CERTFR-2025-AVI-0697
Vulnerability from certfr_avis - Published: 2025-08-14 - Updated: 2025-08-14
Multiple vulnerabilities have been discovered in the Debian LTS Linux kernel. Some of them allow an attacker to cause privilege escalation, a breach of data confidentiality, and denial of service.
Solutions
Refer to the vendor's security bulletin to obtain the fixes (see the Documentation section).
Impacted products
References
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Debian LTS bullseye versions ant\u00e9rieures \u00e0 6.1.140-1~deb11u1",
"product": {
"name": "Debian",
"vendor": {
"name": "Debian",
"scada": false
}
}
}
],
"affected_systems_content": "",
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [
{
"name": "CVE-2024-36903",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-36903"
},
{
"name": "CVE-2024-53203",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-53203"
},
{
"name": "CVE-2025-37936",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-37936"
},
{
"name": "CVE-2025-21931",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21931"
},
{
"name": "CVE-2024-46751",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-46751"
},
{
"name": "CVE-2024-26807",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26807"
},
{
"name": "CVE-2024-26783",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26783"
},
{
"name": "CVE-2025-37917",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-37917"
},
{
"name": "CVE-2025-37961",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-37961"
},
{
"name": "CVE-2025-37953",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-37953"
},
{
"name": "CVE-2025-37819",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-37819"
},
{
"name": "CVE-2025-21839",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21839"
},
{
"name": "CVE-2025-38023",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38023"
},
{
"name": "CVE-2025-37924",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-37924"
},
{
"name": "CVE-2025-37927",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-37927"
},
{
"name": "CVE-2025-37897",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-37897"
},
{
"name": "CVE-2025-37911",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-37911"
},
{
"name": "CVE-2025-37930",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-37930"
},
{
"name": "CVE-2025-38027",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38027"
},
{
"name": "CVE-2025-38015",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38015"
},
{
"name": "CVE-2025-37912",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-37912"
},
{
"name": "CVE-2024-57945",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-57945"
},
{
"name": "CVE-2025-38095",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38095"
},
{
"name": "CVE-2025-38024",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38024"
},
{
"name": "CVE-2025-38005",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38005"
},
{
"name": "CVE-2025-21645",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21645"
},
{
"name": "CVE-2025-37969",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-37969"
},
{
"name": "CVE-2025-37921",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-37921"
},
{
"name": "CVE-2025-38007",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38007"
},
{
"name": "CVE-2025-37923",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-37923"
},
{
"name": "CVE-2025-22062",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22062"
},
{
"name": "CVE-2025-37964",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-37964"
},
{
"name": "CVE-2025-37915",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-37915"
},
{
"name": "CVE-2025-37903",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-37903"
},
{
"name": "CVE-2024-35790",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-35790"
},
{
"name": "CVE-2025-38018",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38018"
},
{
"name": "CVE-2025-37991",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-37991"
},
{
"name": "CVE-2024-36927",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-36927"
},
{
"name": "CVE-2024-43840",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-43840"
},
{
"name": "CVE-2025-37962",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-37962"
},
{
"name": "CVE-2025-37901",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-37901"
},
{
"name": "CVE-2024-28956",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-28956"
},
{
"name": "CVE-2025-37972",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-37972"
},
{
"name": "CVE-2025-37970",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-37970"
},
{
"name": "CVE-2025-37905",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-37905"
},
{
"name": "CVE-2025-38094",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38094"
},
{
"name": "CVE-2025-37967",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-37967"
},
{
"name": "CVE-2025-37949",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-37949"
},
{
"name": "CVE-2024-26618",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26618"
},
{
"name": "CVE-2025-37951",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-37951"
},
{
"name": "CVE-2025-37947",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-37947"
},
{
"name": "CVE-2025-37992",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-37992"
},
{
"name": "CVE-2025-37932",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-37932"
},
{
"name": "CVE-2025-37890",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-37890"
},
{
"name": "CVE-2025-37914",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-37914"
},
{
"name": "CVE-2025-37928",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-37928"
},
{
"name": "CVE-2025-37998",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-37998"
},
{
"name": "CVE-2025-38177",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38177"
},
{
"name": "CVE-2025-38009",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38009"
},
{
"name": "CVE-2025-37994",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-37994"
},
{
"name": "CVE-2025-37995",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-37995"
},
{
"name": "CVE-2025-37997",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-37997"
},
{
"name": "CVE-2025-37963",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-37963"
},
{
"name": "CVE-2025-37990",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-37990"
},
{
"name": "CVE-2025-37948",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-37948"
},
{
"name": "CVE-2025-37929",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-37929"
},
{
"name": "CVE-2025-37913",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-37913"
},
{
"name": "CVE-2025-37959",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-37959"
},
{
"name": "CVE-2025-37909",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-37909"
},
{
"name": "CVE-2024-53209",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-53209"
},
{
"name": "CVE-2025-38020",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38020"
}
],
"initial_release_date": "2025-08-14T00:00:00",
"last_revision_date": "2025-08-14T00:00:00",
"links": [],
"reference": "CERTFR-2025-AVI-0697",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2025-08-14T00:00:00.000000"
}
],
"risks": [
{
"description": "Non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur"
},
{
"description": "D\u00e9ni de service"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
},
{
"description": "\u00c9l\u00e9vation de privil\u00e8ges"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans le noyau Linux de Debian LTS. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer une \u00e9l\u00e9vation de privil\u00e8ges, une atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es et un d\u00e9ni de service.",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans le noyau Linux de Debian LTS",
"vendor_advisories": [
{
"published_at": "2025-08-13",
"title": "Bulletin de s\u00e9curit\u00e9 Debian LTS DLA-4271-1",
"url": "https://lists.debian.org/debian-lts-announce/2025/08/msg00010.html"
}
]
}
CVE-2024-53209 (GCVE-0-2024-53209)
Vulnerability from cvelistv5 – Published: 2024-12-27 13:49 – Updated: 2026-05-23 15:55
Title
bnxt_en: Fix receive ring space parameters when XDP is active
Summary
In the Linux kernel, the following vulnerability has been resolved:
bnxt_en: Fix receive ring space parameters when XDP is active
The MTU setting at the time an XDP multi-buffer is attached
determines whether the aggregation ring will be used and the
rx_skb_func handler. This is done in bnxt_set_rx_skb_mode().
If the MTU is later changed, the aggregation ring setting may need
to be changed and it may become out-of-sync with the settings
initially done in bnxt_set_rx_skb_mode(). This may result in
random memory corruption and crashes as the HW may DMA data larger
than the allocated buffer size, such as:
BUG: kernel NULL pointer dereference, address: 00000000000003c0
PGD 0 P4D 0
Oops: 0000 [#1] PREEMPT SMP NOPTI
CPU: 17 PID: 0 Comm: swapper/17 Kdump: loaded Tainted: G S OE 6.1.0-226bf9805506 #1
Hardware name: Wiwynn Delta Lake PVT BZA.02601.0150/Delta Lake-Class1, BIOS F0E_3A12 08/26/2021
RIP: 0010:bnxt_rx_pkt+0xe97/0x1ae0 [bnxt_en]
Code: 8b 95 70 ff ff ff 4c 8b 9d 48 ff ff ff 66 41 89 87 b4 00 00 00 e9 0b f7 ff ff 0f b7 43 0a 49 8b 95 a8 04 00 00 25 ff 0f 00 00 <0f> b7 14 42 48 c1 e2 06 49 03 95 a0 04 00 00 0f b6 42 33f
RSP: 0018:ffffa19f40cc0d18 EFLAGS: 00010202
RAX: 00000000000001e0 RBX: ffff8e2c805c6100 RCX: 00000000000007ff
RDX: 0000000000000000 RSI: ffff8e2c271ab990 RDI: ffff8e2c84f12380
RBP: ffffa19f40cc0e48 R08: 000000000001000d R09: 974ea2fcddfa4cbf
R10: 0000000000000000 R11: ffffa19f40cc0ff8 R12: ffff8e2c94b58980
R13: ffff8e2c952d6600 R14: 0000000000000016 R15: ffff8e2c271ab990
FS: 0000000000000000(0000) GS:ffff8e3b3f840000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000000003c0 CR3: 0000000e8580a004 CR4: 00000000007706e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
PKRU: 55555554
Call Trace:
<IRQ>
__bnxt_poll_work+0x1c2/0x3e0 [bnxt_en]
To address the issue, we now call bnxt_set_rx_skb_mode() within
bnxt_change_mtu() to properly set the AGG rings configuration and
update rx_skb_func based on the new MTU value.
Additionally, BNXT_FLAG_NO_AGG_RINGS is cleared at the beginning of
bnxt_set_rx_skb_mode() to make sure it gets set or cleared based on
the current MTU.
Severity
No CVSS data available.
Assigner
References
6 references
Impacted products
2 products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 421e02bda0570eeb11636544fe97ec3097d1bb92 , < b7fd784d7c6a1bd927a23e0d06f09a776ee3889b (git); Affected: 08450ea98ae98d5a35145b675b76db616046ea11 , < 7f306c651feab2f3689185f60b94e72b573255db (git); Affected: 08450ea98ae98d5a35145b675b76db616046ea11 , < bf54a7660fc8d2166f41ff1d67a643b15d8b2250 (git); Affected: 08450ea98ae98d5a35145b675b76db616046ea11 , < 84353386762a0a16dd444ead76c012e167d89b41 (git); Affected: 08450ea98ae98d5a35145b675b76db616046ea11 , < 3051a77a09dfe3022aa012071346937fdf059033 (git); Affected: 893096a7e5fd61cb666b4ead2fa69324e1f2aade (git); Affected: 6.1.45 , < 6.1.140 (semver); Affected: 6.4.10 , < 6.5 (semver) |
| Linux | Linux | Affected: 6.5; Unaffected: 0 , < 6.5 (semver); Unaffected: 6.1.140 , ≤ 6.1.* (semver); Unaffected: 6.6.85 , ≤ 6.6.* (semver); Unaffected: 6.11.11 , ≤ 6.11.* (semver); Unaffected: 6.12.2 , ≤ 6.12.* (semver); Unaffected: 6.13 , ≤ * (original_commit_for_fix) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:32:03.537Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/08/msg00010.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/broadcom/bnxt/bnxt.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b7fd784d7c6a1bd927a23e0d06f09a776ee3889b",
"status": "affected",
"version": "421e02bda0570eeb11636544fe97ec3097d1bb92",
"versionType": "git"
},
{
"lessThan": "7f306c651feab2f3689185f60b94e72b573255db",
"status": "affected",
"version": "08450ea98ae98d5a35145b675b76db616046ea11",
"versionType": "git"
},
{
"lessThan": "bf54a7660fc8d2166f41ff1d67a643b15d8b2250",
"status": "affected",
"version": "08450ea98ae98d5a35145b675b76db616046ea11",
"versionType": "git"
},
{
"lessThan": "84353386762a0a16dd444ead76c012e167d89b41",
"status": "affected",
"version": "08450ea98ae98d5a35145b675b76db616046ea11",
"versionType": "git"
},
{
"lessThan": "3051a77a09dfe3022aa012071346937fdf059033",
"status": "affected",
"version": "08450ea98ae98d5a35145b675b76db616046ea11",
"versionType": "git"
},
{
"status": "affected",
"version": "893096a7e5fd61cb666b4ead2fa69324e1f2aade",
"versionType": "git"
},
{
"lessThan": "6.1.140",
"status": "affected",
"version": "6.1.45",
"versionType": "semver"
},
{
"lessThan": "6.5",
"status": "affected",
"version": "6.4.10",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/broadcom/bnxt/bnxt.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.5"
},
{
"lessThan": "6.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.140",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.85",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.11.*",
"status": "unaffected",
"version": "6.11.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.13",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.140",
"versionStartIncluding": "6.1.45",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.85",
"versionStartIncluding": "6.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.11.11",
"versionStartIncluding": "6.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.2",
"versionStartIncluding": "6.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13",
"versionStartIncluding": "6.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.4.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbnxt_en: Fix receive ring space parameters when XDP is active\n\nThe MTU setting at the time an XDP multi-buffer is attached\ndetermines whether the aggregation ring will be used and the\nrx_skb_func handler. This is done in bnxt_set_rx_skb_mode().\n\nIf the MTU is later changed, the aggregation ring setting may need\nto be changed and it may become out-of-sync with the settings\ninitially done in bnxt_set_rx_skb_mode(). This may result in\nrandom memory corruption and crashes as the HW may DMA data larger\nthan the allocated buffer size, such as:\n\nBUG: kernel NULL pointer dereference, address: 00000000000003c0\nPGD 0 P4D 0\nOops: 0000 [#1] PREEMPT SMP NOPTI\nCPU: 17 PID: 0 Comm: swapper/17 Kdump: loaded Tainted: G S OE 6.1.0-226bf9805506 #1\nHardware name: Wiwynn Delta Lake PVT BZA.02601.0150/Delta Lake-Class1, BIOS F0E_3A12 08/26/2021\nRIP: 0010:bnxt_rx_pkt+0xe97/0x1ae0 [bnxt_en]\nCode: 8b 95 70 ff ff ff 4c 8b 9d 48 ff ff ff 66 41 89 87 b4 00 00 00 e9 0b f7 ff ff 0f b7 43 0a 49 8b 95 a8 04 00 00 25 ff 0f 00 00 \u003c0f\u003e b7 14 42 48 c1 e2 06 49 03 95 a0 04 00 00 0f b6 42 33f\nRSP: 0018:ffffa19f40cc0d18 EFLAGS: 00010202\nRAX: 00000000000001e0 RBX: ffff8e2c805c6100 RCX: 00000000000007ff\nRDX: 0000000000000000 RSI: ffff8e2c271ab990 RDI: ffff8e2c84f12380\nRBP: ffffa19f40cc0e48 R08: 000000000001000d R09: 974ea2fcddfa4cbf\nR10: 0000000000000000 R11: ffffa19f40cc0ff8 R12: ffff8e2c94b58980\nR13: ffff8e2c952d6600 R14: 0000000000000016 R15: ffff8e2c271ab990\nFS: 0000000000000000(0000) GS:ffff8e3b3f840000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00000000000003c0 CR3: 0000000e8580a004 CR4: 00000000007706e0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nPKRU: 55555554\nCall Trace:\n \u003cIRQ\u003e\n __bnxt_poll_work+0x1c2/0x3e0 [bnxt_en]\n\nTo address the 
issue, we now call bnxt_set_rx_skb_mode() within\nbnxt_change_mtu() to properly set the AGG rings configuration and\nupdate rx_skb_func based on the new MTU value.\nAdditionally, BNXT_FLAG_NO_AGG_RINGS is cleared at the beginning of\nbnxt_set_rx_skb_mode() to make sure it gets set or cleared based on\nthe current MTU."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-23T15:55:26.130Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b7fd784d7c6a1bd927a23e0d06f09a776ee3889b"
},
{
"url": "https://git.kernel.org/stable/c/7f306c651feab2f3689185f60b94e72b573255db"
},
{
"url": "https://git.kernel.org/stable/c/bf54a7660fc8d2166f41ff1d67a643b15d8b2250"
},
{
"url": "https://git.kernel.org/stable/c/84353386762a0a16dd444ead76c012e167d89b41"
},
{
"url": "https://git.kernel.org/stable/c/3051a77a09dfe3022aa012071346937fdf059033"
}
],
"title": "bnxt_en: Fix receive ring space parameters when XDP is active",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-53209",
"datePublished": "2024-12-27T13:49:55.269Z",
"dateReserved": "2024-11-19T17:17:25.020Z",
"dateUpdated": "2026-05-23T15:55:26.130Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-57945 (GCVE-0-2024-57945)
Vulnerability from cvelistv5 – Published: 2025-01-21 12:18 – Updated: 2026-06-01 16:04
Title
riscv: mm: Fix the out of bound issue of vmemmap address
Summary
In the Linux kernel, the following vulnerability has been resolved:
riscv: mm: Fix the out of bound issue of vmemmap address
In sparse vmemmap model, the virtual address of vmemmap is calculated as:
((struct page *)VMEMMAP_START - (phys_ram_base >> PAGE_SHIFT)).
And the struct page's va can be calculated with an offset:
(vmemmap + (pfn)).
However, when initializing struct pages, kernel actually starts from the
first page from the same section that phys_ram_base belongs to. If the
first page's physical address is not (phys_ram_base >> PAGE_SHIFT), then
we get a va below VMEMMAP_START when calculating va for its struct page.
For example, if phys_ram_base starts from 0x82000000 with pfn 0x82000, the
first page in the same section is actually pfn 0x80000. During
init_unavailable_range(), we will initialize struct page for pfn 0x80000
with virtual address ((struct page *)VMEMMAP_START - 0x2000), which is
below VMEMMAP_START as well as PCI_IO_END.
This commit fixes this bug by introducing a new variable
'vmemmap_start_pfn' which is aligned with memory section size and using
it to calculate vmemmap address instead of phys_ram_base.
Severity
No CVSS data available.
Assigner
References
6 references
Impacted products
2 products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 8af1c121b0102041809bc137ec600d1865eaeedd , < 04350304428063da6a55a8a4597d409dc69148b2 (git); Affected: 8310080799b40fd9f2a8b808c657269678c149af , < 92f08673d3f1893191323572f60e3c62f2e57c2f (git); Affected: a278d5c60f21aa15d540abb2f2da6e6d795c3e6e , < a4a7ac3d266008018f05fae53060fcb331151a14 (git); Affected: a11dd49dcb9376776193e15641f84fcc1e5980c9 , < d2bd51954ac8377c2f1eb1813e694788998add66 (git); Affected: a11dd49dcb9376776193e15641f84fcc1e5980c9 , < f754f27e98f88428aaf6be6e00f5cbce97f62d4b (git); Affected: 5941a90c55d3bfba732b32208d58d997600b44ef (git); Affected: 2a1728c15ec4f45ed9248ae22f626541c179bfbe (git); Affected: 5.10.212 , < 5.10.258 (semver); Affected: 6.1.81 , < 6.1.140 (semver); Affected: 6.6.21 , < 6.6.72 (semver); Affected: 5.15.151 , < 5.16 (semver); Affected: 6.7.9 , < 6.8 (semver) |
| Linux | Linux | Affected: 6.8; Unaffected: 0 , < 6.8 (semver); Unaffected: 5.10.258 , ≤ 5.10.* (semver); Unaffected: 6.1.140 , ≤ 6.1.* (semver); Unaffected: 6.6.72 , ≤ 6.6.* (semver); Unaffected: 6.12.10 , ≤ 6.12.* (semver); Unaffected: 6.13 , ≤ * (original_commit_for_fix) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:32:46.584Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/08/msg00010.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/riscv/include/asm/page.h",
"arch/riscv/include/asm/pgtable.h",
"arch/riscv/mm/init.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "04350304428063da6a55a8a4597d409dc69148b2",
"status": "affected",
"version": "8af1c121b0102041809bc137ec600d1865eaeedd",
"versionType": "git"
},
{
"lessThan": "92f08673d3f1893191323572f60e3c62f2e57c2f",
"status": "affected",
"version": "8310080799b40fd9f2a8b808c657269678c149af",
"versionType": "git"
},
{
"lessThan": "a4a7ac3d266008018f05fae53060fcb331151a14",
"status": "affected",
"version": "a278d5c60f21aa15d540abb2f2da6e6d795c3e6e",
"versionType": "git"
},
{
"lessThan": "d2bd51954ac8377c2f1eb1813e694788998add66",
"status": "affected",
"version": "a11dd49dcb9376776193e15641f84fcc1e5980c9",
"versionType": "git"
},
{
"lessThan": "f754f27e98f88428aaf6be6e00f5cbce97f62d4b",
"status": "affected",
"version": "a11dd49dcb9376776193e15641f84fcc1e5980c9",
"versionType": "git"
},
{
"status": "affected",
"version": "5941a90c55d3bfba732b32208d58d997600b44ef",
"versionType": "git"
},
{
"status": "affected",
"version": "2a1728c15ec4f45ed9248ae22f626541c179bfbe",
"versionType": "git"
},
{
"lessThan": "5.10.258",
"status": "affected",
"version": "5.10.212",
"versionType": "semver"
},
{
"lessThan": "6.1.140",
"status": "affected",
"version": "6.1.81",
"versionType": "semver"
},
{
"lessThan": "6.6.72",
"status": "affected",
"version": "6.6.21",
"versionType": "semver"
},
{
"lessThan": "5.16",
"status": "affected",
"version": "5.15.151",
"versionType": "semver"
},
{
"lessThan": "6.8",
"status": "affected",
"version": "6.7.9",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/riscv/include/asm/page.h",
"arch/riscv/include/asm/pgtable.h",
"arch/riscv/mm/init.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.8"
},
{
"lessThan": "6.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.258",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.140",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.72",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.13",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.258",
"versionStartIncluding": "5.10.212",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.140",
"versionStartIncluding": "6.1.81",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.72",
"versionStartIncluding": "6.6.21",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.10",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.15.151",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.7.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nriscv: mm: Fix the out of bound issue of vmemmap address\n\nIn sparse vmemmap model, the virtual address of vmemmap is calculated as:\n((struct page *)VMEMMAP_START - (phys_ram_base \u003e\u003e PAGE_SHIFT)).\nAnd the struct page\u0027s va can be calculated with an offset:\n(vmemmap + (pfn)).\n\nHowever, when initializing struct pages, kernel actually starts from the\nfirst page from the same section that phys_ram_base belongs to. If the\nfirst page\u0027s physical address is not (phys_ram_base \u003e\u003e PAGE_SHIFT), then\nwe get an va below VMEMMAP_START when calculating va for it\u0027s struct page.\n\nFor example, if phys_ram_base starts from 0x82000000 with pfn 0x82000, the\nfirst page in the same section is actually pfn 0x80000. During\ninit_unavailable_range(), we will initialize struct page for pfn 0x80000\nwith virtual address ((struct page *)VMEMMAP_START - 0x2000), which is\nbelow VMEMMAP_START as well as PCI_IO_END.\n\nThis commit fixes this bug by introducing a new variable\n\u0027vmemmap_start_pfn\u0027 which is aligned with memory section size and using\nit to calculate vmemmap address instead of phys_ram_base."
}
],
"providerMetadata": {
"dateUpdated": "2026-06-01T16:04:57.860Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/04350304428063da6a55a8a4597d409dc69148b2"
},
{
"url": "https://git.kernel.org/stable/c/92f08673d3f1893191323572f60e3c62f2e57c2f"
},
{
"url": "https://git.kernel.org/stable/c/a4a7ac3d266008018f05fae53060fcb331151a14"
},
{
"url": "https://git.kernel.org/stable/c/d2bd51954ac8377c2f1eb1813e694788998add66"
},
{
"url": "https://git.kernel.org/stable/c/f754f27e98f88428aaf6be6e00f5cbce97f62d4b"
}
],
"title": "riscv: mm: Fix the out of bound issue of vmemmap address",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-57945",
"datePublished": "2025-01-21T12:18:12.548Z",
"dateReserved": "2025-01-19T11:50:08.380Z",
"dateUpdated": "2026-06-01T16:04:57.860Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-21645 (GCVE-0-2025-21645)
Vulnerability from cvelistv5 – Published: 2025-01-19 10:18 – Updated: 2026-05-23 15:56
Title
platform/x86/amd/pmc: Only disable IRQ1 wakeup where i8042 actually enabled it
Summary
In the Linux kernel, the following vulnerability has been resolved:
platform/x86/amd/pmc: Only disable IRQ1 wakeup where i8042 actually enabled it
Wakeup for IRQ1 should be disabled only in cases where i8042 had
actually enabled it, otherwise "wake_depth" for this IRQ will try to
drop below zero and there will be an unpleasant WARN() logged:
kernel: atkbd serio0: Disabling IRQ1 wakeup source to avoid platform firmware bug
kernel: ------------[ cut here ]------------
kernel: Unbalanced IRQ 1 wake disable
kernel: WARNING: CPU: 10 PID: 6431 at kernel/irq/manage.c:920 irq_set_irq_wake+0x147/0x1a0
The PMC driver uses DEFINE_SIMPLE_DEV_PM_OPS() to define its dev_pm_ops
which sets amd_pmc_suspend_handler() to the .suspend, .freeze, and
.poweroff handlers. i8042_pm_suspend(), however, is only set as
the .suspend handler.
Fix the issue by calling the PMC suspend handler only from the same set of
dev_pm_ops handlers as i8042_pm_suspend(), which currently means just
the .suspend handler.
To reproduce this issue try hibernating (S4) the machine after a fresh boot
without putting it into s2idle first.
[ij: edited the commit message.]
Severity
No CVSS data available.
Assigner
References
Impacted products
2 products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 72e5a83b7c8401856cc3732150af24e43726717a , < ab47d72b736e78d3c2370b26e0bfc46eb0918391 (git); Affected: 8e60615e8932167057b363c11a7835da7f007106 , < 5cc621085e2b7a9b1905a98f8e5a86bb4aea2016 (git); Affected: 8e60615e8932167057b363c11a7835da7f007106 , < b25778c87a6bce40c31e92364f08aa6240309e25 (git); Affected: 8e60615e8932167057b363c11a7835da7f007106 , < dd410d784402c5775f66faf8b624e85e41c38aaf (git); Affected: 3fc9dc0340e0b5df8059313537b55f82c1e84e94 (git); Affected: 6.1.11 , < 6.1.140 (semver); Affected: 5.15.95 , < 5.16 (semver) |
| Linux | Linux | Affected: 6.2; Unaffected: 0 , < 6.2 (semver); Unaffected: 6.1.140 , ≤ 6.1.* (semver); Unaffected: 6.6.72 , ≤ 6.6.* (semver); Unaffected: 6.12.10 , ≤ 6.12.* (semver); Unaffected: 6.13 , ≤ * (original_commit_for_fix) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:35:40.906Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/08/msg00010.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/platform/x86/amd/pmc/pmc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ab47d72b736e78d3c2370b26e0bfc46eb0918391",
"status": "affected",
"version": "72e5a83b7c8401856cc3732150af24e43726717a",
"versionType": "git"
},
{
"lessThan": "5cc621085e2b7a9b1905a98f8e5a86bb4aea2016",
"status": "affected",
"version": "8e60615e8932167057b363c11a7835da7f007106",
"versionType": "git"
},
{
"lessThan": "b25778c87a6bce40c31e92364f08aa6240309e25",
"status": "affected",
"version": "8e60615e8932167057b363c11a7835da7f007106",
"versionType": "git"
},
{
"lessThan": "dd410d784402c5775f66faf8b624e85e41c38aaf",
"status": "affected",
"version": "8e60615e8932167057b363c11a7835da7f007106",
"versionType": "git"
},
{
"status": "affected",
"version": "3fc9dc0340e0b5df8059313537b55f82c1e84e94",
"versionType": "git"
},
{
"lessThan": "6.1.140",
"status": "affected",
"version": "6.1.11",
"versionType": "semver"
},
{
"lessThan": "5.16",
"status": "affected",
"version": "5.15.95",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/platform/x86/amd/pmc/pmc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.2"
},
{
"lessThan": "6.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.140",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.72",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.13",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.140",
"versionStartIncluding": "6.1.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.72",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.10",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.15.95",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nplatform/x86/amd/pmc: Only disable IRQ1 wakeup where i8042 actually enabled it\n\nWakeup for IRQ1 should be disabled only in cases where i8042 had\nactually enabled it, otherwise \"wake_depth\" for this IRQ will try to\ndrop below zero and there will be an unpleasant WARN() logged:\n\nkernel: atkbd serio0: Disabling IRQ1 wakeup source to avoid platform firmware bug\nkernel: ------------[ cut here ]------------\nkernel: Unbalanced IRQ 1 wake disable\nkernel: WARNING: CPU: 10 PID: 6431 at kernel/irq/manage.c:920 irq_set_irq_wake+0x147/0x1a0\n\nThe PMC driver uses DEFINE_SIMPLE_DEV_PM_OPS() to define its dev_pm_ops\nwhich sets amd_pmc_suspend_handler() to the .suspend, .freeze, and\n.poweroff handlers. i8042_pm_suspend(), however, is only set as\nthe .suspend handler.\n\nFix the issue by call PMC suspend handler only from the same set of\ndev_pm_ops handlers as i8042_pm_suspend(), which currently means just\nthe .suspend handler.\n\nTo reproduce this issue try hibernating (S4) the machine after a fresh boot\nwithout putting it into s2idle first.\n\n[ij: edited the commit message.]"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-23T15:56:45.540Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ab47d72b736e78d3c2370b26e0bfc46eb0918391"
},
{
"url": "https://git.kernel.org/stable/c/5cc621085e2b7a9b1905a98f8e5a86bb4aea2016"
},
{
"url": "https://git.kernel.org/stable/c/b25778c87a6bce40c31e92364f08aa6240309e25"
},
{
"url": "https://git.kernel.org/stable/c/dd410d784402c5775f66faf8b624e85e41c38aaf"
}
],
"title": "platform/x86/amd/pmc: Only disable IRQ1 wakeup where i8042 actually enabled it",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-21645",
"datePublished": "2025-01-19T10:18:01.556Z",
"dateReserved": "2024-12-29T08:45:45.728Z",
"dateUpdated": "2026-05-23T15:56:45.540Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-21839 (GCVE-0-2025-21839)
Vulnerability from cvelistv5 – Published: 2025-03-07 09:09 – Updated: 2026-05-11 21:07
Title
KVM: x86: Load DR6 with guest value only before entering .vcpu_run() loop
Summary
In the Linux kernel, the following vulnerability has been resolved:
KVM: x86: Load DR6 with guest value only before entering .vcpu_run() loop
Move the conditional loading of hardware DR6 with the guest's DR6 value
out of the core .vcpu_run() loop to fix a bug where KVM can load hardware
with a stale vcpu->arch.dr6.
When the guest accesses a DR and host userspace isn't debugging the guest,
KVM disables DR interception and loads the guest's values into hardware on
VM-Enter and saves them on VM-Exit. This allows the guest to access DRs
at will, e.g. so that a sequence of DR accesses to configure a breakpoint
only generates one VM-Exit.
For DR0-DR3, the logic/behavior is identical between VMX and SVM, and also
identical between KVM_DEBUGREG_BP_ENABLED (userspace debugging the guest)
and KVM_DEBUGREG_WONT_EXIT (guest using DRs), and so KVM handles loading
DR0-DR3 in common code, _outside_ of the core kvm_x86_ops.vcpu_run() loop.
But for DR6, the guest's value doesn't need to be loaded into hardware for
KVM_DEBUGREG_BP_ENABLED, and SVM provides a dedicated VMCB field whereas
VMX requires software to manually load the guest value, and so loading the
guest's value into DR6 is handled by {svm,vmx}_vcpu_run(), i.e. is done
_inside_ the core run loop.
Unfortunately, saving the guest values on VM-Exit is initiated by common
x86, again outside of the core run loop. If the guest modifies DR6 (in
hardware, when DR interception is disabled), and then the next VM-Exit is
a fastpath VM-Exit, KVM will reload hardware DR6 with vcpu->arch.dr6 and
clobber the guest's actual value.
The bug shows up primarily with nested VMX because KVM handles the VMX
preemption timer in the fastpath, and the window between hardware DR6
being modified (in guest context) and DR6 being read by guest software is
orders of magnitude larger in a nested setup. E.g. in non-nested, the
VMX preemption timer would need to fire precisely between #DB injection
and the #DB handler's read of DR6, whereas with a KVM-on-KVM setup, the
window where hardware DR6 is "dirty" extends all the way from L1 writing
DR6 to VMRESUME (in L1).
L1's view:
==========
<L1 disables DR interception>
CPU 0/KVM-7289 [023] d.... 2925.640961: kvm_entry: vcpu 0
A: L1 Writes DR6
CPU 0/KVM-7289 [023] d.... 2925.640963: <hack>: Set DRs, DR6 = 0xffff0ff1
B: CPU 0/KVM-7289 [023] d.... 2925.640967: kvm_exit: vcpu 0 reason EXTERNAL_INTERRUPT intr_info 0x800000ec
D: L1 reads DR6, arch.dr6 = 0
CPU 0/KVM-7289 [023] d.... 2925.640969: <hack>: Sync DRs, DR6 = 0xffff0ff0
CPU 0/KVM-7289 [023] d.... 2925.640976: kvm_entry: vcpu 0
L2 reads DR6, L1 disables DR interception
CPU 0/KVM-7289 [023] d.... 2925.640980: kvm_exit: vcpu 0 reason DR_ACCESS info1 0x0000000000000216
CPU 0/KVM-7289 [023] d.... 2925.640983: kvm_entry: vcpu 0
CPU 0/KVM-7289 [023] d.... 2925.640983: <hack>: Set DRs, DR6 = 0xffff0ff0
L2 detects failure
CPU 0/KVM-7289 [023] d.... 2925.640987: kvm_exit: vcpu 0 reason HLT
L1 reads DR6 (confirms failure)
CPU 0/KVM-7289 [023] d.... 2925.640990: <hack>: Sync DRs, DR6 = 0xffff0ff0
L0's view:
==========
L2 reads DR6, arch.dr6 = 0
CPU 23/KVM-5046 [001] d.... 3410.005610: kvm_exit: vcpu 23 reason DR_ACCESS info1 0x0000000000000216
CPU 23/KVM-5046 [001] ..... 3410.005610: kvm_nested_vmexit: vcpu 23 reason DR_ACCESS info1 0x0000000000000216
L2 => L1 nested VM-Exit
CPU 23/KVM-5046 [001] ..... 3410.005610: kvm_nested_vmexit_inject: reason: DR_ACCESS ext_inf1: 0x0000000000000216
CPU 23/KVM-5046 [001] d.... 3410.005610: kvm_entry: vcpu 23
CPU 23/KVM-5046 [001] d.... 3410.005611: kvm_exit: vcpu 23 reason VMREAD
CPU 23/KVM-5046 [001] d.... 3410.005611: kvm_entry: vcpu 23
CPU 23/KVM-5046 [001] d.... 3410.
---truncated---
Severity
No CVSS data available.
References
7 references
Impacted products
2 products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: d67668e9dd76d98136048935723947156737932b , < 9efb2b99b96c86664bbdbdd2cdb354ac9627eb20 (git); Affected: d67668e9dd76d98136048935723947156737932b , < 93eeb6df1605b3a24f38afdba7ab903ba6b64133 (git); Affected: d67668e9dd76d98136048935723947156737932b , < a1723e9c53fe6431415be19302a56543daf503f5 (git); Affected: d67668e9dd76d98136048935723947156737932b , < 4eb063de686bfcdfd03a8c801d1bbe87d2d5eb55 (git); Affected: d67668e9dd76d98136048935723947156737932b , < d456de38d9eb753a4e9fde053c18d4ef8e485339 (git); Affected: d67668e9dd76d98136048935723947156737932b , < c2fee09fc167c74a64adb08656cb993ea475197e (git) |
| Linux | Linux | Affected: 5.7; Unaffected: 0 , < 5.7 (semver); Unaffected: 5.15.182 , ≤ 5.15.* (semver); Unaffected: 6.1.138 , ≤ 6.1.* (semver); Unaffected: 6.6.90 , ≤ 6.6.* (semver); Unaffected: 6.12.16 , ≤ 6.12.* (semver); Unaffected: 6.13.4 , ≤ 6.13.* (semver); Unaffected: 6.14 , ≤ * (original_commit_for_fix) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:37:57.827Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/08/msg00010.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/x86/include/asm/kvm-x86-ops.h",
"arch/x86/include/asm/kvm_host.h",
"arch/x86/kvm/svm/svm.c",
"arch/x86/kvm/vmx/main.c",
"arch/x86/kvm/vmx/vmx.c",
"arch/x86/kvm/vmx/x86_ops.h",
"arch/x86/kvm/x86.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "9efb2b99b96c86664bbdbdd2cdb354ac9627eb20",
"status": "affected",
"version": "d67668e9dd76d98136048935723947156737932b",
"versionType": "git"
},
{
"lessThan": "93eeb6df1605b3a24f38afdba7ab903ba6b64133",
"status": "affected",
"version": "d67668e9dd76d98136048935723947156737932b",
"versionType": "git"
},
{
"lessThan": "a1723e9c53fe6431415be19302a56543daf503f5",
"status": "affected",
"version": "d67668e9dd76d98136048935723947156737932b",
"versionType": "git"
},
{
"lessThan": "4eb063de686bfcdfd03a8c801d1bbe87d2d5eb55",
"status": "affected",
"version": "d67668e9dd76d98136048935723947156737932b",
"versionType": "git"
},
{
"lessThan": "d456de38d9eb753a4e9fde053c18d4ef8e485339",
"status": "affected",
"version": "d67668e9dd76d98136048935723947156737932b",
"versionType": "git"
},
{
"lessThan": "c2fee09fc167c74a64adb08656cb993ea475197e",
"status": "affected",
"version": "d67668e9dd76d98136048935723947156737932b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/x86/include/asm/kvm-x86-ops.h",
"arch/x86/include/asm/kvm_host.h",
"arch/x86/kvm/svm/svm.c",
"arch/x86/kvm/vmx/main.c",
"arch/x86/kvm/vmx/vmx.c",
"arch/x86/kvm/vmx/x86_ops.h",
"arch/x86/kvm/x86.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.7"
},
{
"lessThan": "5.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.182",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.138",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.90",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.14",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.182",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.138",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.90",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.16",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.4",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14",
"versionStartIncluding": "5.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: x86: Load DR6 with guest value only before entering .vcpu_run() loop\n\nMove the conditional loading of hardware DR6 with the guest\u0027s DR6 value\nout of the core .vcpu_run() loop to fix a bug where KVM can load hardware\nwith a stale vcpu-\u003earch.dr6.\n\nWhen the guest accesses a DR and host userspace isn\u0027t debugging the guest,\nKVM disables DR interception and loads the guest\u0027s values into hardware on\nVM-Enter and saves them on VM-Exit. This allows the guest to access DRs\nat will, e.g. so that a sequence of DR accesses to configure a breakpoint\nonly generates one VM-Exit.\n\nFor DR0-DR3, the logic/behavior is identical between VMX and SVM, and also\nidentical between KVM_DEBUGREG_BP_ENABLED (userspace debugging the guest)\nand KVM_DEBUGREG_WONT_EXIT (guest using DRs), and so KVM handles loading\nDR0-DR3 in common code, _outside_ of the core kvm_x86_ops.vcpu_run() loop.\n\nBut for DR6, the guest\u0027s value doesn\u0027t need to be loaded into hardware for\nKVM_DEBUGREG_BP_ENABLED, and SVM provides a dedicated VMCB field whereas\nVMX requires software to manually load the guest value, and so loading the\nguest\u0027s value into DR6 is handled by {svm,vmx}_vcpu_run(), i.e. is done\n_inside_ the core run loop.\n\nUnfortunately, saving the guest values on VM-Exit is initiated by common\nx86, again outside of the core run loop. If the guest modifies DR6 (in\nhardware, when DR interception is disabled), and then the next VM-Exit is\na fastpath VM-Exit, KVM will reload hardware DR6 with vcpu-\u003earch.dr6 and\nclobber the guest\u0027s actual value.\n\nThe bug shows up primarily with nested VMX because KVM handles the VMX\npreemption timer in the fastpath, and the window between hardware DR6\nbeing modified (in guest context) and DR6 being read by guest software is\norders of magnitude larger in a nested setup. E.g. in non-nested, the\nVMX preemption timer would need to fire precisely between #DB injection\nand the #DB handler\u0027s read of DR6, whereas with a KVM-on-KVM setup, the\nwindow where hardware DR6 is \"dirty\" extends all the way from L1 writing\nDR6 to VMRESUME (in L1).\n\n L1\u0027s view:\n ==========\n \u003cL1 disables DR interception\u003e\n CPU 0/KVM-7289 [023] d.... 2925.640961: kvm_entry: vcpu 0\n A: L1 Writes DR6\n CPU 0/KVM-7289 [023] d.... 2925.640963: \u003chack\u003e: Set DRs, DR6 = 0xffff0ff1\n\n B: CPU 0/KVM-7289 [023] d.... 2925.640967: kvm_exit: vcpu 0 reason EXTERNAL_INTERRUPT intr_info 0x800000ec\n\n D: L1 reads DR6, arch.dr6 = 0\n CPU 0/KVM-7289 [023] d.... 2925.640969: \u003chack\u003e: Sync DRs, DR6 = 0xffff0ff0\n\n CPU 0/KVM-7289 [023] d.... 2925.640976: kvm_entry: vcpu 0\n L2 reads DR6, L1 disables DR interception\n CPU 0/KVM-7289 [023] d.... 2925.640980: kvm_exit: vcpu 0 reason DR_ACCESS info1 0x0000000000000216\n CPU 0/KVM-7289 [023] d.... 2925.640983: kvm_entry: vcpu 0\n\n CPU 0/KVM-7289 [023] d.... 2925.640983: \u003chack\u003e: Set DRs, DR6 = 0xffff0ff0\n\n L2 detects failure\n CPU 0/KVM-7289 [023] d.... 2925.640987: kvm_exit: vcpu 0 reason HLT\n L1 reads DR6 (confirms failure)\n CPU 0/KVM-7289 [023] d.... 2925.640990: \u003chack\u003e: Sync DRs, DR6 = 0xffff0ff0\n\n L0\u0027s view:\n ==========\n L2 reads DR6, arch.dr6 = 0\n CPU 23/KVM-5046 [001] d.... 3410.005610: kvm_exit: vcpu 23 reason DR_ACCESS info1 0x0000000000000216\n CPU 23/KVM-5046 [001] ..... 3410.005610: kvm_nested_vmexit: vcpu 23 reason DR_ACCESS info1 0x0000000000000216\n\n L2 =\u003e L1 nested VM-Exit\n CPU 23/KVM-5046 [001] ..... 3410.005610: kvm_nested_vmexit_inject: reason: DR_ACCESS ext_inf1: 0x0000000000000216\n\n CPU 23/KVM-5046 [001] d.... 3410.005610: kvm_entry: vcpu 23\n CPU 23/KVM-5046 [001] d.... 3410.005611: kvm_exit: vcpu 23 reason VMREAD\n CPU 23/KVM-5046 [001] d.... 3410.005611: kvm_entry: vcpu 23\n CPU 23/KVM-5046 [001] d.... 3410.\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:07:30.210Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/9efb2b99b96c86664bbdbdd2cdb354ac9627eb20"
},
{
"url": "https://git.kernel.org/stable/c/93eeb6df1605b3a24f38afdba7ab903ba6b64133"
},
{
"url": "https://git.kernel.org/stable/c/a1723e9c53fe6431415be19302a56543daf503f5"
},
{
"url": "https://git.kernel.org/stable/c/4eb063de686bfcdfd03a8c801d1bbe87d2d5eb55"
},
{
"url": "https://git.kernel.org/stable/c/d456de38d9eb753a4e9fde053c18d4ef8e485339"
},
{
"url": "https://git.kernel.org/stable/c/c2fee09fc167c74a64adb08656cb993ea475197e"
}
],
"title": "KVM: x86: Load DR6 with guest value only before entering .vcpu_run() loop",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-21839",
"datePublished": "2025-03-07T09:09:58.220Z",
"dateReserved": "2024-12-29T08:45:45.777Z",
"dateUpdated": "2026-05-11T21:07:30.210Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-21931 (GCVE-0-2025-21931)
Vulnerability from cvelistv5 – Published: 2025-04-01 15:41 – Updated: 2026-05-23 15:57
Title
hwpoison, memory_hotplug: lock folio before unmap hwpoisoned folio
Summary
In the Linux kernel, the following vulnerability has been resolved:
hwpoison, memory_hotplug: lock folio before unmap hwpoisoned folio
Commit b15c87263a69 ("hwpoison, memory_hotplug: allow hwpoisoned pages to
be offlined) add page poison checks in do_migrate_range in order to make
offline hwpoisoned page possible by introducing isolate_lru_page and
try_to_unmap for hwpoisoned page. However folio lock must be held before
calling try_to_unmap. Add it to fix this problem.
Warning will be produced if folio is not locked during unmap:
------------[ cut here ]------------
kernel BUG at ./include/linux/swapops.h:400!
Internal error: Oops - BUG: 00000000f2000800 [#1] PREEMPT SMP
Modules linked in:
CPU: 4 UID: 0 PID: 411 Comm: bash Tainted: G W 6.13.0-rc1-00016-g3c434c7ee82a-dirty #41
Tainted: [W]=WARN
Hardware name: QEMU QEMU Virtual Machine, BIOS 0.0.0 02/06/2015
pstate: 40400005 (nZcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : try_to_unmap_one+0xb08/0xd3c
lr : try_to_unmap_one+0x3dc/0xd3c
Call trace:
try_to_unmap_one+0xb08/0xd3c (P)
try_to_unmap_one+0x3dc/0xd3c (L)
rmap_walk_anon+0xdc/0x1f8
rmap_walk+0x3c/0x58
try_to_unmap+0x88/0x90
unmap_poisoned_folio+0x30/0xa8
do_migrate_range+0x4a0/0x568
offline_pages+0x5a4/0x670
memory_block_action+0x17c/0x374
memory_subsys_offline+0x3c/0x78
device_offline+0xa4/0xd0
state_store+0x8c/0xf0
dev_attr_store+0x18/0x2c
sysfs_kf_write+0x44/0x54
kernfs_fop_write_iter+0x118/0x1a8
vfs_write+0x3a8/0x4bc
ksys_write+0x6c/0xf8
__arm64_sys_write+0x1c/0x28
invoke_syscall+0x44/0x100
el0_svc_common.constprop.0+0x40/0xe0
do_el0_svc+0x1c/0x28
el0_svc+0x30/0xd0
el0t_64_sync_handler+0xc8/0xcc
el0t_64_sync+0x198/0x19c
Code: f9407be0 b5fff320 d4210000 17ffff97 (d4210000)
---[ end trace 0000000000000000 ]---
Severity
No CVSS data available.
References
6 references
Impacted products
2 products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: b15c87263a69272423771118c653e9a1d0672caa , < 3926b572fd073491bde13ec42ee08ac1b337bf4d (git); Affected: b15c87263a69272423771118c653e9a1d0672caa , < 93df6da64b004f75d307ed08d3f0f1020280d339 (git); Affected: b15c87263a69272423771118c653e9a1d0672caa , < 576a2f4c437c19bec7d05d05b5990f178d2b0f40 (git); Affected: b15c87263a69272423771118c653e9a1d0672caa , < 629dfc6ba5431056701d4e44830f3409b989955a (git); Affected: b15c87263a69272423771118c653e9a1d0672caa , < af288a426c3e3552b62595c6138ec6371a17dbba (git); Affected: 85ef35ab972b7484f41c3bb2bbc79de212e19129 (git); Affected: 060853fdd434ce620dd1dd7619ede834bd33b9d0 (git); Affected: cb1206e85df291fefde27401190329e26996c54c (git); Affected: 2c25071bed4b1f9c4cfb10a7914847d7069794bf (git); Affected: 2c87072a3bf9bbcd747618bb2ccc3cd0da181db6 (git); Affected: a2b977e3d9e4298d28ebe5cfff9e0859b74a7ac7 (git); Affected: 3.16.65 , < 3.17 (semver); Affected: 4.4.170 , < 4.5 (semver); Affected: 4.9.150 , < 4.10 (semver); Affected: 4.14.93 , < 4.15 (semver); Affected: 4.19.15 , < 4.20 (semver); Affected: 4.20.2 , < 4.21 (semver) |
| Linux | Linux | Affected: 5.0; Unaffected: 0 , < 5.0 (semver); Unaffected: 6.1.140 , ≤ 6.1.* (semver); Unaffected: 6.6.92 , ≤ 6.6.* (semver); Unaffected: 6.12.19 , ≤ 6.12.* (semver); Unaffected: 6.13.7 , ≤ 6.13.* (semver); Unaffected: 6.14 , ≤ * (original_commit_for_fix) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:39:27.919Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/08/msg00010.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"mm/memory_hotplug.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3926b572fd073491bde13ec42ee08ac1b337bf4d",
"status": "affected",
"version": "b15c87263a69272423771118c653e9a1d0672caa",
"versionType": "git"
},
{
"lessThan": "93df6da64b004f75d307ed08d3f0f1020280d339",
"status": "affected",
"version": "b15c87263a69272423771118c653e9a1d0672caa",
"versionType": "git"
},
{
"lessThan": "576a2f4c437c19bec7d05d05b5990f178d2b0f40",
"status": "affected",
"version": "b15c87263a69272423771118c653e9a1d0672caa",
"versionType": "git"
},
{
"lessThan": "629dfc6ba5431056701d4e44830f3409b989955a",
"status": "affected",
"version": "b15c87263a69272423771118c653e9a1d0672caa",
"versionType": "git"
},
{
"lessThan": "af288a426c3e3552b62595c6138ec6371a17dbba",
"status": "affected",
"version": "b15c87263a69272423771118c653e9a1d0672caa",
"versionType": "git"
},
{
"status": "affected",
"version": "85ef35ab972b7484f41c3bb2bbc79de212e19129",
"versionType": "git"
},
{
"status": "affected",
"version": "060853fdd434ce620dd1dd7619ede834bd33b9d0",
"versionType": "git"
},
{
"status": "affected",
"version": "cb1206e85df291fefde27401190329e26996c54c",
"versionType": "git"
},
{
"status": "affected",
"version": "2c25071bed4b1f9c4cfb10a7914847d7069794bf",
"versionType": "git"
},
{
"status": "affected",
"version": "2c87072a3bf9bbcd747618bb2ccc3cd0da181db6",
"versionType": "git"
},
{
"status": "affected",
"version": "a2b977e3d9e4298d28ebe5cfff9e0859b74a7ac7",
"versionType": "git"
},
{
"lessThan": "3.17",
"status": "affected",
"version": "3.16.65",
"versionType": "semver"
},
{
"lessThan": "4.5",
"status": "affected",
"version": "4.4.170",
"versionType": "semver"
},
{
"lessThan": "4.10",
"status": "affected",
"version": "4.9.150",
"versionType": "semver"
},
{
"lessThan": "4.15",
"status": "affected",
"version": "4.14.93",
"versionType": "semver"
},
{
"lessThan": "4.20",
"status": "affected",
"version": "4.19.15",
"versionType": "semver"
},
{
"lessThan": "4.21",
"status": "affected",
"version": "4.20.2",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"mm/memory_hotplug.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.0"
},
{
"lessThan": "5.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.140",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.92",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.14",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.140",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.92",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.19",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.7",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.16.65",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.4.170",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.9.150",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.14.93",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.19.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.20.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nhwpoison, memory_hotplug: lock folio before unmap hwpoisoned folio\n\nCommit b15c87263a69 (\"hwpoison, memory_hotplug: allow hwpoisoned pages to\nbe offlined) add page poison checks in do_migrate_range in order to make\noffline hwpoisoned page possible by introducing isolate_lru_page and\ntry_to_unmap for hwpoisoned page. However folio lock must be held before\ncalling try_to_unmap. Add it to fix this problem.\n\nWarning will be produced if folio is not locked during unmap:\n\n ------------[ cut here ]------------\n kernel BUG at ./include/linux/swapops.h:400!\n Internal error: Oops - BUG: 00000000f2000800 [#1] PREEMPT SMP\n Modules linked in:\n CPU: 4 UID: 0 PID: 411 Comm: bash Tainted: G W 6.13.0-rc1-00016-g3c434c7ee82a-dirty #41\n Tainted: [W]=WARN\n Hardware name: QEMU QEMU Virtual Machine, BIOS 0.0.0 02/06/2015\n pstate: 40400005 (nZcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n pc : try_to_unmap_one+0xb08/0xd3c\n lr : try_to_unmap_one+0x3dc/0xd3c\n Call trace:\n try_to_unmap_one+0xb08/0xd3c (P)\n try_to_unmap_one+0x3dc/0xd3c (L)\n rmap_walk_anon+0xdc/0x1f8\n rmap_walk+0x3c/0x58\n try_to_unmap+0x88/0x90\n unmap_poisoned_folio+0x30/0xa8\n do_migrate_range+0x4a0/0x568\n offline_pages+0x5a4/0x670\n memory_block_action+0x17c/0x374\n memory_subsys_offline+0x3c/0x78\n device_offline+0xa4/0xd0\n state_store+0x8c/0xf0\n dev_attr_store+0x18/0x2c\n sysfs_kf_write+0x44/0x54\n kernfs_fop_write_iter+0x118/0x1a8\n vfs_write+0x3a8/0x4bc\n ksys_write+0x6c/0xf8\n __arm64_sys_write+0x1c/0x28\n invoke_syscall+0x44/0x100\n el0_svc_common.constprop.0+0x40/0xe0\n do_el0_svc+0x1c/0x28\n el0_svc+0x30/0xd0\n el0t_64_sync_handler+0xc8/0xcc\n el0t_64_sync+0x198/0x19c\n Code: f9407be0 b5fff320 d4210000 17ffff97 (d4210000)\n ---[ end trace 0000000000000000 ]---"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-23T15:57:27.859Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3926b572fd073491bde13ec42ee08ac1b337bf4d"
},
{
"url": "https://git.kernel.org/stable/c/93df6da64b004f75d307ed08d3f0f1020280d339"
},
{
"url": "https://git.kernel.org/stable/c/576a2f4c437c19bec7d05d05b5990f178d2b0f40"
},
{
"url": "https://git.kernel.org/stable/c/629dfc6ba5431056701d4e44830f3409b989955a"
},
{
"url": "https://git.kernel.org/stable/c/af288a426c3e3552b62595c6138ec6371a17dbba"
}
],
"title": "hwpoison, memory_hotplug: lock folio before unmap hwpoisoned folio",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-21931",
"datePublished": "2025-04-01T15:41:01.055Z",
"dateReserved": "2024-12-29T08:45:45.789Z",
"dateUpdated": "2026-05-23T15:57:27.859Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-22062 (GCVE-0-2025-22062)
Vulnerability from cvelistv5 – Published: 2025-04-16 14:12 – Updated: 2026-05-11 21:11
Title
sctp: add mutual exclusion in proc_sctp_do_udp_port()
Summary
In the Linux kernel, the following vulnerability has been resolved:
sctp: add mutual exclusion in proc_sctp_do_udp_port()
We must serialize calls to sctp_udp_sock_stop() and sctp_udp_sock_start()
or risk a crash as syzbot reported:
Oops: general protection fault, probably for non-canonical address 0xdffffc000000000d: 0000 [#1] SMP KASAN PTI
KASAN: null-ptr-deref in range [0x0000000000000068-0x000000000000006f]
CPU: 1 UID: 0 PID: 6551 Comm: syz.1.44 Not tainted 6.14.0-syzkaller-g7f2ff7b62617 #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
RIP: 0010:kernel_sock_shutdown+0x47/0x70 net/socket.c:3653
Call Trace:
<TASK>
udp_tunnel_sock_release+0x68/0x80 net/ipv4/udp_tunnel_core.c:181
sctp_udp_sock_stop+0x71/0x160 net/sctp/protocol.c:930
proc_sctp_do_udp_port+0x264/0x450 net/sctp/sysctl.c:553
proc_sys_call_handler+0x3d0/0x5b0 fs/proc/proc_sysctl.c:601
iter_file_splice_write+0x91c/0x1150 fs/splice.c:738
do_splice_from fs/splice.c:935 [inline]
direct_splice_actor+0x18f/0x6c0 fs/splice.c:1158
splice_direct_to_actor+0x342/0xa30 fs/splice.c:1102
do_splice_direct_actor fs/splice.c:1201 [inline]
do_splice_direct+0x174/0x240 fs/splice.c:1227
do_sendfile+0xafd/0xe50 fs/read_write.c:1368
__do_sys_sendfile64 fs/read_write.c:1429 [inline]
__se_sys_sendfile64 fs/read_write.c:1415 [inline]
__x64_sys_sendfile64+0x1d8/0x220 fs/read_write.c:1415
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
Severity
No CVSS data available.
References
8 references
Impacted products
2 products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 046c052b475e7119b6a30e3483e2888fc606a2f8 , < 65ccb2793da7401772a3ffe85355c831b313c59f (git); Affected: 046c052b475e7119b6a30e3483e2888fc606a2f8 , < 386507cb6fb7cdef598ddcb3f0fa37e6ca9e789d (git); Affected: 046c052b475e7119b6a30e3483e2888fc606a2f8 , < b3598f53211ba1025485306de2733bdd241311a3 (git); Affected: 046c052b475e7119b6a30e3483e2888fc606a2f8 , < e5178bfc55b3a78000f0f8298e7ade88783ce581 (git); Affected: 046c052b475e7119b6a30e3483e2888fc606a2f8 , < efb8cb487be8f4ba6aaef616011d702d6a083ed1 (git); Affected: 046c052b475e7119b6a30e3483e2888fc606a2f8 , < d3d7675d77622f6ca1aae14c51f80027b36283f8 (git); Affected: 046c052b475e7119b6a30e3483e2888fc606a2f8 , < 10206302af856791fbcc27a33ed3c3eb09b2793d (git) |
| Linux | Linux | Affected: 5.11; Unaffected: 0 , < 5.11 (semver); Unaffected: 5.15.184 , ≤ 5.15.* (semver); Unaffected: 6.1.140 , ≤ 6.1.* (semver); Unaffected: 6.6.92 , ≤ 6.6.* (semver); Unaffected: 6.12.23 , ≤ 6.12.* (semver); Unaffected: 6.13.11 , ≤ 6.13.* (semver); Unaffected: 6.14.2 , ≤ 6.14.* (semver); Unaffected: 6.15 , ≤ * (original_commit_for_fix) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:41:45.338Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/08/msg00010.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/sctp/sysctl.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "65ccb2793da7401772a3ffe85355c831b313c59f",
"status": "affected",
"version": "046c052b475e7119b6a30e3483e2888fc606a2f8",
"versionType": "git"
},
{
"lessThan": "386507cb6fb7cdef598ddcb3f0fa37e6ca9e789d",
"status": "affected",
"version": "046c052b475e7119b6a30e3483e2888fc606a2f8",
"versionType": "git"
},
{
"lessThan": "b3598f53211ba1025485306de2733bdd241311a3",
"status": "affected",
"version": "046c052b475e7119b6a30e3483e2888fc606a2f8",
"versionType": "git"
},
{
"lessThan": "e5178bfc55b3a78000f0f8298e7ade88783ce581",
"status": "affected",
"version": "046c052b475e7119b6a30e3483e2888fc606a2f8",
"versionType": "git"
},
{
"lessThan": "efb8cb487be8f4ba6aaef616011d702d6a083ed1",
"status": "affected",
"version": "046c052b475e7119b6a30e3483e2888fc606a2f8",
"versionType": "git"
},
{
"lessThan": "d3d7675d77622f6ca1aae14c51f80027b36283f8",
"status": "affected",
"version": "046c052b475e7119b6a30e3483e2888fc606a2f8",
"versionType": "git"
},
{
"lessThan": "10206302af856791fbcc27a33ed3c3eb09b2793d",
"status": "affected",
"version": "046c052b475e7119b6a30e3483e2888fc606a2f8",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/sctp/sysctl.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.11"
},
{
"lessThan": "5.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.184",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.140",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.92",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.23",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.14.*",
"status": "unaffected",
"version": "6.14.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.15",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.184",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.140",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.92",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.23",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.11",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14.2",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15",
"versionStartIncluding": "5.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsctp: add mutual exclusion in proc_sctp_do_udp_port()\n\nWe must serialize calls to sctp_udp_sock_stop() and sctp_udp_sock_start()\nor risk a crash as syzbot reported:\n\nOops: general protection fault, probably for non-canonical address 0xdffffc000000000d: 0000 [#1] SMP KASAN PTI\nKASAN: null-ptr-deref in range [0x0000000000000068-0x000000000000006f]\nCPU: 1 UID: 0 PID: 6551 Comm: syz.1.44 Not tainted 6.14.0-syzkaller-g7f2ff7b62617 #0 PREEMPT(full)\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025\n RIP: 0010:kernel_sock_shutdown+0x47/0x70 net/socket.c:3653\nCall Trace:\n \u003cTASK\u003e\n udp_tunnel_sock_release+0x68/0x80 net/ipv4/udp_tunnel_core.c:181\n sctp_udp_sock_stop+0x71/0x160 net/sctp/protocol.c:930\n proc_sctp_do_udp_port+0x264/0x450 net/sctp/sysctl.c:553\n proc_sys_call_handler+0x3d0/0x5b0 fs/proc/proc_sysctl.c:601\n iter_file_splice_write+0x91c/0x1150 fs/splice.c:738\n do_splice_from fs/splice.c:935 [inline]\n direct_splice_actor+0x18f/0x6c0 fs/splice.c:1158\n splice_direct_to_actor+0x342/0xa30 fs/splice.c:1102\n do_splice_direct_actor fs/splice.c:1201 [inline]\n do_splice_direct+0x174/0x240 fs/splice.c:1227\n do_sendfile+0xafd/0xe50 fs/read_write.c:1368\n __do_sys_sendfile64 fs/read_write.c:1429 [inline]\n __se_sys_sendfile64 fs/read_write.c:1415 [inline]\n __x64_sys_sendfile64+0x1d8/0x220 fs/read_write.c:1415\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:11:54.273Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/65ccb2793da7401772a3ffe85355c831b313c59f"
},
{
"url": "https://git.kernel.org/stable/c/386507cb6fb7cdef598ddcb3f0fa37e6ca9e789d"
},
{
"url": "https://git.kernel.org/stable/c/b3598f53211ba1025485306de2733bdd241311a3"
},
{
"url": "https://git.kernel.org/stable/c/e5178bfc55b3a78000f0f8298e7ade88783ce581"
},
{
"url": "https://git.kernel.org/stable/c/efb8cb487be8f4ba6aaef616011d702d6a083ed1"
},
{
"url": "https://git.kernel.org/stable/c/d3d7675d77622f6ca1aae14c51f80027b36283f8"
},
{
"url": "https://git.kernel.org/stable/c/10206302af856791fbcc27a33ed3c3eb09b2793d"
}
],
"title": "sctp: add mutual exclusion in proc_sctp_do_udp_port()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-22062",
"datePublished": "2025-04-16T14:12:17.605Z",
"dateReserved": "2024-12-29T08:45:45.813Z",
"dateUpdated": "2026-05-11T21:11:54.273Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-37819 (GCVE-0-2025-37819)
Vulnerability from cvelistv5 – Published: 2025-05-08 06:26 – Updated: 2026-05-11 21:15
Title
irqchip/gic-v2m: Prevent use after free of gicv2m_get_fwnode()
Summary
In the Linux kernel, the following vulnerability has been resolved:
irqchip/gic-v2m: Prevent use after free of gicv2m_get_fwnode()
With ACPI in place, gicv2m_get_fwnode() is registered with the pci
subsystem as pci_msi_get_fwnode_cb(), which may get invoked at runtime
during a PCI host bridge probe. But, the call back is wrongly marked as
__init, causing it to be freed, while being registered with the PCI
subsystem and could trigger:
Unable to handle kernel paging request at virtual address ffff8000816c0400
gicv2m_get_fwnode+0x0/0x58 (P)
pci_set_bus_msi_domain+0x74/0x88
pci_register_host_bridge+0x194/0x548
This is easily reproducible on a Juno board with ACPI boot.
Retain the function for later use.
Severity
No CVSS data available.
References
10 references
Impacted products
2 products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 0644b3daca28dcb320373ae20069c269c9386304 , < 0c241dedc43a036599757cd08f356253fa3e5014 (git); Affected: 0644b3daca28dcb320373ae20069c269c9386304 , < b63de43af8d215b0499eac28b2caa4439183efc1 (git); Affected: 0644b3daca28dcb320373ae20069c269c9386304 , < f95659affee301464f0d058d528d96b35b452da8 (git); Affected: 0644b3daca28dcb320373ae20069c269c9386304 , < dc0d654eb4179b06d3206e4396d072108b9ba082 (git); Affected: 0644b3daca28dcb320373ae20069c269c9386304 , < 2f2803e4b5e4df2b08d378deaab78b1681ef9b30 (git); Affected: 0644b3daca28dcb320373ae20069c269c9386304 , < 3939d6f29d34cdb60e3f68b76e39e00a964a1d51 (git); Affected: 0644b3daca28dcb320373ae20069c269c9386304 , < 47bee0081b483b077c7560bc5358ad101f89c8ef (git); Affected: 0644b3daca28dcb320373ae20069c269c9386304 , < 3318dc299b072a0511d6dfd8367f3304fb6d9827 (git) |
| Linux | Linux | Affected: 4.5; Unaffected: 0 , < 4.5 (semver); Unaffected: 5.4.294 , ≤ 5.4.* (semver); Unaffected: 5.10.238 , ≤ 5.10.* (semver); Unaffected: 5.15.182 , ≤ 5.15.* (semver); Unaffected: 6.1.138 , ≤ 6.1.* (semver); Unaffected: 6.6.89 , ≤ 6.6.* (semver); Unaffected: 6.12.26 , ≤ 6.12.* (semver); Unaffected: 6.14.5 , ≤ 6.14.* (semver); Unaffected: 6.15 , ≤ * (original_commit_for_fix) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:55:52.082Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/08/msg00010.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/irqchip/irq-gic-v2m.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "0c241dedc43a036599757cd08f356253fa3e5014",
"status": "affected",
"version": "0644b3daca28dcb320373ae20069c269c9386304",
"versionType": "git"
},
{
"lessThan": "b63de43af8d215b0499eac28b2caa4439183efc1",
"status": "affected",
"version": "0644b3daca28dcb320373ae20069c269c9386304",
"versionType": "git"
},
{
"lessThan": "f95659affee301464f0d058d528d96b35b452da8",
"status": "affected",
"version": "0644b3daca28dcb320373ae20069c269c9386304",
"versionType": "git"
},
{
"lessThan": "dc0d654eb4179b06d3206e4396d072108b9ba082",
"status": "affected",
"version": "0644b3daca28dcb320373ae20069c269c9386304",
"versionType": "git"
},
{
"lessThan": "2f2803e4b5e4df2b08d378deaab78b1681ef9b30",
"status": "affected",
"version": "0644b3daca28dcb320373ae20069c269c9386304",
"versionType": "git"
},
{
"lessThan": "3939d6f29d34cdb60e3f68b76e39e00a964a1d51",
"status": "affected",
"version": "0644b3daca28dcb320373ae20069c269c9386304",
"versionType": "git"
},
{
"lessThan": "47bee0081b483b077c7560bc5358ad101f89c8ef",
"status": "affected",
"version": "0644b3daca28dcb320373ae20069c269c9386304",
"versionType": "git"
},
{
"lessThan": "3318dc299b072a0511d6dfd8367f3304fb6d9827",
"status": "affected",
"version": "0644b3daca28dcb320373ae20069c269c9386304",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/irqchip/irq-gic-v2m.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.5"
},
{
"lessThan": "4.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.294",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.238",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.182",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.138",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.89",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.26",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.14.*",
"status": "unaffected",
"version": "6.14.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.15",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.294",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.238",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.182",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.138",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.89",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.26",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14.5",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15",
"versionStartIncluding": "4.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nirqchip/gic-v2m: Prevent use after free of gicv2m_get_fwnode()\n\nWith ACPI in place, gicv2m_get_fwnode() is registered with the pci\nsubsystem as pci_msi_get_fwnode_cb(), which may get invoked at runtime\nduring a PCI host bridge probe. But, the call back is wrongly marked as\n__init, causing it to be freed, while being registered with the PCI\nsubsystem and could trigger:\n\n Unable to handle kernel paging request at virtual address ffff8000816c0400\n gicv2m_get_fwnode+0x0/0x58 (P)\n pci_set_bus_msi_domain+0x74/0x88\n pci_register_host_bridge+0x194/0x548\n\nThis is easily reproducible on a Juno board with ACPI boot.\n\nRetain the function for later use."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:15:45.443Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/0c241dedc43a036599757cd08f356253fa3e5014"
},
{
"url": "https://git.kernel.org/stable/c/b63de43af8d215b0499eac28b2caa4439183efc1"
},
{
"url": "https://git.kernel.org/stable/c/f95659affee301464f0d058d528d96b35b452da8"
},
{
"url": "https://git.kernel.org/stable/c/dc0d654eb4179b06d3206e4396d072108b9ba082"
},
{
"url": "https://git.kernel.org/stable/c/2f2803e4b5e4df2b08d378deaab78b1681ef9b30"
},
{
"url": "https://git.kernel.org/stable/c/3939d6f29d34cdb60e3f68b76e39e00a964a1d51"
},
{
"url": "https://git.kernel.org/stable/c/47bee0081b483b077c7560bc5358ad101f89c8ef"
},
{
"url": "https://git.kernel.org/stable/c/3318dc299b072a0511d6dfd8367f3304fb6d9827"
}
],
"title": "irqchip/gic-v2m: Prevent use after free of gicv2m_get_fwnode()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-37819",
"datePublished": "2025-05-08T06:26:13.975Z",
"dateReserved": "2025-04-16T04:51:23.947Z",
"dateUpdated": "2026-05-11T21:15:45.443Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-37890 (GCVE-0-2025-37890)
Vulnerability from cvelistv5 – Published: 2025-05-16 13:01 – Updated: 2026-05-11 21:17
Title
net_sched: hfsc: Fix a UAF vulnerability in class with netem as child qdisc
Summary
In the Linux kernel, the following vulnerability has been resolved:
net_sched: hfsc: Fix a UAF vulnerability in class with netem as child qdisc
As described in Gerrard's report [1], we have a UAF case when an hfsc class
has a netem child qdisc. The crux of the issue is that hfsc is assuming
that checking for cl->qdisc->q.qlen == 0 guarantees that it hasn't inserted
the class in the vttree or eltree (which is not true for the netem
duplicate case).
This patch checks the n_active class variable to make sure that the code
won't insert the class in the vttree or eltree twice, catering for the
reentrant case.
[1] https://lore.kernel.org/netdev/CAHcdcOm+03OD2j6R0=YHKqmy=VgJ8xEOKuP6c7mSgnp-TEJJbw@mail.gmail.com/
Severity
No CVSS data available.
References
10 references
Impacted products
2 products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 37d9cf1a3ce35de3df6f7d209bfb1f50cf188cea , < 273bbcfa53541cde38b2003ad88a59b770306421 (git); Affected: 37d9cf1a3ce35de3df6f7d209bfb1f50cf188cea , < e0cf8ee23e1915431f262a7b2dee0c7a7d699af0 (git); Affected: 37d9cf1a3ce35de3df6f7d209bfb1f50cf188cea , < e3e949a39a91d1f829a4890e7dfe9417ac72e4d0 (git); Affected: 37d9cf1a3ce35de3df6f7d209bfb1f50cf188cea , < 8df7d37d626430035b413b97cee18396b3450bef (git); Affected: 37d9cf1a3ce35de3df6f7d209bfb1f50cf188cea , < 6082a87af4c52f58150d40dec1716011d871ac21 (git); Affected: 37d9cf1a3ce35de3df6f7d209bfb1f50cf188cea , < 2e7093c7a8aba5d4f8809f271488e5babe75e202 (git); Affected: 37d9cf1a3ce35de3df6f7d209bfb1f50cf188cea , < ac39fd4a757584d78ed062d4f6fd913f83bd98b5 (git); Affected: 37d9cf1a3ce35de3df6f7d209bfb1f50cf188cea , < 141d34391abbb315d68556b7c67ad97885407547 (git) |
| Linux | Linux | Affected: 5.0; Unaffected: 0 , < 5.0 (semver); Unaffected: 5.4.294 , ≤ 5.4.* (semver); Unaffected: 5.10.238 , ≤ 5.10.* (semver); Unaffected: 5.15.182 , ≤ 5.15.* (semver); Unaffected: 6.1.138 , ≤ 6.1.* (semver); Unaffected: 6.6.90 , ≤ 6.6.* (semver); Unaffected: 6.12.28 , ≤ 6.12.* (semver); Unaffected: 6.14.6 , ≤ 6.14.* (semver); Unaffected: 6.15 , ≤ * (original_commit_for_fix) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:57:02.260Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/08/msg00010.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/sched/sch_hfsc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "273bbcfa53541cde38b2003ad88a59b770306421",
"status": "affected",
"version": "37d9cf1a3ce35de3df6f7d209bfb1f50cf188cea",
"versionType": "git"
},
{
"lessThan": "e0cf8ee23e1915431f262a7b2dee0c7a7d699af0",
"status": "affected",
"version": "37d9cf1a3ce35de3df6f7d209bfb1f50cf188cea",
"versionType": "git"
},
{
"lessThan": "e3e949a39a91d1f829a4890e7dfe9417ac72e4d0",
"status": "affected",
"version": "37d9cf1a3ce35de3df6f7d209bfb1f50cf188cea",
"versionType": "git"
},
{
"lessThan": "8df7d37d626430035b413b97cee18396b3450bef",
"status": "affected",
"version": "37d9cf1a3ce35de3df6f7d209bfb1f50cf188cea",
"versionType": "git"
},
{
"lessThan": "6082a87af4c52f58150d40dec1716011d871ac21",
"status": "affected",
"version": "37d9cf1a3ce35de3df6f7d209bfb1f50cf188cea",
"versionType": "git"
},
{
"lessThan": "2e7093c7a8aba5d4f8809f271488e5babe75e202",
"status": "affected",
"version": "37d9cf1a3ce35de3df6f7d209bfb1f50cf188cea",
"versionType": "git"
},
{
"lessThan": "ac39fd4a757584d78ed062d4f6fd913f83bd98b5",
"status": "affected",
"version": "37d9cf1a3ce35de3df6f7d209bfb1f50cf188cea",
"versionType": "git"
},
{
"lessThan": "141d34391abbb315d68556b7c67ad97885407547",
"status": "affected",
"version": "37d9cf1a3ce35de3df6f7d209bfb1f50cf188cea",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/sched/sch_hfsc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.0"
},
{
"lessThan": "5.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.294",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.238",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.182",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.138",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.90",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.28",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.14.*",
"status": "unaffected",
"version": "6.14.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.15",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.294",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.238",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.182",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.138",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.90",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.28",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14.6",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15",
"versionStartIncluding": "5.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet_sched: hfsc: Fix a UAF vulnerability in class with netem as child qdisc\n\nAs described in Gerrard\u0027s report [1], we have a UAF case when an hfsc class\nhas a netem child qdisc. The crux of the issue is that hfsc is assuming\nthat checking for cl-\u003eqdisc-\u003eq.qlen == 0 guarantees that it hasn\u0027t inserted\nthe class in the vttree or eltree (which is not true for the netem\nduplicate case).\n\nThis patch checks the n_active class variable to make sure that the code\nwon\u0027t insert the class in the vttree or eltree twice, catering for the\nreentrant case.\n\n[1] https://lore.kernel.org/netdev/CAHcdcOm+03OD2j6R0=YHKqmy=VgJ8xEOKuP6c7mSgnp-TEJJbw@mail.gmail.com/"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:17:06.552Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/273bbcfa53541cde38b2003ad88a59b770306421"
},
{
"url": "https://git.kernel.org/stable/c/e0cf8ee23e1915431f262a7b2dee0c7a7d699af0"
},
{
"url": "https://git.kernel.org/stable/c/e3e949a39a91d1f829a4890e7dfe9417ac72e4d0"
},
{
"url": "https://git.kernel.org/stable/c/8df7d37d626430035b413b97cee18396b3450bef"
},
{
"url": "https://git.kernel.org/stable/c/6082a87af4c52f58150d40dec1716011d871ac21"
},
{
"url": "https://git.kernel.org/stable/c/2e7093c7a8aba5d4f8809f271488e5babe75e202"
},
{
"url": "https://git.kernel.org/stable/c/ac39fd4a757584d78ed062d4f6fd913f83bd98b5"
},
{
"url": "https://git.kernel.org/stable/c/141d34391abbb315d68556b7c67ad97885407547"
}
],
"title": "net_sched: hfsc: Fix a UAF vulnerability in class with netem as child qdisc",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-37890",
"datePublished": "2025-05-16T13:01:12.798Z",
"dateReserved": "2025-04-16T04:51:23.963Z",
"dateUpdated": "2026-05-11T21:17:06.552Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-37897 (GCVE-0-2025-37897)
Vulnerability from cvelistv5 – Published: 2025-05-20 15:21 – Updated: 2026-05-11 21:17
Title
wifi: plfxlc: Remove erroneous assert in plfxlc_mac_release
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: plfxlc: Remove erroneous assert in plfxlc_mac_release
plfxlc_mac_release() asserts that mac->lock is held. This assertion is
incorrect, because even if it was possible, it would not be the valid
behaviour. The function is used when probe fails or after the device is
disconnected. In both cases mac->lock can not be held as the driver is
not working with the device at the moment. All functions that use mac->lock
unlock it just after it was held. There is also no need to hold mac->lock
for plfxlc_mac_release() itself, as mac data is not affected, except for
mac->flags, which is modified atomically.
This bug leads to the following warning:
================================================================
WARNING: CPU: 0 PID: 127 at drivers/net/wireless/purelifi/plfxlc/mac.c:106 plfxlc_mac_release+0x7d/0xa0
Modules linked in:
CPU: 0 PID: 127 Comm: kworker/0:2 Not tainted 6.1.124-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Workqueue: usb_hub_wq hub_event
RIP: 0010:plfxlc_mac_release+0x7d/0xa0 drivers/net/wireless/purelifi/plfxlc/mac.c:106
Call Trace:
<TASK>
probe+0x941/0xbd0 drivers/net/wireless/purelifi/plfxlc/usb.c:694
usb_probe_interface+0x5c0/0xaf0 drivers/usb/core/driver.c:396
really_probe+0x2ab/0xcb0 drivers/base/dd.c:639
__driver_probe_device+0x1a2/0x3d0 drivers/base/dd.c:785
driver_probe_device+0x50/0x420 drivers/base/dd.c:815
__device_attach_driver+0x2cf/0x510 drivers/base/dd.c:943
bus_for_each_drv+0x183/0x200 drivers/base/bus.c:429
__device_attach+0x359/0x570 drivers/base/dd.c:1015
bus_probe_device+0xba/0x1e0 drivers/base/bus.c:489
device_add+0xb48/0xfd0 drivers/base/core.c:3696
usb_set_configuration+0x19dd/0x2020 drivers/usb/core/message.c:2165
usb_generic_driver_probe+0x84/0x140 drivers/usb/core/generic.c:238
usb_probe_device+0x130/0x260 drivers/usb/core/driver.c:293
really_probe+0x2ab/0xcb0 drivers/base/dd.c:639
__driver_probe_device+0x1a2/0x3d0 drivers/base/dd.c:785
driver_probe_device+0x50/0x420 drivers/base/dd.c:815
__device_attach_driver+0x2cf/0x510 drivers/base/dd.c:943
bus_for_each_drv+0x183/0x200 drivers/base/bus.c:429
__device_attach+0x359/0x570 drivers/base/dd.c:1015
bus_probe_device+0xba/0x1e0 drivers/base/bus.c:489
device_add+0xb48/0xfd0 drivers/base/core.c:3696
usb_new_device+0xbdd/0x18f0 drivers/usb/core/hub.c:2620
hub_port_connect drivers/usb/core/hub.c:5477 [inline]
hub_port_connect_change drivers/usb/core/hub.c:5617 [inline]
port_event drivers/usb/core/hub.c:5773 [inline]
hub_event+0x2efe/0x5730 drivers/usb/core/hub.c:5855
process_one_work+0x8a9/0x11d0 kernel/workqueue.c:2292
worker_thread+0xa47/0x1200 kernel/workqueue.c:2439
kthread+0x28d/0x320 kernel/kthread.c:376
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295
</TASK>
================================================================
Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
Severity
No CVSS data available.
References
6 references
Impacted products
2 products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 68d57a07bfe5bb29b80cd8b8fa24c9d1ea104124 , < 93d646911be1e5be20d4f5d6c48359464cef0097 (git); Affected: 68d57a07bfe5bb29b80cd8b8fa24c9d1ea104124 , < 36a9a2647810e57e704dde59abdf831380ca9102 (git); Affected: 68d57a07bfe5bb29b80cd8b8fa24c9d1ea104124 , < 791a2d9e87c411aec0b9b2fb735fd15e48af9de9 (git); Affected: 68d57a07bfe5bb29b80cd8b8fa24c9d1ea104124 , < 9ecb4af39f80cdda3e57825923243ec11e48be6b (git); Affected: 68d57a07bfe5bb29b80cd8b8fa24c9d1ea104124 , < 0fb15ae3b0a9221be01715dac0335647c79f3362 (git) |
| Linux | Linux | Affected: 5.19; Unaffected: 0 , < 5.19 (semver); Unaffected: 6.1.138 , ≤ 6.1.* (semver); Unaffected: 6.6.90 , ≤ 6.6.* (semver); Unaffected: 6.12.28 , ≤ 6.12.* (semver); Unaffected: 6.14.6 , ≤ 6.14.* (semver); Unaffected: 6.15 , ≤ * (original_commit_for_fix) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:57:05.151Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/08/msg00010.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/purelifi/plfxlc/mac.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "93d646911be1e5be20d4f5d6c48359464cef0097",
"status": "affected",
"version": "68d57a07bfe5bb29b80cd8b8fa24c9d1ea104124",
"versionType": "git"
},
{
"lessThan": "36a9a2647810e57e704dde59abdf831380ca9102",
"status": "affected",
"version": "68d57a07bfe5bb29b80cd8b8fa24c9d1ea104124",
"versionType": "git"
},
{
"lessThan": "791a2d9e87c411aec0b9b2fb735fd15e48af9de9",
"status": "affected",
"version": "68d57a07bfe5bb29b80cd8b8fa24c9d1ea104124",
"versionType": "git"
},
{
"lessThan": "9ecb4af39f80cdda3e57825923243ec11e48be6b",
"status": "affected",
"version": "68d57a07bfe5bb29b80cd8b8fa24c9d1ea104124",
"versionType": "git"
},
{
"lessThan": "0fb15ae3b0a9221be01715dac0335647c79f3362",
"status": "affected",
"version": "68d57a07bfe5bb29b80cd8b8fa24c9d1ea104124",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/purelifi/plfxlc/mac.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.19"
},
{
"lessThan": "5.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.138",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.90",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.28",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.14.*",
"status": "unaffected",
"version": "6.14.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.15",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.138",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.90",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.28",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14.6",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15",
"versionStartIncluding": "5.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: plfxlc: Remove erroneous assert in plfxlc_mac_release\n\nplfxlc_mac_release() asserts that mac-\u003elock is held. This assertion is\nincorrect, because even if it was possible, it would not be the valid\nbehaviour. The function is used when probe fails or after the device is\ndisconnected. In both cases mac-\u003elock can not be held as the driver is\nnot working with the device at the moment. All functions that use mac-\u003elock\nunlock it just after it was held. There is also no need to hold mac-\u003elock\nfor plfxlc_mac_release() itself, as mac data is not affected, except for\nmac-\u003eflags, which is modified atomically.\n\nThis bug leads to the following warning:\n================================================================\nWARNING: CPU: 0 PID: 127 at drivers/net/wireless/purelifi/plfxlc/mac.c:106 plfxlc_mac_release+0x7d/0xa0\nModules linked in:\nCPU: 0 PID: 127 Comm: kworker/0:2 Not tainted 6.1.124-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024\nWorkqueue: usb_hub_wq hub_event\nRIP: 0010:plfxlc_mac_release+0x7d/0xa0 drivers/net/wireless/purelifi/plfxlc/mac.c:106\nCall Trace:\n \u003cTASK\u003e\n probe+0x941/0xbd0 drivers/net/wireless/purelifi/plfxlc/usb.c:694\n usb_probe_interface+0x5c0/0xaf0 drivers/usb/core/driver.c:396\n really_probe+0x2ab/0xcb0 drivers/base/dd.c:639\n __driver_probe_device+0x1a2/0x3d0 drivers/base/dd.c:785\n driver_probe_device+0x50/0x420 drivers/base/dd.c:815\n __device_attach_driver+0x2cf/0x510 drivers/base/dd.c:943\n bus_for_each_drv+0x183/0x200 drivers/base/bus.c:429\n __device_attach+0x359/0x570 drivers/base/dd.c:1015\n bus_probe_device+0xba/0x1e0 drivers/base/bus.c:489\n device_add+0xb48/0xfd0 drivers/base/core.c:3696\n usb_set_configuration+0x19dd/0x2020 drivers/usb/core/message.c:2165\n usb_generic_driver_probe+0x84/0x140 drivers/usb/core/generic.c:238\n usb_probe_device+0x130/0x260 drivers/usb/core/driver.c:293\n really_probe+0x2ab/0xcb0 drivers/base/dd.c:639\n __driver_probe_device+0x1a2/0x3d0 drivers/base/dd.c:785\n driver_probe_device+0x50/0x420 drivers/base/dd.c:815\n __device_attach_driver+0x2cf/0x510 drivers/base/dd.c:943\n bus_for_each_drv+0x183/0x200 drivers/base/bus.c:429\n __device_attach+0x359/0x570 drivers/base/dd.c:1015\n bus_probe_device+0xba/0x1e0 drivers/base/bus.c:489\n device_add+0xb48/0xfd0 drivers/base/core.c:3696\n usb_new_device+0xbdd/0x18f0 drivers/usb/core/hub.c:2620\n hub_port_connect drivers/usb/core/hub.c:5477 [inline]\n hub_port_connect_change drivers/usb/core/hub.c:5617 [inline]\n port_event drivers/usb/core/hub.c:5773 [inline]\n hub_event+0x2efe/0x5730 drivers/usb/core/hub.c:5855\n process_one_work+0x8a9/0x11d0 kernel/workqueue.c:2292\n worker_thread+0xa47/0x1200 kernel/workqueue.c:2439\n kthread+0x28d/0x320 kernel/kthread.c:376\n ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295\n \u003c/TASK\u003e\n================================================================\n\nFound by Linux Verification Center (linuxtesting.org) with Syzkaller."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:17:14.625Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/93d646911be1e5be20d4f5d6c48359464cef0097"
},
{
"url": "https://git.kernel.org/stable/c/36a9a2647810e57e704dde59abdf831380ca9102"
},
{
"url": "https://git.kernel.org/stable/c/791a2d9e87c411aec0b9b2fb735fd15e48af9de9"
},
{
"url": "https://git.kernel.org/stable/c/9ecb4af39f80cdda3e57825923243ec11e48be6b"
},
{
"url": "https://git.kernel.org/stable/c/0fb15ae3b0a9221be01715dac0335647c79f3362"
}
],
"title": "wifi: plfxlc: Remove erroneous assert in plfxlc_mac_release",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-37897",
"datePublished": "2025-05-20T15:21:33.372Z",
"dateReserved": "2025-04-16T04:51:23.964Z",
"dateUpdated": "2026-05-11T21:17:14.625Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-37901 (GCVE-0-2025-37901)
Vulnerability from cvelistv5 – Published: 2025-05-20 15:21 – Updated: 2026-05-11 21:17
Title
irqchip/qcom-mpm: Prevent crash when trying to handle non-wake GPIOs
Summary
In the Linux kernel, the following vulnerability has been resolved:
irqchip/qcom-mpm: Prevent crash when trying to handle non-wake GPIOs
On Qualcomm chipsets not all GPIOs are wakeup capable. Those GPIOs do not
have a corresponding MPM pin and should not be handled inside the MPM
driver. The IRQ domain hierarchy is always applied, so it's required to
explicitly disconnect the hierarchy for those. The pinctrl-msm driver marks
these with GPIO_NO_WAKE_IRQ. qcom-pdc has a check for this, but
irq-qcom-mpm is currently missing the check. This is causing crashes when
setting up interrupts for non-wake GPIOs:
  root@rb1:~# gpiomon -c gpiochip1 10
  irq: IRQ159: trimming hierarchy from :soc@0:interrupt-controller@f200000-1
  Unable to handle kernel paging request at virtual address ffff8000a1dc3820
  Hardware name: Qualcomm Technologies, Inc. Robotics RB1 (DT)
  pc : mpm_set_type+0x80/0xcc
  lr : mpm_set_type+0x5c/0xcc
  Call trace:
   mpm_set_type+0x80/0xcc (P)
   qcom_mpm_set_type+0x64/0x158
   irq_chip_set_type_parent+0x20/0x38
   msm_gpio_irq_set_type+0x50/0x530
   __irq_set_trigger+0x60/0x184
   __setup_irq+0x304/0x6bc
   request_threaded_irq+0xc8/0x19c
   edge_detector_setup+0x260/0x364
   linereq_create+0x420/0x5a8
   gpio_ioctl+0x2d4/0x6c0
Fix this by copying the check for GPIO_NO_WAKE_IRQ from qcom-pdc.c, so that
MPM is removed entirely from the hierarchy for non-wake GPIOs.
Severity
No CVSS data available.
Assigner
References
6 references
Impacted products
2 products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: a6199bb514d8a63f61c2a22c1f912376e14d0fb2 , < 45aced97f01d5ab14c8a2a60f6748f18c501c3f5 (git); Affected: a6199bb514d8a63f61c2a22c1f912376e14d0fb2 , < dfbaecf7e38f5e9bfa5e47a1e525ffbb58bab8cf (git); Affected: a6199bb514d8a63f61c2a22c1f912376e14d0fb2 , < f102342360950b56959e5fff4a874ea88ae13758 (git); Affected: a6199bb514d8a63f61c2a22c1f912376e14d0fb2 , < d5c10448f411a925dd59005785cb971f0626e032 (git); Affected: a6199bb514d8a63f61c2a22c1f912376e14d0fb2 , < 38a05c0b87833f5b188ae43b428b1f792df2b384 (git) |
| Linux | Linux | Affected: 5.18; Unaffected: 0 , < 5.18 (semver); Unaffected: 6.1.138 , ≤ 6.1.* (semver); Unaffected: 6.6.90 , ≤ 6.6.* (semver); Unaffected: 6.12.28 , ≤ 6.12.* (semver); Unaffected: 6.14.6 , ≤ 6.14.* (semver); Unaffected: 6.15 , ≤ * (original_commit_for_fix) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:57:06.588Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/08/msg00010.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/irqchip/irq-qcom-mpm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "45aced97f01d5ab14c8a2a60f6748f18c501c3f5",
"status": "affected",
"version": "a6199bb514d8a63f61c2a22c1f912376e14d0fb2",
"versionType": "git"
},
{
"lessThan": "dfbaecf7e38f5e9bfa5e47a1e525ffbb58bab8cf",
"status": "affected",
"version": "a6199bb514d8a63f61c2a22c1f912376e14d0fb2",
"versionType": "git"
},
{
"lessThan": "f102342360950b56959e5fff4a874ea88ae13758",
"status": "affected",
"version": "a6199bb514d8a63f61c2a22c1f912376e14d0fb2",
"versionType": "git"
},
{
"lessThan": "d5c10448f411a925dd59005785cb971f0626e032",
"status": "affected",
"version": "a6199bb514d8a63f61c2a22c1f912376e14d0fb2",
"versionType": "git"
},
{
"lessThan": "38a05c0b87833f5b188ae43b428b1f792df2b384",
"status": "affected",
"version": "a6199bb514d8a63f61c2a22c1f912376e14d0fb2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/irqchip/irq-qcom-mpm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.18"
},
{
"lessThan": "5.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.138",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.90",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.28",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.14.*",
"status": "unaffected",
"version": "6.14.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.15",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.138",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.90",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.28",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14.6",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15",
"versionStartIncluding": "5.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nirqchip/qcom-mpm: Prevent crash when trying to handle non-wake GPIOs\n\nOn Qualcomm chipsets not all GPIOs are wakeup capable. Those GPIOs do not\nhave a corresponding MPM pin and should not be handled inside the MPM\ndriver. The IRQ domain hierarchy is always applied, so it\u0027s required to\nexplicitly disconnect the hierarchy for those. The pinctrl-msm driver marks\nthese with GPIO_NO_WAKE_IRQ. qcom-pdc has a check for this, but\nirq-qcom-mpm is currently missing the check. This is causing crashes when\nsetting up interrupts for non-wake GPIOs:\n\n root@rb1:~# gpiomon -c gpiochip1 10\n irq: IRQ159: trimming hierarchy from :soc@0:interrupt-controller@f200000-1\n Unable to handle kernel paging request at virtual address ffff8000a1dc3820\n Hardware name: Qualcomm Technologies, Inc. Robotics RB1 (DT)\n pc : mpm_set_type+0x80/0xcc\n lr : mpm_set_type+0x5c/0xcc\n Call trace:\n mpm_set_type+0x80/0xcc (P)\n qcom_mpm_set_type+0x64/0x158\n irq_chip_set_type_parent+0x20/0x38\n msm_gpio_irq_set_type+0x50/0x530\n __irq_set_trigger+0x60/0x184\n __setup_irq+0x304/0x6bc\n request_threaded_irq+0xc8/0x19c\n edge_detector_setup+0x260/0x364\n linereq_create+0x420/0x5a8\n gpio_ioctl+0x2d4/0x6c0\n\nFix this by copying the check for GPIO_NO_WAKE_IRQ from qcom-pdc.c, so that\nMPM is removed entirely from the hierarchy for non-wake GPIOs."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:17:19.240Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/45aced97f01d5ab14c8a2a60f6748f18c501c3f5"
},
{
"url": "https://git.kernel.org/stable/c/dfbaecf7e38f5e9bfa5e47a1e525ffbb58bab8cf"
},
{
"url": "https://git.kernel.org/stable/c/f102342360950b56959e5fff4a874ea88ae13758"
},
{
"url": "https://git.kernel.org/stable/c/d5c10448f411a925dd59005785cb971f0626e032"
},
{
"url": "https://git.kernel.org/stable/c/38a05c0b87833f5b188ae43b428b1f792df2b384"
}
],
"title": "irqchip/qcom-mpm: Prevent crash when trying to handle non-wake GPIOs",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-37901",
"datePublished": "2025-05-20T15:21:36.062Z",
"dateReserved": "2025-04-16T04:51:23.965Z",
"dateUpdated": "2026-05-11T21:17:19.240Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}