Vulnerability-Lookup

CERTFR-2025-AVI-0698

Vulnerability from certfr_avis - Published: 2025-08-14 - Updated: 2025-08-14

De multiples vulnérabilités ont été découvertes dans le noyau Linux de Debian. Certaines d'entre elles permettent à un attaquant de provoquer une élévation de privilèges, une atteinte à la confidentialité des données et un déni de service.

Solutions

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

Impacted products

	Vendor	Product	Description
	Debian	Debian	Debian bookworm versions antérieures à 6.1.147-1
	Debian	Debian	Debian trixie versions antérieures à 6.12.41-1

References

Title

Publication Time

CVE-2025-38198 (GCVE-0-2025-38198)

Vulnerability from cvelistv5 – Published: 2025-07-04 13:37 – Updated: 2026-05-12 12:04

Title

fbcon: Make sure modelist not set on unregistered console

Summary

In the Linux kernel, the following vulnerability has been resolved: fbcon: Make sure modelist not set on unregistered console It looks like attempting to write to the "store_modes" sysfs node will run afoul of unregistered consoles: UBSAN: array-index-out-of-bounds in drivers/video/fbdev/core/fbcon.c:122:28 index -1 is out of range for type 'fb_info *[32]' ... fbcon_info_from_console+0x192/0x1a0 drivers/video/fbdev/core/fbcon.c:122 fbcon_new_modelist+0xbf/0x2d0 drivers/video/fbdev/core/fbcon.c:3048 fb_new_modelist+0x328/0x440 drivers/video/fbdev/core/fbmem.c:673 store_modes+0x1c9/0x3e0 drivers/video/fbdev/core/fbsysfs.c:113 dev_attr_store+0x55/0x80 drivers/base/core.c:2439 static struct fb_info *fbcon_registered_fb[FB_MAX]; ... static signed char con2fb_map[MAX_NR_CONSOLES]; ... static struct fb_info *fbcon_info_from_console(int console) ... return fbcon_registered_fb[con2fb_map[console]]; If con2fb_map contains a -1 things go wrong here. Instead, return NULL, as callers of fbcon_info_from_console() are trying to compare against existing "info" pointers, so error handling should kick in correctly.

Severity

No CVSS data available.

Assigner

Linux

References

7 references

URL	Tags
https://git.kernel.org/stable/c/b3237d451bf3a4490…
https://git.kernel.org/stable/c/519ba75728ee8cd56…
https://git.kernel.org/stable/c/f28f1f578cd810779…
https://git.kernel.org/stable/c/54b28f7c567dd659e…
https://git.kernel.org/stable/c/cedc1b63394a866bf…
https://lists.debian.org/debian-lts-announce/2025…
https://cert-portal.siemens.com/productcert/html/…

Impacted products

5 products

Vendor	Product	Version
Linux	Linux	Affected: 409d6c95f9c68bb7046410a3502e26e454a1e636 , < b3237d451bf3a4490cb1a76f3b7c91d9888f1c4b (git) Affected: 409d6c95f9c68bb7046410a3502e26e454a1e636 , < 519ba75728ee8cd561dce25fc52a2ec5c47171dc (git) Affected: 409d6c95f9c68bb7046410a3502e26e454a1e636 , < f28f1f578cd810779d01999c60618cda14c281dd (git) Affected: 409d6c95f9c68bb7046410a3502e26e454a1e636 , < 54b28f7c567dd659e5f9562f518e4d7f3f6a367b (git) Affected: 409d6c95f9c68bb7046410a3502e26e454a1e636 , < cedc1b63394a866bf8663a3e40f4546f1d28c8d8 (git)
Linux	Linux	Affected: 5.19 Unaffected: 0 , < 5.19 (semver) Unaffected: 6.1.142 , ≤ 6.1.* (semver) Unaffected: 6.6.95 , ≤ 6.6.* (semver) Unaffected: 6.12.35 , ≤ 6.12.* (semver) Unaffected: 6.15.4 , ≤ 6.15.* (semver) Unaffected: 6.16 , ≤ * (original_commit_for_fix)
Siemens	SIMATIC S7-1500 CPU 1518-4 PN/DP MFP	Affected: V3.1.5 , < * (custom)
Siemens	SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP	Affected: V3.1.5 , < * (custom)
Siemens	SIPLUS S7-1500 CPU 1518-4 PN/DP MFP	Affected: V3.1.5 , < * (custom)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:35:21.947Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "affected": [
          {
            "defaultStatus": "unknown",
            "product": "SIMATIC S7-1500 CPU 1518-4 PN/DP MFP",
            "vendor": "Siemens",
            "versions": [
              {
                "lessThan": "*",
                "status": "affected",
                "version": "V3.1.5",
                "versionType": "custom"
              }
            ]
          },
          {
            "defaultStatus": "unknown",
            "product": "SIMATIC S7-1500 CPU 1518-4 PN/DP MFP",
            "vendor": "Siemens",
            "versions": [
              {
                "lessThan": "*",
                "status": "affected",
                "version": "V3.1.5",
                "versionType": "custom"
              }
            ]
          },
          {
            "defaultStatus": "unknown",
            "product": "SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP",
            "vendor": "Siemens",
            "versions": [
              {
                "lessThan": "*",
                "status": "affected",
                "version": "V3.1.5",
                "versionType": "custom"
              }
            ]
          },
          {
            "defaultStatus": "unknown",
            "product": "SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP",
            "vendor": "Siemens",
            "versions": [
              {
                "lessThan": "*",
                "status": "affected",
                "version": "V3.1.5",
                "versionType": "custom"
              }
            ]
          },
          {
            "defaultStatus": "unknown",
            "product": "SIPLUS S7-1500 CPU 1518-4 PN/DP MFP",
            "vendor": "Siemens",
            "versions": [
              {
                "lessThan": "*",
                "status": "affected",
                "version": "V3.1.5",
                "versionType": "custom"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-12T12:04:35.930Z",
          "orgId": "0b142b55-0307-4c5a-b3c9-f314f3fb7c5e",
          "shortName": "siemens-SADP"
        },
        "references": [
          {
            "url": "https://cert-portal.siemens.com/productcert/html/ssa-082556.html"
          }
        ],
        "x_adpType": "supplier"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/video/fbdev/core/fbcon.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "b3237d451bf3a4490cb1a76f3b7c91d9888f1c4b",
              "status": "affected",
              "version": "409d6c95f9c68bb7046410a3502e26e454a1e636",
              "versionType": "git"
            },
            {
              "lessThan": "519ba75728ee8cd561dce25fc52a2ec5c47171dc",
              "status": "affected",
              "version": "409d6c95f9c68bb7046410a3502e26e454a1e636",
              "versionType": "git"
            },
            {
              "lessThan": "f28f1f578cd810779d01999c60618cda14c281dd",
              "status": "affected",
              "version": "409d6c95f9c68bb7046410a3502e26e454a1e636",
              "versionType": "git"
            },
            {
              "lessThan": "54b28f7c567dd659e5f9562f518e4d7f3f6a367b",
              "status": "affected",
              "version": "409d6c95f9c68bb7046410a3502e26e454a1e636",
              "versionType": "git"
            },
            {
              "lessThan": "cedc1b63394a866bf8663a3e40f4546f1d28c8d8",
              "status": "affected",
              "version": "409d6c95f9c68bb7046410a3502e26e454a1e636",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/video/fbdev/core/fbcon.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.19"
            },
            {
              "lessThan": "5.19",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.142",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.95",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.35",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.142",
                  "versionStartIncluding": "5.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.95",
                  "versionStartIncluding": "5.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.35",
                  "versionStartIncluding": "5.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.4",
                  "versionStartIncluding": "5.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "5.19",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfbcon: Make sure modelist not set on unregistered console\n\nIt looks like attempting to write to the \"store_modes\" sysfs node will\nrun afoul of unregistered consoles:\n\nUBSAN: array-index-out-of-bounds in drivers/video/fbdev/core/fbcon.c:122:28\nindex -1 is out of range for type \u0027fb_info *[32]\u0027\n...\n fbcon_info_from_console+0x192/0x1a0 drivers/video/fbdev/core/fbcon.c:122\n fbcon_new_modelist+0xbf/0x2d0 drivers/video/fbdev/core/fbcon.c:3048\n fb_new_modelist+0x328/0x440 drivers/video/fbdev/core/fbmem.c:673\n store_modes+0x1c9/0x3e0 drivers/video/fbdev/core/fbsysfs.c:113\n dev_attr_store+0x55/0x80 drivers/base/core.c:2439\n\nstatic struct fb_info *fbcon_registered_fb[FB_MAX];\n...\nstatic signed char con2fb_map[MAX_NR_CONSOLES];\n...\nstatic struct fb_info *fbcon_info_from_console(int console)\n...\n        return fbcon_registered_fb[con2fb_map[console]];\n\nIf con2fb_map contains a -1 things go wrong here. Instead, return NULL,\nas callers of fbcon_info_from_console() are trying to compare against\nexisting \"info\" pointers, so error handling should kick in correctly."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T21:23:09.013Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/b3237d451bf3a4490cb1a76f3b7c91d9888f1c4b"
        },
        {
          "url": "https://git.kernel.org/stable/c/519ba75728ee8cd561dce25fc52a2ec5c47171dc"
        },
        {
          "url": "https://git.kernel.org/stable/c/f28f1f578cd810779d01999c60618cda14c281dd"
        },
        {
          "url": "https://git.kernel.org/stable/c/54b28f7c567dd659e5f9562f518e4d7f3f6a367b"
        },
        {
          "url": "https://git.kernel.org/stable/c/cedc1b63394a866bf8663a3e40f4546f1d28c8d8"
        }
      ],
      "title": "fbcon: Make sure modelist not set on unregistered console",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38198",
    "datePublished": "2025-07-04T13:37:20.588Z",
    "dateReserved": "2025-04-16T04:51:23.993Z",
    "dateUpdated": "2026-05-12T12:04:35.930Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38200 (GCVE-0-2025-38200)

Vulnerability from cvelistv5 – Published: 2025-07-04 13:37 – Updated: 2026-05-11 21:23

Title

i40e: fix MMIO write access to an invalid page in i40e_clear_hw

Summary

In the Linux kernel, the following vulnerability has been resolved: i40e: fix MMIO write access to an invalid page in i40e_clear_hw When the device sends a specific input, an integer underflow can occur, leading to MMIO write access to an invalid page. Prevent the integer underflow by changing the type of related variables.

Severity

No CVSS data available.

Assigner

Linux

References

10 references

URL	Tags
https://git.kernel.org/stable/c/872607632c658d373…
https://git.kernel.org/stable/c/5e75c9082987479e6…
https://git.kernel.org/stable/c/fecb2fc3fc10c9572…
https://git.kernel.org/stable/c/d88a1e8f024ba26e1…
https://git.kernel.org/stable/c/8cde755f56163281e…
https://git.kernel.org/stable/c/3502dd42f178dae9d…
https://git.kernel.org/stable/c/2a1f4f2e36442a9bd…
https://git.kernel.org/stable/c/015bac5daca978448…
https://lists.debian.org/debian-lts-announce/2025…
https://lists.debian.org/debian-lts-announce/2025…

Impacted products

2 products

Vendor	Product	Version
Linux	Linux	Affected: 1bff652941c4d94f97610c9a30473aad6f5b2fff , < 872607632c658d3739e4e7889e4f3c419ae2c193 (git) Affected: 1bff652941c4d94f97610c9a30473aad6f5b2fff , < 5e75c9082987479e647c75ec8fdf18fa68263c42 (git) Affected: 1bff652941c4d94f97610c9a30473aad6f5b2fff , < fecb2fc3fc10c95724407cc45ea35af4a65cdde2 (git) Affected: 1bff652941c4d94f97610c9a30473aad6f5b2fff , < d88a1e8f024ba26e19350958fecbf771a9960352 (git) Affected: 1bff652941c4d94f97610c9a30473aad6f5b2fff , < 8cde755f56163281ec2c46b4ae8b61f532758a6f (git) Affected: 1bff652941c4d94f97610c9a30473aad6f5b2fff , < 3502dd42f178dae9d54696013386bb52b4f2e655 (git) Affected: 1bff652941c4d94f97610c9a30473aad6f5b2fff , < 2a1f4f2e36442a9bdf771acf6ee86f3cf876e5ca (git) Affected: 1bff652941c4d94f97610c9a30473aad6f5b2fff , < 015bac5daca978448f2671478c553ce1f300c21e (git)
Linux	Linux	Affected: 3.12 Unaffected: 0 , < 3.12 (semver) Unaffected: 5.4.295 , ≤ 5.4.* (semver) Unaffected: 5.10.239 , ≤ 5.10.* (semver) Unaffected: 5.15.186 , ≤ 5.15.* (semver) Unaffected: 6.1.142 , ≤ 6.1.* (semver) Unaffected: 6.6.95 , ≤ 6.6.* (semver) Unaffected: 6.12.35 , ≤ 6.12.* (semver) Unaffected: 6.15.4 , ≤ 6.15.* (semver) Unaffected: 6.16 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:35:23.815Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/intel/i40e/i40e_common.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "872607632c658d3739e4e7889e4f3c419ae2c193",
              "status": "affected",
              "version": "1bff652941c4d94f97610c9a30473aad6f5b2fff",
              "versionType": "git"
            },
            {
              "lessThan": "5e75c9082987479e647c75ec8fdf18fa68263c42",
              "status": "affected",
              "version": "1bff652941c4d94f97610c9a30473aad6f5b2fff",
              "versionType": "git"
            },
            {
              "lessThan": "fecb2fc3fc10c95724407cc45ea35af4a65cdde2",
              "status": "affected",
              "version": "1bff652941c4d94f97610c9a30473aad6f5b2fff",
              "versionType": "git"
            },
            {
              "lessThan": "d88a1e8f024ba26e19350958fecbf771a9960352",
              "status": "affected",
              "version": "1bff652941c4d94f97610c9a30473aad6f5b2fff",
              "versionType": "git"
            },
            {
              "lessThan": "8cde755f56163281ec2c46b4ae8b61f532758a6f",
              "status": "affected",
              "version": "1bff652941c4d94f97610c9a30473aad6f5b2fff",
              "versionType": "git"
            },
            {
              "lessThan": "3502dd42f178dae9d54696013386bb52b4f2e655",
              "status": "affected",
              "version": "1bff652941c4d94f97610c9a30473aad6f5b2fff",
              "versionType": "git"
            },
            {
              "lessThan": "2a1f4f2e36442a9bdf771acf6ee86f3cf876e5ca",
              "status": "affected",
              "version": "1bff652941c4d94f97610c9a30473aad6f5b2fff",
              "versionType": "git"
            },
            {
              "lessThan": "015bac5daca978448f2671478c553ce1f300c21e",
              "status": "affected",
              "version": "1bff652941c4d94f97610c9a30473aad6f5b2fff",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/intel/i40e/i40e_common.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.12"
            },
            {
              "lessThan": "3.12",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.295",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.239",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.186",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.142",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.95",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.35",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.295",
                  "versionStartIncluding": "3.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.239",
                  "versionStartIncluding": "3.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.186",
                  "versionStartIncluding": "3.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.142",
                  "versionStartIncluding": "3.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.95",
                  "versionStartIncluding": "3.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.35",
                  "versionStartIncluding": "3.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.4",
                  "versionStartIncluding": "3.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "3.12",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ni40e: fix MMIO write access to an invalid page in i40e_clear_hw\n\nWhen the device sends a specific input, an integer underflow can occur, leading\nto MMIO write access to an invalid page.\n\nPrevent the integer underflow by changing the type of related variables."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T21:23:11.414Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/872607632c658d3739e4e7889e4f3c419ae2c193"
        },
        {
          "url": "https://git.kernel.org/stable/c/5e75c9082987479e647c75ec8fdf18fa68263c42"
        },
        {
          "url": "https://git.kernel.org/stable/c/fecb2fc3fc10c95724407cc45ea35af4a65cdde2"
        },
        {
          "url": "https://git.kernel.org/stable/c/d88a1e8f024ba26e19350958fecbf771a9960352"
        },
        {
          "url": "https://git.kernel.org/stable/c/8cde755f56163281ec2c46b4ae8b61f532758a6f"
        },
        {
          "url": "https://git.kernel.org/stable/c/3502dd42f178dae9d54696013386bb52b4f2e655"
        },
        {
          "url": "https://git.kernel.org/stable/c/2a1f4f2e36442a9bdf771acf6ee86f3cf876e5ca"
        },
        {
          "url": "https://git.kernel.org/stable/c/015bac5daca978448f2671478c553ce1f300c21e"
        }
      ],
      "title": "i40e: fix MMIO write access to an invalid page in i40e_clear_hw",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38200",
    "datePublished": "2025-07-04T13:37:22.076Z",
    "dateReserved": "2025-04-16T04:51:23.993Z",
    "dateUpdated": "2026-05-11T21:23:11.414Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38202 (GCVE-0-2025-38202)

Vulnerability from cvelistv5 – Published: 2025-07-04 13:37 – Updated: 2026-05-11 21:23

Title

bpf: Check rcu_read_lock_trace_held() in bpf_map_lookup_percpu_elem()

Summary

In the Linux kernel, the following vulnerability has been resolved: bpf: Check rcu_read_lock_trace_held() in bpf_map_lookup_percpu_elem() bpf_map_lookup_percpu_elem() helper is also available for sleepable bpf program. When BPF JIT is disabled or under 32-bit host, bpf_map_lookup_percpu_elem() will not be inlined. Using it in a sleepable bpf program will trigger the warning in bpf_map_lookup_percpu_elem(), because the bpf program only holds rcu_read_lock_trace lock. Therefore, add the missed check.

Severity

No CVSS data available.

Assigner

Linux

References

6 references

URL	Tags
https://git.kernel.org/stable/c/2f8c69a72e8ad87b3…
https://git.kernel.org/stable/c/7bf4461f1c97207fd…
https://git.kernel.org/stable/c/2d834477bbc1e8b8a…
https://git.kernel.org/stable/c/b522d4d334f206284…
https://git.kernel.org/stable/c/d4965578267e2e81f…
https://lists.debian.org/debian-lts-announce/2025…

Impacted products

2 products

Vendor	Product	Version
Linux	Linux	Affected: 07343110b293456d30393e89b86c4dee1ac051c8 , < 2f8c69a72e8ad87b36b8052f789da3cc2b2e186c (git) Affected: 07343110b293456d30393e89b86c4dee1ac051c8 , < 7bf4461f1c97207fda757014690d55a447ce859f (git) Affected: 07343110b293456d30393e89b86c4dee1ac051c8 , < 2d834477bbc1e8b8a59ff8b0c081529d6bed7b22 (git) Affected: 07343110b293456d30393e89b86c4dee1ac051c8 , < b522d4d334f206284b1a44b0b0b2f99fd443b39b (git) Affected: 07343110b293456d30393e89b86c4dee1ac051c8 , < d4965578267e2e81f67c86e2608481e77e9c8569 (git)
Linux	Linux	Affected: 5.19 Unaffected: 0 , < 5.19 (semver) Unaffected: 6.1.142 , ≤ 6.1.* (semver) Unaffected: 6.6.95 , ≤ 6.6.* (semver) Unaffected: 6.12.35 , ≤ 6.12.* (semver) Unaffected: 6.15.4 , ≤ 6.15.* (semver) Unaffected: 6.16 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:35:24.781Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "kernel/bpf/helpers.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "2f8c69a72e8ad87b36b8052f789da3cc2b2e186c",
              "status": "affected",
              "version": "07343110b293456d30393e89b86c4dee1ac051c8",
              "versionType": "git"
            },
            {
              "lessThan": "7bf4461f1c97207fda757014690d55a447ce859f",
              "status": "affected",
              "version": "07343110b293456d30393e89b86c4dee1ac051c8",
              "versionType": "git"
            },
            {
              "lessThan": "2d834477bbc1e8b8a59ff8b0c081529d6bed7b22",
              "status": "affected",
              "version": "07343110b293456d30393e89b86c4dee1ac051c8",
              "versionType": "git"
            },
            {
              "lessThan": "b522d4d334f206284b1a44b0b0b2f99fd443b39b",
              "status": "affected",
              "version": "07343110b293456d30393e89b86c4dee1ac051c8",
              "versionType": "git"
            },
            {
              "lessThan": "d4965578267e2e81f67c86e2608481e77e9c8569",
              "status": "affected",
              "version": "07343110b293456d30393e89b86c4dee1ac051c8",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "kernel/bpf/helpers.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.19"
            },
            {
              "lessThan": "5.19",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.142",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.95",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.35",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.142",
                  "versionStartIncluding": "5.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.95",
                  "versionStartIncluding": "5.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.35",
                  "versionStartIncluding": "5.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.4",
                  "versionStartIncluding": "5.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "5.19",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Check rcu_read_lock_trace_held() in bpf_map_lookup_percpu_elem()\n\nbpf_map_lookup_percpu_elem() helper is also available for sleepable bpf\nprogram. When BPF JIT is disabled or under 32-bit host,\nbpf_map_lookup_percpu_elem() will not be inlined. Using it in a\nsleepable bpf program will trigger the warning in\nbpf_map_lookup_percpu_elem(), because the bpf program only holds\nrcu_read_lock_trace lock. Therefore, add the missed check."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T21:23:13.711Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/2f8c69a72e8ad87b36b8052f789da3cc2b2e186c"
        },
        {
          "url": "https://git.kernel.org/stable/c/7bf4461f1c97207fda757014690d55a447ce859f"
        },
        {
          "url": "https://git.kernel.org/stable/c/2d834477bbc1e8b8a59ff8b0c081529d6bed7b22"
        },
        {
          "url": "https://git.kernel.org/stable/c/b522d4d334f206284b1a44b0b0b2f99fd443b39b"
        },
        {
          "url": "https://git.kernel.org/stable/c/d4965578267e2e81f67c86e2608481e77e9c8569"
        }
      ],
      "title": "bpf: Check rcu_read_lock_trace_held() in bpf_map_lookup_percpu_elem()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38202",
    "datePublished": "2025-07-04T13:37:23.347Z",
    "dateReserved": "2025-04-16T04:51:23.994Z",
    "dateUpdated": "2026-05-11T21:23:13.711Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38211 (GCVE-0-2025-38211)

Vulnerability from cvelistv5 – Published: 2025-07-04 13:37 – Updated: 2026-05-11 21:23

Title

RDMA/iwcm: Fix use-after-free of work objects after cm_id destruction

Summary

In the Linux kernel, the following vulnerability has been resolved: RDMA/iwcm: Fix use-after-free of work objects after cm_id destruction The commit 59c68ac31e15 ("iw_cm: free cm_id resources on the last deref") simplified cm_id resource management by freeing cm_id once all references to the cm_id were removed. The references are removed either upon completion of iw_cm event handlers or when the application destroys the cm_id. This commit introduced the use-after-free condition where cm_id_private object could still be in use by event handler works during the destruction of cm_id. The commit aee2424246f9 ("RDMA/iwcm: Fix a use-after-free related to destroying CM IDs") addressed this use-after- free by flushing all pending works at the cm_id destruction. However, still another use-after-free possibility remained. It happens with the work objects allocated for each cm_id_priv within alloc_work_entries() during cm_id creation, and subsequently freed in dealloc_work_entries() once all references to the cm_id are removed. If the cm_id's last reference is decremented in the event handler work, the work object for the work itself gets removed, and causes the use- after-free BUG below: BUG: KASAN: slab-use-after-free in __pwq_activate_work+0x1ff/0x250 Read of size 8 at addr ffff88811f9cf800 by task kworker/u16:1/147091 CPU: 2 UID: 0 PID: 147091 Comm: kworker/u16:1 Not tainted 6.15.0-rc2+ #27 PREEMPT(voluntary) Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-3.fc41 04/01/2014 Workqueue: 0x0 (iw_cm_wq) Call Trace: <TASK> dump_stack_lvl+0x6a/0x90 print_report+0x174/0x554 ? __virt_addr_valid+0x208/0x430 ? __pwq_activate_work+0x1ff/0x250 kasan_report+0xae/0x170 ? __pwq_activate_work+0x1ff/0x250 __pwq_activate_work+0x1ff/0x250 pwq_dec_nr_in_flight+0x8c5/0xfb0 process_one_work+0xc11/0x1460 ? __pfx_process_one_work+0x10/0x10 ? assign_work+0x16c/0x240 worker_thread+0x5ef/0xfd0 ? __pfx_worker_thread+0x10/0x10 kthread+0x3b0/0x770 ? __pfx_kthread+0x10/0x10 ? rcu_is_watching+0x11/0xb0 ? _raw_spin_unlock_irq+0x24/0x50 ? rcu_is_watching+0x11/0xb0 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x30/0x70 ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1a/0x30 </TASK> Allocated by task 147416: kasan_save_stack+0x2c/0x50 kasan_save_track+0x10/0x30 __kasan_kmalloc+0xa6/0xb0 alloc_work_entries+0xa9/0x260 [iw_cm] iw_cm_connect+0x23/0x4a0 [iw_cm] rdma_connect_locked+0xbfd/0x1920 [rdma_cm] nvme_rdma_cm_handler+0x8e5/0x1b60 [nvme_rdma] cma_cm_event_handler+0xae/0x320 [rdma_cm] cma_work_handler+0x106/0x1b0 [rdma_cm] process_one_work+0x84f/0x1460 worker_thread+0x5ef/0xfd0 kthread+0x3b0/0x770 ret_from_fork+0x30/0x70 ret_from_fork_asm+0x1a/0x30 Freed by task 147091: kasan_save_stack+0x2c/0x50 kasan_save_track+0x10/0x30 kasan_save_free_info+0x37/0x60 __kasan_slab_free+0x4b/0x70 kfree+0x13a/0x4b0 dealloc_work_entries+0x125/0x1f0 [iw_cm] iwcm_deref_id+0x6f/0xa0 [iw_cm] cm_work_handler+0x136/0x1ba0 [iw_cm] process_one_work+0x84f/0x1460 worker_thread+0x5ef/0xfd0 kthread+0x3b0/0x770 ret_from_fork+0x30/0x70 ret_from_fork_asm+0x1a/0x30 Last potentially related work creation: kasan_save_stack+0x2c/0x50 kasan_record_aux_stack+0xa3/0xb0 __queue_work+0x2ff/0x1390 queue_work_on+0x67/0xc0 cm_event_handler+0x46a/0x820 [iw_cm] siw_cm_upcall+0x330/0x650 [siw] siw_cm_work_handler+0x6b9/0x2b20 [siw] process_one_work+0x84f/0x1460 worker_thread+0x5ef/0xfd0 kthread+0x3b0/0x770 ret_from_fork+0x30/0x70 ret_from_fork_asm+0x1a/0x30 This BUG is reproducible by repeating the blktests test case nvme/061 for the rdma transport and the siw driver. To avoid the use-after-free of cm_id_private work objects, ensure that the last reference to the cm_id is decremented not in the event handler works, but in the cm_id destruction context. For that purpose, mo ---truncated---

Severity

No CVSS data available.

Assigner

Linux

References

10 references

URL	Tags
https://git.kernel.org/stable/c/013dcdf6f03bcedba…
https://git.kernel.org/stable/c/bf7eff5e3a36c54bb…
https://git.kernel.org/stable/c/3b4a50d733acad683…
https://git.kernel.org/stable/c/78381dc8a6b61c9bb…
https://git.kernel.org/stable/c/23a707bbcbea468ee…
https://git.kernel.org/stable/c/764c9f69beabef8bd…
https://git.kernel.org/stable/c/fd960b5ddf4faf00d…
https://git.kernel.org/stable/c/6883b680e703c6b2e…
https://lists.debian.org/debian-lts-announce/2025…
https://lists.debian.org/debian-lts-announce/2025…

Impacted products

2 products

Vendor	Product	Version
Linux	Linux	Affected: 59c68ac31e15ad09d2cb04734e3c8c544a95f8d4 , < 013dcdf6f03bcedbaf1669e3db71c34a197715b2 (git) Affected: 59c68ac31e15ad09d2cb04734e3c8c544a95f8d4 , < bf7eff5e3a36c54bbe8aff7fd6dd7c07490b81c5 (git) Affected: 59c68ac31e15ad09d2cb04734e3c8c544a95f8d4 , < 3b4a50d733acad6831f6bd9288a76a80f70650ac (git) Affected: 59c68ac31e15ad09d2cb04734e3c8c544a95f8d4 , < 78381dc8a6b61c9bb9987d37b4d671b99767c4a1 (git) Affected: 59c68ac31e15ad09d2cb04734e3c8c544a95f8d4 , < 23a707bbcbea468eedb398832eeb7e8e0ceafd21 (git) Affected: 59c68ac31e15ad09d2cb04734e3c8c544a95f8d4 , < 764c9f69beabef8bdc651a7746c59f7a340d104f (git) Affected: 59c68ac31e15ad09d2cb04734e3c8c544a95f8d4 , < fd960b5ddf4faf00da43babdd3acda68842e1f6a (git) Affected: 59c68ac31e15ad09d2cb04734e3c8c544a95f8d4 , < 6883b680e703c6b2efddb4e7a8d891ce1803d06b (git)
Linux	Linux	Affected: 4.8 Unaffected: 0 , < 4.8 (semver) Unaffected: 5.4.296 , ≤ 5.4.* (semver) Unaffected: 5.10.240 , ≤ 5.10.* (semver) Unaffected: 5.15.186 , ≤ 5.15.* (semver) Unaffected: 6.1.142 , ≤ 6.1.* (semver) Unaffected: 6.6.95 , ≤ 6.6.* (semver) Unaffected: 6.12.35 , ≤ 6.12.* (semver) Unaffected: 6.15.4 , ≤ 6.15.* (semver) Unaffected: 6.16 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:35:29.579Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/infiniband/core/iwcm.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "013dcdf6f03bcedbaf1669e3db71c34a197715b2",
              "status": "affected",
              "version": "59c68ac31e15ad09d2cb04734e3c8c544a95f8d4",
              "versionType": "git"
            },
            {
              "lessThan": "bf7eff5e3a36c54bbe8aff7fd6dd7c07490b81c5",
              "status": "affected",
              "version": "59c68ac31e15ad09d2cb04734e3c8c544a95f8d4",
              "versionType": "git"
            },
            {
              "lessThan": "3b4a50d733acad6831f6bd9288a76a80f70650ac",
              "status": "affected",
              "version": "59c68ac31e15ad09d2cb04734e3c8c544a95f8d4",
              "versionType": "git"
            },
            {
              "lessThan": "78381dc8a6b61c9bb9987d37b4d671b99767c4a1",
              "status": "affected",
              "version": "59c68ac31e15ad09d2cb04734e3c8c544a95f8d4",
              "versionType": "git"
            },
            {
              "lessThan": "23a707bbcbea468eedb398832eeb7e8e0ceafd21",
              "status": "affected",
              "version": "59c68ac31e15ad09d2cb04734e3c8c544a95f8d4",
              "versionType": "git"
            },
            {
              "lessThan": "764c9f69beabef8bdc651a7746c59f7a340d104f",
              "status": "affected",
              "version": "59c68ac31e15ad09d2cb04734e3c8c544a95f8d4",
              "versionType": "git"
            },
            {
              "lessThan": "fd960b5ddf4faf00da43babdd3acda68842e1f6a",
              "status": "affected",
              "version": "59c68ac31e15ad09d2cb04734e3c8c544a95f8d4",
              "versionType": "git"
            },
            {
              "lessThan": "6883b680e703c6b2efddb4e7a8d891ce1803d06b",
              "status": "affected",
              "version": "59c68ac31e15ad09d2cb04734e3c8c544a95f8d4",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/infiniband/core/iwcm.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.8"
            },
            {
              "lessThan": "4.8",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.296",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.240",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.186",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.142",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.95",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.35",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.296",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.240",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.186",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.142",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.95",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.35",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.4",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/iwcm: Fix use-after-free of work objects after cm_id destruction\n\nThe commit 59c68ac31e15 (\"iw_cm: free cm_id resources on the last\nderef\") simplified cm_id resource management by freeing cm_id once all\nreferences to the cm_id were removed. The references are removed either\nupon completion of iw_cm event handlers or when the application destroys\nthe cm_id. This commit introduced the use-after-free condition where\ncm_id_private object could still be in use by event handler works during\nthe destruction of cm_id. The commit aee2424246f9 (\"RDMA/iwcm: Fix a\nuse-after-free related to destroying CM IDs\") addressed this use-after-\nfree by flushing all pending works at the cm_id destruction.\n\nHowever, still another use-after-free possibility remained. It happens\nwith the work objects allocated for each cm_id_priv within\nalloc_work_entries() during cm_id creation, and subsequently freed in\ndealloc_work_entries() once all references to the cm_id are removed.\nIf the cm_id\u0027s last reference is decremented in the event handler work,\nthe work object for the work itself gets removed, and causes the use-\nafter-free BUG below:\n\n  BUG: KASAN: slab-use-after-free in __pwq_activate_work+0x1ff/0x250\n  Read of size 8 at addr ffff88811f9cf800 by task kworker/u16:1/147091\n\n  CPU: 2 UID: 0 PID: 147091 Comm: kworker/u16:1 Not tainted 6.15.0-rc2+ #27 PREEMPT(voluntary)\n  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-3.fc41 04/01/2014\n  Workqueue:  0x0 (iw_cm_wq)\n  Call Trace:\n   \u003cTASK\u003e\n   dump_stack_lvl+0x6a/0x90\n   print_report+0x174/0x554\n   ? __virt_addr_valid+0x208/0x430\n   ? __pwq_activate_work+0x1ff/0x250\n   kasan_report+0xae/0x170\n   ? __pwq_activate_work+0x1ff/0x250\n   __pwq_activate_work+0x1ff/0x250\n   pwq_dec_nr_in_flight+0x8c5/0xfb0\n   process_one_work+0xc11/0x1460\n   ? __pfx_process_one_work+0x10/0x10\n   ? assign_work+0x16c/0x240\n   worker_thread+0x5ef/0xfd0\n   ? __pfx_worker_thread+0x10/0x10\n   kthread+0x3b0/0x770\n   ? __pfx_kthread+0x10/0x10\n   ? rcu_is_watching+0x11/0xb0\n   ? _raw_spin_unlock_irq+0x24/0x50\n   ? rcu_is_watching+0x11/0xb0\n   ? __pfx_kthread+0x10/0x10\n   ret_from_fork+0x30/0x70\n   ? __pfx_kthread+0x10/0x10\n   ret_from_fork_asm+0x1a/0x30\n   \u003c/TASK\u003e\n\n  Allocated by task 147416:\n   kasan_save_stack+0x2c/0x50\n   kasan_save_track+0x10/0x30\n   __kasan_kmalloc+0xa6/0xb0\n   alloc_work_entries+0xa9/0x260 [iw_cm]\n   iw_cm_connect+0x23/0x4a0 [iw_cm]\n   rdma_connect_locked+0xbfd/0x1920 [rdma_cm]\n   nvme_rdma_cm_handler+0x8e5/0x1b60 [nvme_rdma]\n   cma_cm_event_handler+0xae/0x320 [rdma_cm]\n   cma_work_handler+0x106/0x1b0 [rdma_cm]\n   process_one_work+0x84f/0x1460\n   worker_thread+0x5ef/0xfd0\n   kthread+0x3b0/0x770\n   ret_from_fork+0x30/0x70\n   ret_from_fork_asm+0x1a/0x30\n\n  Freed by task 147091:\n   kasan_save_stack+0x2c/0x50\n   kasan_save_track+0x10/0x30\n   kasan_save_free_info+0x37/0x60\n   __kasan_slab_free+0x4b/0x70\n   kfree+0x13a/0x4b0\n   dealloc_work_entries+0x125/0x1f0 [iw_cm]\n   iwcm_deref_id+0x6f/0xa0 [iw_cm]\n   cm_work_handler+0x136/0x1ba0 [iw_cm]\n   process_one_work+0x84f/0x1460\n   worker_thread+0x5ef/0xfd0\n   kthread+0x3b0/0x770\n   ret_from_fork+0x30/0x70\n   ret_from_fork_asm+0x1a/0x30\n\n  Last potentially related work creation:\n   kasan_save_stack+0x2c/0x50\n   kasan_record_aux_stack+0xa3/0xb0\n   __queue_work+0x2ff/0x1390\n   queue_work_on+0x67/0xc0\n   cm_event_handler+0x46a/0x820 [iw_cm]\n   siw_cm_upcall+0x330/0x650 [siw]\n   siw_cm_work_handler+0x6b9/0x2b20 [siw]\n   process_one_work+0x84f/0x1460\n   worker_thread+0x5ef/0xfd0\n   kthread+0x3b0/0x770\n   ret_from_fork+0x30/0x70\n   ret_from_fork_asm+0x1a/0x30\n\nThis BUG is reproducible by repeating the blktests test case nvme/061\nfor the rdma transport and the siw driver.\n\nTo avoid the use-after-free of cm_id_private work objects, ensure that\nthe last reference to the cm_id is decremented not in the event handler\nworks, but in the cm_id destruction context. For that purpose, mo\n---truncated---"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T21:23:24.277Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/013dcdf6f03bcedbaf1669e3db71c34a197715b2"
        },
        {
          "url": "https://git.kernel.org/stable/c/bf7eff5e3a36c54bbe8aff7fd6dd7c07490b81c5"
        },
        {
          "url": "https://git.kernel.org/stable/c/3b4a50d733acad6831f6bd9288a76a80f70650ac"
        },
        {
          "url": "https://git.kernel.org/stable/c/78381dc8a6b61c9bb9987d37b4d671b99767c4a1"
        },
        {
          "url": "https://git.kernel.org/stable/c/23a707bbcbea468eedb398832eeb7e8e0ceafd21"
        },
        {
          "url": "https://git.kernel.org/stable/c/764c9f69beabef8bdc651a7746c59f7a340d104f"
        },
        {
          "url": "https://git.kernel.org/stable/c/fd960b5ddf4faf00da43babdd3acda68842e1f6a"
        },
        {
          "url": "https://git.kernel.org/stable/c/6883b680e703c6b2efddb4e7a8d891ce1803d06b"
        }
      ],
      "title": "RDMA/iwcm: Fix use-after-free of work objects after cm_id destruction",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38211",
    "datePublished": "2025-07-04T13:37:30.307Z",
    "dateReserved": "2025-04-16T04:51:23.994Z",
    "dateUpdated": "2026-05-11T21:23:24.277Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38212 (GCVE-0-2025-38212)

Vulnerability from cvelistv5 – Published: 2025-07-04 13:37 – Updated: 2026-05-12 12:04

Title

ipc: fix to protect IPCS lookups using RCU

Summary

In the Linux kernel, the following vulnerability has been resolved: ipc: fix to protect IPCS lookups using RCU syzbot reported that it discovered a use-after-free vulnerability, [0] [0]: https://lore.kernel.org/all/67af13f8.050a0220.21dd3.0038.GAE@google.com/ idr_for_each() is protected by rwsem, but this is not enough. If it is not protected by RCU read-critical region, when idr_for_each() calls radix_tree_node_free() through call_rcu() to free the radix_tree_node structure, the node will be freed immediately, and when reading the next node in radix_tree_for_each_slot(), the already freed memory may be read. Therefore, we need to add code to make sure that idr_for_each() is protected within the RCU read-critical region when we call it in shm_destroy_orphaned().

Severity

No CVSS data available.

Assigner

Linux

References

11 references

URL	Tags
https://git.kernel.org/stable/c/5f1e1573bf1033039…
https://git.kernel.org/stable/c/b968ba8bfd9f90914…
https://git.kernel.org/stable/c/74bc813d11c30e28f…
https://git.kernel.org/stable/c/78297d53d3878d43c…
https://git.kernel.org/stable/c/5180561afff8e0f02…
https://git.kernel.org/stable/c/68c173ea138b66d7d…
https://git.kernel.org/stable/c/b0b6bf90ce2699a57…
https://git.kernel.org/stable/c/d66adabe91803ef34…
https://lists.debian.org/debian-lts-announce/2025…
https://lists.debian.org/debian-lts-announce/2025…
https://cert-portal.siemens.com/productcert/html/…

Impacted products

5 products

Vendor	Product	Version
Linux	Linux	Affected: b34a6b1da371ed8af1221459a18c67970f7e3d53 , < 5f1e1573bf103303944fd7225559de5d8297539c (git) Affected: b34a6b1da371ed8af1221459a18c67970f7e3d53 , < b968ba8bfd9f90914957bbbd815413bf6a98eca7 (git) Affected: b34a6b1da371ed8af1221459a18c67970f7e3d53 , < 74bc813d11c30e28fc5261dc877cca662ccfac68 (git) Affected: b34a6b1da371ed8af1221459a18c67970f7e3d53 , < 78297d53d3878d43c1d627d20cd09f611fa4b91d (git) Affected: b34a6b1da371ed8af1221459a18c67970f7e3d53 , < 5180561afff8e0f029073c8c8117c95c6512d1f9 (git) Affected: b34a6b1da371ed8af1221459a18c67970f7e3d53 , < 68c173ea138b66d7dd1fd980c9bc578a18e11884 (git) Affected: b34a6b1da371ed8af1221459a18c67970f7e3d53 , < b0b6bf90ce2699a574b3683e22c44d0dcdd7a057 (git) Affected: b34a6b1da371ed8af1221459a18c67970f7e3d53 , < d66adabe91803ef34a8b90613c81267b5ded1472 (git)
Linux	Linux	Affected: 3.1 Unaffected: 0 , < 3.1 (semver) Unaffected: 5.4.295 , ≤ 5.4.* (semver) Unaffected: 5.10.239 , ≤ 5.10.* (semver) Unaffected: 5.15.186 , ≤ 5.15.* (semver) Unaffected: 6.1.142 , ≤ 6.1.* (semver) Unaffected: 6.6.95 , ≤ 6.6.* (semver) Unaffected: 6.12.35 , ≤ 6.12.* (semver) Unaffected: 6.15.4 , ≤ 6.15.* (semver) Unaffected: 6.16 , ≤ * (original_commit_for_fix)
Siemens	SIMATIC S7-1500 CPU 1518-4 PN/DP MFP	Affected: V3.1.5 , < * (custom)
Siemens	SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP	Affected: V3.1.5 , < * (custom)
Siemens	SIPLUS S7-1500 CPU 1518-4 PN/DP MFP	Affected: V3.1.5 , < * (custom)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:35:31.589Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "affected": [
          {
            "defaultStatus": "unknown",
            "product": "SIMATIC S7-1500 CPU 1518-4 PN/DP MFP",
            "vendor": "Siemens",
            "versions": [
              {
                "lessThan": "*",
                "status": "affected",
                "version": "V3.1.5",
                "versionType": "custom"
              }
            ]
          },
          {
            "defaultStatus": "unknown",
            "product": "SIMATIC S7-1500 CPU 1518-4 PN/DP MFP",
            "vendor": "Siemens",
            "versions": [
              {
                "lessThan": "*",
                "status": "affected",
                "version": "V3.1.5",
                "versionType": "custom"
              }
            ]
          },
          {
            "defaultStatus": "unknown",
            "product": "SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP",
            "vendor": "Siemens",
            "versions": [
              {
                "lessThan": "*",
                "status": "affected",
                "version": "V3.1.5",
                "versionType": "custom"
              }
            ]
          },
          {
            "defaultStatus": "unknown",
            "product": "SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP",
            "vendor": "Siemens",
            "versions": [
              {
                "lessThan": "*",
                "status": "affected",
                "version": "V3.1.5",
                "versionType": "custom"
              }
            ]
          },
          {
            "defaultStatus": "unknown",
            "product": "SIPLUS S7-1500 CPU 1518-4 PN/DP MFP",
            "vendor": "Siemens",
            "versions": [
              {
                "lessThan": "*",
                "status": "affected",
                "version": "V3.1.5",
                "versionType": "custom"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-12T12:04:37.163Z",
          "orgId": "0b142b55-0307-4c5a-b3c9-f314f3fb7c5e",
          "shortName": "siemens-SADP"
        },
        "references": [
          {
            "url": "https://cert-portal.siemens.com/productcert/html/ssa-082556.html"
          }
        ],
        "x_adpType": "supplier"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "ipc/shm.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "5f1e1573bf103303944fd7225559de5d8297539c",
              "status": "affected",
              "version": "b34a6b1da371ed8af1221459a18c67970f7e3d53",
              "versionType": "git"
            },
            {
              "lessThan": "b968ba8bfd9f90914957bbbd815413bf6a98eca7",
              "status": "affected",
              "version": "b34a6b1da371ed8af1221459a18c67970f7e3d53",
              "versionType": "git"
            },
            {
              "lessThan": "74bc813d11c30e28fc5261dc877cca662ccfac68",
              "status": "affected",
              "version": "b34a6b1da371ed8af1221459a18c67970f7e3d53",
              "versionType": "git"
            },
            {
              "lessThan": "78297d53d3878d43c1d627d20cd09f611fa4b91d",
              "status": "affected",
              "version": "b34a6b1da371ed8af1221459a18c67970f7e3d53",
              "versionType": "git"
            },
            {
              "lessThan": "5180561afff8e0f029073c8c8117c95c6512d1f9",
              "status": "affected",
              "version": "b34a6b1da371ed8af1221459a18c67970f7e3d53",
              "versionType": "git"
            },
            {
              "lessThan": "68c173ea138b66d7dd1fd980c9bc578a18e11884",
              "status": "affected",
              "version": "b34a6b1da371ed8af1221459a18c67970f7e3d53",
              "versionType": "git"
            },
            {
              "lessThan": "b0b6bf90ce2699a574b3683e22c44d0dcdd7a057",
              "status": "affected",
              "version": "b34a6b1da371ed8af1221459a18c67970f7e3d53",
              "versionType": "git"
            },
            {
              "lessThan": "d66adabe91803ef34a8b90613c81267b5ded1472",
              "status": "affected",
              "version": "b34a6b1da371ed8af1221459a18c67970f7e3d53",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "ipc/shm.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.1"
            },
            {
              "lessThan": "3.1",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.295",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.239",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.186",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.142",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.95",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.35",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.295",
                  "versionStartIncluding": "3.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.239",
                  "versionStartIncluding": "3.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.186",
                  "versionStartIncluding": "3.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.142",
                  "versionStartIncluding": "3.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.95",
                  "versionStartIncluding": "3.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.35",
                  "versionStartIncluding": "3.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.4",
                  "versionStartIncluding": "3.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "3.1",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nipc: fix to protect IPCS lookups using RCU\n\nsyzbot reported that it discovered a use-after-free vulnerability, [0]\n\n[0]: https://lore.kernel.org/all/67af13f8.050a0220.21dd3.0038.GAE@google.com/\n\nidr_for_each() is protected by rwsem, but this is not enough.  If it is\nnot protected by RCU read-critical region, when idr_for_each() calls\nradix_tree_node_free() through call_rcu() to free the radix_tree_node\nstructure, the node will be freed immediately, and when reading the next\nnode in radix_tree_for_each_slot(), the already freed memory may be read.\n\nTherefore, we need to add code to make sure that idr_for_each() is\nprotected within the RCU read-critical region when we call it in\nshm_destroy_orphaned()."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T21:23:25.493Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/5f1e1573bf103303944fd7225559de5d8297539c"
        },
        {
          "url": "https://git.kernel.org/stable/c/b968ba8bfd9f90914957bbbd815413bf6a98eca7"
        },
        {
          "url": "https://git.kernel.org/stable/c/74bc813d11c30e28fc5261dc877cca662ccfac68"
        },
        {
          "url": "https://git.kernel.org/stable/c/78297d53d3878d43c1d627d20cd09f611fa4b91d"
        },
        {
          "url": "https://git.kernel.org/stable/c/5180561afff8e0f029073c8c8117c95c6512d1f9"
        },
        {
          "url": "https://git.kernel.org/stable/c/68c173ea138b66d7dd1fd980c9bc578a18e11884"
        },
        {
          "url": "https://git.kernel.org/stable/c/b0b6bf90ce2699a574b3683e22c44d0dcdd7a057"
        },
        {
          "url": "https://git.kernel.org/stable/c/d66adabe91803ef34a8b90613c81267b5ded1472"
        }
      ],
      "title": "ipc: fix to protect IPCS lookups using RCU",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38212",
    "datePublished": "2025-07-04T13:37:30.957Z",
    "dateReserved": "2025-04-16T04:51:23.994Z",
    "dateUpdated": "2026-05-12T12:04:37.163Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38214 (GCVE-0-2025-38214)

Vulnerability from cvelistv5 – Published: 2025-07-04 13:37 – Updated: 2026-05-12 12:04

Title

fbdev: Fix fb_set_var to prevent null-ptr-deref in fb_videomode_to_var

Summary

In the Linux kernel, the following vulnerability has been resolved: fbdev: Fix fb_set_var to prevent null-ptr-deref in fb_videomode_to_var If fb_add_videomode() in fb_set_var() fails to allocate memory for fb_videomode, later it may lead to a null-ptr dereference in fb_videomode_to_var(), as the fb_info is registered while not having the mode in modelist that is expected to be there, i.e. the one that is described in fb_info->var. ================================================================ general protection fault, probably for non-canonical address 0xdffffc0000000001: 0000 [#1] PREEMPT SMP KASAN NOPTI KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f] CPU: 1 PID: 30371 Comm: syz-executor.1 Not tainted 5.10.226-syzkaller #0 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014 RIP: 0010:fb_videomode_to_var+0x24/0x610 drivers/video/fbdev/core/modedb.c:901 Call Trace: display_to_var+0x3a/0x7c0 drivers/video/fbdev/core/fbcon.c:929 fbcon_resize+0x3e2/0x8f0 drivers/video/fbdev/core/fbcon.c:2071 resize_screen drivers/tty/vt/vt.c:1176 [inline] vc_do_resize+0x53a/0x1170 drivers/tty/vt/vt.c:1263 fbcon_modechanged+0x3ac/0x6e0 drivers/video/fbdev/core/fbcon.c:2720 fbcon_update_vcs+0x43/0x60 drivers/video/fbdev/core/fbcon.c:2776 do_fb_ioctl+0x6d2/0x740 drivers/video/fbdev/core/fbmem.c:1128 fb_ioctl+0xe7/0x150 drivers/video/fbdev/core/fbmem.c:1203 vfs_ioctl fs/ioctl.c:48 [inline] __do_sys_ioctl fs/ioctl.c:753 [inline] __se_sys_ioctl fs/ioctl.c:739 [inline] __x64_sys_ioctl+0x19a/0x210 fs/ioctl.c:739 do_syscall_64+0x33/0x40 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x67/0xd1 ================================================================ The reason is that fb_info->var is being modified in fb_set_var(), and then fb_videomode_to_var() is called. If it fails to add the mode to fb_info->modelist, fb_set_var() returns error, but does not restore the old value of fb_info->var. Restore fb_info->var on failure the same way it is done earlier in the function. Found by Linux Verification Center (linuxtesting.org) with Syzkaller.

Severity

No CVSS data available.

Assigner

Linux

References

11 references

URL	Tags
https://git.kernel.org/stable/c/ee20216f12d9482cd…
https://git.kernel.org/stable/c/fab201d72fde38d08…
https://git.kernel.org/stable/c/1a10d91766eb6ddfd…
https://git.kernel.org/stable/c/ff0e037241173b574…
https://git.kernel.org/stable/c/3ca78032a388a0795…
https://git.kernel.org/stable/c/b3071bb463ea1e6c6…
https://git.kernel.org/stable/c/8a3a2887794b2c8e7…
https://git.kernel.org/stable/c/05f6e183879d9785a…
https://lists.debian.org/debian-lts-announce/2025…
https://lists.debian.org/debian-lts-announce/2025…
https://cert-portal.siemens.com/productcert/html/…

Impacted products

5 products

Vendor	Product	Version
Linux	Linux	Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < ee20216f12d9482cd70e44dae5e7fabb38367c71 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < fab201d72fde38d081e2c5d4ad25595c535b7b22 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 1a10d91766eb6ddfd5414e4785611e33a4fe0f9b (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < ff0e037241173b574b385bff53d67567b9816db5 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 3ca78032a388a0795201792b36e6fc9b6e6e8eed (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < b3071bb463ea1e6c686d0dc9638fc940f2f5cf17 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 8a3a2887794b2c8e78b3e5d6e3de724527c9f41b (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 05f6e183879d9785a3cdf2f08a498bc31b7a20aa (git)
Linux	Linux	Affected: 2.6.12 Unaffected: 0 , < 2.6.12 (semver) Unaffected: 5.4.295 , ≤ 5.4.* (semver) Unaffected: 5.10.239 , ≤ 5.10.* (semver) Unaffected: 5.15.186 , ≤ 5.15.* (semver) Unaffected: 6.1.142 , ≤ 6.1.* (semver) Unaffected: 6.6.95 , ≤ 6.6.* (semver) Unaffected: 6.12.35 , ≤ 6.12.* (semver) Unaffected: 6.15.4 , ≤ 6.15.* (semver) Unaffected: 6.16 , ≤ * (original_commit_for_fix)
Siemens	SIMATIC S7-1500 CPU 1518-4 PN/DP MFP	Affected: V3.1.5 , < * (custom)
Siemens	SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP	Affected: V3.1.5 , < * (custom)
Siemens	SIPLUS S7-1500 CPU 1518-4 PN/DP MFP	Affected: V3.1.5 , < * (custom)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:35:33.497Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "affected": [
          {
            "defaultStatus": "unknown",
            "product": "SIMATIC S7-1500 CPU 1518-4 PN/DP MFP",
            "vendor": "Siemens",
            "versions": [
              {
                "lessThan": "*",
                "status": "affected",
                "version": "V3.1.5",
                "versionType": "custom"
              }
            ]
          },
          {
            "defaultStatus": "unknown",
            "product": "SIMATIC S7-1500 CPU 1518-4 PN/DP MFP",
            "vendor": "Siemens",
            "versions": [
              {
                "lessThan": "*",
                "status": "affected",
                "version": "V3.1.5",
                "versionType": "custom"
              }
            ]
          },
          {
            "defaultStatus": "unknown",
            "product": "SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP",
            "vendor": "Siemens",
            "versions": [
              {
                "lessThan": "*",
                "status": "affected",
                "version": "V3.1.5",
                "versionType": "custom"
              }
            ]
          },
          {
            "defaultStatus": "unknown",
            "product": "SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP",
            "vendor": "Siemens",
            "versions": [
              {
                "lessThan": "*",
                "status": "affected",
                "version": "V3.1.5",
                "versionType": "custom"
              }
            ]
          },
          {
            "defaultStatus": "unknown",
            "product": "SIPLUS S7-1500 CPU 1518-4 PN/DP MFP",
            "vendor": "Siemens",
            "versions": [
              {
                "lessThan": "*",
                "status": "affected",
                "version": "V3.1.5",
                "versionType": "custom"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-12T12:04:38.367Z",
          "orgId": "0b142b55-0307-4c5a-b3c9-f314f3fb7c5e",
          "shortName": "siemens-SADP"
        },
        "references": [
          {
            "url": "https://cert-portal.siemens.com/productcert/html/ssa-082556.html"
          }
        ],
        "x_adpType": "supplier"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/video/fbdev/core/fbmem.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "ee20216f12d9482cd70e44dae5e7fabb38367c71",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "fab201d72fde38d081e2c5d4ad25595c535b7b22",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "1a10d91766eb6ddfd5414e4785611e33a4fe0f9b",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "ff0e037241173b574b385bff53d67567b9816db5",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "3ca78032a388a0795201792b36e6fc9b6e6e8eed",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "b3071bb463ea1e6c686d0dc9638fc940f2f5cf17",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "8a3a2887794b2c8e78b3e5d6e3de724527c9f41b",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "05f6e183879d9785a3cdf2f08a498bc31b7a20aa",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/video/fbdev/core/fbmem.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.12"
            },
            {
              "lessThan": "2.6.12",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.295",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.239",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.186",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.142",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.95",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.35",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.295",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.239",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.186",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.142",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.95",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.35",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.4",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfbdev: Fix fb_set_var to prevent null-ptr-deref in fb_videomode_to_var\n\nIf fb_add_videomode() in fb_set_var() fails to allocate memory for\nfb_videomode, later it may lead to a null-ptr dereference in\nfb_videomode_to_var(), as the fb_info is registered while not having the\nmode in modelist that is expected to be there, i.e. the one that is\ndescribed in fb_info-\u003evar.\n\n================================================================\ngeneral protection fault, probably for non-canonical address 0xdffffc0000000001: 0000 [#1] PREEMPT SMP KASAN NOPTI\nKASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]\nCPU: 1 PID: 30371 Comm: syz-executor.1 Not tainted 5.10.226-syzkaller #0\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014\nRIP: 0010:fb_videomode_to_var+0x24/0x610 drivers/video/fbdev/core/modedb.c:901\nCall Trace:\n display_to_var+0x3a/0x7c0 drivers/video/fbdev/core/fbcon.c:929\n fbcon_resize+0x3e2/0x8f0 drivers/video/fbdev/core/fbcon.c:2071\n resize_screen drivers/tty/vt/vt.c:1176 [inline]\n vc_do_resize+0x53a/0x1170 drivers/tty/vt/vt.c:1263\n fbcon_modechanged+0x3ac/0x6e0 drivers/video/fbdev/core/fbcon.c:2720\n fbcon_update_vcs+0x43/0x60 drivers/video/fbdev/core/fbcon.c:2776\n do_fb_ioctl+0x6d2/0x740 drivers/video/fbdev/core/fbmem.c:1128\n fb_ioctl+0xe7/0x150 drivers/video/fbdev/core/fbmem.c:1203\n vfs_ioctl fs/ioctl.c:48 [inline]\n __do_sys_ioctl fs/ioctl.c:753 [inline]\n __se_sys_ioctl fs/ioctl.c:739 [inline]\n __x64_sys_ioctl+0x19a/0x210 fs/ioctl.c:739\n do_syscall_64+0x33/0x40 arch/x86/entry/common.c:46\n entry_SYSCALL_64_after_hwframe+0x67/0xd1\n================================================================\n\nThe reason is that fb_info-\u003evar is being modified in fb_set_var(), and\nthen fb_videomode_to_var() is called. If it fails to add the mode to\nfb_info-\u003emodelist, fb_set_var() returns error, but does not restore the\nold value of fb_info-\u003evar. Restore fb_info-\u003evar on failure the same way\nit is done earlier in the function.\n\nFound by Linux Verification Center (linuxtesting.org) with Syzkaller."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T21:23:26.706Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/ee20216f12d9482cd70e44dae5e7fabb38367c71"
        },
        {
          "url": "https://git.kernel.org/stable/c/fab201d72fde38d081e2c5d4ad25595c535b7b22"
        },
        {
          "url": "https://git.kernel.org/stable/c/1a10d91766eb6ddfd5414e4785611e33a4fe0f9b"
        },
        {
          "url": "https://git.kernel.org/stable/c/ff0e037241173b574b385bff53d67567b9816db5"
        },
        {
          "url": "https://git.kernel.org/stable/c/3ca78032a388a0795201792b36e6fc9b6e6e8eed"
        },
        {
          "url": "https://git.kernel.org/stable/c/b3071bb463ea1e6c686d0dc9638fc940f2f5cf17"
        },
        {
          "url": "https://git.kernel.org/stable/c/8a3a2887794b2c8e78b3e5d6e3de724527c9f41b"
        },
        {
          "url": "https://git.kernel.org/stable/c/05f6e183879d9785a3cdf2f08a498bc31b7a20aa"
        }
      ],
      "title": "fbdev: Fix fb_set_var to prevent null-ptr-deref in fb_videomode_to_var",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38214",
    "datePublished": "2025-07-04T13:37:32.410Z",
    "dateReserved": "2025-04-16T04:51:23.995Z",
    "dateUpdated": "2026-05-12T12:04:38.367Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38215 (GCVE-0-2025-38215)

Vulnerability from cvelistv5 – Published: 2025-07-04 13:37 – Updated: 2026-05-12 12:04

Title

fbdev: Fix do_register_framebuffer to prevent null-ptr-deref in fb_videomode_to_var

Summary

In the Linux kernel, the following vulnerability has been resolved: fbdev: Fix do_register_framebuffer to prevent null-ptr-deref in fb_videomode_to_var If fb_add_videomode() in do_register_framebuffer() fails to allocate memory for fb_videomode, it will later lead to a null-ptr dereference in fb_videomode_to_var(), as the fb_info is registered while not having the mode in modelist that is expected to be there, i.e. the one that is described in fb_info->var. ================================================================ general protection fault, probably for non-canonical address 0xdffffc0000000001: 0000 [#1] PREEMPT SMP KASAN NOPTI KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f] CPU: 1 PID: 30371 Comm: syz-executor.1 Not tainted 5.10.226-syzkaller #0 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014 RIP: 0010:fb_videomode_to_var+0x24/0x610 drivers/video/fbdev/core/modedb.c:901 Call Trace: display_to_var+0x3a/0x7c0 drivers/video/fbdev/core/fbcon.c:929 fbcon_resize+0x3e2/0x8f0 drivers/video/fbdev/core/fbcon.c:2071 resize_screen drivers/tty/vt/vt.c:1176 [inline] vc_do_resize+0x53a/0x1170 drivers/tty/vt/vt.c:1263 fbcon_modechanged+0x3ac/0x6e0 drivers/video/fbdev/core/fbcon.c:2720 fbcon_update_vcs+0x43/0x60 drivers/video/fbdev/core/fbcon.c:2776 do_fb_ioctl+0x6d2/0x740 drivers/video/fbdev/core/fbmem.c:1128 fb_ioctl+0xe7/0x150 drivers/video/fbdev/core/fbmem.c:1203 vfs_ioctl fs/ioctl.c:48 [inline] __do_sys_ioctl fs/ioctl.c:753 [inline] __se_sys_ioctl fs/ioctl.c:739 [inline] __x64_sys_ioctl+0x19a/0x210 fs/ioctl.c:739 do_syscall_64+0x33/0x40 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x67/0xd1 ================================================================ Even though fbcon_init() checks beforehand if fb_match_mode() in var_to_display() fails, it can not prevent the panic because fbcon_init() does not return error code. Considering this and the comment in the code about fb_match_mode() returning NULL - "This should not happen" - it is better to prevent registering the fb_info if its mode was not set successfully. Also move fb_add_videomode() closer to the beginning of do_register_framebuffer() to avoid having to do the cleanup on fail. Found by Linux Verification Center (linuxtesting.org) with Syzkaller.

Severity

No CVSS data available.

Assigner

Linux

References

7 references

URL	Tags
https://git.kernel.org/stable/c/908c5bb64f9c43199…
https://git.kernel.org/stable/c/0909b2b49c4546a7a…
https://git.kernel.org/stable/c/3f2098f4fba7718eb…
https://git.kernel.org/stable/c/d803c4c2a4ac8ce2b…
https://git.kernel.org/stable/c/17186f1f90d34fa70…
https://lists.debian.org/debian-lts-announce/2025…
https://cert-portal.siemens.com/productcert/html/…

Impacted products

5 products

Vendor	Product	Version
Linux	Linux	Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 908c5bb64f9c4319902b8ca1aa3fef8f83302520 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 0909b2b49c4546a7a08c80f53d93736b63270827 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 3f2098f4fba7718eb2501207ca6e99d22427f25a (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < d803c4c2a4ac8ce2be6d899d5c7ab0bf7ec355e9 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 17186f1f90d34fa701e4f14e6818305151637b9e (git)
Linux	Linux	Affected: 2.6.12 Unaffected: 0 , < 2.6.12 (semver) Unaffected: 6.1.143 , ≤ 6.1.* (semver) Unaffected: 6.6.95 , ≤ 6.6.* (semver) Unaffected: 6.12.35 , ≤ 6.12.* (semver) Unaffected: 6.15.4 , ≤ 6.15.* (semver) Unaffected: 6.16 , ≤ * (original_commit_for_fix)
Siemens	SIMATIC S7-1500 CPU 1518-4 PN/DP MFP	Affected: V3.1.5 , < * (custom)
Siemens	SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP	Affected: V3.1.5 , < * (custom)
Siemens	SIPLUS S7-1500 CPU 1518-4 PN/DP MFP	Affected: V3.1.5 , < * (custom)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:35:34.466Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "affected": [
          {
            "defaultStatus": "unknown",
            "product": "SIMATIC S7-1500 CPU 1518-4 PN/DP MFP",
            "vendor": "Siemens",
            "versions": [
              {
                "lessThan": "*",
                "status": "affected",
                "version": "V3.1.5",
                "versionType": "custom"
              }
            ]
          },
          {
            "defaultStatus": "unknown",
            "product": "SIMATIC S7-1500 CPU 1518-4 PN/DP MFP",
            "vendor": "Siemens",
            "versions": [
              {
                "lessThan": "*",
                "status": "affected",
                "version": "V3.1.5",
                "versionType": "custom"
              }
            ]
          },
          {
            "defaultStatus": "unknown",
            "product": "SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP",
            "vendor": "Siemens",
            "versions": [
              {
                "lessThan": "*",
                "status": "affected",
                "version": "V3.1.5",
                "versionType": "custom"
              }
            ]
          },
          {
            "defaultStatus": "unknown",
            "product": "SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP",
            "vendor": "Siemens",
            "versions": [
              {
                "lessThan": "*",
                "status": "affected",
                "version": "V3.1.5",
                "versionType": "custom"
              }
            ]
          },
          {
            "defaultStatus": "unknown",
            "product": "SIPLUS S7-1500 CPU 1518-4 PN/DP MFP",
            "vendor": "Siemens",
            "versions": [
              {
                "lessThan": "*",
                "status": "affected",
                "version": "V3.1.5",
                "versionType": "custom"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-12T12:04:39.592Z",
          "orgId": "0b142b55-0307-4c5a-b3c9-f314f3fb7c5e",
          "shortName": "siemens-SADP"
        },
        "references": [
          {
            "url": "https://cert-portal.siemens.com/productcert/html/ssa-082556.html"
          }
        ],
        "x_adpType": "supplier"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/video/fbdev/core/fbmem.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "908c5bb64f9c4319902b8ca1aa3fef8f83302520",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "0909b2b49c4546a7a08c80f53d93736b63270827",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "3f2098f4fba7718eb2501207ca6e99d22427f25a",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "d803c4c2a4ac8ce2be6d899d5c7ab0bf7ec355e9",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "17186f1f90d34fa701e4f14e6818305151637b9e",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/video/fbdev/core/fbmem.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.12"
            },
            {
              "lessThan": "2.6.12",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.143",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.95",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.35",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.143",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.95",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.35",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.4",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfbdev: Fix do_register_framebuffer to prevent null-ptr-deref in fb_videomode_to_var\n\nIf fb_add_videomode() in do_register_framebuffer() fails to allocate\nmemory for fb_videomode, it will later lead to a null-ptr dereference in\nfb_videomode_to_var(), as the fb_info is registered while not having the\nmode in modelist that is expected to be there, i.e. the one that is\ndescribed in fb_info-\u003evar.\n\n================================================================\ngeneral protection fault, probably for non-canonical address 0xdffffc0000000001: 0000 [#1] PREEMPT SMP KASAN NOPTI\nKASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]\nCPU: 1 PID: 30371 Comm: syz-executor.1 Not tainted 5.10.226-syzkaller #0\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014\nRIP: 0010:fb_videomode_to_var+0x24/0x610 drivers/video/fbdev/core/modedb.c:901\nCall Trace:\n display_to_var+0x3a/0x7c0 drivers/video/fbdev/core/fbcon.c:929\n fbcon_resize+0x3e2/0x8f0 drivers/video/fbdev/core/fbcon.c:2071\n resize_screen drivers/tty/vt/vt.c:1176 [inline]\n vc_do_resize+0x53a/0x1170 drivers/tty/vt/vt.c:1263\n fbcon_modechanged+0x3ac/0x6e0 drivers/video/fbdev/core/fbcon.c:2720\n fbcon_update_vcs+0x43/0x60 drivers/video/fbdev/core/fbcon.c:2776\n do_fb_ioctl+0x6d2/0x740 drivers/video/fbdev/core/fbmem.c:1128\n fb_ioctl+0xe7/0x150 drivers/video/fbdev/core/fbmem.c:1203\n vfs_ioctl fs/ioctl.c:48 [inline]\n __do_sys_ioctl fs/ioctl.c:753 [inline]\n __se_sys_ioctl fs/ioctl.c:739 [inline]\n __x64_sys_ioctl+0x19a/0x210 fs/ioctl.c:739\n do_syscall_64+0x33/0x40 arch/x86/entry/common.c:46\n entry_SYSCALL_64_after_hwframe+0x67/0xd1\n================================================================\n\nEven though fbcon_init() checks beforehand if fb_match_mode() in\nvar_to_display() fails, it can not prevent the panic because fbcon_init()\ndoes not return error code. Considering this and the comment in the code\nabout fb_match_mode() returning NULL - \"This should not happen\" - it is\nbetter to prevent registering the fb_info if its mode was not set\nsuccessfully. Also move fb_add_videomode() closer to the beginning of\ndo_register_framebuffer() to avoid having to do the cleanup on fail.\n\nFound by Linux Verification Center (linuxtesting.org) with Syzkaller."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T21:23:27.928Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/908c5bb64f9c4319902b8ca1aa3fef8f83302520"
        },
        {
          "url": "https://git.kernel.org/stable/c/0909b2b49c4546a7a08c80f53d93736b63270827"
        },
        {
          "url": "https://git.kernel.org/stable/c/3f2098f4fba7718eb2501207ca6e99d22427f25a"
        },
        {
          "url": "https://git.kernel.org/stable/c/d803c4c2a4ac8ce2be6d899d5c7ab0bf7ec355e9"
        },
        {
          "url": "https://git.kernel.org/stable/c/17186f1f90d34fa701e4f14e6818305151637b9e"
        }
      ],
      "title": "fbdev: Fix do_register_framebuffer to prevent null-ptr-deref in fb_videomode_to_var",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38215",
    "datePublished": "2025-07-04T13:37:33.196Z",
    "dateReserved": "2025-04-16T04:51:23.995Z",
    "dateUpdated": "2026-05-12T12:04:39.592Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38218 (GCVE-0-2025-38218)

Vulnerability from cvelistv5 – Published: 2025-07-04 13:37 – Updated: 2026-05-11 21:23

Title

f2fs: fix to do sanity check on sit_bitmap_size

Summary

In the Linux kernel, the following vulnerability has been resolved: f2fs: fix to do sanity check on sit_bitmap_size w/ below testcase, resize will generate a corrupted image which contains inconsistent metadata, so when mounting such image, it will trigger kernel panic: touch img truncate -s $((512*1024*1024*1024)) img mkfs.f2fs -f img $((256*1024*1024)) resize.f2fs -s -i img -t $((1024*1024*1024)) mount img /mnt/f2fs ------------[ cut here ]------------ kernel BUG at fs/f2fs/segment.h:863! Oops: invalid opcode: 0000 [#1] SMP PTI CPU: 11 UID: 0 PID: 3922 Comm: mount Not tainted 6.15.0-rc1+ #191 PREEMPT(voluntary) Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 RIP: 0010:f2fs_ra_meta_pages+0x47c/0x490 Call Trace: f2fs_build_segment_manager+0x11c3/0x2600 f2fs_fill_super+0xe97/0x2840 mount_bdev+0xf4/0x140 legacy_get_tree+0x2b/0x50 vfs_get_tree+0x29/0xd0 path_mount+0x487/0xaf0 __x64_sys_mount+0x116/0x150 do_syscall_64+0x82/0x190 entry_SYSCALL_64_after_hwframe+0x76/0x7e RIP: 0033:0x7fdbfde1bcfe The reaseon is: sit_i->bitmap_size is 192, so size of sit bitmap is 192*8=1536, at maximum there are 1536 sit blocks, however MAIN_SEGS is 261893, so that sit_blk_cnt is 4762, build_sit_entries() -> current_sit_addr() tries to access out-of-boundary in sit_bitmap at offset from [1536, 4762), once sit_bitmap and sit_bitmap_mirror is not the same, it will trigger f2fs_bug_on(). Let's add sanity check in f2fs_sanity_check_ckpt() to avoid panic.

Severity

No CVSS data available.

Assigner

Linux

References

9 references

URL	Tags
https://git.kernel.org/stable/c/82f51bff393e4c12c…
https://git.kernel.org/stable/c/38ef48a8afef8df64…
https://git.kernel.org/stable/c/ad862f71016ba3803…
https://git.kernel.org/stable/c/79ef8a6c4ec53d327…
https://git.kernel.org/stable/c/ee1b421c469876544…
https://git.kernel.org/stable/c/3e5ac62a56a24f4d8…
https://git.kernel.org/stable/c/5db0d252c64e91ba1…
https://lists.debian.org/debian-lts-announce/2025…
https://lists.debian.org/debian-lts-announce/2025…

Impacted products

2 products

Vendor	Product	Version
Linux	Linux	Affected: 98e4da8ca301e062d79ae168c67e56f3c3de3ce4 , < 82f51bff393e4c12cf4de553120ca831cfa4ef19 (git) Affected: 98e4da8ca301e062d79ae168c67e56f3c3de3ce4 , < 38ef48a8afef8df646b6f6ae7abb872f18b533c1 (git) Affected: 98e4da8ca301e062d79ae168c67e56f3c3de3ce4 , < ad862f71016ba38039df1c96ed55c0a4314cc183 (git) Affected: 98e4da8ca301e062d79ae168c67e56f3c3de3ce4 , < 79ef8a6c4ec53d327580fd7d2b522cf4f1d05b0c (git) Affected: 98e4da8ca301e062d79ae168c67e56f3c3de3ce4 , < ee1b421c469876544e297ec1090574bd76100247 (git) Affected: 98e4da8ca301e062d79ae168c67e56f3c3de3ce4 , < 3e5ac62a56a24f4d88ce8ffd7bc452428b235868 (git) Affected: 98e4da8ca301e062d79ae168c67e56f3c3de3ce4 , < 5db0d252c64e91ba1929c70112352e85dc5751e7 (git)
Linux	Linux	Affected: 3.8 Unaffected: 0 , < 3.8 (semver) Unaffected: 5.10.239 , ≤ 5.10.* (semver) Unaffected: 5.15.186 , ≤ 5.15.* (semver) Unaffected: 6.1.142 , ≤ 6.1.* (semver) Unaffected: 6.6.95 , ≤ 6.6.* (semver) Unaffected: 6.12.35 , ≤ 6.12.* (semver) Unaffected: 6.15.4 , ≤ 6.15.* (semver) Unaffected: 6.16 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:35:36.324Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/f2fs/super.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "82f51bff393e4c12cf4de553120ca831cfa4ef19",
              "status": "affected",
              "version": "98e4da8ca301e062d79ae168c67e56f3c3de3ce4",
              "versionType": "git"
            },
            {
              "lessThan": "38ef48a8afef8df646b6f6ae7abb872f18b533c1",
              "status": "affected",
              "version": "98e4da8ca301e062d79ae168c67e56f3c3de3ce4",
              "versionType": "git"
            },
            {
              "lessThan": "ad862f71016ba38039df1c96ed55c0a4314cc183",
              "status": "affected",
              "version": "98e4da8ca301e062d79ae168c67e56f3c3de3ce4",
              "versionType": "git"
            },
            {
              "lessThan": "79ef8a6c4ec53d327580fd7d2b522cf4f1d05b0c",
              "status": "affected",
              "version": "98e4da8ca301e062d79ae168c67e56f3c3de3ce4",
              "versionType": "git"
            },
            {
              "lessThan": "ee1b421c469876544e297ec1090574bd76100247",
              "status": "affected",
              "version": "98e4da8ca301e062d79ae168c67e56f3c3de3ce4",
              "versionType": "git"
            },
            {
              "lessThan": "3e5ac62a56a24f4d88ce8ffd7bc452428b235868",
              "status": "affected",
              "version": "98e4da8ca301e062d79ae168c67e56f3c3de3ce4",
              "versionType": "git"
            },
            {
              "lessThan": "5db0d252c64e91ba1929c70112352e85dc5751e7",
              "status": "affected",
              "version": "98e4da8ca301e062d79ae168c67e56f3c3de3ce4",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/f2fs/super.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.8"
            },
            {
              "lessThan": "3.8",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.239",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.186",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.142",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.95",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.35",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.239",
                  "versionStartIncluding": "3.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.186",
                  "versionStartIncluding": "3.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.142",
                  "versionStartIncluding": "3.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.95",
                  "versionStartIncluding": "3.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.35",
                  "versionStartIncluding": "3.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.4",
                  "versionStartIncluding": "3.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "3.8",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix to do sanity check on sit_bitmap_size\n\nw/ below testcase, resize will generate a corrupted image which\ncontains inconsistent metadata, so when mounting such image, it\nwill trigger kernel panic:\n\ntouch img\ntruncate -s $((512*1024*1024*1024)) img\nmkfs.f2fs -f img $((256*1024*1024))\nresize.f2fs -s -i img -t $((1024*1024*1024))\nmount img /mnt/f2fs\n\n------------[ cut here ]------------\nkernel BUG at fs/f2fs/segment.h:863!\nOops: invalid opcode: 0000 [#1] SMP PTI\nCPU: 11 UID: 0 PID: 3922 Comm: mount Not tainted 6.15.0-rc1+ #191 PREEMPT(voluntary)\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014\nRIP: 0010:f2fs_ra_meta_pages+0x47c/0x490\n\nCall Trace:\n f2fs_build_segment_manager+0x11c3/0x2600\n f2fs_fill_super+0xe97/0x2840\n mount_bdev+0xf4/0x140\n legacy_get_tree+0x2b/0x50\n vfs_get_tree+0x29/0xd0\n path_mount+0x487/0xaf0\n __x64_sys_mount+0x116/0x150\n do_syscall_64+0x82/0x190\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\nRIP: 0033:0x7fdbfde1bcfe\n\nThe reaseon is:\n\nsit_i-\u003ebitmap_size is 192, so size of sit bitmap is 192*8=1536, at maximum\nthere are 1536 sit blocks, however MAIN_SEGS is 261893, so that sit_blk_cnt\nis 4762, build_sit_entries() -\u003e current_sit_addr() tries to access\nout-of-boundary in sit_bitmap at offset from [1536, 4762), once sit_bitmap\nand sit_bitmap_mirror is not the same, it will trigger f2fs_bug_on().\n\nLet\u0027s add sanity check in f2fs_sanity_check_ckpt() to avoid panic."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T21:23:31.316Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/82f51bff393e4c12cf4de553120ca831cfa4ef19"
        },
        {
          "url": "https://git.kernel.org/stable/c/38ef48a8afef8df646b6f6ae7abb872f18b533c1"
        },
        {
          "url": "https://git.kernel.org/stable/c/ad862f71016ba38039df1c96ed55c0a4314cc183"
        },
        {
          "url": "https://git.kernel.org/stable/c/79ef8a6c4ec53d327580fd7d2b522cf4f1d05b0c"
        },
        {
          "url": "https://git.kernel.org/stable/c/ee1b421c469876544e297ec1090574bd76100247"
        },
        {
          "url": "https://git.kernel.org/stable/c/3e5ac62a56a24f4d88ce8ffd7bc452428b235868"
        },
        {
          "url": "https://git.kernel.org/stable/c/5db0d252c64e91ba1929c70112352e85dc5751e7"
        }
      ],
      "title": "f2fs: fix to do sanity check on sit_bitmap_size",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38218",
    "datePublished": "2025-07-04T13:37:35.157Z",
    "dateReserved": "2025-04-16T04:51:23.995Z",
    "dateUpdated": "2026-05-11T21:23:31.316Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38219 (GCVE-0-2025-38219)

Vulnerability from cvelistv5 – Published: 2025-07-04 13:37 – Updated: 2026-05-11 21:23

Title

f2fs: prevent kernel warning due to negative i_nlink from corrupted image

Summary

In the Linux kernel, the following vulnerability has been resolved: f2fs: prevent kernel warning due to negative i_nlink from corrupted image WARNING: CPU: 1 PID: 9426 at fs/inode.c:417 drop_nlink+0xac/0xd0 home/cc/linux/fs/inode.c:417 Modules linked in: CPU: 1 UID: 0 PID: 9426 Comm: syz-executor568 Not tainted 6.14.0-12627-g94d471a4f428 #2 PREEMPT(full) Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014 RIP: 0010:drop_nlink+0xac/0xd0 home/cc/linux/fs/inode.c:417 Code: 48 8b 5d 28 be 08 00 00 00 48 8d bb 70 07 00 00 e8 f9 67 e6 ff f0 48 ff 83 70 07 00 00 5b 5d e9 9a 12 82 ff e8 95 12 82 ff 90 <0f> 0b 90 c7 45 48 ff ff ff ff 5b 5d e9 83 12 82 ff e8 fe 5f e6 ff RSP: 0018:ffffc900026b7c28 EFLAGS: 00010293 RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff8239710f RDX: ffff888041345a00 RSI: ffffffff8239717b RDI: 0000000000000005 RBP: ffff888054509ad0 R08: 0000000000000005 R09: 0000000000000000 R10: 0000000000000000 R11: ffffffff9ab36f08 R12: ffff88804bb40000 R13: ffff8880545091e0 R14: 0000000000008000 R15: ffff8880545091e0 FS: 000055555d0c5880(0000) GS:ffff8880eb3e3000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f915c55b178 CR3: 0000000050d20000 CR4: 0000000000352ef0 Call Trace: <task> f2fs_i_links_write home/cc/linux/fs/f2fs/f2fs.h:3194 [inline] f2fs_drop_nlink+0xd1/0x3c0 home/cc/linux/fs/f2fs/dir.c:845 f2fs_delete_entry+0x542/0x1450 home/cc/linux/fs/f2fs/dir.c:909 f2fs_unlink+0x45c/0x890 home/cc/linux/fs/f2fs/namei.c:581 vfs_unlink+0x2fb/0x9b0 home/cc/linux/fs/namei.c:4544 do_unlinkat+0x4c5/0x6a0 home/cc/linux/fs/namei.c:4608 __do_sys_unlink home/cc/linux/fs/namei.c:4654 [inline] __se_sys_unlink home/cc/linux/fs/namei.c:4652 [inline] __x64_sys_unlink+0xc5/0x110 home/cc/linux/fs/namei.c:4652 do_syscall_x64 home/cc/linux/arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xc7/0x250 home/cc/linux/arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7fb3d092324b Code: 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa b8 57 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007ffdc232d938 EFLAGS: 00000206 ORIG_RAX: 0000000000000057 RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fb3d092324b RDX: 00007ffdc232d960 RSI: 00007ffdc232d960 RDI: 00007ffdc232d9f0 RBP: 00007ffdc232d9f0 R08: 0000000000000001 R09: 00007ffdc232d7c0 R10: 00000000fffffffd R11: 0000000000000206 R12: 00007ffdc232eaf0 R13: 000055555d0cebb0 R14: 00007ffdc232d958 R15: 0000000000000001 </task>

Severity

No CVSS data available.

Assigner

Linux

References

10 references

URL	Tags
https://git.kernel.org/stable/c/d9a55869d8237e677…
https://git.kernel.org/stable/c/1f6332872374b7f48…
https://git.kernel.org/stable/c/fbfe8446cd3274b9e…
https://git.kernel.org/stable/c/5018d035530b6fbfa…
https://git.kernel.org/stable/c/a87cbcc909ccfd394…
https://git.kernel.org/stable/c/aaa644e7ffff02e12…
https://git.kernel.org/stable/c/d14cbed4baccd7124…
https://git.kernel.org/stable/c/42cb74a92adaf8806…
https://lists.debian.org/debian-lts-announce/2025…
https://lists.debian.org/debian-lts-announce/2025…

Impacted products

2 products

Vendor	Product	Version
Linux	Linux	Affected: 98e4da8ca301e062d79ae168c67e56f3c3de3ce4 , < d9a55869d8237e677ddaa18b0f58586364cfbc1c (git) Affected: 98e4da8ca301e062d79ae168c67e56f3c3de3ce4 , < 1f6332872374b7f482fc4ad865f9422fedb587fc (git) Affected: 98e4da8ca301e062d79ae168c67e56f3c3de3ce4 , < fbfe8446cd3274b9e367f5708d94574230a44409 (git) Affected: 98e4da8ca301e062d79ae168c67e56f3c3de3ce4 , < 5018d035530b6fbfad33eeb1dd1bc87da419a276 (git) Affected: 98e4da8ca301e062d79ae168c67e56f3c3de3ce4 , < a87cbcc909ccfd394d4936a94663f586453d0961 (git) Affected: 98e4da8ca301e062d79ae168c67e56f3c3de3ce4 , < aaa644e7ffff02e12c89cbce4753bc0b6f23ff87 (git) Affected: 98e4da8ca301e062d79ae168c67e56f3c3de3ce4 , < d14cbed4baccd712447fb3f9c011f008b56b2097 (git) Affected: 98e4da8ca301e062d79ae168c67e56f3c3de3ce4 , < 42cb74a92adaf88061039601ddf7c874f58b554e (git)
Linux	Linux	Affected: 3.8 Unaffected: 0 , < 3.8 (semver) Unaffected: 5.4.295 , ≤ 5.4.* (semver) Unaffected: 5.10.239 , ≤ 5.10.* (semver) Unaffected: 5.15.186 , ≤ 5.15.* (semver) Unaffected: 6.1.142 , ≤ 6.1.* (semver) Unaffected: 6.6.95 , ≤ 6.6.* (semver) Unaffected: 6.12.35 , ≤ 6.12.* (semver) Unaffected: 6.15.4 , ≤ 6.15.* (semver) Unaffected: 6.16 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:35:38.286Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/f2fs/namei.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "d9a55869d8237e677ddaa18b0f58586364cfbc1c",
              "status": "affected",
              "version": "98e4da8ca301e062d79ae168c67e56f3c3de3ce4",
              "versionType": "git"
            },
            {
              "lessThan": "1f6332872374b7f482fc4ad865f9422fedb587fc",
              "status": "affected",
              "version": "98e4da8ca301e062d79ae168c67e56f3c3de3ce4",
              "versionType": "git"
            },
            {
              "lessThan": "fbfe8446cd3274b9e367f5708d94574230a44409",
              "status": "affected",
              "version": "98e4da8ca301e062d79ae168c67e56f3c3de3ce4",
              "versionType": "git"
            },
            {
              "lessThan": "5018d035530b6fbfad33eeb1dd1bc87da419a276",
              "status": "affected",
              "version": "98e4da8ca301e062d79ae168c67e56f3c3de3ce4",
              "versionType": "git"
            },
            {
              "lessThan": "a87cbcc909ccfd394d4936a94663f586453d0961",
              "status": "affected",
              "version": "98e4da8ca301e062d79ae168c67e56f3c3de3ce4",
              "versionType": "git"
            },
            {
              "lessThan": "aaa644e7ffff02e12c89cbce4753bc0b6f23ff87",
              "status": "affected",
              "version": "98e4da8ca301e062d79ae168c67e56f3c3de3ce4",
              "versionType": "git"
            },
            {
              "lessThan": "d14cbed4baccd712447fb3f9c011f008b56b2097",
              "status": "affected",
              "version": "98e4da8ca301e062d79ae168c67e56f3c3de3ce4",
              "versionType": "git"
            },
            {
              "lessThan": "42cb74a92adaf88061039601ddf7c874f58b554e",
              "status": "affected",
              "version": "98e4da8ca301e062d79ae168c67e56f3c3de3ce4",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/f2fs/namei.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.8"
            },
            {
              "lessThan": "3.8",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.295",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.239",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.186",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.142",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.95",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.35",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.295",
                  "versionStartIncluding": "3.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.239",
                  "versionStartIncluding": "3.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.186",
                  "versionStartIncluding": "3.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.142",
                  "versionStartIncluding": "3.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.95",
                  "versionStartIncluding": "3.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.35",
                  "versionStartIncluding": "3.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.4",
                  "versionStartIncluding": "3.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "3.8",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: prevent kernel warning due to negative i_nlink from corrupted image\n\nWARNING: CPU: 1 PID: 9426 at fs/inode.c:417 drop_nlink+0xac/0xd0\nhome/cc/linux/fs/inode.c:417\nModules linked in:\nCPU: 1 UID: 0 PID: 9426 Comm: syz-executor568 Not tainted\n6.14.0-12627-g94d471a4f428 #2 PREEMPT(full)\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS\n1.13.0-1ubuntu1.1 04/01/2014\nRIP: 0010:drop_nlink+0xac/0xd0 home/cc/linux/fs/inode.c:417\nCode: 48 8b 5d 28 be 08 00 00 00 48 8d bb 70 07 00 00 e8 f9 67 e6 ff\nf0 48 ff 83 70 07 00 00 5b 5d e9 9a 12 82 ff e8 95 12 82 ff 90\n\u0026lt;0f\u0026gt; 0b 90 c7 45 48 ff ff ff ff 5b 5d e9 83 12 82 ff e8 fe 5f e6\nff\nRSP: 0018:ffffc900026b7c28 EFLAGS: 00010293\nRAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff8239710f\nRDX: ffff888041345a00 RSI: ffffffff8239717b RDI: 0000000000000005\nRBP: ffff888054509ad0 R08: 0000000000000005 R09: 0000000000000000\nR10: 0000000000000000 R11: ffffffff9ab36f08 R12: ffff88804bb40000\nR13: ffff8880545091e0 R14: 0000000000008000 R15: ffff8880545091e0\nFS:  000055555d0c5880(0000) GS:ffff8880eb3e3000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f915c55b178 CR3: 0000000050d20000 CR4: 0000000000352ef0\nCall Trace:\n \u003ctask\u003e\n f2fs_i_links_write home/cc/linux/fs/f2fs/f2fs.h:3194 [inline]\n f2fs_drop_nlink+0xd1/0x3c0 home/cc/linux/fs/f2fs/dir.c:845\n f2fs_delete_entry+0x542/0x1450 home/cc/linux/fs/f2fs/dir.c:909\n f2fs_unlink+0x45c/0x890 home/cc/linux/fs/f2fs/namei.c:581\n vfs_unlink+0x2fb/0x9b0 home/cc/linux/fs/namei.c:4544\n do_unlinkat+0x4c5/0x6a0 home/cc/linux/fs/namei.c:4608\n __do_sys_unlink home/cc/linux/fs/namei.c:4654 [inline]\n __se_sys_unlink home/cc/linux/fs/namei.c:4652 [inline]\n __x64_sys_unlink+0xc5/0x110 home/cc/linux/fs/namei.c:4652\n do_syscall_x64 home/cc/linux/arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xc7/0x250 home/cc/linux/arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7fb3d092324b\nCode: 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 66\n2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa b8 57 00 00 00 0f 05\n\u0026lt;48\u0026gt; 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01\n48\nRSP: 002b:00007ffdc232d938 EFLAGS: 00000206 ORIG_RAX: 0000000000000057\nRAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fb3d092324b\nRDX: 00007ffdc232d960 RSI: 00007ffdc232d960 RDI: 00007ffdc232d9f0\nRBP: 00007ffdc232d9f0 R08: 0000000000000001 R09: 00007ffdc232d7c0\nR10: 00000000fffffffd R11: 0000000000000206 R12: 00007ffdc232eaf0\nR13: 000055555d0cebb0 R14: 00007ffdc232d958 R15: 0000000000000001\n \u003c/task\u003e"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T21:23:32.415Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/d9a55869d8237e677ddaa18b0f58586364cfbc1c"
        },
        {
          "url": "https://git.kernel.org/stable/c/1f6332872374b7f482fc4ad865f9422fedb587fc"
        },
        {
          "url": "https://git.kernel.org/stable/c/fbfe8446cd3274b9e367f5708d94574230a44409"
        },
        {
          "url": "https://git.kernel.org/stable/c/5018d035530b6fbfad33eeb1dd1bc87da419a276"
        },
        {
          "url": "https://git.kernel.org/stable/c/a87cbcc909ccfd394d4936a94663f586453d0961"
        },
        {
          "url": "https://git.kernel.org/stable/c/aaa644e7ffff02e12c89cbce4753bc0b6f23ff87"
        },
        {
          "url": "https://git.kernel.org/stable/c/d14cbed4baccd712447fb3f9c011f008b56b2097"
        },
        {
          "url": "https://git.kernel.org/stable/c/42cb74a92adaf88061039601ddf7c874f58b554e"
        }
      ],
      "title": "f2fs: prevent kernel warning due to negative i_nlink from corrupted image",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38219",
    "datePublished": "2025-07-04T13:37:35.984Z",
    "dateReserved": "2025-04-16T04:51:23.995Z",
    "dateUpdated": "2026-05-11T21:23:32.415Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38222 (GCVE-0-2025-38222)

Vulnerability from cvelistv5 – Published: 2025-07-04 13:37 – Updated: 2026-05-12 12:04

Title

ext4: inline: fix len overflow in ext4_prepare_inline_data

Summary

In the Linux kernel, the following vulnerability has been resolved: ext4: inline: fix len overflow in ext4_prepare_inline_data When running the following code on an ext4 filesystem with inline_data feature enabled, it will lead to the bug below. fd = open("file1", O_RDWR | O_CREAT | O_TRUNC, 0666); ftruncate(fd, 30); pwrite(fd, "a", 1, (1UL << 40) + 5UL); That happens because write_begin will succeed as when ext4_generic_write_inline_data calls ext4_prepare_inline_data, pos + len will be truncated, leading to ext4_prepare_inline_data parameter to be 6 instead of 0x10000000006. Then, later when write_end is called, we hit: BUG_ON(pos + len > EXT4_I(inode)->i_inline_size); at ext4_write_inline_data. Fix it by using a loff_t type for the len parameter in ext4_prepare_inline_data instead of an unsigned int. [ 44.545164] ------------[ cut here ]------------ [ 44.545530] kernel BUG at fs/ext4/inline.c:240! [ 44.545834] Oops: invalid opcode: 0000 [#1] SMP NOPTI [ 44.546172] CPU: 3 UID: 0 PID: 343 Comm: test Not tainted 6.15.0-rc2-00003-g9080916f4863 #45 PREEMPT(full) 112853fcebfdb93254270a7959841d2c6aa2c8bb [ 44.546523] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 44.546523] RIP: 0010:ext4_write_inline_data+0xfe/0x100 [ 44.546523] Code: 3c 0e 48 83 c7 48 48 89 de 5b 41 5c 41 5d 41 5e 41 5f 5d e9 e4 fa 43 01 5b 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc cc cc cc 0f 0b <0f> 0b 0f 1f 44 00 00 55 41 57 41 56 41 55 41 54 53 48 83 ec 20 49 [ 44.546523] RSP: 0018:ffffb342008b79a8 EFLAGS: 00010216 [ 44.546523] RAX: 0000000000000001 RBX: ffff9329c579c000 RCX: 0000010000000006 [ 44.546523] RDX: 000000000000003c RSI: ffffb342008b79f0 RDI: ffff9329c158e738 [ 44.546523] RBP: 0000000000000001 R08: 0000000000000001 R09: 0000000000000000 [ 44.546523] R10: 00007ffffffff000 R11: ffffffff9bd0d910 R12: 0000006210000000 [ 44.546523] R13: fffffc7e4015e700 R14: 0000010000000005 R15: ffff9329c158e738 [ 44.546523] FS: 00007f4299934740(0000) GS:ffff932a60179000(0000) knlGS:0000000000000000 [ 44.546523] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 44.546523] CR2: 00007f4299a1ec90 CR3: 0000000002886002 CR4: 0000000000770eb0 [ 44.546523] PKRU: 55555554 [ 44.546523] Call Trace: [ 44.546523] <TASK> [ 44.546523] ext4_write_inline_data_end+0x126/0x2d0 [ 44.546523] generic_perform_write+0x17e/0x270 [ 44.546523] ext4_buffered_write_iter+0xc8/0x170 [ 44.546523] vfs_write+0x2be/0x3e0 [ 44.546523] __x64_sys_pwrite64+0x6d/0xc0 [ 44.546523] do_syscall_64+0x6a/0xf0 [ 44.546523] ? __wake_up+0x89/0xb0 [ 44.546523] ? xas_find+0x72/0x1c0 [ 44.546523] ? next_uptodate_folio+0x317/0x330 [ 44.546523] ? set_pte_range+0x1a6/0x270 [ 44.546523] ? filemap_map_pages+0x6ee/0x840 [ 44.546523] ? ext4_setattr+0x2fa/0x750 [ 44.546523] ? do_pte_missing+0x128/0xf70 [ 44.546523] ? security_inode_post_setattr+0x3e/0xd0 [ 44.546523] ? ___pte_offset_map+0x19/0x100 [ 44.546523] ? handle_mm_fault+0x721/0xa10 [ 44.546523] ? do_user_addr_fault+0x197/0x730 [ 44.546523] ? do_syscall_64+0x76/0xf0 [ 44.546523] ? arch_exit_to_user_mode_prepare+0x1e/0x60 [ 44.546523] ? irqentry_exit_to_user_mode+0x79/0x90 [ 44.546523] entry_SYSCALL_64_after_hwframe+0x55/0x5d [ 44.546523] RIP: 0033:0x7f42999c6687 [ 44.546523] Code: 48 89 fa 4c 89 df e8 58 b3 00 00 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 1a 5b c3 0f 1f 84 00 00 00 00 00 48 8b 44 24 10 0f 05 <5b> c3 0f 1f 80 00 00 00 00 83 e2 39 83 fa 08 75 de e8 23 ff ff ff [ 44.546523] RSP: 002b:00007ffeae4a7930 EFLAGS: 00000202 ORIG_RAX: 0000000000000012 [ 44.546523] RAX: ffffffffffffffda RBX: 00007f4299934740 RCX: 00007f42999c6687 [ 44.546523] RDX: 0000000000000001 RSI: 000055ea6149200f RDI: 0000000000000003 [ 44.546523] RBP: 00007ffeae4a79a0 R08: 0000000000000000 R09: 0000000000000000 [ 44.546523] R10: 0000010000000005 R11: 0000000000000202 R12: 0000 ---truncated---

Severity

No CVSS data available.

Assigner

Linux

References

11 references

URL	Tags
https://git.kernel.org/stable/c/d3dfc60efd145df53…
https://git.kernel.org/stable/c/717414a8c083c376d…
https://git.kernel.org/stable/c/9d1d1c5bf4fc1af76…
https://git.kernel.org/stable/c/cf5f319a2d8ab8238…
https://git.kernel.org/stable/c/26e09d18599da0adc…
https://git.kernel.org/stable/c/5766da2237e539f25…
https://git.kernel.org/stable/c/e80ee0263d88d77f2…
https://git.kernel.org/stable/c/227cb4ca5a6502164…
https://lists.debian.org/debian-lts-announce/2025…
https://lists.debian.org/debian-lts-announce/2025…
https://cert-portal.siemens.com/productcert/html/…

Impacted products

5 products

Vendor	Product	Version
Linux	Linux	Affected: f19d5870cbf72d4cb2a8e1f749dff97af99b071e , < d3dfc60efd145df5324b99a244b0b05505cde29b (git) Affected: f19d5870cbf72d4cb2a8e1f749dff97af99b071e , < 717414a8c083c376d4a8940a1230fe0c6ed4ee00 (git) Affected: f19d5870cbf72d4cb2a8e1f749dff97af99b071e , < 9d1d1c5bf4fc1af76be154d3afb2acdbd89ec7d8 (git) Affected: f19d5870cbf72d4cb2a8e1f749dff97af99b071e , < cf5f319a2d8ab8238f8cf3a19463b9bff6420934 (git) Affected: f19d5870cbf72d4cb2a8e1f749dff97af99b071e , < 26e09d18599da0adc543eabd300080daaeda6869 (git) Affected: f19d5870cbf72d4cb2a8e1f749dff97af99b071e , < 5766da2237e539f259aa0e5f3639ae37b44ca458 (git) Affected: f19d5870cbf72d4cb2a8e1f749dff97af99b071e , < e80ee0263d88d77f2fd1927f915003a7066cbb50 (git) Affected: f19d5870cbf72d4cb2a8e1f749dff97af99b071e , < 227cb4ca5a6502164f850d22aec3104d7888b270 (git)
Linux	Linux	Affected: 3.8 Unaffected: 0 , < 3.8 (semver) Unaffected: 5.4.295 , ≤ 5.4.* (semver) Unaffected: 5.10.239 , ≤ 5.10.* (semver) Unaffected: 5.15.186 , ≤ 5.15.* (semver) Unaffected: 6.1.142 , ≤ 6.1.* (semver) Unaffected: 6.6.95 , ≤ 6.6.* (semver) Unaffected: 6.12.35 , ≤ 6.12.* (semver) Unaffected: 6.15.4 , ≤ 6.15.* (semver) Unaffected: 6.16 , ≤ * (original_commit_for_fix)
Siemens	SIMATIC S7-1500 CPU 1518-4 PN/DP MFP	Affected: V3.1.5 , < * (custom)
Siemens	SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP	Affected: V3.1.5 , < * (custom)
Siemens	SIPLUS S7-1500 CPU 1518-4 PN/DP MFP	Affected: V3.1.5 , < * (custom)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:35:40.178Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "affected": [
          {
            "defaultStatus": "unknown",
            "product": "SIMATIC S7-1500 CPU 1518-4 PN/DP MFP",
            "vendor": "Siemens",
            "versions": [
              {
                "lessThan": "*",
                "status": "affected",
                "version": "V3.1.5",
                "versionType": "custom"
              }
            ]
          },
          {
            "defaultStatus": "unknown",
            "product": "SIMATIC S7-1500 CPU 1518-4 PN/DP MFP",
            "vendor": "Siemens",
            "versions": [
              {
                "lessThan": "*",
                "status": "affected",
                "version": "V3.1.5",
                "versionType": "custom"
              }
            ]
          },
          {
            "defaultStatus": "unknown",
            "product": "SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP",
            "vendor": "Siemens",
            "versions": [
              {
                "lessThan": "*",
                "status": "affected",
                "version": "V3.1.5",
                "versionType": "custom"
              }
            ]
          },
          {
            "defaultStatus": "unknown",
            "product": "SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP",
            "vendor": "Siemens",
            "versions": [
              {
                "lessThan": "*",
                "status": "affected",
                "version": "V3.1.5",
                "versionType": "custom"
              }
            ]
          },
          {
            "defaultStatus": "unknown",
            "product": "SIPLUS S7-1500 CPU 1518-4 PN/DP MFP",
            "vendor": "Siemens",
            "versions": [
              {
                "lessThan": "*",
                "status": "affected",
                "version": "V3.1.5",
                "versionType": "custom"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-12T12:04:40.912Z",
          "orgId": "0b142b55-0307-4c5a-b3c9-f314f3fb7c5e",
          "shortName": "siemens-SADP"
        },
        "references": [
          {
            "url": "https://cert-portal.siemens.com/productcert/html/ssa-082556.html"
          }
        ],
        "x_adpType": "supplier"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/ext4/inline.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "d3dfc60efd145df5324b99a244b0b05505cde29b",
              "status": "affected",
              "version": "f19d5870cbf72d4cb2a8e1f749dff97af99b071e",
              "versionType": "git"
            },
            {
              "lessThan": "717414a8c083c376d4a8940a1230fe0c6ed4ee00",
              "status": "affected",
              "version": "f19d5870cbf72d4cb2a8e1f749dff97af99b071e",
              "versionType": "git"
            },
            {
              "lessThan": "9d1d1c5bf4fc1af76be154d3afb2acdbd89ec7d8",
              "status": "affected",
              "version": "f19d5870cbf72d4cb2a8e1f749dff97af99b071e",
              "versionType": "git"
            },
            {
              "lessThan": "cf5f319a2d8ab8238f8cf3a19463b9bff6420934",
              "status": "affected",
              "version": "f19d5870cbf72d4cb2a8e1f749dff97af99b071e",
              "versionType": "git"
            },
            {
              "lessThan": "26e09d18599da0adc543eabd300080daaeda6869",
              "status": "affected",
              "version": "f19d5870cbf72d4cb2a8e1f749dff97af99b071e",
              "versionType": "git"
            },
            {
              "lessThan": "5766da2237e539f259aa0e5f3639ae37b44ca458",
              "status": "affected",
              "version": "f19d5870cbf72d4cb2a8e1f749dff97af99b071e",
              "versionType": "git"
            },
            {
              "lessThan": "e80ee0263d88d77f2fd1927f915003a7066cbb50",
              "status": "affected",
              "version": "f19d5870cbf72d4cb2a8e1f749dff97af99b071e",
              "versionType": "git"
            },
            {
              "lessThan": "227cb4ca5a6502164f850d22aec3104d7888b270",
              "status": "affected",
              "version": "f19d5870cbf72d4cb2a8e1f749dff97af99b071e",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/ext4/inline.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.8"
            },
            {
              "lessThan": "3.8",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.295",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.239",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.186",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.142",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.95",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.35",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.295",
                  "versionStartIncluding": "3.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.239",
                  "versionStartIncluding": "3.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.186",
                  "versionStartIncluding": "3.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.142",
                  "versionStartIncluding": "3.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.95",
                  "versionStartIncluding": "3.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.35",
                  "versionStartIncluding": "3.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.4",
                  "versionStartIncluding": "3.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "3.8",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: inline: fix len overflow in ext4_prepare_inline_data\n\nWhen running the following code on an ext4 filesystem with inline_data\nfeature enabled, it will lead to the bug below.\n\n        fd = open(\"file1\", O_RDWR | O_CREAT | O_TRUNC, 0666);\n        ftruncate(fd, 30);\n        pwrite(fd, \"a\", 1, (1UL \u003c\u003c 40) + 5UL);\n\nThat happens because write_begin will succeed as when\next4_generic_write_inline_data calls ext4_prepare_inline_data, pos + len\nwill be truncated, leading to ext4_prepare_inline_data parameter to be 6\ninstead of 0x10000000006.\n\nThen, later when write_end is called, we hit:\n\n        BUG_ON(pos + len \u003e EXT4_I(inode)-\u003ei_inline_size);\n\nat ext4_write_inline_data.\n\nFix it by using a loff_t type for the len parameter in\next4_prepare_inline_data instead of an unsigned int.\n\n[   44.545164] ------------[ cut here ]------------\n[   44.545530] kernel BUG at fs/ext4/inline.c:240!\n[   44.545834] Oops: invalid opcode: 0000 [#1] SMP NOPTI\n[   44.546172] CPU: 3 UID: 0 PID: 343 Comm: test Not tainted 6.15.0-rc2-00003-g9080916f4863 #45 PREEMPT(full)  112853fcebfdb93254270a7959841d2c6aa2c8bb\n[   44.546523] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014\n[   44.546523] RIP: 0010:ext4_write_inline_data+0xfe/0x100\n[   44.546523] Code: 3c 0e 48 83 c7 48 48 89 de 5b 41 5c 41 5d 41 5e 41 5f 5d e9 e4 fa 43 01 5b 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc cc cc cc 0f 0b \u003c0f\u003e 0b 0f 1f 44 00 00 55 41 57 41 56 41 55 41 54 53 48 83 ec 20 49\n[   44.546523] RSP: 0018:ffffb342008b79a8 EFLAGS: 00010216\n[   44.546523] RAX: 0000000000000001 RBX: ffff9329c579c000 RCX: 0000010000000006\n[   44.546523] RDX: 000000000000003c RSI: ffffb342008b79f0 RDI: ffff9329c158e738\n[   44.546523] RBP: 0000000000000001 R08: 0000000000000001 R09: 0000000000000000\n[   44.546523] R10: 00007ffffffff000 R11: ffffffff9bd0d910 R12: 0000006210000000\n[   44.546523] R13: fffffc7e4015e700 R14: 0000010000000005 R15: ffff9329c158e738\n[   44.546523] FS:  00007f4299934740(0000) GS:ffff932a60179000(0000) knlGS:0000000000000000\n[   44.546523] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[   44.546523] CR2: 00007f4299a1ec90 CR3: 0000000002886002 CR4: 0000000000770eb0\n[   44.546523] PKRU: 55555554\n[   44.546523] Call Trace:\n[   44.546523]  \u003cTASK\u003e\n[   44.546523]  ext4_write_inline_data_end+0x126/0x2d0\n[   44.546523]  generic_perform_write+0x17e/0x270\n[   44.546523]  ext4_buffered_write_iter+0xc8/0x170\n[   44.546523]  vfs_write+0x2be/0x3e0\n[   44.546523]  __x64_sys_pwrite64+0x6d/0xc0\n[   44.546523]  do_syscall_64+0x6a/0xf0\n[   44.546523]  ? __wake_up+0x89/0xb0\n[   44.546523]  ? xas_find+0x72/0x1c0\n[   44.546523]  ? next_uptodate_folio+0x317/0x330\n[   44.546523]  ? set_pte_range+0x1a6/0x270\n[   44.546523]  ? filemap_map_pages+0x6ee/0x840\n[   44.546523]  ? ext4_setattr+0x2fa/0x750\n[   44.546523]  ? do_pte_missing+0x128/0xf70\n[   44.546523]  ? security_inode_post_setattr+0x3e/0xd0\n[   44.546523]  ? ___pte_offset_map+0x19/0x100\n[   44.546523]  ? handle_mm_fault+0x721/0xa10\n[   44.546523]  ? do_user_addr_fault+0x197/0x730\n[   44.546523]  ? do_syscall_64+0x76/0xf0\n[   44.546523]  ? arch_exit_to_user_mode_prepare+0x1e/0x60\n[   44.546523]  ? irqentry_exit_to_user_mode+0x79/0x90\n[   44.546523]  entry_SYSCALL_64_after_hwframe+0x55/0x5d\n[   44.546523] RIP: 0033:0x7f42999c6687\n[   44.546523] Code: 48 89 fa 4c 89 df e8 58 b3 00 00 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 1a 5b c3 0f 1f 84 00 00 00 00 00 48 8b 44 24 10 0f 05 \u003c5b\u003e c3 0f 1f 80 00 00 00 00 83 e2 39 83 fa 08 75 de e8 23 ff ff ff\n[   44.546523] RSP: 002b:00007ffeae4a7930 EFLAGS: 00000202 ORIG_RAX: 0000000000000012\n[   44.546523] RAX: ffffffffffffffda RBX: 00007f4299934740 RCX: 00007f42999c6687\n[   44.546523] RDX: 0000000000000001 RSI: 000055ea6149200f RDI: 0000000000000003\n[   44.546523] RBP: 00007ffeae4a79a0 R08: 0000000000000000 R09: 0000000000000000\n[   44.546523] R10: 0000010000000005 R11: 0000000000000202 R12: 0000\n---truncated---"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T21:23:35.885Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/d3dfc60efd145df5324b99a244b0b05505cde29b"
        },
        {
          "url": "https://git.kernel.org/stable/c/717414a8c083c376d4a8940a1230fe0c6ed4ee00"
        },
        {
          "url": "https://git.kernel.org/stable/c/9d1d1c5bf4fc1af76be154d3afb2acdbd89ec7d8"
        },
        {
          "url": "https://git.kernel.org/stable/c/cf5f319a2d8ab8238f8cf3a19463b9bff6420934"
        },
        {
          "url": "https://git.kernel.org/stable/c/26e09d18599da0adc543eabd300080daaeda6869"
        },
        {
          "url": "https://git.kernel.org/stable/c/5766da2237e539f259aa0e5f3639ae37b44ca458"
        },
        {
          "url": "https://git.kernel.org/stable/c/e80ee0263d88d77f2fd1927f915003a7066cbb50"
        },
        {
          "url": "https://git.kernel.org/stable/c/227cb4ca5a6502164f850d22aec3104d7888b270"
        }
      ],
      "title": "ext4: inline: fix len overflow in ext4_prepare_inline_data",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38222",
    "datePublished": "2025-07-04T13:37:37.879Z",
    "dateReserved": "2025-04-16T04:51:23.995Z",
    "dateUpdated": "2026-05-12T12:04:40.912Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CERTFR-2025-AVI-0698

Solutions

CVE-2025-38198 (GCVE-0-2025-38198)

CVE-2025-38200 (GCVE-0-2025-38200)

CVE-2025-38202 (GCVE-0-2025-38202)

CVE-2025-38211 (GCVE-0-2025-38211)

CVE-2025-38212 (GCVE-0-2025-38212)

CVE-2025-38214 (GCVE-0-2025-38214)

CVE-2025-38215 (GCVE-0-2025-38215)

CVE-2025-38218 (GCVE-0-2025-38218)

CVE-2025-38219 (GCVE-0-2025-38219)

CVE-2025-38222 (GCVE-0-2025-38222)

Tags

Sightings

Nomenclature