Set bond mode\nwith xdp program attached is not good. Add check for xdp program when set\nbond mode.\n\n [1]\n ------------[ cut here ]------------\n WARNING: CPU: 0 PID: 11 at net/core/dev.c:9912 unregister_netdevice_many_notify+0x8d9/0x930\n Modules linked in:\n CPU: 0 UID: 0 PID: 11 Comm: kworker/u4:0 Not tainted 6.14.0-rc4 #107\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.15.0-0-g2dd4b9b3f840-prebuilt.qemu.org 04/01/2014\n Workqueue: netns cleanup_net\n RIP: 0010:unregister_netdevice_many_notify+0x8d9/0x930\n Code: 00 00 48 c7 c6 6f e3 a2 82 48 c7 c7 d0 b3 96 82 e8 9c 10 3e ...\n RSP: 0018:ffffc90000063d80 EFLAGS: 00000282\n RAX: 00000000ffffffa1 RBX: ffff888004959000 RCX: 00000000ffffdfff\n RDX: 0000000000000000 RSI: 00000000ffffffea RDI: ffffc90000063b48\n RBP: ffffc90000063e28 R08: ffffffff82d39b28 R09: 0000000000009ffb\n R10: 0000000000000175 R11: ffffffff82d09b40 R12: ffff8880049598e8\n R13: 0000000000000001 R14: dead000000000100 R15: ffffc90000045000\n FS: 0000000000000000(0000) GS:ffff888007a00000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 000000000d406b60 CR3: 000000000483e000 CR4: 00000000000006f0\n Call Trace:\n \u003cTASK\u003e\n ? __warn+0x83/0x130\n ? unregister_netdevice_many_notify+0x8d9/0x930\n ? report_bug+0x18e/0x1a0\n ? handle_bug+0x54/0x90\n ? exc_invalid_op+0x18/0x70\n ? asm_exc_invalid_op+0x1a/0x20\n ? unregister_netdevice_many_notify+0x8d9/0x930\n ? bond_net_exit_batch_rtnl+0x5c/0x90\n cleanup_net+0x237/0x3d0\n process_one_work+0x163/0x390\n worker_thread+0x293/0x3b0\n ? __pfx_worker_thread+0x10/0x10\n kthread+0xec/0x1e0\n ? __pfx_kthread+0x10/0x10\n ? __pfx_kthread+0x10/0x10\n ret_from_fork+0x2f/0x50\n ? __pfx_kthread+0x10/0x10\n ret_from_fork_asm+0x1a/0x30\n \u003c/TASK\u003e\n ---[ end trace 0000000000000000 ]---"
}
],
"providerMetadata": {
"dateUpdated": "2026-06-01T16:05:10.857Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/074de2f6706ea840bbf06599cdc194086fbae092"
},
{
"url": "https://git.kernel.org/stable/c/5106da73b01668a1aa5d0f352b95d2b832b5caa7"
},
{
"url": "https://git.kernel.org/stable/c/6f3af8055ee7ab69d1451f056fcd890df99c167e"
},
{
"url": "https://git.kernel.org/stable/c/0dd4fac43bdea23cfe4bb2a3eabb76d752ac32fb"
},
{
"url": "https://git.kernel.org/stable/c/094ee6017ea09c11d6af187935a949df32803ce0"
}
],
"title": "bonding: check xdp prog when set bond mode",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-22105",
"datePublished": "2025-04-16T14:12:53.830Z",
"dateReserved": "2024-12-29T08:45:45.819Z",
"dateUpdated": "2026-06-01T16:05:10.857Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-22106 (GCVE-0-2025-22106)
Vulnerability from cvelistv5 – Published: 2025-04-16 14:12 – Updated: 2026-05-11 21:13
VLAI
EPSS
Title
vmxnet3: unregister xdp rxq info in the reset path
Summary
In the Linux kernel, the following vulnerability has been resolved:
vmxnet3: unregister xdp rxq info in the reset path
vmxnet3 does not unregister xdp rxq info in the
vmxnet3_reset_work() code path as vmxnet3_rq_destroy()
is not invoked in this code path. So, we get below message with a
backtrace.
Missing unregister, handled but fix driver
WARNING: CPU:48 PID: 500 at net/core/xdp.c:182
__xdp_rxq_info_reg+0x93/0xf0
This patch fixes the problem by moving the unregister
code of XDP from vmxnet3_rq_destroy() to vmxnet3_rq_cleanup().
Severity
No CVSS data available.
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
54f00cce11786742bd11e5e68c3bf85e6dc048c9 , < a6157484bee3385a425d288a69e1eaf03232f5fc
(git)
Affected: 54f00cce11786742bd11e5e68c3bf85e6dc048c9 , < 23da4e0bb2a38966d29db0ff90a8fe68fdfa1744 (git) Affected: 54f00cce11786742bd11e5e68c3bf85e6dc048c9 , < 9908541a9e235b7c5e2fbdd59910eaf9c32c3075 (git) Affected: 54f00cce11786742bd11e5e68c3bf85e6dc048c9 , < 0dd765fae295832934bf28e45dd5a355e0891ed4 (git) |
|
| Linux | Linux |
Affected:
6.6
Unaffected: 0 , < 6.6 (semver) Unaffected: 6.6.108 , ≤ 6.6.* (semver) Unaffected: 6.12.49 , ≤ 6.12.* (semver) Unaffected: 6.14.2 , ≤ 6.14.* (semver) Unaffected: 6.15 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/vmxnet3/vmxnet3_drv.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a6157484bee3385a425d288a69e1eaf03232f5fc",
"status": "affected",
"version": "54f00cce11786742bd11e5e68c3bf85e6dc048c9",
"versionType": "git"
},
{
"lessThan": "23da4e0bb2a38966d29db0ff90a8fe68fdfa1744",
"status": "affected",
"version": "54f00cce11786742bd11e5e68c3bf85e6dc048c9",
"versionType": "git"
},
{
"lessThan": "9908541a9e235b7c5e2fbdd59910eaf9c32c3075",
"status": "affected",
"version": "54f00cce11786742bd11e5e68c3bf85e6dc048c9",
"versionType": "git"
},
{
"lessThan": "0dd765fae295832934bf28e45dd5a355e0891ed4",
"status": "affected",
"version": "54f00cce11786742bd11e5e68c3bf85e6dc048c9",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/vmxnet3/vmxnet3_drv.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.6"
},
{
"lessThan": "6.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.108",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.49",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.14.*",
"status": "unaffected",
"version": "6.14.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.15",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.108",
"versionStartIncluding": "6.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.49",
"versionStartIncluding": "6.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14.2",
"versionStartIncluding": "6.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15",
"versionStartIncluding": "6.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nvmxnet3: unregister xdp rxq info in the reset path\n\nvmxnet3 does not unregister xdp rxq info in the\nvmxnet3_reset_work() code path as vmxnet3_rq_destroy()\nis not invoked in this code path. So, we get below message with a\nbacktrace.\n\nMissing unregister, handled but fix driver\nWARNING: CPU:48 PID: 500 at net/core/xdp.c:182\n__xdp_rxq_info_reg+0x93/0xf0\n\nThis patch fixes the problem by moving the unregister\ncode of XDP from vmxnet3_rq_destroy() to vmxnet3_rq_cleanup()."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:13:05.088Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a6157484bee3385a425d288a69e1eaf03232f5fc"
},
{
"url": "https://git.kernel.org/stable/c/23da4e0bb2a38966d29db0ff90a8fe68fdfa1744"
},
{
"url": "https://git.kernel.org/stable/c/9908541a9e235b7c5e2fbdd59910eaf9c32c3075"
},
{
"url": "https://git.kernel.org/stable/c/0dd765fae295832934bf28e45dd5a355e0891ed4"
}
],
"title": "vmxnet3: unregister xdp rxq info in the reset path",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-22106",
"datePublished": "2025-04-16T14:12:54.461Z",
"dateReserved": "2024-12-29T08:45:45.820Z",
"dateUpdated": "2026-05-11T21:13:05.088Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-22107 (GCVE-0-2025-22107)
Vulnerability from cvelistv5 – Published: 2025-04-16 14:12 – Updated: 2026-06-01 16:05
VLAI
EPSS
Title
net: dsa: sja1105: fix kasan out-of-bounds warning in sja1105_table_delete_entry()
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: dsa: sja1105: fix kasan out-of-bounds warning in sja1105_table_delete_entry()
There are actually 2 problems:
- deleting the last element doesn't require the memmove of elements
[i + 1, end) over it. Actually, element i+1 is out of bounds.
- The memmove itself should move size - i - 1 elements, because the last
element is out of bounds.
The out-of-bounds element still remains out of bounds after being
accessed, so the problem is only that we touch it, not that it becomes
in active use. But I suppose it can lead to issues if the out-of-bounds
element is part of an unmapped page.
Severity
No CVSS data available.
Assigner
References
7 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
6666cebc5e306f49a25bd20aa8c1cb8ef8950df5 , < f85b9bfb08ba2b642d1810c6c4ae1e7b46f1776a
(git)
Affected: 6666cebc5e306f49a25bd20aa8c1cb8ef8950df5 , < f117d0467215d7f1d445ae16d2c799637e63dc6c (git) Affected: 6666cebc5e306f49a25bd20aa8c1cb8ef8950df5 , < b52153da1f42e2f4d6259257a7ba027331671a93 (git) Affected: 6666cebc5e306f49a25bd20aa8c1cb8ef8950df5 , < 4584486cfcca24b7b586da3377eb3cffd48669ec (git) Affected: 6666cebc5e306f49a25bd20aa8c1cb8ef8950df5 , < 031e00249e9e6bee72ba66701c8f83b45fc4b8a2 (git) Affected: 6666cebc5e306f49a25bd20aa8c1cb8ef8950df5 , < 59b97641de03c081f26b3a8876628c765b5faa25 (git) Affected: 6666cebc5e306f49a25bd20aa8c1cb8ef8950df5 , < 5f2b28b79d2d1946ee36ad8b3dc0066f73c90481 (git) |
|
| Linux | Linux |
Affected:
5.2
Unaffected: 0 , < 5.2 (semver) Unaffected: 5.10.258 , ≤ 5.10.* (semver) Unaffected: 5.15.209 , ≤ 5.15.* (semver) Unaffected: 6.1.160 , ≤ 6.1.* (semver) Unaffected: 6.6.120 , ≤ 6.6.* (semver) Unaffected: 6.12.59 , ≤ 6.12.* (semver) Unaffected: 6.14.2 , ≤ 6.14.* (semver) Unaffected: 6.15 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/dsa/sja1105/sja1105_static_config.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f85b9bfb08ba2b642d1810c6c4ae1e7b46f1776a",
"status": "affected",
"version": "6666cebc5e306f49a25bd20aa8c1cb8ef8950df5",
"versionType": "git"
},
{
"lessThan": "f117d0467215d7f1d445ae16d2c799637e63dc6c",
"status": "affected",
"version": "6666cebc5e306f49a25bd20aa8c1cb8ef8950df5",
"versionType": "git"
},
{
"lessThan": "b52153da1f42e2f4d6259257a7ba027331671a93",
"status": "affected",
"version": "6666cebc5e306f49a25bd20aa8c1cb8ef8950df5",
"versionType": "git"
},
{
"lessThan": "4584486cfcca24b7b586da3377eb3cffd48669ec",
"status": "affected",
"version": "6666cebc5e306f49a25bd20aa8c1cb8ef8950df5",
"versionType": "git"
},
{
"lessThan": "031e00249e9e6bee72ba66701c8f83b45fc4b8a2",
"status": "affected",
"version": "6666cebc5e306f49a25bd20aa8c1cb8ef8950df5",
"versionType": "git"
},
{
"lessThan": "59b97641de03c081f26b3a8876628c765b5faa25",
"status": "affected",
"version": "6666cebc5e306f49a25bd20aa8c1cb8ef8950df5",
"versionType": "git"
},
{
"lessThan": "5f2b28b79d2d1946ee36ad8b3dc0066f73c90481",
"status": "affected",
"version": "6666cebc5e306f49a25bd20aa8c1cb8ef8950df5",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/dsa/sja1105/sja1105_static_config.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.2"
},
{
"lessThan": "5.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.258",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.209",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.59",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.14.*",
"status": "unaffected",
"version": "6.14.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.15",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.258",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.209",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.59",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14.2",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15",
"versionStartIncluding": "5.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: dsa: sja1105: fix kasan out-of-bounds warning in sja1105_table_delete_entry()\n\nThere are actually 2 problems:\n- deleting the last element doesn\u0027t require the memmove of elements\n [i + 1, end) over it. Actually, element i+1 is out of bounds.\n- The memmove itself should move size - i - 1 elements, because the last\n element is out of bounds.\n\nThe out-of-bounds element still remains out of bounds after being\naccessed, so the problem is only that we touch it, not that it becomes\nin active use. But I suppose it can lead to issues if the out-of-bounds\nelement is part of an unmapped page."
}
],
"providerMetadata": {
"dateUpdated": "2026-06-01T16:05:12.395Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f85b9bfb08ba2b642d1810c6c4ae1e7b46f1776a"
},
{
"url": "https://git.kernel.org/stable/c/f117d0467215d7f1d445ae16d2c799637e63dc6c"
},
{
"url": "https://git.kernel.org/stable/c/b52153da1f42e2f4d6259257a7ba027331671a93"
},
{
"url": "https://git.kernel.org/stable/c/4584486cfcca24b7b586da3377eb3cffd48669ec"
},
{
"url": "https://git.kernel.org/stable/c/031e00249e9e6bee72ba66701c8f83b45fc4b8a2"
},
{
"url": "https://git.kernel.org/stable/c/59b97641de03c081f26b3a8876628c765b5faa25"
},
{
"url": "https://git.kernel.org/stable/c/5f2b28b79d2d1946ee36ad8b3dc0066f73c90481"
}
],
"title": "net: dsa: sja1105: fix kasan out-of-bounds warning in sja1105_table_delete_entry()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-22107",
"datePublished": "2025-04-16T14:12:55.109Z",
"dateReserved": "2024-12-29T08:45:45.820Z",
"dateUpdated": "2026-06-01T16:05:12.395Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-22108 (GCVE-0-2025-22108)
Vulnerability from cvelistv5 – Published: 2025-04-16 14:12 – Updated: 2026-05-11 21:13
VLAI
EPSS
Title
bnxt_en: Mask the bd_cnt field in the TX BD properly
Summary
In the Linux kernel, the following vulnerability has been resolved:
bnxt_en: Mask the bd_cnt field in the TX BD properly
The bd_cnt field in the TX BD specifies the total number of BDs for
the TX packet. The bd_cnt field has 5 bits and the maximum number
supported is 32 with the value 0.
CONFIG_MAX_SKB_FRAGS can be modified and the total number of SKB
fragments can approach or exceed the maximum supported by the chip.
Add a macro to properly mask the bd_cnt field so that the value 32
will be properly masked and set to 0 in the bd_cnd field.
Without this patch, the out-of-range bd_cnt value will corrupt the
TX BD and may cause TX timeout.
The next patch will check for values exceeding 32.
Severity
No CVSS data available.
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
3948b05950fdd64002a5f182c65ba5cf2d53cf71 , < f60b41b815826f15c4d0323f923f398c423178d0
(git)
Affected: 3948b05950fdd64002a5f182c65ba5cf2d53cf71 , < 107b25db61122d8f990987895c2912927b8b6e3f (git) |
|
| Linux | Linux |
Affected:
6.4
Unaffected: 0 , < 6.4 (semver) Unaffected: 6.14.2 , ≤ 6.14.* (semver) Unaffected: 6.15 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/broadcom/bnxt/bnxt.c",
"drivers/net/ethernet/broadcom/bnxt/bnxt.h",
"drivers/net/ethernet/broadcom/bnxt/bnxt_xdp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f60b41b815826f15c4d0323f923f398c423178d0",
"status": "affected",
"version": "3948b05950fdd64002a5f182c65ba5cf2d53cf71",
"versionType": "git"
},
{
"lessThan": "107b25db61122d8f990987895c2912927b8b6e3f",
"status": "affected",
"version": "3948b05950fdd64002a5f182c65ba5cf2d53cf71",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/broadcom/bnxt/bnxt.c",
"drivers/net/ethernet/broadcom/bnxt/bnxt.h",
"drivers/net/ethernet/broadcom/bnxt/bnxt_xdp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.4"
},
{
"lessThan": "6.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.14.*",
"status": "unaffected",
"version": "6.14.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.15",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14.2",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15",
"versionStartIncluding": "6.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbnxt_en: Mask the bd_cnt field in the TX BD properly\n\nThe bd_cnt field in the TX BD specifies the total number of BDs for\nthe TX packet. The bd_cnt field has 5 bits and the maximum number\nsupported is 32 with the value 0.\n\nCONFIG_MAX_SKB_FRAGS can be modified and the total number of SKB\nfragments can approach or exceed the maximum supported by the chip.\nAdd a macro to properly mask the bd_cnt field so that the value 32\nwill be properly masked and set to 0 in the bd_cnd field.\n\nWithout this patch, the out-of-range bd_cnt value will corrupt the\nTX BD and may cause TX timeout.\n\nThe next patch will check for values exceeding 32."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:13:07.457Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f60b41b815826f15c4d0323f923f398c423178d0"
},
{
"url": "https://git.kernel.org/stable/c/107b25db61122d8f990987895c2912927b8b6e3f"
}
],
"title": "bnxt_en: Mask the bd_cnt field in the TX BD properly",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-22108",
"datePublished": "2025-04-16T14:12:55.737Z",
"dateReserved": "2024-12-29T08:45:45.820Z",
"dateUpdated": "2026-05-11T21:13:07.457Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-22109 (GCVE-0-2025-22109)
Vulnerability from cvelistv5 – Published: 2025-04-16 14:12 – Updated: 2026-05-11 21:13
VLAI
EPSS
Title
ax25: Remove broken autobind
Summary
In the Linux kernel, the following vulnerability has been resolved:
ax25: Remove broken autobind
Binding AX25 socket by using the autobind feature leads to memory leaks
in ax25_connect() and also refcount leaks in ax25_release(). Memory
leak was detected with kmemleak:
================================================================
unreferenced object 0xffff8880253cd680 (size 96):
backtrace:
__kmalloc_node_track_caller_noprof (./include/linux/kmemleak.h:43)
kmemdup_noprof (mm/util.c:136)
ax25_rt_autobind (net/ax25/ax25_route.c:428)
ax25_connect (net/ax25/af_ax25.c:1282)
__sys_connect_file (net/socket.c:2045)
__sys_connect (net/socket.c:2064)
__x64_sys_connect (net/socket.c:2067)
do_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83)
entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
================================================================
When socket is bound, refcounts must be incremented the way it is done
in ax25_bind() and ax25_setsockopt() (SO_BINDTODEVICE). In case of
autobind, the refcounts are not incremented.
This bug leads to the following issue reported by Syzkaller:
================================================================
ax25_connect(): syz-executor318 uses autobind, please contact jreuter@yaina.de
------------[ cut here ]------------
refcount_t: decrement hit 0; leaking memory.
WARNING: CPU: 0 PID: 5317 at lib/refcount.c:31 refcount_warn_saturate+0xfa/0x1d0 lib/refcount.c:31
Modules linked in:
CPU: 0 UID: 0 PID: 5317 Comm: syz-executor318 Not tainted 6.14.0-rc4-syzkaller-00278-gece144f151ac #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
RIP: 0010:refcount_warn_saturate+0xfa/0x1d0 lib/refcount.c:31
...
Call Trace:
<TASK>
__refcount_dec include/linux/refcount.h:336 [inline]
refcount_dec include/linux/refcount.h:351 [inline]
ref_tracker_free+0x6af/0x7e0 lib/ref_tracker.c:236
netdev_tracker_free include/linux/netdevice.h:4302 [inline]
netdev_put include/linux/netdevice.h:4319 [inline]
ax25_release+0x368/0x960 net/ax25/af_ax25.c:1080
__sock_release net/socket.c:647 [inline]
sock_close+0xbc/0x240 net/socket.c:1398
__fput+0x3e9/0x9f0 fs/file_table.c:464
__do_sys_close fs/open.c:1580 [inline]
__se_sys_close fs/open.c:1565 [inline]
__x64_sys_close+0x7f/0x110 fs/open.c:1565
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
...
</TASK>
================================================================
Considering the issues above and the comments left in the code that say:
"check if we can remove this feature. It is broken."; "autobinding in this
may or may not work"; - it is better to completely remove this feature than
to fix it because it is broken and leads to various kinds of memory bugs.
Now calling connect() without first binding socket will result in an
error (-EINVAL). Userspace software that relies on the autobind feature
might get broken. However, this feature does not seem widely used with
this specific driver as it was not reliable at any point of time, and it
is already broken anyway. E.g. ax25-tools and ax25-apps packages for
popular distributions do not use the autobind feature for AF_AX25.
Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
Severity
No CVSS data available.
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 61203fdd3e35519db9a98b6ff8983c620ffc4696
(git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 2f6efbabceb6b2914ee9bafb86d9a51feae9cce8 (git) |
|
| Linux | Linux |
Affected:
2.6.12
Unaffected: 0 , < 2.6.12 (semver) Unaffected: 6.14.2 , ≤ 6.14.* (semver) Unaffected: 6.15 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"include/net/ax25.h",
"net/ax25/af_ax25.c",
"net/ax25/ax25_route.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "61203fdd3e35519db9a98b6ff8983c620ffc4696",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "2f6efbabceb6b2914ee9bafb86d9a51feae9cce8",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"include/net/ax25.h",
"net/ax25/af_ax25.c",
"net/ax25/ax25_route.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.14.*",
"status": "unaffected",
"version": "6.14.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.15",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14.2",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nax25: Remove broken autobind\n\nBinding AX25 socket by using the autobind feature leads to memory leaks\nin ax25_connect() and also refcount leaks in ax25_release(). Memory\nleak was detected with kmemleak:\n\n================================================================\nunreferenced object 0xffff8880253cd680 (size 96):\nbacktrace:\n__kmalloc_node_track_caller_noprof (./include/linux/kmemleak.h:43)\nkmemdup_noprof (mm/util.c:136)\nax25_rt_autobind (net/ax25/ax25_route.c:428)\nax25_connect (net/ax25/af_ax25.c:1282)\n__sys_connect_file (net/socket.c:2045)\n__sys_connect (net/socket.c:2064)\n__x64_sys_connect (net/socket.c:2067)\ndo_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83)\nentry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)\n================================================================\n\nWhen socket is bound, refcounts must be incremented the way it is done\nin ax25_bind() and ax25_setsockopt() (SO_BINDTODEVICE). In case of\nautobind, the refcounts are not incremented.\n\nThis bug leads to the following issue reported by Syzkaller:\n\n================================================================\nax25_connect(): syz-executor318 uses autobind, please contact jreuter@yaina.de\n------------[ cut here ]------------\nrefcount_t: decrement hit 0; leaking memory.\nWARNING: CPU: 0 PID: 5317 at lib/refcount.c:31 refcount_warn_saturate+0xfa/0x1d0 lib/refcount.c:31\nModules linked in:\nCPU: 0 UID: 0 PID: 5317 Comm: syz-executor318 Not tainted 6.14.0-rc4-syzkaller-00278-gece144f151ac #0\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014\nRIP: 0010:refcount_warn_saturate+0xfa/0x1d0 lib/refcount.c:31\n...\nCall Trace:\n \u003cTASK\u003e\n __refcount_dec include/linux/refcount.h:336 [inline]\n refcount_dec include/linux/refcount.h:351 [inline]\n ref_tracker_free+0x6af/0x7e0 lib/ref_tracker.c:236\n netdev_tracker_free include/linux/netdevice.h:4302 [inline]\n netdev_put include/linux/netdevice.h:4319 [inline]\n ax25_release+0x368/0x960 net/ax25/af_ax25.c:1080\n __sock_release net/socket.c:647 [inline]\n sock_close+0xbc/0x240 net/socket.c:1398\n __fput+0x3e9/0x9f0 fs/file_table.c:464\n __do_sys_close fs/open.c:1580 [inline]\n __se_sys_close fs/open.c:1565 [inline]\n __x64_sys_close+0x7f/0x110 fs/open.c:1565\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n ...\n \u003c/TASK\u003e\n================================================================\n\nConsidering the issues above and the comments left in the code that say:\n\"check if we can remove this feature. It is broken.\"; \"autobinding in this\nmay or may not work\"; - it is better to completely remove this feature than\nto fix it because it is broken and leads to various kinds of memory bugs.\n\nNow calling connect() without first binding socket will result in an\nerror (-EINVAL). Userspace software that relies on the autobind feature\nmight get broken. However, this feature does not seem widely used with\nthis specific driver as it was not reliable at any point of time, and it\nis already broken anyway. E.g. ax25-tools and ax25-apps packages for\npopular distributions do not use the autobind feature for AF_AX25.\n\nFound by Linux Verification Center (linuxtesting.org) with Syzkaller."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:13:08.594Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/61203fdd3e35519db9a98b6ff8983c620ffc4696"
},
{
"url": "https://git.kernel.org/stable/c/2f6efbabceb6b2914ee9bafb86d9a51feae9cce8"
}
],
"title": "ax25: Remove broken autobind",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-22109",
"datePublished": "2025-04-16T14:12:56.405Z",
"dateReserved": "2024-12-29T08:45:45.820Z",
"dateUpdated": "2026-05-11T21:13:08.594Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-22115 (GCVE-0-2025-22115)
Vulnerability from cvelistv5 – Published: 2025-04-16 14:13 – Updated: 2026-05-23 15:57
VLAI
EPSS
Title
btrfs: fix block group refcount race in btrfs_create_pending_block_groups()
Summary
In the Linux kernel, the following vulnerability has been resolved:
btrfs: fix block group refcount race in btrfs_create_pending_block_groups()
Block group creation is done in two phases, which results in a slightly
unintuitive property: a block group can be allocated/deallocated from
after btrfs_make_block_group() adds it to the space_info with
btrfs_add_bg_to_space_info(), but before creation is completely completed
in btrfs_create_pending_block_groups(). As a result, it is possible for a
block group to go unused and have 'btrfs_mark_bg_unused' called on it
concurrently with 'btrfs_create_pending_block_groups'. This causes a
number of issues, which were fixed with the block group flag
'BLOCK_GROUP_FLAG_NEW'.
However, this fix is not quite complete. Since it does not use the
unused_bg_lock, it is possible for the following race to occur:
btrfs_create_pending_block_groups btrfs_mark_bg_unused
if list_empty // false
list_del_init
clear_bit
else if (test_bit) // true
list_move_tail
And we get into the exact same broken ref count and invalid new_bgs
state for transaction cleanup that BLOCK_GROUP_FLAG_NEW was designed to
prevent.
The broken refcount aspect will result in a warning like:
[1272.943527] refcount_t: underflow; use-after-free.
[1272.943967] WARNING: CPU: 1 PID: 61 at lib/refcount.c:28 refcount_warn_saturate+0xba/0x110
[1272.944731] Modules linked in: btrfs virtio_net xor zstd_compress raid6_pq null_blk [last unloaded: btrfs]
[1272.945550] CPU: 1 UID: 0 PID: 61 Comm: kworker/u32:1 Kdump: loaded Tainted: G W 6.14.0-rc5+ #108
[1272.946368] Tainted: [W]=WARN
[1272.946585] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Arch Linux 1.16.3-1-1 04/01/2014
[1272.947273] Workqueue: btrfs_discard btrfs_discard_workfn [btrfs]
[1272.947788] RIP: 0010:refcount_warn_saturate+0xba/0x110
[1272.949532] RSP: 0018:ffffbf1200247df0 EFLAGS: 00010282
[1272.949901] RAX: 0000000000000000 RBX: ffffa14b00e3f800 RCX: 0000000000000000
[1272.950437] RDX: 0000000000000000 RSI: ffffbf1200247c78 RDI: 00000000ffffdfff
[1272.950986] RBP: ffffa14b00dc2860 R08: 00000000ffffdfff R09: ffffffff90526268
[1272.951512] R10: ffffffff904762c0 R11: 0000000063666572 R12: ffffa14b00dc28c0
[1272.952024] R13: 0000000000000000 R14: ffffa14b00dc2868 R15: 000001285dcd12c0
[1272.952850] FS: 0000000000000000(0000) GS:ffffa14d33c40000(0000) knlGS:0000000000000000
[1272.953458] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[1272.953931] CR2: 00007f838cbda000 CR3: 000000010104e000 CR4: 00000000000006f0
[1272.954474] Call Trace:
[1272.954655] <TASK>
[1272.954812] ? refcount_warn_saturate+0xba/0x110
[1272.955173] ? __warn.cold+0x93/0xd7
[1272.955487] ? refcount_warn_saturate+0xba/0x110
[1272.955816] ? report_bug+0xe7/0x120
[1272.956103] ? handle_bug+0x53/0x90
[1272.956424] ? exc_invalid_op+0x13/0x60
[1272.956700] ? asm_exc_invalid_op+0x16/0x20
[1272.957011] ? refcount_warn_saturate+0xba/0x110
[1272.957399] btrfs_discard_cancel_work.cold+0x26/0x2b [btrfs]
[1272.957853] btrfs_put_block_group.cold+0x5d/0x8e [btrfs]
[1272.958289] btrfs_discard_workfn+0x194/0x380 [btrfs]
[1272.958729] process_one_work+0x130/0x290
[1272.959026] worker_thread+0x2ea/0x420
[1272.959335] ? __pfx_worker_thread+0x10/0x10
[1272.959644] kthread+0xd7/0x1c0
[1272.959872] ? __pfx_kthread+0x10/0x10
[1272.960172] ret_from_fork+0x30/0x50
[1272.960474] ? __pfx_kthread+0x10/0x10
[1272.960745] ret_from_fork_asm+0x1a/0x30
[1272.961035] </TASK>
[1272.961238] ---[ end trace 0000000000000000 ]---
Though we have seen them in the async discard workfn as well. It is
most likely to happen after a relocation finishes which cancels discard,
tears down the block group, etc.
Fix this fully by taking the lock arou
---truncated---
Severity
No CVSS data available.
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
0657b20c5a76c938612f8409735a8830d257866e , < ee56da95f8962b86fec4ef93f866e64c8d025a58
(git)
Affected: 0657b20c5a76c938612f8409735a8830d257866e , < 9d383a6fc59271aaaf07a33b23b2eac5b9268b7a (git) Affected: 0657b20c5a76c938612f8409735a8830d257866e , < 2d8e5168d48a91e7a802d3003e72afb4304bebfa (git) Affected: 6297644db23f77c02ae7961cc542d162629ae2c4 (git) Affected: 7569c4294ba6ff9f194635b14876198f8a687c4a (git) Affected: 6.1.47 , < 6.2 (semver) Affected: 6.4.12 , < 6.5 (semver) |
|
| Linux | Linux |
Affected:
6.5
Unaffected: 0 , < 6.5 (semver) Unaffected: 6.12.40 , ≤ 6.12.* (semver) Unaffected: 6.14.2 , ≤ 6.14.* (semver) Unaffected: 6.15 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/btrfs/block-group.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ee56da95f8962b86fec4ef93f866e64c8d025a58",
"status": "affected",
"version": "0657b20c5a76c938612f8409735a8830d257866e",
"versionType": "git"
},
{
"lessThan": "9d383a6fc59271aaaf07a33b23b2eac5b9268b7a",
"status": "affected",
"version": "0657b20c5a76c938612f8409735a8830d257866e",
"versionType": "git"
},
{
"lessThan": "2d8e5168d48a91e7a802d3003e72afb4304bebfa",
"status": "affected",
"version": "0657b20c5a76c938612f8409735a8830d257866e",
"versionType": "git"
},
{
"status": "affected",
"version": "6297644db23f77c02ae7961cc542d162629ae2c4",
"versionType": "git"
},
{
"status": "affected",
"version": "7569c4294ba6ff9f194635b14876198f8a687c4a",
"versionType": "git"
},
{
"lessThan": "6.2",
"status": "affected",
"version": "6.1.47",
"versionType": "semver"
},
{
"lessThan": "6.5",
"status": "affected",
"version": "6.4.12",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/btrfs/block-group.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.5"
},
{
"lessThan": "6.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.40",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.14.*",
"status": "unaffected",
"version": "6.14.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.15",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.40",
"versionStartIncluding": "6.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14.2",
"versionStartIncluding": "6.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15",
"versionStartIncluding": "6.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.1.47",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.4.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix block group refcount race in btrfs_create_pending_block_groups()\n\nBlock group creation is done in two phases, which results in a slightly\nunintuitive property: a block group can be allocated/deallocated from\nafter btrfs_make_block_group() adds it to the space_info with\nbtrfs_add_bg_to_space_info(), but before creation is completely completed\nin btrfs_create_pending_block_groups(). As a result, it is possible for a\nblock group to go unused and have \u0027btrfs_mark_bg_unused\u0027 called on it\nconcurrently with \u0027btrfs_create_pending_block_groups\u0027. This causes a\nnumber of issues, which were fixed with the block group flag\n\u0027BLOCK_GROUP_FLAG_NEW\u0027.\n\nHowever, this fix is not quite complete. Since it does not use the\nunused_bg_lock, it is possible for the following race to occur:\n\nbtrfs_create_pending_block_groups btrfs_mark_bg_unused\n if list_empty // false\n list_del_init\n clear_bit\n else if (test_bit) // true\n list_move_tail\n\nAnd we get into the exact same broken ref count and invalid new_bgs\nstate for transaction cleanup that BLOCK_GROUP_FLAG_NEW was designed to\nprevent.\n\nThe broken refcount aspect will result in a warning like:\n\n [1272.943527] refcount_t: underflow; use-after-free.\n [1272.943967] WARNING: CPU: 1 PID: 61 at lib/refcount.c:28 refcount_warn_saturate+0xba/0x110\n [1272.944731] Modules linked in: btrfs virtio_net xor zstd_compress raid6_pq null_blk [last unloaded: btrfs]\n [1272.945550] CPU: 1 UID: 0 PID: 61 Comm: kworker/u32:1 Kdump: loaded Tainted: G W 6.14.0-rc5+ #108\n [1272.946368] Tainted: [W]=WARN\n [1272.946585] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Arch Linux 1.16.3-1-1 04/01/2014\n [1272.947273] Workqueue: btrfs_discard btrfs_discard_workfn [btrfs]\n [1272.947788] RIP: 0010:refcount_warn_saturate+0xba/0x110\n [1272.949532] RSP: 0018:ffffbf1200247df0 EFLAGS: 00010282\n [1272.949901] RAX: 0000000000000000 RBX: ffffa14b00e3f800 RCX: 0000000000000000\n [1272.950437] RDX: 0000000000000000 RSI: ffffbf1200247c78 RDI: 00000000ffffdfff\n [1272.950986] RBP: ffffa14b00dc2860 R08: 00000000ffffdfff R09: ffffffff90526268\n [1272.951512] R10: ffffffff904762c0 R11: 0000000063666572 R12: ffffa14b00dc28c0\n [1272.952024] R13: 0000000000000000 R14: ffffa14b00dc2868 R15: 000001285dcd12c0\n [1272.952850] FS: 0000000000000000(0000) GS:ffffa14d33c40000(0000) knlGS:0000000000000000\n [1272.953458] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n [1272.953931] CR2: 00007f838cbda000 CR3: 000000010104e000 CR4: 00000000000006f0\n [1272.954474] Call Trace:\n [1272.954655] \u003cTASK\u003e\n [1272.954812] ? refcount_warn_saturate+0xba/0x110\n [1272.955173] ? __warn.cold+0x93/0xd7\n [1272.955487] ? refcount_warn_saturate+0xba/0x110\n [1272.955816] ? report_bug+0xe7/0x120\n [1272.956103] ? handle_bug+0x53/0x90\n [1272.956424] ? exc_invalid_op+0x13/0x60\n [1272.956700] ? asm_exc_invalid_op+0x16/0x20\n [1272.957011] ? refcount_warn_saturate+0xba/0x110\n [1272.957399] btrfs_discard_cancel_work.cold+0x26/0x2b [btrfs]\n [1272.957853] btrfs_put_block_group.cold+0x5d/0x8e [btrfs]\n [1272.958289] btrfs_discard_workfn+0x194/0x380 [btrfs]\n [1272.958729] process_one_work+0x130/0x290\n [1272.959026] worker_thread+0x2ea/0x420\n [1272.959335] ? __pfx_worker_thread+0x10/0x10\n [1272.959644] kthread+0xd7/0x1c0\n [1272.959872] ? __pfx_kthread+0x10/0x10\n [1272.960172] ret_from_fork+0x30/0x50\n [1272.960474] ? __pfx_kthread+0x10/0x10\n [1272.960745] ret_from_fork_asm+0x1a/0x30\n [1272.961035] \u003c/TASK\u003e\n [1272.961238] ---[ end trace 0000000000000000 ]---\n\nThough we have seen them in the async discard workfn as well. It is\nmost likely to happen after a relocation finishes which cancels discard,\ntears down the block group, etc.\n\nFix this fully by taking the lock arou\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-23T15:57:53.782Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ee56da95f8962b86fec4ef93f866e64c8d025a58"
},
{
"url": "https://git.kernel.org/stable/c/9d383a6fc59271aaaf07a33b23b2eac5b9268b7a"
},
{
"url": "https://git.kernel.org/stable/c/2d8e5168d48a91e7a802d3003e72afb4304bebfa"
}
],
"title": "btrfs: fix block group refcount race in btrfs_create_pending_block_groups()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-22115",
"datePublished": "2025-04-16T14:13:01.293Z",
"dateReserved": "2024-12-29T08:45:45.823Z",
"dateUpdated": "2026-05-23T15:57:53.782Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-22116 (GCVE-0-2025-22116)
Vulnerability from cvelistv5 – Published: 2025-04-16 14:13 – Updated: 2026-05-11 21:13
VLAI
EPSS
Title
idpf: check error for register_netdev() on init
Summary
In the Linux kernel, the following vulnerability has been resolved:
idpf: check error for register_netdev() on init
Current init logic ignores the error code from register_netdev(),
which will cause WARN_ON() on attempt to unregister it, if there was one,
and there is no info for the user that the creation of the netdev failed.
WARNING: CPU: 89 PID: 6902 at net/core/dev.c:11512 unregister_netdevice_many_notify+0x211/0x1a10
...
[ 3707.563641] unregister_netdev+0x1c/0x30
[ 3707.563656] idpf_vport_dealloc+0x5cf/0xce0 [idpf]
[ 3707.563684] idpf_deinit_task+0xef/0x160 [idpf]
[ 3707.563712] idpf_vc_core_deinit+0x84/0x320 [idpf]
[ 3707.563739] idpf_remove+0xbf/0x780 [idpf]
[ 3707.563769] pci_device_remove+0xab/0x1e0
[ 3707.563786] device_release_driver_internal+0x371/0x530
[ 3707.563803] driver_detach+0xbf/0x180
[ 3707.563816] bus_remove_driver+0x11b/0x2a0
[ 3707.563829] pci_unregister_driver+0x2a/0x250
Introduce an error check and log the vport number and error code.
On removal make sure to check VPORT_REG_NETDEV flag prior to calling
unregister and free on the netdev.
Add local variables for idx, vport_config and netdev for readability.
Severity
No CVSS data available.
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
0fe45467a1041ea3657a7fa3a791c84c104fbd34 , < 1ca996324eacab8fdb7c8ac231eebe5ef0c3c454
(git)
Affected: 0fe45467a1041ea3657a7fa3a791c84c104fbd34 , < 89768e33752211b2240ec4c34138170c95f11f97 (git) Affected: 0fe45467a1041ea3657a7fa3a791c84c104fbd34 , < 680811c67906191b237bbafe7dabbbad64649b39 (git) |
|
| Linux | Linux |
Affected:
6.7
Unaffected: 0 , < 6.7 (semver) Unaffected: 6.12.80 , ≤ 6.12.* (semver) Unaffected: 6.14.2 , ≤ 6.14.* (semver) Unaffected: 6.15 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/idpf/idpf_lib.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "1ca996324eacab8fdb7c8ac231eebe5ef0c3c454",
"status": "affected",
"version": "0fe45467a1041ea3657a7fa3a791c84c104fbd34",
"versionType": "git"
},
{
"lessThan": "89768e33752211b2240ec4c34138170c95f11f97",
"status": "affected",
"version": "0fe45467a1041ea3657a7fa3a791c84c104fbd34",
"versionType": "git"
},
{
"lessThan": "680811c67906191b237bbafe7dabbbad64649b39",
"status": "affected",
"version": "0fe45467a1041ea3657a7fa3a791c84c104fbd34",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/idpf/idpf_lib.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.7"
},
{
"lessThan": "6.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.80",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.14.*",
"status": "unaffected",
"version": "6.14.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.15",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.80",
"versionStartIncluding": "6.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14.2",
"versionStartIncluding": "6.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15",
"versionStartIncluding": "6.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nidpf: check error for register_netdev() on init\n\nCurrent init logic ignores the error code from register_netdev(),\nwhich will cause WARN_ON() on attempt to unregister it, if there was one,\nand there is no info for the user that the creation of the netdev failed.\n\nWARNING: CPU: 89 PID: 6902 at net/core/dev.c:11512 unregister_netdevice_many_notify+0x211/0x1a10\n...\n[ 3707.563641] unregister_netdev+0x1c/0x30\n[ 3707.563656] idpf_vport_dealloc+0x5cf/0xce0 [idpf]\n[ 3707.563684] idpf_deinit_task+0xef/0x160 [idpf]\n[ 3707.563712] idpf_vc_core_deinit+0x84/0x320 [idpf]\n[ 3707.563739] idpf_remove+0xbf/0x780 [idpf]\n[ 3707.563769] pci_device_remove+0xab/0x1e0\n[ 3707.563786] device_release_driver_internal+0x371/0x530\n[ 3707.563803] driver_detach+0xbf/0x180\n[ 3707.563816] bus_remove_driver+0x11b/0x2a0\n[ 3707.563829] pci_unregister_driver+0x2a/0x250\n\nIntroduce an error check and log the vport number and error code.\nOn removal make sure to check VPORT_REG_NETDEV flag prior to calling\nunregister and free on the netdev.\n\nAdd local variables for idx, vport_config and netdev for readability."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:13:16.778Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/1ca996324eacab8fdb7c8ac231eebe5ef0c3c454"
},
{
"url": "https://git.kernel.org/stable/c/89768e33752211b2240ec4c34138170c95f11f97"
},
{
"url": "https://git.kernel.org/stable/c/680811c67906191b237bbafe7dabbbad64649b39"
}
],
"title": "idpf: check error for register_netdev() on init",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-22116",
"datePublished": "2025-04-16T14:13:02.008Z",
"dateReserved": "2024-12-29T08:45:45.823Z",
"dateUpdated": "2026-05-11T21:13:16.778Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-22121 (GCVE-0-2025-22121)
Vulnerability from cvelistv5 – Published: 2025-04-16 14:13 – Updated: 2026-05-11 21:13
VLAI
EPSS
Title
ext4: fix out-of-bound read in ext4_xattr_inode_dec_ref_all()
Summary
In the Linux kernel, the following vulnerability has been resolved:
ext4: fix out-of-bound read in ext4_xattr_inode_dec_ref_all()
There's issue as follows:
BUG: KASAN: use-after-free in ext4_xattr_inode_dec_ref_all+0x6ff/0x790
Read of size 4 at addr ffff88807b003000 by task syz-executor.0/15172
CPU: 3 PID: 15172 Comm: syz-executor.0
Call Trace:
__dump_stack lib/dump_stack.c:82 [inline]
dump_stack+0xbe/0xfd lib/dump_stack.c:123
print_address_description.constprop.0+0x1e/0x280 mm/kasan/report.c:400
__kasan_report.cold+0x6c/0x84 mm/kasan/report.c:560
kasan_report+0x3a/0x50 mm/kasan/report.c:585
ext4_xattr_inode_dec_ref_all+0x6ff/0x790 fs/ext4/xattr.c:1137
ext4_xattr_delete_inode+0x4c7/0xda0 fs/ext4/xattr.c:2896
ext4_evict_inode+0xb3b/0x1670 fs/ext4/inode.c:323
evict+0x39f/0x880 fs/inode.c:622
iput_final fs/inode.c:1746 [inline]
iput fs/inode.c:1772 [inline]
iput+0x525/0x6c0 fs/inode.c:1758
ext4_orphan_cleanup fs/ext4/super.c:3298 [inline]
ext4_fill_super+0x8c57/0xba40 fs/ext4/super.c:5300
mount_bdev+0x355/0x410 fs/super.c:1446
legacy_get_tree+0xfe/0x220 fs/fs_context.c:611
vfs_get_tree+0x8d/0x2f0 fs/super.c:1576
do_new_mount fs/namespace.c:2983 [inline]
path_mount+0x119a/0x1ad0 fs/namespace.c:3316
do_mount+0xfc/0x110 fs/namespace.c:3329
__do_sys_mount fs/namespace.c:3540 [inline]
__se_sys_mount+0x219/0x2e0 fs/namespace.c:3514
do_syscall_64+0x33/0x40 arch/x86/entry/common.c:46
entry_SYSCALL_64_after_hwframe+0x67/0xd1
Memory state around the buggy address:
ffff88807b002f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff88807b002f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff88807b003000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
^
ffff88807b003080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff88807b003100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
Above issue happens as ext4_xattr_delete_inode() isn't check xattr
is valid if xattr is in inode.
To solve above issue call xattr_check_inode() check if xattr if valid
in inode. In fact, we can directly verify in ext4_iget_extra_inode(),
so that there is no divergent verification.
Severity
No CVSS data available.
Assigner
References
7 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
e50e5129f384ae282adebfb561189cdb19b81cee , < 27202452b0bc942fdc3db72a44c4dcdab96d5b56
(git)
Affected: e50e5129f384ae282adebfb561189cdb19b81cee , < b374e9ecc92aaa7fb2ab221ee3ff5451118ab566 (git) Affected: e50e5129f384ae282adebfb561189cdb19b81cee , < c000a8a9b5343a5ef867df173c6349672dacbd0f (git) Affected: e50e5129f384ae282adebfb561189cdb19b81cee , < 3c591353956ffcace2cc74d09930774afed60619 (git) Affected: e50e5129f384ae282adebfb561189cdb19b81cee , < 098927a13fd918bd7c64c2de905350a1ad7b4a3a (git) Affected: e50e5129f384ae282adebfb561189cdb19b81cee , < 0c8fbb6ffb3c8f5164572ca88e4ccb6cd6a41ca8 (git) Affected: e50e5129f384ae282adebfb561189cdb19b81cee , < 5701875f9609b000d91351eaa6bfd97fe2f157f4 (git) |
|
| Linux | Linux |
Affected:
4.13
Unaffected: 0 , < 4.13 (semver) Unaffected: 5.10.248 , ≤ 5.10.* (semver) Unaffected: 5.15.198 , ≤ 5.15.* (semver) Unaffected: 6.1.161 , ≤ 6.1.* (semver) Unaffected: 6.6.120 , ≤ 6.6.* (semver) Unaffected: 6.12.59 , ≤ 6.12.* (semver) Unaffected: 6.14.2 , ≤ 6.14.* (semver) Unaffected: 6.15 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/ext4/inode.c",
"fs/ext4/xattr.c",
"fs/ext4/xattr.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "27202452b0bc942fdc3db72a44c4dcdab96d5b56",
"status": "affected",
"version": "e50e5129f384ae282adebfb561189cdb19b81cee",
"versionType": "git"
},
{
"lessThan": "b374e9ecc92aaa7fb2ab221ee3ff5451118ab566",
"status": "affected",
"version": "e50e5129f384ae282adebfb561189cdb19b81cee",
"versionType": "git"
},
{
"lessThan": "c000a8a9b5343a5ef867df173c6349672dacbd0f",
"status": "affected",
"version": "e50e5129f384ae282adebfb561189cdb19b81cee",
"versionType": "git"
},
{
"lessThan": "3c591353956ffcace2cc74d09930774afed60619",
"status": "affected",
"version": "e50e5129f384ae282adebfb561189cdb19b81cee",
"versionType": "git"
},
{
"lessThan": "098927a13fd918bd7c64c2de905350a1ad7b4a3a",
"status": "affected",
"version": "e50e5129f384ae282adebfb561189cdb19b81cee",
"versionType": "git"
},
{
"lessThan": "0c8fbb6ffb3c8f5164572ca88e4ccb6cd6a41ca8",
"status": "affected",
"version": "e50e5129f384ae282adebfb561189cdb19b81cee",
"versionType": "git"
},
{
"lessThan": "5701875f9609b000d91351eaa6bfd97fe2f157f4",
"status": "affected",
"version": "e50e5129f384ae282adebfb561189cdb19b81cee",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/ext4/inode.c",
"fs/ext4/xattr.c",
"fs/ext4/xattr.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.13"
},
{
"lessThan": "4.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.161",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.59",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.14.*",
"status": "unaffected",
"version": "6.14.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.15",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.161",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.59",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14.2",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15",
"versionStartIncluding": "4.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix out-of-bound read in ext4_xattr_inode_dec_ref_all()\n\nThere\u0027s issue as follows:\nBUG: KASAN: use-after-free in ext4_xattr_inode_dec_ref_all+0x6ff/0x790\nRead of size 4 at addr ffff88807b003000 by task syz-executor.0/15172\n\nCPU: 3 PID: 15172 Comm: syz-executor.0\nCall Trace:\n __dump_stack lib/dump_stack.c:82 [inline]\n dump_stack+0xbe/0xfd lib/dump_stack.c:123\n print_address_description.constprop.0+0x1e/0x280 mm/kasan/report.c:400\n __kasan_report.cold+0x6c/0x84 mm/kasan/report.c:560\n kasan_report+0x3a/0x50 mm/kasan/report.c:585\n ext4_xattr_inode_dec_ref_all+0x6ff/0x790 fs/ext4/xattr.c:1137\n ext4_xattr_delete_inode+0x4c7/0xda0 fs/ext4/xattr.c:2896\n ext4_evict_inode+0xb3b/0x1670 fs/ext4/inode.c:323\n evict+0x39f/0x880 fs/inode.c:622\n iput_final fs/inode.c:1746 [inline]\n iput fs/inode.c:1772 [inline]\n iput+0x525/0x6c0 fs/inode.c:1758\n ext4_orphan_cleanup fs/ext4/super.c:3298 [inline]\n ext4_fill_super+0x8c57/0xba40 fs/ext4/super.c:5300\n mount_bdev+0x355/0x410 fs/super.c:1446\n legacy_get_tree+0xfe/0x220 fs/fs_context.c:611\n vfs_get_tree+0x8d/0x2f0 fs/super.c:1576\n do_new_mount fs/namespace.c:2983 [inline]\n path_mount+0x119a/0x1ad0 fs/namespace.c:3316\n do_mount+0xfc/0x110 fs/namespace.c:3329\n __do_sys_mount fs/namespace.c:3540 [inline]\n __se_sys_mount+0x219/0x2e0 fs/namespace.c:3514\n do_syscall_64+0x33/0x40 arch/x86/entry/common.c:46\n entry_SYSCALL_64_after_hwframe+0x67/0xd1\n\nMemory state around the buggy address:\n ffff88807b002f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n ffff88807b002f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n\u003effff88807b003000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff\n ^\n ffff88807b003080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff\n ffff88807b003100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff\n\nAbove issue happens as ext4_xattr_delete_inode() isn\u0027t check xattr\nis valid if xattr is in inode.\nTo solve above issue call xattr_check_inode() check if xattr if valid\nin inode. In fact, we can directly verify in ext4_iget_extra_inode(),\nso that there is no divergent verification."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:13:22.557Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/27202452b0bc942fdc3db72a44c4dcdab96d5b56"
},
{
"url": "https://git.kernel.org/stable/c/b374e9ecc92aaa7fb2ab221ee3ff5451118ab566"
},
{
"url": "https://git.kernel.org/stable/c/c000a8a9b5343a5ef867df173c6349672dacbd0f"
},
{
"url": "https://git.kernel.org/stable/c/3c591353956ffcace2cc74d09930774afed60619"
},
{
"url": "https://git.kernel.org/stable/c/098927a13fd918bd7c64c2de905350a1ad7b4a3a"
},
{
"url": "https://git.kernel.org/stable/c/0c8fbb6ffb3c8f5164572ca88e4ccb6cd6a41ca8"
},
{
"url": "https://git.kernel.org/stable/c/5701875f9609b000d91351eaa6bfd97fe2f157f4"
}
],
"title": "ext4: fix out-of-bound read in ext4_xattr_inode_dec_ref_all()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-22121",
"datePublished": "2025-04-16T14:13:05.894Z",
"dateReserved": "2024-12-29T08:45:45.823Z",
"dateUpdated": "2026-05-11T21:13:22.557Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-22128 (GCVE-0-2025-22128)
Vulnerability from cvelistv5 – Published: 2025-04-16 14:13 – Updated: 2026-05-11 21:13
VLAI
EPSS
Title
wifi: ath12k: Clear affinity hint before calling ath12k_pci_free_irq() in error path
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: ath12k: Clear affinity hint before calling ath12k_pci_free_irq() in error path
If a shared IRQ is used by the driver due to platform limitation, then the
IRQ affinity hint is set right after the allocation of IRQ vectors in
ath12k_pci_msi_alloc(). This does no harm unless one of the functions
requesting the IRQ fails and attempt to free the IRQ.
This may end up with a warning from the IRQ core that is expecting the
affinity hint to be cleared before freeing the IRQ:
kernel/irq/manage.c:
/* make sure affinity_hint is cleaned up */
if (WARN_ON_ONCE(desc->affinity_hint))
desc->affinity_hint = NULL;
So to fix this issue, clear the IRQ affinity hint before calling
ath12k_pci_free_irq() in the error path. The affinity will be cleared once
again further down the error path due to code organization, but that does
no harm.
Severity
No CVSS data available.
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
a3012f206d07fa62b5c2e384cbc3a81a4dbba3c9 , < a69a594794fcad96d4cfce12aab6c5014a12b4c8
(git)
Affected: a3012f206d07fa62b5c2e384cbc3a81a4dbba3c9 , < 35b33ba76765ce9e72949d957f3cf1feafd2955c (git) Affected: a3012f206d07fa62b5c2e384cbc3a81a4dbba3c9 , < b43b1e2c52db77c872bd60d30cdcc72c47df70c7 (git) |
|
| Linux | Linux |
Affected:
6.8
Unaffected: 0 , < 6.8 (semver) Unaffected: 6.12.35 , ≤ 6.12.* (semver) Unaffected: 6.14.2 , ≤ 6.14.* (semver) Unaffected: 6.15 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/ath/ath12k/pci.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a69a594794fcad96d4cfce12aab6c5014a12b4c8",
"status": "affected",
"version": "a3012f206d07fa62b5c2e384cbc3a81a4dbba3c9",
"versionType": "git"
},
{
"lessThan": "35b33ba76765ce9e72949d957f3cf1feafd2955c",
"status": "affected",
"version": "a3012f206d07fa62b5c2e384cbc3a81a4dbba3c9",
"versionType": "git"
},
{
"lessThan": "b43b1e2c52db77c872bd60d30cdcc72c47df70c7",
"status": "affected",
"version": "a3012f206d07fa62b5c2e384cbc3a81a4dbba3c9",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/ath/ath12k/pci.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.8"
},
{
"lessThan": "6.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.35",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.14.*",
"status": "unaffected",
"version": "6.14.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.15",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.35",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14.2",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15",
"versionStartIncluding": "6.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath12k: Clear affinity hint before calling ath12k_pci_free_irq() in error path\n\nIf a shared IRQ is used by the driver due to platform limitation, then the\nIRQ affinity hint is set right after the allocation of IRQ vectors in\nath12k_pci_msi_alloc(). This does no harm unless one of the functions\nrequesting the IRQ fails and attempt to free the IRQ.\n\nThis may end up with a warning from the IRQ core that is expecting the\naffinity hint to be cleared before freeing the IRQ:\n\nkernel/irq/manage.c:\n\n\t/* make sure affinity_hint is cleaned up */\n\tif (WARN_ON_ONCE(desc-\u003eaffinity_hint))\n\t\tdesc-\u003eaffinity_hint = NULL;\n\nSo to fix this issue, clear the IRQ affinity hint before calling\nath12k_pci_free_irq() in the error path. The affinity will be cleared once\nagain further down the error path due to code organization, but that does\nno harm."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:13:30.632Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a69a594794fcad96d4cfce12aab6c5014a12b4c8"
},
{
"url": "https://git.kernel.org/stable/c/35b33ba76765ce9e72949d957f3cf1feafd2955c"
},
{
"url": "https://git.kernel.org/stable/c/b43b1e2c52db77c872bd60d30cdcc72c47df70c7"
}
],
"title": "wifi: ath12k: Clear affinity hint before calling ath12k_pci_free_irq() in error path",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-22128",
"datePublished": "2025-04-16T14:13:10.692Z",
"dateReserved": "2024-12-29T08:45:45.824Z",
"dateUpdated": "2026-05-11T21:13:30.632Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-23129 (GCVE-0-2025-23129)
Vulnerability from cvelistv5 – Published: 2025-04-16 14:13 – Updated: 2026-05-23 15:57
VLAI
EPSS
Title
wifi: ath11k: Clear affinity hint before calling ath11k_pcic_free_irq() in error path
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: ath11k: Clear affinity hint before calling ath11k_pcic_free_irq() in error path
If a shared IRQ is used by the driver due to platform limitation, then the
IRQ affinity hint is set right after the allocation of IRQ vectors in
ath11k_pci_alloc_msi(). This does no harm unless one of the functions
requesting the IRQ fails and attempt to free the IRQ. This results in the
below warning:
WARNING: CPU: 7 PID: 349 at kernel/irq/manage.c:1929 free_irq+0x278/0x29c
Call trace:
free_irq+0x278/0x29c
ath11k_pcic_free_irq+0x70/0x10c [ath11k]
ath11k_pci_probe+0x800/0x820 [ath11k_pci]
local_pci_probe+0x40/0xbc
The warning is due to not clearing the affinity hint before freeing the
IRQs.
So to fix this issue, clear the IRQ affinity hint before calling
ath11k_pcic_free_irq() in the error path. The affinity will be cleared once
again further down the error path due to code organization, but that does
no harm.
Tested-on: QCA6390 hw2.0 PCI WLAN.HST.1.0.1-05266-QCAHSTSWPLZ_V2_TO_X86-1
Severity
No CVSS data available.
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
39564b475ac5a589e6c22c43a08cbd283c295d2c , < 80dc5a2ce5b75d648e08549617f5c555d07ae43c
(git)
Affected: 39564b475ac5a589e6c22c43a08cbd283c295d2c , < 3fc42cfcc6e336f25dee79b34e57c4a63cd652a5 (git) Affected: 39564b475ac5a589e6c22c43a08cbd283c295d2c , < 68410c5bd381a81bcc92b808e7dc4e6b9ed25d11 (git) Affected: e01b3400d641cb290742849331f0d22e1202538a (git) Affected: 5a9f55efa9333e3edb4826d945cfdd8356f6e269 (git) Affected: d412d0ef300f28d698648cc7c19147ab413251fe (git) Affected: 6.1.63 , < 6.2 (semver) Affected: 6.5.12 , < 6.6 (semver) Affected: 6.6.2 , < 6.7 (semver) |
|
| Linux | Linux |
Affected:
6.7
Unaffected: 0 , < 6.7 (semver) Unaffected: 6.12.59 , ≤ 6.12.* (semver) Unaffected: 6.14.2 , ≤ 6.14.* (semver) Unaffected: 6.15 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/ath/ath11k/pci.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "80dc5a2ce5b75d648e08549617f5c555d07ae43c",
"status": "affected",
"version": "39564b475ac5a589e6c22c43a08cbd283c295d2c",
"versionType": "git"
},
{
"lessThan": "3fc42cfcc6e336f25dee79b34e57c4a63cd652a5",
"status": "affected",
"version": "39564b475ac5a589e6c22c43a08cbd283c295d2c",
"versionType": "git"
},
{
"lessThan": "68410c5bd381a81bcc92b808e7dc4e6b9ed25d11",
"status": "affected",
"version": "39564b475ac5a589e6c22c43a08cbd283c295d2c",
"versionType": "git"
},
{
"status": "affected",
"version": "e01b3400d641cb290742849331f0d22e1202538a",
"versionType": "git"
},
{
"status": "affected",
"version": "5a9f55efa9333e3edb4826d945cfdd8356f6e269",
"versionType": "git"
},
{
"status": "affected",
"version": "d412d0ef300f28d698648cc7c19147ab413251fe",
"versionType": "git"
},
{
"lessThan": "6.2",
"status": "affected",
"version": "6.1.63",
"versionType": "semver"
},
{
"lessThan": "6.6",
"status": "affected",
"version": "6.5.12",
"versionType": "semver"
},
{
"lessThan": "6.7",
"status": "affected",
"version": "6.6.2",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/ath/ath11k/pci.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.7"
},
{
"lessThan": "6.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.59",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.14.*",
"status": "unaffected",
"version": "6.14.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.15",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.59",
"versionStartIncluding": "6.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14.2",
"versionStartIncluding": "6.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15",
"versionStartIncluding": "6.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.1.63",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.6.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath11k: Clear affinity hint before calling ath11k_pcic_free_irq() in error path\n\nIf a shared IRQ is used by the driver due to platform limitation, then the\nIRQ affinity hint is set right after the allocation of IRQ vectors in\nath11k_pci_alloc_msi(). This does no harm unless one of the functions\nrequesting the IRQ fails and attempt to free the IRQ. This results in the\nbelow warning:\n\nWARNING: CPU: 7 PID: 349 at kernel/irq/manage.c:1929 free_irq+0x278/0x29c\nCall trace:\n free_irq+0x278/0x29c\n ath11k_pcic_free_irq+0x70/0x10c [ath11k]\n ath11k_pci_probe+0x800/0x820 [ath11k_pci]\n local_pci_probe+0x40/0xbc\n\nThe warning is due to not clearing the affinity hint before freeing the\nIRQs.\n\nSo to fix this issue, clear the IRQ affinity hint before calling\nath11k_pcic_free_irq() in the error path. The affinity will be cleared once\nagain further down the error path due to code organization, but that does\nno harm.\n\nTested-on: QCA6390 hw2.0 PCI WLAN.HST.1.0.1-05266-QCAHSTSWPLZ_V2_TO_X86-1"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-23T15:57:58.040Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/80dc5a2ce5b75d648e08549617f5c555d07ae43c"
},
{
"url": "https://git.kernel.org/stable/c/3fc42cfcc6e336f25dee79b34e57c4a63cd652a5"
},
{
"url": "https://git.kernel.org/stable/c/68410c5bd381a81bcc92b808e7dc4e6b9ed25d11"
}
],
"title": "wifi: ath11k: Clear affinity hint before calling ath11k_pcic_free_irq() in error path",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-23129",
"datePublished": "2025-04-16T14:13:11.663Z",
"dateReserved": "2025-01-11T14:28:41.510Z",
"dateUpdated": "2026-05-23T15:57:58.040Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Loading…
Trend slope:
-
(linear fit over daily sighting counts)
Show additional events:
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…