Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CERTFR-2025-AVI-0697
Vulnerability from certfr_avis - Published: 2025-08-14 - Updated: 2025-08-14
De multiples vulnérabilités ont été découvertes dans le noyau Linux de Debian LTS. Certaines d'entre elles permettent à un attaquant de provoquer une élévation de privilèges, une atteinte à la confidentialité des données et un déni de service.
Solutions
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
Impacted products
References
| Title | Publication Time | Tags | |||
|---|---|---|---|---|---|
|
|||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Debian LTS bullseye versions ant\u00e9rieures \u00e0 6.1.140-1~deb11u1",
"product": {
"name": "Debian",
"vendor": {
"name": "Debian",
"scada": false
}
}
}
],
"affected_systems_content": "",
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [
{
"name": "CVE-2024-36903",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-36903"
},
{
"name": "CVE-2024-53203",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-53203"
},
{
"name": "CVE-2025-37936",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-37936"
},
{
"name": "CVE-2025-21931",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21931"
},
{
"name": "CVE-2024-46751",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-46751"
},
{
"name": "CVE-2024-26807",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26807"
},
{
"name": "CVE-2024-26783",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26783"
},
{
"name": "CVE-2025-37917",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-37917"
},
{
"name": "CVE-2025-37961",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-37961"
},
{
"name": "CVE-2025-37953",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-37953"
},
{
"name": "CVE-2025-37819",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-37819"
},
{
"name": "CVE-2025-21839",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21839"
},
{
"name": "CVE-2025-38023",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38023"
},
{
"name": "CVE-2025-37924",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-37924"
},
{
"name": "CVE-2025-37927",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-37927"
},
{
"name": "CVE-2025-37897",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-37897"
},
{
"name": "CVE-2025-37911",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-37911"
},
{
"name": "CVE-2025-37930",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-37930"
},
{
"name": "CVE-2025-38027",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38027"
},
{
"name": "CVE-2025-38015",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38015"
},
{
"name": "CVE-2025-37912",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-37912"
},
{
"name": "CVE-2024-57945",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-57945"
},
{
"name": "CVE-2025-38095",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38095"
},
{
"name": "CVE-2025-38024",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38024"
},
{
"name": "CVE-2025-38005",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38005"
},
{
"name": "CVE-2025-21645",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21645"
},
{
"name": "CVE-2025-37969",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-37969"
},
{
"name": "CVE-2025-37921",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-37921"
},
{
"name": "CVE-2025-38007",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38007"
},
{
"name": "CVE-2025-37923",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-37923"
},
{
"name": "CVE-2025-22062",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22062"
},
{
"name": "CVE-2025-37964",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-37964"
},
{
"name": "CVE-2025-37915",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-37915"
},
{
"name": "CVE-2025-37903",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-37903"
},
{
"name": "CVE-2024-35790",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-35790"
},
{
"name": "CVE-2025-38018",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38018"
},
{
"name": "CVE-2025-37991",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-37991"
},
{
"name": "CVE-2024-36927",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-36927"
},
{
"name": "CVE-2024-43840",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-43840"
},
{
"name": "CVE-2025-37962",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-37962"
},
{
"name": "CVE-2025-37901",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-37901"
},
{
"name": "CVE-2024-28956",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-28956"
},
{
"name": "CVE-2025-37972",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-37972"
},
{
"name": "CVE-2025-37970",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-37970"
},
{
"name": "CVE-2025-37905",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-37905"
},
{
"name": "CVE-2025-38094",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38094"
},
{
"name": "CVE-2025-37967",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-37967"
},
{
"name": "CVE-2025-37949",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-37949"
},
{
"name": "CVE-2024-26618",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26618"
},
{
"name": "CVE-2025-37951",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-37951"
},
{
"name": "CVE-2025-37947",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-37947"
},
{
"name": "CVE-2025-37992",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-37992"
},
{
"name": "CVE-2025-37932",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-37932"
},
{
"name": "CVE-2025-37890",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-37890"
},
{
"name": "CVE-2025-37914",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-37914"
},
{
"name": "CVE-2025-37928",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-37928"
},
{
"name": "CVE-2025-37998",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-37998"
},
{
"name": "CVE-2025-38177",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38177"
},
{
"name": "CVE-2025-38009",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38009"
},
{
"name": "CVE-2025-37994",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-37994"
},
{
"name": "CVE-2025-37995",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-37995"
},
{
"name": "CVE-2025-37997",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-37997"
},
{
"name": "CVE-2025-37963",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-37963"
},
{
"name": "CVE-2025-37990",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-37990"
},
{
"name": "CVE-2025-37948",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-37948"
},
{
"name": "CVE-2025-37929",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-37929"
},
{
"name": "CVE-2025-37913",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-37913"
},
{
"name": "CVE-2025-37959",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-37959"
},
{
"name": "CVE-2025-37909",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-37909"
},
{
"name": "CVE-2024-53209",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-53209"
},
{
"name": "CVE-2025-38020",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38020"
}
],
"initial_release_date": "2025-08-14T00:00:00",
"last_revision_date": "2025-08-14T00:00:00",
"links": [],
"reference": "CERTFR-2025-AVI-0697",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2025-08-14T00:00:00.000000"
}
],
"risks": [
{
"description": "Non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur"
},
{
"description": "D\u00e9ni de service"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
},
{
"description": "\u00c9l\u00e9vation de privil\u00e8ges"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans le noyau Linux de Debian LTS. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer une \u00e9l\u00e9vation de privil\u00e8ges, une atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es et un d\u00e9ni de service.",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans le noyau Linux de Debian LTS",
"vendor_advisories": [
{
"published_at": "2025-08-13",
"title": "Bulletin de s\u00e9curit\u00e9 Debian LTS DLA-4271-1",
"url": "https://lists.debian.org/debian-lts-announce/2025/08/msg00010.html"
}
]
}
CVE-2025-37949 (GCVE-0-2025-37949)
Vulnerability from cvelistv5 – Published: 2025-05-20 16:01 – Updated: 2026-05-11 21:18
VLAI
EPSS
Title
xenbus: Use kref to track req lifetime
Summary
In the Linux kernel, the following vulnerability has been resolved:
xenbus: Use kref to track req lifetime
Marek reported seeing a NULL pointer fault in the xenbus_thread
callstack:
BUG: kernel NULL pointer dereference, address: 0000000000000000
RIP: e030:__wake_up_common+0x4c/0x180
Call Trace:
<TASK>
__wake_up_common_lock+0x82/0xd0
process_msg+0x18e/0x2f0
xenbus_thread+0x165/0x1c0
process_msg+0x18e is req->cb(req). req->cb is set to xs_wake_up(), a
thin wrapper around wake_up(), or xenbus_dev_queue_reply(). It seems
like it was xs_wake_up() in this case.
It seems like req may have woken up the xs_wait_for_reply(), which
kfree()ed the req. When xenbus_thread resumes, it faults on the zero-ed
data.
Linux Device Drivers 2nd edition states:
"Normally, a wake_up call can cause an immediate reschedule to happen,
meaning that other processes might run before wake_up returns."
... which would match the behaviour observed.
Change to keeping two krefs on each request. One for the caller, and
one for xenbus_thread. Each will kref_put() when finished, and the last
will free it.
This use of kref matches the description in
Documentation/core-api/kref.rst
Severity
No CVSS data available.
Assigner
References
10 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
fd8aa9095a95c02dcc35540a263267c29b8fda9d , < 0e94a246bb6d9538010b6c02d2b1d4717a97b2e5
(git)
Affected: fd8aa9095a95c02dcc35540a263267c29b8fda9d , < f1bcac367bc95631afbb918348f30dec887d0e1b (git) Affected: fd8aa9095a95c02dcc35540a263267c29b8fda9d , < 4d260a5558df4650eb87bc41b2c9ac2d6b2ba447 (git) Affected: fd8aa9095a95c02dcc35540a263267c29b8fda9d , < 8b02f85e84dc6f7c150cef40ddb69af5a25659e5 (git) Affected: fd8aa9095a95c02dcc35540a263267c29b8fda9d , < cbfaf46b88a4c01b64c4186cdccd766c19ae644c (git) Affected: fd8aa9095a95c02dcc35540a263267c29b8fda9d , < 8e9c8a0393b5f85f1820c565ab8105660f4e8f92 (git) Affected: fd8aa9095a95c02dcc35540a263267c29b8fda9d , < 2466b0f66795c3c426cacc8998499f38031dbb59 (git) Affected: fd8aa9095a95c02dcc35540a263267c29b8fda9d , < 1f0304dfd9d217c2f8b04a9ef4b3258a66eedd27 (git) |
|
| Linux | Linux |
Affected:
4.11
Unaffected: 0 , < 4.11 (semver) Unaffected: 5.4.294 , ≤ 5.4.* (semver) Unaffected: 5.10.238 , ≤ 5.10.* (semver) Unaffected: 5.15.183 , ≤ 5.15.* (semver) Unaffected: 6.1.139 , ≤ 6.1.* (semver) Unaffected: 6.6.91 , ≤ 6.6.* (semver) Unaffected: 6.12.29 , ≤ 6.12.* (semver) Unaffected: 6.14.7 , ≤ 6.14.* (semver) Unaffected: 6.15 , ≤ * (original_commit_for_fix) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:57:40.135Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/08/msg00010.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/xen/xenbus/xenbus.h",
"drivers/xen/xenbus/xenbus_comms.c",
"drivers/xen/xenbus/xenbus_dev_frontend.c",
"drivers/xen/xenbus/xenbus_xs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "0e94a246bb6d9538010b6c02d2b1d4717a97b2e5",
"status": "affected",
"version": "fd8aa9095a95c02dcc35540a263267c29b8fda9d",
"versionType": "git"
},
{
"lessThan": "f1bcac367bc95631afbb918348f30dec887d0e1b",
"status": "affected",
"version": "fd8aa9095a95c02dcc35540a263267c29b8fda9d",
"versionType": "git"
},
{
"lessThan": "4d260a5558df4650eb87bc41b2c9ac2d6b2ba447",
"status": "affected",
"version": "fd8aa9095a95c02dcc35540a263267c29b8fda9d",
"versionType": "git"
},
{
"lessThan": "8b02f85e84dc6f7c150cef40ddb69af5a25659e5",
"status": "affected",
"version": "fd8aa9095a95c02dcc35540a263267c29b8fda9d",
"versionType": "git"
},
{
"lessThan": "cbfaf46b88a4c01b64c4186cdccd766c19ae644c",
"status": "affected",
"version": "fd8aa9095a95c02dcc35540a263267c29b8fda9d",
"versionType": "git"
},
{
"lessThan": "8e9c8a0393b5f85f1820c565ab8105660f4e8f92",
"status": "affected",
"version": "fd8aa9095a95c02dcc35540a263267c29b8fda9d",
"versionType": "git"
},
{
"lessThan": "2466b0f66795c3c426cacc8998499f38031dbb59",
"status": "affected",
"version": "fd8aa9095a95c02dcc35540a263267c29b8fda9d",
"versionType": "git"
},
{
"lessThan": "1f0304dfd9d217c2f8b04a9ef4b3258a66eedd27",
"status": "affected",
"version": "fd8aa9095a95c02dcc35540a263267c29b8fda9d",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/xen/xenbus/xenbus.h",
"drivers/xen/xenbus/xenbus_comms.c",
"drivers/xen/xenbus/xenbus_dev_frontend.c",
"drivers/xen/xenbus/xenbus_xs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.11"
},
{
"lessThan": "4.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.294",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.238",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.183",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.139",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.91",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.29",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.14.*",
"status": "unaffected",
"version": "6.14.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.15",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.294",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.238",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.183",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.139",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.91",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.29",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14.7",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15",
"versionStartIncluding": "4.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nxenbus: Use kref to track req lifetime\n\nMarek reported seeing a NULL pointer fault in the xenbus_thread\ncallstack:\nBUG: kernel NULL pointer dereference, address: 0000000000000000\nRIP: e030:__wake_up_common+0x4c/0x180\nCall Trace:\n \u003cTASK\u003e\n __wake_up_common_lock+0x82/0xd0\n process_msg+0x18e/0x2f0\n xenbus_thread+0x165/0x1c0\n\nprocess_msg+0x18e is req-\u003ecb(req). req-\u003ecb is set to xs_wake_up(), a\nthin wrapper around wake_up(), or xenbus_dev_queue_reply(). It seems\nlike it was xs_wake_up() in this case.\n\nIt seems like req may have woken up the xs_wait_for_reply(), which\nkfree()ed the req. When xenbus_thread resumes, it faults on the zero-ed\ndata.\n\nLinux Device Drivers 2nd edition states:\n\"Normally, a wake_up call can cause an immediate reschedule to happen,\nmeaning that other processes might run before wake_up returns.\"\n... which would match the behaviour observed.\n\nChange to keeping two krefs on each request. One for the caller, and\none for xenbus_thread. Each will kref_put() when finished, and the last\nwill free it.\n\nThis use of kref matches the description in\nDocumentation/core-api/kref.rst"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:18:13.156Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/0e94a246bb6d9538010b6c02d2b1d4717a97b2e5"
},
{
"url": "https://git.kernel.org/stable/c/f1bcac367bc95631afbb918348f30dec887d0e1b"
},
{
"url": "https://git.kernel.org/stable/c/4d260a5558df4650eb87bc41b2c9ac2d6b2ba447"
},
{
"url": "https://git.kernel.org/stable/c/8b02f85e84dc6f7c150cef40ddb69af5a25659e5"
},
{
"url": "https://git.kernel.org/stable/c/cbfaf46b88a4c01b64c4186cdccd766c19ae644c"
},
{
"url": "https://git.kernel.org/stable/c/8e9c8a0393b5f85f1820c565ab8105660f4e8f92"
},
{
"url": "https://git.kernel.org/stable/c/2466b0f66795c3c426cacc8998499f38031dbb59"
},
{
"url": "https://git.kernel.org/stable/c/1f0304dfd9d217c2f8b04a9ef4b3258a66eedd27"
}
],
"title": "xenbus: Use kref to track req lifetime",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-37949",
"datePublished": "2025-05-20T16:01:45.242Z",
"dateReserved": "2025-04-16T04:51:23.972Z",
"dateUpdated": "2026-05-11T21:18:13.156Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-37951 (GCVE-0-2025-37951)
Vulnerability from cvelistv5 – Published: 2025-05-20 16:01 – Updated: 2026-05-11 21:18
VLAI
EPSS
Title
drm/v3d: Add job to pending list if the reset was skipped
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/v3d: Add job to pending list if the reset was skipped
When a CL/CSD job times out, we check if the GPU has made any progress
since the last timeout. If so, instead of resetting the hardware, we skip
the reset and let the timer get rearmed. This gives long-running jobs a
chance to complete.
However, when `timedout_job()` is called, the job in question is removed
from the pending list, which means it won't be automatically freed through
`free_job()`. Consequently, when we skip the reset and keep the job
running, the job won't be freed when it finally completes.
This situation leads to a memory leak, as exposed in [1] and [2].
Similarly to commit 704d3d60fec4 ("drm/etnaviv: don't block scheduler when
GPU is still active"), this patch ensures the job is put back on the
pending list when extending the timeout.
Severity
No CVSS data available.
Assigner
References
6 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
57692c94dcbe99a1e0444409a3da13fb3443562c , < 5235b56b7e5449d990d21d78723b1a5e7bb5738e
(git)
Affected: 57692c94dcbe99a1e0444409a3da13fb3443562c , < 12125f7d9c15e6d8ac91d10373b2db2f17dcf767 (git) Affected: 57692c94dcbe99a1e0444409a3da13fb3443562c , < a5f162727b91e480656da1876247a91f651f76de (git) Affected: 57692c94dcbe99a1e0444409a3da13fb3443562c , < 422a8b10ba42097a704d6909ada2956f880246f2 (git) Affected: 57692c94dcbe99a1e0444409a3da13fb3443562c , < 35e4079bf1a2570abffce6ababa631afcf8ea0e5 (git) |
|
| Linux | Linux |
Affected:
4.18
Unaffected: 0 , < 4.18 (semver) Unaffected: 6.1.139 , ≤ 6.1.* (semver) Unaffected: 6.6.91 , ≤ 6.6.* (semver) Unaffected: 6.12.29 , ≤ 6.12.* (semver) Unaffected: 6.14.7 , ≤ 6.14.* (semver) Unaffected: 6.15 , ≤ * (original_commit_for_fix) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:57:41.523Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/08/msg00010.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/v3d/v3d_sched.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5235b56b7e5449d990d21d78723b1a5e7bb5738e",
"status": "affected",
"version": "57692c94dcbe99a1e0444409a3da13fb3443562c",
"versionType": "git"
},
{
"lessThan": "12125f7d9c15e6d8ac91d10373b2db2f17dcf767",
"status": "affected",
"version": "57692c94dcbe99a1e0444409a3da13fb3443562c",
"versionType": "git"
},
{
"lessThan": "a5f162727b91e480656da1876247a91f651f76de",
"status": "affected",
"version": "57692c94dcbe99a1e0444409a3da13fb3443562c",
"versionType": "git"
},
{
"lessThan": "422a8b10ba42097a704d6909ada2956f880246f2",
"status": "affected",
"version": "57692c94dcbe99a1e0444409a3da13fb3443562c",
"versionType": "git"
},
{
"lessThan": "35e4079bf1a2570abffce6ababa631afcf8ea0e5",
"status": "affected",
"version": "57692c94dcbe99a1e0444409a3da13fb3443562c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/v3d/v3d_sched.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.18"
},
{
"lessThan": "4.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.139",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.91",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.29",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.14.*",
"status": "unaffected",
"version": "6.14.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.15",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.139",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.91",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.29",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14.7",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15",
"versionStartIncluding": "4.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/v3d: Add job to pending list if the reset was skipped\n\nWhen a CL/CSD job times out, we check if the GPU has made any progress\nsince the last timeout. If so, instead of resetting the hardware, we skip\nthe reset and let the timer get rearmed. This gives long-running jobs a\nchance to complete.\n\nHowever, when `timedout_job()` is called, the job in question is removed\nfrom the pending list, which means it won\u0027t be automatically freed through\n`free_job()`. Consequently, when we skip the reset and keep the job\nrunning, the job won\u0027t be freed when it finally completes.\n\nThis situation leads to a memory leak, as exposed in [1] and [2].\n\nSimilarly to commit 704d3d60fec4 (\"drm/etnaviv: don\u0027t block scheduler when\nGPU is still active\"), this patch ensures the job is put back on the\npending list when extending the timeout."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:18:15.521Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5235b56b7e5449d990d21d78723b1a5e7bb5738e"
},
{
"url": "https://git.kernel.org/stable/c/12125f7d9c15e6d8ac91d10373b2db2f17dcf767"
},
{
"url": "https://git.kernel.org/stable/c/a5f162727b91e480656da1876247a91f651f76de"
},
{
"url": "https://git.kernel.org/stable/c/422a8b10ba42097a704d6909ada2956f880246f2"
},
{
"url": "https://git.kernel.org/stable/c/35e4079bf1a2570abffce6ababa631afcf8ea0e5"
}
],
"title": "drm/v3d: Add job to pending list if the reset was skipped",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-37951",
"datePublished": "2025-05-20T16:01:46.555Z",
"dateReserved": "2025-04-16T04:51:23.973Z",
"dateUpdated": "2026-05-11T21:18:15.521Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-37953 (GCVE-0-2025-37953)
Vulnerability from cvelistv5 – Published: 2025-05-20 16:01 – Updated: 2026-05-11 21:18
VLAI
EPSS
Title
sch_htb: make htb_deactivate() idempotent
Summary
In the Linux kernel, the following vulnerability has been resolved:
sch_htb: make htb_deactivate() idempotent
Alan reported a NULL pointer dereference in htb_next_rb_node()
after we made htb_qlen_notify() idempotent.
It turns out in the following case it introduced some regression:
htb_dequeue_tree():
|-> fq_codel_dequeue()
|-> qdisc_tree_reduce_backlog()
|-> htb_qlen_notify()
|-> htb_deactivate()
|-> htb_next_rb_node()
|-> htb_deactivate()
For htb_next_rb_node(), after calling the 1st htb_deactivate(), the
clprio[prio]->ptr could be already set to NULL, which means
htb_next_rb_node() is vulnerable here.
For htb_deactivate(), although we checked qlen before calling it, in
case of qlen==0 after qdisc_tree_reduce_backlog(), we may call it again
which triggers the warning inside.
To fix the issues here, we need to:
1) Make htb_deactivate() idempotent, that is, simply return if we
already call it before.
2) Make htb_next_rb_node() safe against ptr==NULL.
Many thanks to Alan for testing and for the reproducer.
Severity
No CVSS data available.
Assigner
References
9 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
e6b45f4de763b00dc1c55e685e2dd1aaf525d3c1 , < 99ff8a20fd61315bf9ae627440a5ff07d22ee153
(git)
Affected: 32ae12ce6a9f6bace186ca7335220ff59b6cc3cd , < a9945f7cf1709adc5d2d31cb6cfc85627ce299a8 (git) Affected: 967955c9e57f8eebfccc298037d4aaf3d42bc1c9 , < c2d25fddd867ce20a266806634eeeb5c30cb520c (git) Affected: 73cf6af13153d62f9b76eff422eea79dbc70f15e , < c928dd4f6bf0c25c72b11824a1e9ac9bd37296a0 (git) Affected: bbbf5e0f87078b715e7a665d662a2c0e77f044ae , < 31ff70ad39485698cf779f2078132d80b57f6c07 (git) Affected: 0a188c0e197383683fd093ab1ea6ce9a5869a6ea , < 98cd7ed92753090a714f0802d4434314526fe61d (git) Affected: a61f1b5921761fbaf166231418bc1db301e5bf59 , < c4792b9e38d2f61b07eac72f10909fa76130314b (git) Affected: 5ba8b837b522d7051ef81bacf3d95383ff8edce5 , < 3769478610135e82b262640252d90f6efb05be71 (git) |
|
| Linux | Linux |
Affected:
6.1.138 , < 6.1.139
(semver)
Affected: 6.6.90 , < 6.6.91 (semver) Affected: 6.12.28 , < 6.12.29 (semver) Affected: 6.14.6 , < 6.14.7 (semver) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:57:42.885Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/08/msg00010.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/sched/sch_htb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "99ff8a20fd61315bf9ae627440a5ff07d22ee153",
"status": "affected",
"version": "e6b45f4de763b00dc1c55e685e2dd1aaf525d3c1",
"versionType": "git"
},
{
"lessThan": "a9945f7cf1709adc5d2d31cb6cfc85627ce299a8",
"status": "affected",
"version": "32ae12ce6a9f6bace186ca7335220ff59b6cc3cd",
"versionType": "git"
},
{
"lessThan": "c2d25fddd867ce20a266806634eeeb5c30cb520c",
"status": "affected",
"version": "967955c9e57f8eebfccc298037d4aaf3d42bc1c9",
"versionType": "git"
},
{
"lessThan": "c928dd4f6bf0c25c72b11824a1e9ac9bd37296a0",
"status": "affected",
"version": "73cf6af13153d62f9b76eff422eea79dbc70f15e",
"versionType": "git"
},
{
"lessThan": "31ff70ad39485698cf779f2078132d80b57f6c07",
"status": "affected",
"version": "bbbf5e0f87078b715e7a665d662a2c0e77f044ae",
"versionType": "git"
},
{
"lessThan": "98cd7ed92753090a714f0802d4434314526fe61d",
"status": "affected",
"version": "0a188c0e197383683fd093ab1ea6ce9a5869a6ea",
"versionType": "git"
},
{
"lessThan": "c4792b9e38d2f61b07eac72f10909fa76130314b",
"status": "affected",
"version": "a61f1b5921761fbaf166231418bc1db301e5bf59",
"versionType": "git"
},
{
"lessThan": "3769478610135e82b262640252d90f6efb05be71",
"status": "affected",
"version": "5ba8b837b522d7051ef81bacf3d95383ff8edce5",
"versionType": "git"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/sched/sch_htb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6.1.139",
"status": "affected",
"version": "6.1.138",
"versionType": "semver"
},
{
"lessThan": "6.6.91",
"status": "affected",
"version": "6.6.90",
"versionType": "semver"
},
{
"lessThan": "6.12.29",
"status": "affected",
"version": "6.12.28",
"versionType": "semver"
},
{
"lessThan": "6.14.7",
"status": "affected",
"version": "6.14.6",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.139",
"versionStartIncluding": "6.1.138",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.91",
"versionStartIncluding": "6.6.90",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.29",
"versionStartIncluding": "6.12.28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14.7",
"versionStartIncluding": "6.14.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsch_htb: make htb_deactivate() idempotent\n\nAlan reported a NULL pointer dereference in htb_next_rb_node()\nafter we made htb_qlen_notify() idempotent.\n\nIt turns out in the following case it introduced some regression:\n\nhtb_dequeue_tree():\n |-\u003e fq_codel_dequeue()\n |-\u003e qdisc_tree_reduce_backlog()\n |-\u003e htb_qlen_notify()\n |-\u003e htb_deactivate()\n |-\u003e htb_next_rb_node()\n |-\u003e htb_deactivate()\n\nFor htb_next_rb_node(), after calling the 1st htb_deactivate(), the\nclprio[prio]-\u003eptr could be already set to NULL, which means\nhtb_next_rb_node() is vulnerable here.\n\nFor htb_deactivate(), although we checked qlen before calling it, in\ncase of qlen==0 after qdisc_tree_reduce_backlog(), we may call it again\nwhich triggers the warning inside.\n\nTo fix the issues here, we need to:\n\n1) Make htb_deactivate() idempotent, that is, simply return if we\n already call it before.\n2) Make htb_next_rb_node() safe against ptr==NULL.\n\nMany thanks to Alan for testing and for the reproducer."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:18:17.815Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/99ff8a20fd61315bf9ae627440a5ff07d22ee153"
},
{
"url": "https://git.kernel.org/stable/c/a9945f7cf1709adc5d2d31cb6cfc85627ce299a8"
},
{
"url": "https://git.kernel.org/stable/c/c2d25fddd867ce20a266806634eeeb5c30cb520c"
},
{
"url": "https://git.kernel.org/stable/c/c928dd4f6bf0c25c72b11824a1e9ac9bd37296a0"
},
{
"url": "https://git.kernel.org/stable/c/31ff70ad39485698cf779f2078132d80b57f6c07"
},
{
"url": "https://git.kernel.org/stable/c/98cd7ed92753090a714f0802d4434314526fe61d"
},
{
"url": "https://git.kernel.org/stable/c/c4792b9e38d2f61b07eac72f10909fa76130314b"
},
{
"url": "https://git.kernel.org/stable/c/3769478610135e82b262640252d90f6efb05be71"
}
],
"title": "sch_htb: make htb_deactivate() idempotent",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-37953",
"datePublished": "2025-05-20T16:01:47.818Z",
"dateReserved": "2025-04-16T04:51:23.973Z",
"dateUpdated": "2026-05-11T21:18:17.815Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-37959 (GCVE-0-2025-37959)
Vulnerability from cvelistv5 – Published: 2025-05-20 16:01 – Updated: 2026-05-11 21:18
VLAI
EPSS
Title
bpf: Scrub packet on bpf_redirect_peer
Summary
In the Linux kernel, the following vulnerability has been resolved:
bpf: Scrub packet on bpf_redirect_peer
When bpf_redirect_peer is used to redirect packets to a device in
another network namespace, the skb isn't scrubbed. That can lead skb
information from one namespace to be "misused" in another namespace.
As one example, this is causing Cilium to drop traffic when using
bpf_redirect_peer to redirect packets that just went through IPsec
decryption to a container namespace. The following pwru trace shows (1)
the packet path from the host's XFRM layer to the container's XFRM
layer where it's dropped and (2) the number of active skb extensions at
each function.
NETNS MARK IFACE TUPLE FUNC
4026533547 d00 eth0 10.244.3.124:35473->10.244.2.158:53 xfrm_rcv_cb
.active_extensions = (__u8)2,
4026533547 d00 eth0 10.244.3.124:35473->10.244.2.158:53 xfrm4_rcv_cb
.active_extensions = (__u8)2,
4026533547 d00 eth0 10.244.3.124:35473->10.244.2.158:53 gro_cells_receive
.active_extensions = (__u8)2,
[...]
4026533547 0 eth0 10.244.3.124:35473->10.244.2.158:53 skb_do_redirect
.active_extensions = (__u8)2,
4026534999 0 eth0 10.244.3.124:35473->10.244.2.158:53 ip_rcv
.active_extensions = (__u8)2,
4026534999 0 eth0 10.244.3.124:35473->10.244.2.158:53 ip_rcv_core
.active_extensions = (__u8)2,
[...]
4026534999 0 eth0 10.244.3.124:35473->10.244.2.158:53 udp_queue_rcv_one_skb
.active_extensions = (__u8)2,
4026534999 0 eth0 10.244.3.124:35473->10.244.2.158:53 __xfrm_policy_check
.active_extensions = (__u8)2,
4026534999 0 eth0 10.244.3.124:35473->10.244.2.158:53 __xfrm_decode_session
.active_extensions = (__u8)2,
4026534999 0 eth0 10.244.3.124:35473->10.244.2.158:53 security_xfrm_decode_session
.active_extensions = (__u8)2,
4026534999 0 eth0 10.244.3.124:35473->10.244.2.158:53 kfree_skb_reason(SKB_DROP_REASON_XFRM_POLICY)
.active_extensions = (__u8)2,
In this case, there are no XFRM policies in the container's network
namespace so the drop is unexpected. When we decrypt the IPsec packet,
the XFRM state used for decryption is set in the skb extensions. This
information is preserved across the netns switch. When we reach the
XFRM policy check in the container's netns, __xfrm_policy_check drops
the packet with LINUX_MIB_XFRMINNOPOLS because a (container-side) XFRM
policy can't be found that matches the (host-side) XFRM state used for
decryption.
This patch fixes this by scrubbing the packet when using
bpf_redirect_peer, as is done on typical netns switches via veth
devices except skb->mark and skb->tstamp are not zeroed.
Severity
No CVSS data available.
Assigner
References
6 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
9aa1206e8f48222f35a0c809f33b2f4aaa1e2661 , < de1067cc8cf0e8c11ae20cbe5c467aef19d04ded
(git)
Affected: 9aa1206e8f48222f35a0c809f33b2f4aaa1e2661 , < 355b0526336c0bf2bf7feaca033568ede524f763 (git) Affected: 9aa1206e8f48222f35a0c809f33b2f4aaa1e2661 , < b37e54259cab4f78b53953d6f6268b85f07bef3e (git) Affected: 9aa1206e8f48222f35a0c809f33b2f4aaa1e2661 , < 9e15ef33ba39fb6d9d1f51445957f16983a9437a (git) Affected: 9aa1206e8f48222f35a0c809f33b2f4aaa1e2661 , < c4327229948879814229b46aa26a750718888503 (git) |
|
| Linux | Linux |
Affected:
5.10
Unaffected: 0 , < 5.10 (semver) Unaffected: 6.1.139 , ≤ 6.1.* (semver) Unaffected: 6.6.91 , ≤ 6.6.* (semver) Unaffected: 6.12.29 , ≤ 6.12.* (semver) Unaffected: 6.14.7 , ≤ 6.14.* (semver) Unaffected: 6.15 , ≤ * (original_commit_for_fix) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:57:44.271Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/08/msg00010.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/core/filter.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "de1067cc8cf0e8c11ae20cbe5c467aef19d04ded",
"status": "affected",
"version": "9aa1206e8f48222f35a0c809f33b2f4aaa1e2661",
"versionType": "git"
},
{
"lessThan": "355b0526336c0bf2bf7feaca033568ede524f763",
"status": "affected",
"version": "9aa1206e8f48222f35a0c809f33b2f4aaa1e2661",
"versionType": "git"
},
{
"lessThan": "b37e54259cab4f78b53953d6f6268b85f07bef3e",
"status": "affected",
"version": "9aa1206e8f48222f35a0c809f33b2f4aaa1e2661",
"versionType": "git"
},
{
"lessThan": "9e15ef33ba39fb6d9d1f51445957f16983a9437a",
"status": "affected",
"version": "9aa1206e8f48222f35a0c809f33b2f4aaa1e2661",
"versionType": "git"
},
{
"lessThan": "c4327229948879814229b46aa26a750718888503",
"status": "affected",
"version": "9aa1206e8f48222f35a0c809f33b2f4aaa1e2661",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/core/filter.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.10"
},
{
"lessThan": "5.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.139",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.91",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.29",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.14.*",
"status": "unaffected",
"version": "6.14.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.15",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.139",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.91",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.29",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14.7",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15",
"versionStartIncluding": "5.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Scrub packet on bpf_redirect_peer\n\nWhen bpf_redirect_peer is used to redirect packets to a device in\nanother network namespace, the skb isn\u0027t scrubbed. That can lead skb\ninformation from one namespace to be \"misused\" in another namespace.\n\nAs one example, this is causing Cilium to drop traffic when using\nbpf_redirect_peer to redirect packets that just went through IPsec\ndecryption to a container namespace. The following pwru trace shows (1)\nthe packet path from the host\u0027s XFRM layer to the container\u0027s XFRM\nlayer where it\u0027s dropped and (2) the number of active skb extensions at\neach function.\n\n NETNS MARK IFACE TUPLE FUNC\n 4026533547 d00 eth0 10.244.3.124:35473-\u003e10.244.2.158:53 xfrm_rcv_cb\n .active_extensions = (__u8)2,\n 4026533547 d00 eth0 10.244.3.124:35473-\u003e10.244.2.158:53 xfrm4_rcv_cb\n .active_extensions = (__u8)2,\n 4026533547 d00 eth0 10.244.3.124:35473-\u003e10.244.2.158:53 gro_cells_receive\n .active_extensions = (__u8)2,\n [...]\n 4026533547 0 eth0 10.244.3.124:35473-\u003e10.244.2.158:53 skb_do_redirect\n .active_extensions = (__u8)2,\n 4026534999 0 eth0 10.244.3.124:35473-\u003e10.244.2.158:53 ip_rcv\n .active_extensions = (__u8)2,\n 4026534999 0 eth0 10.244.3.124:35473-\u003e10.244.2.158:53 ip_rcv_core\n .active_extensions = (__u8)2,\n [...]\n 4026534999 0 eth0 10.244.3.124:35473-\u003e10.244.2.158:53 udp_queue_rcv_one_skb\n .active_extensions = (__u8)2,\n 4026534999 0 eth0 10.244.3.124:35473-\u003e10.244.2.158:53 __xfrm_policy_check\n .active_extensions = (__u8)2,\n 4026534999 0 eth0 10.244.3.124:35473-\u003e10.244.2.158:53 __xfrm_decode_session\n .active_extensions = (__u8)2,\n 4026534999 0 eth0 10.244.3.124:35473-\u003e10.244.2.158:53 security_xfrm_decode_session\n .active_extensions = (__u8)2,\n 4026534999 0 eth0 10.244.3.124:35473-\u003e10.244.2.158:53 kfree_skb_reason(SKB_DROP_REASON_XFRM_POLICY)\n .active_extensions = (__u8)2,\n\nIn this case, there are no XFRM policies in the container\u0027s network\nnamespace so the drop is unexpected. When we decrypt the IPsec packet,\nthe XFRM state used for decryption is set in the skb extensions. This\ninformation is preserved across the netns switch. When we reach the\nXFRM policy check in the container\u0027s netns, __xfrm_policy_check drops\nthe packet with LINUX_MIB_XFRMINNOPOLS because a (container-side) XFRM\npolicy can\u0027t be found that matches the (host-side) XFRM state used for\ndecryption.\n\nThis patch fixes this by scrubbing the packet when using\nbpf_redirect_peer, as is done on typical netns switches via veth\ndevices except skb-\u003emark and skb-\u003etstamp are not zeroed."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:18:24.762Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/de1067cc8cf0e8c11ae20cbe5c467aef19d04ded"
},
{
"url": "https://git.kernel.org/stable/c/355b0526336c0bf2bf7feaca033568ede524f763"
},
{
"url": "https://git.kernel.org/stable/c/b37e54259cab4f78b53953d6f6268b85f07bef3e"
},
{
"url": "https://git.kernel.org/stable/c/9e15ef33ba39fb6d9d1f51445957f16983a9437a"
},
{
"url": "https://git.kernel.org/stable/c/c4327229948879814229b46aa26a750718888503"
}
],
"title": "bpf: Scrub packet on bpf_redirect_peer",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-37959",
"datePublished": "2025-05-20T16:01:52.547Z",
"dateReserved": "2025-04-16T04:51:23.974Z",
"dateUpdated": "2026-05-11T21:18:24.762Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-37961 (GCVE-0-2025-37961)
Vulnerability from cvelistv5 – Published: 2025-05-20 16:01 – Updated: 2026-05-23 15:58
VLAI
EPSS
Title
ipvs: fix uninit-value for saddr in do_output_route4
Summary
In the Linux kernel, the following vulnerability has been resolved:
ipvs: fix uninit-value for saddr in do_output_route4
syzbot reports for uninit-value for the saddr argument [1].
commit 4754957f04f5 ("ipvs: do not use random local source address for
tunnels") already implies that the input value of saddr
should be ignored but the code is still reading it which can prevent
to connect the route. Fix it by changing the argument to ret_saddr.
[1]
BUG: KMSAN: uninit-value in do_output_route4+0x42c/0x4d0 net/netfilter/ipvs/ip_vs_xmit.c:147
do_output_route4+0x42c/0x4d0 net/netfilter/ipvs/ip_vs_xmit.c:147
__ip_vs_get_out_rt+0x403/0x21d0 net/netfilter/ipvs/ip_vs_xmit.c:330
ip_vs_tunnel_xmit+0x205/0x2380 net/netfilter/ipvs/ip_vs_xmit.c:1136
ip_vs_in_hook+0x1aa5/0x35b0 net/netfilter/ipvs/ip_vs_core.c:2063
nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline]
nf_hook_slow+0xf7/0x400 net/netfilter/core.c:626
nf_hook include/linux/netfilter.h:269 [inline]
__ip_local_out+0x758/0x7e0 net/ipv4/ip_output.c:118
ip_local_out net/ipv4/ip_output.c:127 [inline]
ip_send_skb+0x6a/0x3c0 net/ipv4/ip_output.c:1501
udp_send_skb+0xfda/0x1b70 net/ipv4/udp.c:1195
udp_sendmsg+0x2fe3/0x33c0 net/ipv4/udp.c:1483
inet_sendmsg+0x1fc/0x280 net/ipv4/af_inet.c:851
sock_sendmsg_nosec net/socket.c:712 [inline]
__sock_sendmsg+0x267/0x380 net/socket.c:727
____sys_sendmsg+0x91b/0xda0 net/socket.c:2566
___sys_sendmsg+0x28d/0x3c0 net/socket.c:2620
__sys_sendmmsg+0x41d/0x880 net/socket.c:2702
__compat_sys_sendmmsg net/compat.c:360 [inline]
__do_compat_sys_sendmmsg net/compat.c:367 [inline]
__se_compat_sys_sendmmsg net/compat.c:364 [inline]
__ia32_compat_sys_sendmmsg+0xc8/0x140 net/compat.c:364
ia32_sys_call+0x3ffa/0x41f0 arch/x86/include/generated/asm/syscalls_32.h:346
do_syscall_32_irqs_on arch/x86/entry/syscall_32.c:83 [inline]
__do_fast_syscall_32+0xb0/0x110 arch/x86/entry/syscall_32.c:306
do_fast_syscall_32+0x38/0x80 arch/x86/entry/syscall_32.c:331
do_SYSENTER_32+0x1f/0x30 arch/x86/entry/syscall_32.c:369
entry_SYSENTER_compat_after_hwframe+0x84/0x8e
Uninit was created at:
slab_post_alloc_hook mm/slub.c:4167 [inline]
slab_alloc_node mm/slub.c:4210 [inline]
__kmalloc_cache_noprof+0x8fa/0xe00 mm/slub.c:4367
kmalloc_noprof include/linux/slab.h:905 [inline]
ip_vs_dest_dst_alloc net/netfilter/ipvs/ip_vs_xmit.c:61 [inline]
__ip_vs_get_out_rt+0x35d/0x21d0 net/netfilter/ipvs/ip_vs_xmit.c:323
ip_vs_tunnel_xmit+0x205/0x2380 net/netfilter/ipvs/ip_vs_xmit.c:1136
ip_vs_in_hook+0x1aa5/0x35b0 net/netfilter/ipvs/ip_vs_core.c:2063
nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline]
nf_hook_slow+0xf7/0x400 net/netfilter/core.c:626
nf_hook include/linux/netfilter.h:269 [inline]
__ip_local_out+0x758/0x7e0 net/ipv4/ip_output.c:118
ip_local_out net/ipv4/ip_output.c:127 [inline]
ip_send_skb+0x6a/0x3c0 net/ipv4/ip_output.c:1501
udp_send_skb+0xfda/0x1b70 net/ipv4/udp.c:1195
udp_sendmsg+0x2fe3/0x33c0 net/ipv4/udp.c:1483
inet_sendmsg+0x1fc/0x280 net/ipv4/af_inet.c:851
sock_sendmsg_nosec net/socket.c:712 [inline]
__sock_sendmsg+0x267/0x380 net/socket.c:727
____sys_sendmsg+0x91b/0xda0 net/socket.c:2566
___sys_sendmsg+0x28d/0x3c0 net/socket.c:2620
__sys_sendmmsg+0x41d/0x880 net/socket.c:2702
__compat_sys_sendmmsg net/compat.c:360 [inline]
__do_compat_sys_sendmmsg net/compat.c:367 [inline]
__se_compat_sys_sendmmsg net/compat.c:364 [inline]
__ia32_compat_sys_sendmmsg+0xc8/0x140 net/compat.c:364
ia32_sys_call+0x3ffa/0x41f0 arch/x86/include/generated/asm/syscalls_32.h:346
do_syscall_32_irqs_on arch/x86/entry/syscall_32.c:83 [inline]
__do_fast_syscall_32+0xb0/0x110 arch/x86/entry/syscall_32.c:306
do_fast_syscall_32+0x38/0x80 arch/x86/entry/syscall_32.c:331
do_SYSENTER_32+0x1f/0x30 arch/x86/entry/syscall_32.c:369
entry_SYSENTER_compat_after_hwframe+0x84/0x8e
CPU: 0 UID: 0 PID: 22408 Comm: syz.4.5165 Not tainted 6.15.0-rc3-syzkaller-00019-gbc3372351d0c #0 PREEMPT(undef)
Hardware name: Google Google Compute Engi
---truncated---
Severity
No CVSS data available.
Assigner
References
6 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
4754957f04f5f368792a0eb7dab0ae89fb93dcfd , < 7d0032112a0380d0b8d7c9005f621928a9b9fc76
(git)
Affected: 4754957f04f5f368792a0eb7dab0ae89fb93dcfd , < adbc8cc1162951cb152ed7f147d5fbd35ce3e62f (git) Affected: 4754957f04f5f368792a0eb7dab0ae89fb93dcfd , < 0160ac84fb03a0bd8dce8a42cb25bfaeedd110f4 (git) Affected: 4754957f04f5f368792a0eb7dab0ae89fb93dcfd , < a3a1b784791a3cbfc6e05c4d8a3c321ac5136e25 (git) Affected: 4754957f04f5f368792a0eb7dab0ae89fb93dcfd , < e34090d7214e0516eb8722aee295cb2507317c07 (git) Affected: 212c45ac20229c1752dd56fa38e9a8d57127974b (git) Affected: 2f0c79dd1e9d55a279b0a8e363717b7a896fe7b4 (git) Affected: cc2b6a186da7580d4557e7175c5ab4b18d9a57f0 (git) Affected: e89e653311ac2c9f37ceb778212ae4dbe1104091 (git) Affected: f1d62fb20245bc89d6ba93d829763450250a592b (git) Affected: 3.10.91 , < 3.11 (semver) Affected: 3.12.50 , < 3.13 (semver) Affected: 3.14.55 , < 3.15 (semver) Affected: 3.18.23 , < 3.19 (semver) Affected: 4.1.11 , < 4.2 (semver) |
|
| Linux | Linux |
Affected:
4.2
Unaffected: 0 , < 4.2 (semver) Unaffected: 6.1.139 , ≤ 6.1.* (semver) Unaffected: 6.6.91 , ≤ 6.6.* (semver) Unaffected: 6.12.29 , ≤ 6.12.* (semver) Unaffected: 6.14.7 , ≤ 6.14.* (semver) Unaffected: 6.15 , ≤ * (original_commit_for_fix) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:57:45.651Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/08/msg00010.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/netfilter/ipvs/ip_vs_xmit.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "7d0032112a0380d0b8d7c9005f621928a9b9fc76",
"status": "affected",
"version": "4754957f04f5f368792a0eb7dab0ae89fb93dcfd",
"versionType": "git"
},
{
"lessThan": "adbc8cc1162951cb152ed7f147d5fbd35ce3e62f",
"status": "affected",
"version": "4754957f04f5f368792a0eb7dab0ae89fb93dcfd",
"versionType": "git"
},
{
"lessThan": "0160ac84fb03a0bd8dce8a42cb25bfaeedd110f4",
"status": "affected",
"version": "4754957f04f5f368792a0eb7dab0ae89fb93dcfd",
"versionType": "git"
},
{
"lessThan": "a3a1b784791a3cbfc6e05c4d8a3c321ac5136e25",
"status": "affected",
"version": "4754957f04f5f368792a0eb7dab0ae89fb93dcfd",
"versionType": "git"
},
{
"lessThan": "e34090d7214e0516eb8722aee295cb2507317c07",
"status": "affected",
"version": "4754957f04f5f368792a0eb7dab0ae89fb93dcfd",
"versionType": "git"
},
{
"status": "affected",
"version": "212c45ac20229c1752dd56fa38e9a8d57127974b",
"versionType": "git"
},
{
"status": "affected",
"version": "2f0c79dd1e9d55a279b0a8e363717b7a896fe7b4",
"versionType": "git"
},
{
"status": "affected",
"version": "cc2b6a186da7580d4557e7175c5ab4b18d9a57f0",
"versionType": "git"
},
{
"status": "affected",
"version": "e89e653311ac2c9f37ceb778212ae4dbe1104091",
"versionType": "git"
},
{
"status": "affected",
"version": "f1d62fb20245bc89d6ba93d829763450250a592b",
"versionType": "git"
},
{
"lessThan": "3.11",
"status": "affected",
"version": "3.10.91",
"versionType": "semver"
},
{
"lessThan": "3.13",
"status": "affected",
"version": "3.12.50",
"versionType": "semver"
},
{
"lessThan": "3.15",
"status": "affected",
"version": "3.14.55",
"versionType": "semver"
},
{
"lessThan": "3.19",
"status": "affected",
"version": "3.18.23",
"versionType": "semver"
},
{
"lessThan": "4.2",
"status": "affected",
"version": "4.1.11",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/netfilter/ipvs/ip_vs_xmit.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.2"
},
{
"lessThan": "4.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.139",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.91",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.29",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.14.*",
"status": "unaffected",
"version": "6.14.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.15",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.139",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.91",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.29",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14.7",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.10.91",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.12.50",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.14.55",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.18.23",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.1.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nipvs: fix uninit-value for saddr in do_output_route4\n\nsyzbot reports for uninit-value for the saddr argument [1].\ncommit 4754957f04f5 (\"ipvs: do not use random local source address for\ntunnels\") already implies that the input value of saddr\nshould be ignored but the code is still reading it which can prevent\nto connect the route. Fix it by changing the argument to ret_saddr.\n\n[1]\nBUG: KMSAN: uninit-value in do_output_route4+0x42c/0x4d0 net/netfilter/ipvs/ip_vs_xmit.c:147\n do_output_route4+0x42c/0x4d0 net/netfilter/ipvs/ip_vs_xmit.c:147\n __ip_vs_get_out_rt+0x403/0x21d0 net/netfilter/ipvs/ip_vs_xmit.c:330\n ip_vs_tunnel_xmit+0x205/0x2380 net/netfilter/ipvs/ip_vs_xmit.c:1136\n ip_vs_in_hook+0x1aa5/0x35b0 net/netfilter/ipvs/ip_vs_core.c:2063\n nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline]\n nf_hook_slow+0xf7/0x400 net/netfilter/core.c:626\n nf_hook include/linux/netfilter.h:269 [inline]\n __ip_local_out+0x758/0x7e0 net/ipv4/ip_output.c:118\n ip_local_out net/ipv4/ip_output.c:127 [inline]\n ip_send_skb+0x6a/0x3c0 net/ipv4/ip_output.c:1501\n udp_send_skb+0xfda/0x1b70 net/ipv4/udp.c:1195\n udp_sendmsg+0x2fe3/0x33c0 net/ipv4/udp.c:1483\n inet_sendmsg+0x1fc/0x280 net/ipv4/af_inet.c:851\n sock_sendmsg_nosec net/socket.c:712 [inline]\n __sock_sendmsg+0x267/0x380 net/socket.c:727\n ____sys_sendmsg+0x91b/0xda0 net/socket.c:2566\n ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2620\n __sys_sendmmsg+0x41d/0x880 net/socket.c:2702\n __compat_sys_sendmmsg net/compat.c:360 [inline]\n __do_compat_sys_sendmmsg net/compat.c:367 [inline]\n __se_compat_sys_sendmmsg net/compat.c:364 [inline]\n __ia32_compat_sys_sendmmsg+0xc8/0x140 net/compat.c:364\n ia32_sys_call+0x3ffa/0x41f0 arch/x86/include/generated/asm/syscalls_32.h:346\n do_syscall_32_irqs_on arch/x86/entry/syscall_32.c:83 [inline]\n __do_fast_syscall_32+0xb0/0x110 arch/x86/entry/syscall_32.c:306\n do_fast_syscall_32+0x38/0x80 arch/x86/entry/syscall_32.c:331\n do_SYSENTER_32+0x1f/0x30 arch/x86/entry/syscall_32.c:369\n entry_SYSENTER_compat_after_hwframe+0x84/0x8e\n\nUninit was created at:\n slab_post_alloc_hook mm/slub.c:4167 [inline]\n slab_alloc_node mm/slub.c:4210 [inline]\n __kmalloc_cache_noprof+0x8fa/0xe00 mm/slub.c:4367\n kmalloc_noprof include/linux/slab.h:905 [inline]\n ip_vs_dest_dst_alloc net/netfilter/ipvs/ip_vs_xmit.c:61 [inline]\n __ip_vs_get_out_rt+0x35d/0x21d0 net/netfilter/ipvs/ip_vs_xmit.c:323\n ip_vs_tunnel_xmit+0x205/0x2380 net/netfilter/ipvs/ip_vs_xmit.c:1136\n ip_vs_in_hook+0x1aa5/0x35b0 net/netfilter/ipvs/ip_vs_core.c:2063\n nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline]\n nf_hook_slow+0xf7/0x400 net/netfilter/core.c:626\n nf_hook include/linux/netfilter.h:269 [inline]\n __ip_local_out+0x758/0x7e0 net/ipv4/ip_output.c:118\n ip_local_out net/ipv4/ip_output.c:127 [inline]\n ip_send_skb+0x6a/0x3c0 net/ipv4/ip_output.c:1501\n udp_send_skb+0xfda/0x1b70 net/ipv4/udp.c:1195\n udp_sendmsg+0x2fe3/0x33c0 net/ipv4/udp.c:1483\n inet_sendmsg+0x1fc/0x280 net/ipv4/af_inet.c:851\n sock_sendmsg_nosec net/socket.c:712 [inline]\n __sock_sendmsg+0x267/0x380 net/socket.c:727\n ____sys_sendmsg+0x91b/0xda0 net/socket.c:2566\n ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2620\n __sys_sendmmsg+0x41d/0x880 net/socket.c:2702\n __compat_sys_sendmmsg net/compat.c:360 [inline]\n __do_compat_sys_sendmmsg net/compat.c:367 [inline]\n __se_compat_sys_sendmmsg net/compat.c:364 [inline]\n __ia32_compat_sys_sendmmsg+0xc8/0x140 net/compat.c:364\n ia32_sys_call+0x3ffa/0x41f0 arch/x86/include/generated/asm/syscalls_32.h:346\n do_syscall_32_irqs_on arch/x86/entry/syscall_32.c:83 [inline]\n __do_fast_syscall_32+0xb0/0x110 arch/x86/entry/syscall_32.c:306\n do_fast_syscall_32+0x38/0x80 arch/x86/entry/syscall_32.c:331\n do_SYSENTER_32+0x1f/0x30 arch/x86/entry/syscall_32.c:369\n entry_SYSENTER_compat_after_hwframe+0x84/0x8e\n\nCPU: 0 UID: 0 PID: 22408 Comm: syz.4.5165 Not tainted 6.15.0-rc3-syzkaller-00019-gbc3372351d0c #0 PREEMPT(undef)\nHardware name: Google Google Compute Engi\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-23T15:58:40.848Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/7d0032112a0380d0b8d7c9005f621928a9b9fc76"
},
{
"url": "https://git.kernel.org/stable/c/adbc8cc1162951cb152ed7f147d5fbd35ce3e62f"
},
{
"url": "https://git.kernel.org/stable/c/0160ac84fb03a0bd8dce8a42cb25bfaeedd110f4"
},
{
"url": "https://git.kernel.org/stable/c/a3a1b784791a3cbfc6e05c4d8a3c321ac5136e25"
},
{
"url": "https://git.kernel.org/stable/c/e34090d7214e0516eb8722aee295cb2507317c07"
}
],
"title": "ipvs: fix uninit-value for saddr in do_output_route4",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-37961",
"datePublished": "2025-05-20T16:01:53.940Z",
"dateReserved": "2025-04-16T04:51:23.974Z",
"dateUpdated": "2026-05-23T15:58:40.848Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-37962 (GCVE-0-2025-37962)
Vulnerability from cvelistv5 – Published: 2025-05-20 16:01 – Updated: 2026-05-23 15:58
VLAI
EPSS
Title
ksmbd: fix memory leak in parse_lease_state()
Summary
In the Linux kernel, the following vulnerability has been resolved:
ksmbd: fix memory leak in parse_lease_state()
The previous patch that added bounds check for create lease context
introduced a memory leak. When the bounds check fails, the function
returns NULL without freeing the previously allocated lease_ctx_info
structure.
This patch fixes the issue by adding kfree(lreq) before returning NULL
in both boundary check cases.
Severity
No CVSS data available.
Assigner
References
6 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
629dd37acc336ad778979361c351e782053ea284 , < facf22c1a394c1e023dab5daf9a494f722771e1c
(git)
Affected: 60b7207893a8a06c78441934931a08fdad63f18e , < af9e2d4732a548db8f6f5a90c2c20a789a3d7240 (git) Affected: 800c482c9ef5910f05e3a713943c67cc6c1d4939 , < 2148d34371b06dac696c0497a98a6bf905a51650 (git) Affected: 9a1b6ea955e6c7b29939a6d98701202f9d9644ec , < 829e19ef741d9e9932abdc3bee5466195e0852cf (git) Affected: bab703ed8472aa9d109c5f8c1863921533363dae , < eb4447bcce915b43b691123118893fca4f372a8f (git) Affected: a41cd52f00907a040ca22c73d4805bb79b0d0972 (git) Affected: 6.13.11 , < 6.14 (semver) |
|
| Linux | Linux |
Affected:
6.1.134 , < 6.1.139
(semver)
Affected: 6.6.87 , < 6.6.91 (semver) Affected: 6.12.23 , < 6.12.29 (semver) Affected: 6.14.2 , < 6.14.7 (semver) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:57:47.028Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/08/msg00010.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/smb/server/oplock.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "facf22c1a394c1e023dab5daf9a494f722771e1c",
"status": "affected",
"version": "629dd37acc336ad778979361c351e782053ea284",
"versionType": "git"
},
{
"lessThan": "af9e2d4732a548db8f6f5a90c2c20a789a3d7240",
"status": "affected",
"version": "60b7207893a8a06c78441934931a08fdad63f18e",
"versionType": "git"
},
{
"lessThan": "2148d34371b06dac696c0497a98a6bf905a51650",
"status": "affected",
"version": "800c482c9ef5910f05e3a713943c67cc6c1d4939",
"versionType": "git"
},
{
"lessThan": "829e19ef741d9e9932abdc3bee5466195e0852cf",
"status": "affected",
"version": "9a1b6ea955e6c7b29939a6d98701202f9d9644ec",
"versionType": "git"
},
{
"lessThan": "eb4447bcce915b43b691123118893fca4f372a8f",
"status": "affected",
"version": "bab703ed8472aa9d109c5f8c1863921533363dae",
"versionType": "git"
},
{
"status": "affected",
"version": "a41cd52f00907a040ca22c73d4805bb79b0d0972",
"versionType": "git"
},
{
"lessThan": "6.14",
"status": "affected",
"version": "6.13.11",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/smb/server/oplock.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6.1.139",
"status": "affected",
"version": "6.1.134",
"versionType": "semver"
},
{
"lessThan": "6.6.91",
"status": "affected",
"version": "6.6.87",
"versionType": "semver"
},
{
"lessThan": "6.12.29",
"status": "affected",
"version": "6.12.23",
"versionType": "semver"
},
{
"lessThan": "6.14.7",
"status": "affected",
"version": "6.14.2",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.139",
"versionStartIncluding": "6.1.134",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.91",
"versionStartIncluding": "6.6.87",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.29",
"versionStartIncluding": "6.12.23",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14.7",
"versionStartIncluding": "6.14.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.13.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix memory leak in parse_lease_state()\n\nThe previous patch that added bounds check for create lease context\nintroduced a memory leak. When the bounds check fails, the function\nreturns NULL without freeing the previously allocated lease_ctx_info\nstructure.\n\nThis patch fixes the issue by adding kfree(lreq) before returning NULL\nin both boundary check cases."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-23T15:58:41.897Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/facf22c1a394c1e023dab5daf9a494f722771e1c"
},
{
"url": "https://git.kernel.org/stable/c/af9e2d4732a548db8f6f5a90c2c20a789a3d7240"
},
{
"url": "https://git.kernel.org/stable/c/2148d34371b06dac696c0497a98a6bf905a51650"
},
{
"url": "https://git.kernel.org/stable/c/829e19ef741d9e9932abdc3bee5466195e0852cf"
},
{
"url": "https://git.kernel.org/stable/c/eb4447bcce915b43b691123118893fca4f372a8f"
}
],
"title": "ksmbd: fix memory leak in parse_lease_state()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-37962",
"datePublished": "2025-05-20T16:01:54.612Z",
"dateReserved": "2025-04-16T04:51:23.974Z",
"dateUpdated": "2026-05-23T15:58:41.897Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-37963 (GCVE-0-2025-37963)
Vulnerability from cvelistv5 – Published: 2025-05-20 16:01 – Updated: 2026-05-11 21:18
VLAI
EPSS
Title
arm64: bpf: Only mitigate cBPF programs loaded by unprivileged users
Summary
In the Linux kernel, the following vulnerability has been resolved:
arm64: bpf: Only mitigate cBPF programs loaded by unprivileged users
Support for eBPF programs loaded by unprivileged users is typically
disabled. This means only cBPF programs need to be mitigated for BHB.
In addition, only mitigate cBPF programs that were loaded by an
unprivileged user. Privileged users can also load the same program
via eBPF, making the mitigation pointless.
Severity
No CVSS data available.
Assigner
References
9 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
0be7320a635c2e434e8b67e0e9474a85ceb421c4 , < 038866e01ea5e5a3d948898ac216e531e7848669
(git)
Affected: 0be7320a635c2e434e8b67e0e9474a85ceb421c4 , < df53d418709205450a02bb4d71cbfb4ff86f2c1e (git) Affected: 0be7320a635c2e434e8b67e0e9474a85ceb421c4 , < 6e52d043f7dbf1839a24a3fab2b12b0d3839de7a (git) Affected: 0be7320a635c2e434e8b67e0e9474a85ceb421c4 , < 80251f62028f1ab2e09be5ca3123f84e8b00389a (git) Affected: 0be7320a635c2e434e8b67e0e9474a85ceb421c4 , < e5f5100f1c64ac6c72671b2cf6b46542fce93706 (git) Affected: 0be7320a635c2e434e8b67e0e9474a85ceb421c4 , < 477481c4348268136227348984b6699d6370b685 (git) Affected: 0be7320a635c2e434e8b67e0e9474a85ceb421c4 , < f300769ead032513a68e4a02e806393402e626f8 (git) |
|
| Linux | Linux |
Affected:
3.7
Unaffected: 0 , < 3.7 (semver) Unaffected: 5.10.239 , ≤ 5.10.* (semver) Unaffected: 5.15.186 , ≤ 5.15.* (semver) Unaffected: 6.1.139 , ≤ 6.1.* (semver) Unaffected: 6.6.91 , ≤ 6.6.* (semver) Unaffected: 6.12.29 , ≤ 6.12.* (semver) Unaffected: 6.14.7 , ≤ 6.14.* (semver) Unaffected: 6.15 , ≤ * (original_commit_for_fix) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:57:48.402Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/08/msg00010.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/arm64/net/bpf_jit_comp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "038866e01ea5e5a3d948898ac216e531e7848669",
"status": "affected",
"version": "0be7320a635c2e434e8b67e0e9474a85ceb421c4",
"versionType": "git"
},
{
"lessThan": "df53d418709205450a02bb4d71cbfb4ff86f2c1e",
"status": "affected",
"version": "0be7320a635c2e434e8b67e0e9474a85ceb421c4",
"versionType": "git"
},
{
"lessThan": "6e52d043f7dbf1839a24a3fab2b12b0d3839de7a",
"status": "affected",
"version": "0be7320a635c2e434e8b67e0e9474a85ceb421c4",
"versionType": "git"
},
{
"lessThan": "80251f62028f1ab2e09be5ca3123f84e8b00389a",
"status": "affected",
"version": "0be7320a635c2e434e8b67e0e9474a85ceb421c4",
"versionType": "git"
},
{
"lessThan": "e5f5100f1c64ac6c72671b2cf6b46542fce93706",
"status": "affected",
"version": "0be7320a635c2e434e8b67e0e9474a85ceb421c4",
"versionType": "git"
},
{
"lessThan": "477481c4348268136227348984b6699d6370b685",
"status": "affected",
"version": "0be7320a635c2e434e8b67e0e9474a85ceb421c4",
"versionType": "git"
},
{
"lessThan": "f300769ead032513a68e4a02e806393402e626f8",
"status": "affected",
"version": "0be7320a635c2e434e8b67e0e9474a85ceb421c4",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/arm64/net/bpf_jit_comp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.7"
},
{
"lessThan": "3.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.239",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.186",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.139",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.91",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.29",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.14.*",
"status": "unaffected",
"version": "6.14.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.15",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.239",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.186",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.139",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.91",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.29",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14.7",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15",
"versionStartIncluding": "3.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\narm64: bpf: Only mitigate cBPF programs loaded by unprivileged users\n\nSupport for eBPF programs loaded by unprivileged users is typically\ndisabled. This means only cBPF programs need to be mitigated for BHB.\n\nIn addition, only mitigate cBPF programs that were loaded by an\nunprivileged user. Privileged users can also load the same program\nvia eBPF, making the mitigation pointless."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:18:37.576Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/038866e01ea5e5a3d948898ac216e531e7848669"
},
{
"url": "https://git.kernel.org/stable/c/df53d418709205450a02bb4d71cbfb4ff86f2c1e"
},
{
"url": "https://git.kernel.org/stable/c/6e52d043f7dbf1839a24a3fab2b12b0d3839de7a"
},
{
"url": "https://git.kernel.org/stable/c/80251f62028f1ab2e09be5ca3123f84e8b00389a"
},
{
"url": "https://git.kernel.org/stable/c/e5f5100f1c64ac6c72671b2cf6b46542fce93706"
},
{
"url": "https://git.kernel.org/stable/c/477481c4348268136227348984b6699d6370b685"
},
{
"url": "https://git.kernel.org/stable/c/f300769ead032513a68e4a02e806393402e626f8"
}
],
"title": "arm64: bpf: Only mitigate cBPF programs loaded by unprivileged users",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-37963",
"datePublished": "2025-05-20T16:01:55.322Z",
"dateReserved": "2025-04-16T04:51:23.974Z",
"dateUpdated": "2026-05-11T21:18:37.576Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-37964 (GCVE-0-2025-37964)
Vulnerability from cvelistv5 – Published: 2025-05-20 16:01 – Updated: 2026-05-23 15:58
VLAI
EPSS
Title
x86/mm: Eliminate window where TLB flushes may be inadvertently skipped
Summary
In the Linux kernel, the following vulnerability has been resolved:
x86/mm: Eliminate window where TLB flushes may be inadvertently skipped
tl;dr: There is a window in the mm switching code where the new CR3 is
set and the CPU should be getting TLB flushes for the new mm. But
should_flush_tlb() has a bug and suppresses the flush. Fix it by
widening the window where should_flush_tlb() sends an IPI.
Long Version:
=== History ===
There were a few things leading up to this.
First, updating mm_cpumask() was observed to be too expensive, so it was
made lazier. But being lazy caused too many unnecessary IPIs to CPUs
due to the now-lazy mm_cpumask(). So code was added to cull
mm_cpumask() periodically[2]. But that culling was a bit too aggressive
and skipped sending TLB flushes to CPUs that need them. So here we are
again.
=== Problem ===
The too-aggressive code in should_flush_tlb() strikes in this window:
// Turn on IPIs for this CPU/mm combination, but only
// if should_flush_tlb() agrees:
cpumask_set_cpu(cpu, mm_cpumask(next));
next_tlb_gen = atomic64_read(&next->context.tlb_gen);
choose_new_asid(next, next_tlb_gen, &new_asid, &need_flush);
load_new_mm_cr3(need_flush);
// ^ After 'need_flush' is set to false, IPIs *MUST*
// be sent to this CPU and not be ignored.
this_cpu_write(cpu_tlbstate.loaded_mm, next);
// ^ Not until this point does should_flush_tlb()
// become true!
should_flush_tlb() will suppress TLB flushes between load_new_mm_cr3()
and writing to 'loaded_mm', which is a window where they should not be
suppressed. Whoops.
=== Solution ===
Thankfully, the fuzzy "just about to write CR3" window is already marked
with loaded_mm==LOADED_MM_SWITCHING. Simply checking for that state in
should_flush_tlb() is sufficient to ensure that the CPU is targeted with
an IPI.
This will cause more TLB flush IPIs. But the window is relatively small
and I do not expect this to cause any kind of measurable performance
impact.
Update the comment where LOADED_MM_SWITCHING is written since it grew
yet another user.
Peter Z also raised a concern that should_flush_tlb() might not observe
'loaded_mm' and 'is_lazy' in the same order that switch_mm_irqs_off()
writes them. Add a barrier to ensure that they are observed in the
order they are written.
Severity
No CVSS data available.
Assigner
References
7 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
848b5815177582de0e1d0118725378e0fbadca20 , < 12f703811af043d32b1c8a30001b2fa04d5cd0ac
(git)
Affected: b47002ed65ade940839b7f439ff4a194e7d5ec28 , < 02ad4ce144bd27f71f583f667fdf3b3ba0753477 (git) Affected: a04fe3bfc71e28009e20357b79df1e8ef7c9d600 , < d41072906abec8bb8e01ed16afefbaa558908c89 (git) Affected: 3dbe889a1b829b4c07e0836ff853fe649e51ce4f , < d87392094f96e162fa5fa5a8640d70cc0952806f (git) Affected: 6db2526c1d694c91c6e05e2f186c085e9460f202 , < 399ec9ca8fc4999e676ff89a90184ec40031cf59 (git) Affected: 6db2526c1d694c91c6e05e2f186c085e9460f202 , < fea4e317f9e7e1f449ce90dedc27a2d2a95bee5a (git) Affected: d1347977661342cb09a304a17701eb2d4aa21dec (git) Affected: 5.15.179 , < 5.15.183 (semver) Affected: 6.1.129 , < 6.1.139 (semver) Affected: 6.6.79 , < 6.6.91 (semver) Affected: 6.12.16 , < 6.12.29 (semver) Affected: 6.13.4 , < 6.14 (semver) |
|
| Linux | Linux |
Affected:
6.14
Unaffected: 0 , < 6.14 (semver) Unaffected: 5.15.183 , ≤ 5.15.* (semver) Unaffected: 6.1.139 , ≤ 6.1.* (semver) Unaffected: 6.6.91 , ≤ 6.6.* (semver) Unaffected: 6.12.29 , ≤ 6.12.* (semver) Unaffected: 6.14.7 , ≤ 6.14.* (semver) Unaffected: 6.15 , ≤ * (original_commit_for_fix) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:57:49.771Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/08/msg00010.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/x86/mm/tlb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "12f703811af043d32b1c8a30001b2fa04d5cd0ac",
"status": "affected",
"version": "848b5815177582de0e1d0118725378e0fbadca20",
"versionType": "git"
},
{
"lessThan": "02ad4ce144bd27f71f583f667fdf3b3ba0753477",
"status": "affected",
"version": "b47002ed65ade940839b7f439ff4a194e7d5ec28",
"versionType": "git"
},
{
"lessThan": "d41072906abec8bb8e01ed16afefbaa558908c89",
"status": "affected",
"version": "a04fe3bfc71e28009e20357b79df1e8ef7c9d600",
"versionType": "git"
},
{
"lessThan": "d87392094f96e162fa5fa5a8640d70cc0952806f",
"status": "affected",
"version": "3dbe889a1b829b4c07e0836ff853fe649e51ce4f",
"versionType": "git"
},
{
"lessThan": "399ec9ca8fc4999e676ff89a90184ec40031cf59",
"status": "affected",
"version": "6db2526c1d694c91c6e05e2f186c085e9460f202",
"versionType": "git"
},
{
"lessThan": "fea4e317f9e7e1f449ce90dedc27a2d2a95bee5a",
"status": "affected",
"version": "6db2526c1d694c91c6e05e2f186c085e9460f202",
"versionType": "git"
},
{
"status": "affected",
"version": "d1347977661342cb09a304a17701eb2d4aa21dec",
"versionType": "git"
},
{
"lessThan": "5.15.183",
"status": "affected",
"version": "5.15.179",
"versionType": "semver"
},
{
"lessThan": "6.1.139",
"status": "affected",
"version": "6.1.129",
"versionType": "semver"
},
{
"lessThan": "6.6.91",
"status": "affected",
"version": "6.6.79",
"versionType": "semver"
},
{
"lessThan": "6.12.29",
"status": "affected",
"version": "6.12.16",
"versionType": "semver"
},
{
"lessThan": "6.14",
"status": "affected",
"version": "6.13.4",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/x86/mm/tlb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.14"
},
{
"lessThan": "6.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.183",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.139",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.91",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.29",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.14.*",
"status": "unaffected",
"version": "6.14.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.15",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.183",
"versionStartIncluding": "5.15.179",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.139",
"versionStartIncluding": "6.1.129",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.91",
"versionStartIncluding": "6.6.79",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.29",
"versionStartIncluding": "6.12.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14.7",
"versionStartIncluding": "6.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15",
"versionStartIncluding": "6.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.13.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/mm: Eliminate window where TLB flushes may be inadvertently skipped\n\ntl;dr: There is a window in the mm switching code where the new CR3 is\nset and the CPU should be getting TLB flushes for the new mm. But\nshould_flush_tlb() has a bug and suppresses the flush. Fix it by\nwidening the window where should_flush_tlb() sends an IPI.\n\nLong Version:\n\n=== History ===\n\nThere were a few things leading up to this.\n\nFirst, updating mm_cpumask() was observed to be too expensive, so it was\nmade lazier. But being lazy caused too many unnecessary IPIs to CPUs\ndue to the now-lazy mm_cpumask(). So code was added to cull\nmm_cpumask() periodically[2]. But that culling was a bit too aggressive\nand skipped sending TLB flushes to CPUs that need them. So here we are\nagain.\n\n=== Problem ===\n\nThe too-aggressive code in should_flush_tlb() strikes in this window:\n\n\t// Turn on IPIs for this CPU/mm combination, but only\n\t// if should_flush_tlb() agrees:\n\tcpumask_set_cpu(cpu, mm_cpumask(next));\n\n\tnext_tlb_gen = atomic64_read(\u0026next-\u003econtext.tlb_gen);\n\tchoose_new_asid(next, next_tlb_gen, \u0026new_asid, \u0026need_flush);\n\tload_new_mm_cr3(need_flush);\n\t// ^ After \u0027need_flush\u0027 is set to false, IPIs *MUST*\n\t// be sent to this CPU and not be ignored.\n\n this_cpu_write(cpu_tlbstate.loaded_mm, next);\n\t// ^ Not until this point does should_flush_tlb()\n\t// become true!\n\nshould_flush_tlb() will suppress TLB flushes between load_new_mm_cr3()\nand writing to \u0027loaded_mm\u0027, which is a window where they should not be\nsuppressed. Whoops.\n\n=== Solution ===\n\nThankfully, the fuzzy \"just about to write CR3\" window is already marked\nwith loaded_mm==LOADED_MM_SWITCHING. Simply checking for that state in\nshould_flush_tlb() is sufficient to ensure that the CPU is targeted with\nan IPI.\n\nThis will cause more TLB flush IPIs. But the window is relatively small\nand I do not expect this to cause any kind of measurable performance\nimpact.\n\nUpdate the comment where LOADED_MM_SWITCHING is written since it grew\nyet another user.\n\nPeter Z also raised a concern that should_flush_tlb() might not observe\n\u0027loaded_mm\u0027 and \u0027is_lazy\u0027 in the same order that switch_mm_irqs_off()\nwrites them. Add a barrier to ensure that they are observed in the\norder they are written."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-23T15:58:42.964Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/12f703811af043d32b1c8a30001b2fa04d5cd0ac"
},
{
"url": "https://git.kernel.org/stable/c/02ad4ce144bd27f71f583f667fdf3b3ba0753477"
},
{
"url": "https://git.kernel.org/stable/c/d41072906abec8bb8e01ed16afefbaa558908c89"
},
{
"url": "https://git.kernel.org/stable/c/d87392094f96e162fa5fa5a8640d70cc0952806f"
},
{
"url": "https://git.kernel.org/stable/c/399ec9ca8fc4999e676ff89a90184ec40031cf59"
},
{
"url": "https://git.kernel.org/stable/c/fea4e317f9e7e1f449ce90dedc27a2d2a95bee5a"
}
],
"title": "x86/mm: Eliminate window where TLB flushes may be inadvertently skipped",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-37964",
"datePublished": "2025-05-20T16:01:56.013Z",
"dateReserved": "2025-04-16T04:51:23.974Z",
"dateUpdated": "2026-05-23T15:58:42.964Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-37967 (GCVE-0-2025-37967)
Vulnerability from cvelistv5 – Published: 2025-05-20 16:47 – Updated: 2026-05-11 21:18
VLAI
EPSS
Title
usb: typec: ucsi: displayport: Fix deadlock
Summary
In the Linux kernel, the following vulnerability has been resolved:
usb: typec: ucsi: displayport: Fix deadlock
This patch introduces the ucsi_con_mutex_lock / ucsi_con_mutex_unlock
functions to the UCSI driver. ucsi_con_mutex_lock ensures the connector
mutex is only locked if a connection is established and the partner pointer
is valid. This resolves a deadlock scenario where
ucsi_displayport_remove_partner holds con->mutex waiting for
dp_altmode_work to complete while dp_altmode_work attempts to acquire it.
Severity
No CVSS data available.
Assigner
References
7 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
af8622f6a585d8d82b11cd7987e082861fd0edd3 , < f4bd982563c2fd41ec9ca6c517c392d759db801c
(git)
Affected: af8622f6a585d8d82b11cd7987e082861fd0edd3 , < f32451ca4cb7dc53f2a0e2e66b84d34162747eb7 (git) Affected: af8622f6a585d8d82b11cd7987e082861fd0edd3 , < 962ce9028ca6eb450d5c205238a3ee27de9d214d (git) Affected: af8622f6a585d8d82b11cd7987e082861fd0edd3 , < 5924b324468845fc795bd76f588f51d7ab4f202d (git) Affected: af8622f6a585d8d82b11cd7987e082861fd0edd3 , < 61fc1a8e1e10cc784cab5829930838aaf1d37af5 (git) Affected: af8622f6a585d8d82b11cd7987e082861fd0edd3 , < 364618c89d4c57c85e5fc51a2446cd939bf57802 (git) |
|
| Linux | Linux |
Affected:
5.2
Unaffected: 0 , < 5.2 (semver) Unaffected: 5.15.184 , ≤ 5.15.* (semver) Unaffected: 6.1.140 , ≤ 6.1.* (semver) Unaffected: 6.6.92 , ≤ 6.6.* (semver) Unaffected: 6.12.30 , ≤ 6.12.* (semver) Unaffected: 6.14.7 , ≤ 6.14.* (semver) Unaffected: 6.15 , ≤ * (original_commit_for_fix) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:57:51.142Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/08/msg00010.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/usb/typec/ucsi/displayport.c",
"drivers/usb/typec/ucsi/ucsi.c",
"drivers/usb/typec/ucsi/ucsi.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f4bd982563c2fd41ec9ca6c517c392d759db801c",
"status": "affected",
"version": "af8622f6a585d8d82b11cd7987e082861fd0edd3",
"versionType": "git"
},
{
"lessThan": "f32451ca4cb7dc53f2a0e2e66b84d34162747eb7",
"status": "affected",
"version": "af8622f6a585d8d82b11cd7987e082861fd0edd3",
"versionType": "git"
},
{
"lessThan": "962ce9028ca6eb450d5c205238a3ee27de9d214d",
"status": "affected",
"version": "af8622f6a585d8d82b11cd7987e082861fd0edd3",
"versionType": "git"
},
{
"lessThan": "5924b324468845fc795bd76f588f51d7ab4f202d",
"status": "affected",
"version": "af8622f6a585d8d82b11cd7987e082861fd0edd3",
"versionType": "git"
},
{
"lessThan": "61fc1a8e1e10cc784cab5829930838aaf1d37af5",
"status": "affected",
"version": "af8622f6a585d8d82b11cd7987e082861fd0edd3",
"versionType": "git"
},
{
"lessThan": "364618c89d4c57c85e5fc51a2446cd939bf57802",
"status": "affected",
"version": "af8622f6a585d8d82b11cd7987e082861fd0edd3",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/usb/typec/ucsi/displayport.c",
"drivers/usb/typec/ucsi/ucsi.c",
"drivers/usb/typec/ucsi/ucsi.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.2"
},
{
"lessThan": "5.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.184",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.140",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.92",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.30",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.14.*",
"status": "unaffected",
"version": "6.14.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.15",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.184",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.140",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.92",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.30",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14.7",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15",
"versionStartIncluding": "5.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: typec: ucsi: displayport: Fix deadlock\n\nThis patch introduces the ucsi_con_mutex_lock / ucsi_con_mutex_unlock\nfunctions to the UCSI driver. ucsi_con_mutex_lock ensures the connector\nmutex is only locked if a connection is established and the partner pointer\nis valid. This resolves a deadlock scenario where\nucsi_displayport_remove_partner holds con-\u003emutex waiting for\ndp_altmode_work to complete while dp_altmode_work attempts to acquire it."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:18:42.177Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f4bd982563c2fd41ec9ca6c517c392d759db801c"
},
{
"url": "https://git.kernel.org/stable/c/f32451ca4cb7dc53f2a0e2e66b84d34162747eb7"
},
{
"url": "https://git.kernel.org/stable/c/962ce9028ca6eb450d5c205238a3ee27de9d214d"
},
{
"url": "https://git.kernel.org/stable/c/5924b324468845fc795bd76f588f51d7ab4f202d"
},
{
"url": "https://git.kernel.org/stable/c/61fc1a8e1e10cc784cab5829930838aaf1d37af5"
},
{
"url": "https://git.kernel.org/stable/c/364618c89d4c57c85e5fc51a2446cd939bf57802"
}
],
"title": "usb: typec: ucsi: displayport: Fix deadlock",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-37967",
"datePublished": "2025-05-20T16:47:15.473Z",
"dateReserved": "2025-04-16T04:51:23.974Z",
"dateUpdated": "2026-05-11T21:18:42.177Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-37969 (GCVE-0-2025-37969)
Vulnerability from cvelistv5 – Published: 2025-05-20 16:47 – Updated: 2026-05-11 21:18
VLAI
EPSS
Title
iio: imu: st_lsm6dsx: fix possible lockup in st_lsm6dsx_read_tagged_fifo
Summary
In the Linux kernel, the following vulnerability has been resolved:
iio: imu: st_lsm6dsx: fix possible lockup in st_lsm6dsx_read_tagged_fifo
Prevent st_lsm6dsx_read_tagged_fifo from falling in an infinite loop in
case pattern_len is equal to zero and the device FIFO is not empty.
Severity
No CVSS data available.
Assigner
References
10 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
801a6e0af0c6cedca2e99155e343ad385a50f08e , < 4db7d923a8c298788181b796f71adf6ca499f966
(git)
Affected: 801a6e0af0c6cedca2e99155e343ad385a50f08e , < 76727a1d81afde77d21ea8feaeb12d34605be6f4 (git) Affected: 801a6e0af0c6cedca2e99155e343ad385a50f08e , < 35b8c0a284983b71d92d082c54b7eb655ed4194f (git) Affected: 801a6e0af0c6cedca2e99155e343ad385a50f08e , < 16857370b3a30663515956b3bd27f3def6a2cf06 (git) Affected: 801a6e0af0c6cedca2e99155e343ad385a50f08e , < 9ce662851380fe2018e36e15c0bdcb1ad177ed95 (git) Affected: 801a6e0af0c6cedca2e99155e343ad385a50f08e , < dadf9116108315f2eb14c7415c7805f392c476b4 (git) Affected: 801a6e0af0c6cedca2e99155e343ad385a50f08e , < 9ddb4cf2192c213e4dba1733bbcdc94cf6d85bf7 (git) Affected: 801a6e0af0c6cedca2e99155e343ad385a50f08e , < 8114ef86e2058e2554111b793596f17bee23fa15 (git) |
|
| Linux | Linux |
Affected:
4.20
Unaffected: 0 , < 4.20 (semver) Unaffected: 5.4.294 , ≤ 5.4.* (semver) Unaffected: 5.10.238 , ≤ 5.10.* (semver) Unaffected: 5.15.183 , ≤ 5.15.* (semver) Unaffected: 6.1.139 , ≤ 6.1.* (semver) Unaffected: 6.6.91 , ≤ 6.6.* (semver) Unaffected: 6.12.29 , ≤ 6.12.* (semver) Unaffected: 6.14.7 , ≤ 6.14.* (semver) Unaffected: 6.15 , ≤ * (original_commit_for_fix) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:57:52.556Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/08/msg00010.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/iio/imu/st_lsm6dsx/st_lsm6dsx_buffer.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "4db7d923a8c298788181b796f71adf6ca499f966",
"status": "affected",
"version": "801a6e0af0c6cedca2e99155e343ad385a50f08e",
"versionType": "git"
},
{
"lessThan": "76727a1d81afde77d21ea8feaeb12d34605be6f4",
"status": "affected",
"version": "801a6e0af0c6cedca2e99155e343ad385a50f08e",
"versionType": "git"
},
{
"lessThan": "35b8c0a284983b71d92d082c54b7eb655ed4194f",
"status": "affected",
"version": "801a6e0af0c6cedca2e99155e343ad385a50f08e",
"versionType": "git"
},
{
"lessThan": "16857370b3a30663515956b3bd27f3def6a2cf06",
"status": "affected",
"version": "801a6e0af0c6cedca2e99155e343ad385a50f08e",
"versionType": "git"
},
{
"lessThan": "9ce662851380fe2018e36e15c0bdcb1ad177ed95",
"status": "affected",
"version": "801a6e0af0c6cedca2e99155e343ad385a50f08e",
"versionType": "git"
},
{
"lessThan": "dadf9116108315f2eb14c7415c7805f392c476b4",
"status": "affected",
"version": "801a6e0af0c6cedca2e99155e343ad385a50f08e",
"versionType": "git"
},
{
"lessThan": "9ddb4cf2192c213e4dba1733bbcdc94cf6d85bf7",
"status": "affected",
"version": "801a6e0af0c6cedca2e99155e343ad385a50f08e",
"versionType": "git"
},
{
"lessThan": "8114ef86e2058e2554111b793596f17bee23fa15",
"status": "affected",
"version": "801a6e0af0c6cedca2e99155e343ad385a50f08e",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/iio/imu/st_lsm6dsx/st_lsm6dsx_buffer.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.20"
},
{
"lessThan": "4.20",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.294",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.238",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.183",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.139",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.91",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.29",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.14.*",
"status": "unaffected",
"version": "6.14.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.15",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.294",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.238",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.183",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.139",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.91",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.29",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14.7",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15",
"versionStartIncluding": "4.20",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\niio: imu: st_lsm6dsx: fix possible lockup in st_lsm6dsx_read_tagged_fifo\n\nPrevent st_lsm6dsx_read_tagged_fifo from falling in an infinite loop in\ncase pattern_len is equal to zero and the device FIFO is not empty."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:18:44.467Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/4db7d923a8c298788181b796f71adf6ca499f966"
},
{
"url": "https://git.kernel.org/stable/c/76727a1d81afde77d21ea8feaeb12d34605be6f4"
},
{
"url": "https://git.kernel.org/stable/c/35b8c0a284983b71d92d082c54b7eb655ed4194f"
},
{
"url": "https://git.kernel.org/stable/c/16857370b3a30663515956b3bd27f3def6a2cf06"
},
{
"url": "https://git.kernel.org/stable/c/9ce662851380fe2018e36e15c0bdcb1ad177ed95"
},
{
"url": "https://git.kernel.org/stable/c/dadf9116108315f2eb14c7415c7805f392c476b4"
},
{
"url": "https://git.kernel.org/stable/c/9ddb4cf2192c213e4dba1733bbcdc94cf6d85bf7"
},
{
"url": "https://git.kernel.org/stable/c/8114ef86e2058e2554111b793596f17bee23fa15"
}
],
"title": "iio: imu: st_lsm6dsx: fix possible lockup in st_lsm6dsx_read_tagged_fifo",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-37969",
"datePublished": "2025-05-20T16:47:16.641Z",
"dateReserved": "2025-04-16T04:51:23.975Z",
"dateUpdated": "2026-05-11T21:18:44.467Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Loading…
Trend slope:
-
(linear fit over daily sighting counts)
Show additional events:
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…