Vulnerability-Lookup

CERTFR-2025-AVI-0698

Vulnerability from certfr_avis - Published: 2025-08-14 - Updated: 2025-08-14

De multiples vulnérabilités ont été découvertes dans le noyau Linux de Debian. Certaines d'entre elles permettent à un attaquant de provoquer une élévation de privilèges, une atteinte à la confidentialité des données et un déni de service.

Solutions

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

Impacted products

	Vendor	Product	Description
	Debian	Debian	Debian bookworm versions antérieures à 6.1.147-1
	Debian	Debian	Debian trixie versions antérieures à 6.12.41-1

References

Title

Publication Time

CVE-2025-38225 (GCVE-0-2025-38225)

Vulnerability from cvelistv5 – Published: 2025-07-04 13:37 – Updated: 2026-05-11 21:23

Title

media: imx-jpeg: Cleanup after an allocation error

Summary

In the Linux kernel, the following vulnerability has been resolved: media: imx-jpeg: Cleanup after an allocation error When allocation failures are not cleaned up by the driver, further allocation errors will be false-positives, which will cause buffers to remain uninitialized and cause NULL pointer dereferences. Ensure proper cleanup of failed allocations to prevent these issues.

Severity

No CVSS data available.

Assigner

Linux

References

6 references

URL	Tags
https://git.kernel.org/stable/c/b89ff9cf37ff59399…
https://git.kernel.org/stable/c/ec26be7d6355a0555…
https://git.kernel.org/stable/c/0ee9469f818a0b4de…
https://git.kernel.org/stable/c/6d0efe7d35c75394f…
https://git.kernel.org/stable/c/7500bb9cf164edbb2…
https://lists.debian.org/debian-lts-announce/2025…

Impacted products

2 products

Vendor	Product	Version
Linux	Linux	Affected: 2db16c6ed72ce644d5639b3ed15e5817442db4ba , < b89ff9cf37ff59399f850d5f7781ef78fc37679f (git) Affected: 2db16c6ed72ce644d5639b3ed15e5817442db4ba , < ec26be7d6355a05552a0d0c1e73031f83aa4dc7f (git) Affected: 2db16c6ed72ce644d5639b3ed15e5817442db4ba , < 0ee9469f818a0b4de3c0e7aecd733c103820d181 (git) Affected: 2db16c6ed72ce644d5639b3ed15e5817442db4ba , < 6d0efe7d35c75394f32ff9d0650a007642d23857 (git) Affected: 2db16c6ed72ce644d5639b3ed15e5817442db4ba , < 7500bb9cf164edbb2c8117d57620227b1a4a8369 (git)
Linux	Linux	Affected: 5.13 Unaffected: 0 , < 5.13 (semver) Unaffected: 6.1.143 , ≤ 6.1.* (semver) Unaffected: 6.6.95 , ≤ 6.6.* (semver) Unaffected: 6.12.35 , ≤ 6.12.* (semver) Unaffected: 6.15.4 , ≤ 6.15.* (semver) Unaffected: 6.16 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:35:41.120Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/media/platform/nxp/imx-jpeg/mxc-jpeg.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "b89ff9cf37ff59399f850d5f7781ef78fc37679f",
              "status": "affected",
              "version": "2db16c6ed72ce644d5639b3ed15e5817442db4ba",
              "versionType": "git"
            },
            {
              "lessThan": "ec26be7d6355a05552a0d0c1e73031f83aa4dc7f",
              "status": "affected",
              "version": "2db16c6ed72ce644d5639b3ed15e5817442db4ba",
              "versionType": "git"
            },
            {
              "lessThan": "0ee9469f818a0b4de3c0e7aecd733c103820d181",
              "status": "affected",
              "version": "2db16c6ed72ce644d5639b3ed15e5817442db4ba",
              "versionType": "git"
            },
            {
              "lessThan": "6d0efe7d35c75394f32ff9d0650a007642d23857",
              "status": "affected",
              "version": "2db16c6ed72ce644d5639b3ed15e5817442db4ba",
              "versionType": "git"
            },
            {
              "lessThan": "7500bb9cf164edbb2c8117d57620227b1a4a8369",
              "status": "affected",
              "version": "2db16c6ed72ce644d5639b3ed15e5817442db4ba",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/media/platform/nxp/imx-jpeg/mxc-jpeg.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.13"
            },
            {
              "lessThan": "5.13",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.143",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.95",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.35",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.143",
                  "versionStartIncluding": "5.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.95",
                  "versionStartIncluding": "5.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.35",
                  "versionStartIncluding": "5.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.4",
                  "versionStartIncluding": "5.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "5.13",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: imx-jpeg: Cleanup after an allocation error\n\nWhen allocation failures are not cleaned up by the driver, further\nallocation errors will be false-positives, which will cause buffers to\nremain uninitialized and cause NULL pointer dereferences.\nEnsure proper cleanup of failed allocations to prevent these issues."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T21:23:39.462Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/b89ff9cf37ff59399f850d5f7781ef78fc37679f"
        },
        {
          "url": "https://git.kernel.org/stable/c/ec26be7d6355a05552a0d0c1e73031f83aa4dc7f"
        },
        {
          "url": "https://git.kernel.org/stable/c/0ee9469f818a0b4de3c0e7aecd733c103820d181"
        },
        {
          "url": "https://git.kernel.org/stable/c/6d0efe7d35c75394f32ff9d0650a007642d23857"
        },
        {
          "url": "https://git.kernel.org/stable/c/7500bb9cf164edbb2c8117d57620227b1a4a8369"
        }
      ],
      "title": "media: imx-jpeg: Cleanup after an allocation error",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38225",
    "datePublished": "2025-07-04T13:37:40.205Z",
    "dateReserved": "2025-04-16T04:51:23.995Z",
    "dateUpdated": "2026-05-11T21:23:39.462Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38226 (GCVE-0-2025-38226)

Vulnerability from cvelistv5 – Published: 2025-07-04 13:37 – Updated: 2026-05-23 15:59

Title

media: vivid: Change the siize of the composing

Summary

In the Linux kernel, the following vulnerability has been resolved: media: vivid: Change the siize of the composing syzkaller found a bug: BUG: KASAN: vmalloc-out-of-bounds in tpg_fill_plane_pattern drivers/media/common/v4l2-tpg/v4l2-tpg-core.c:2608 [inline] BUG: KASAN: vmalloc-out-of-bounds in tpg_fill_plane_buffer+0x1a9c/0x5af0 drivers/media/common/v4l2-tpg/v4l2-tpg-core.c:2705 Write of size 1440 at addr ffffc9000d0ffda0 by task vivid-000-vid-c/5304 CPU: 0 UID: 0 PID: 5304 Comm: vivid-000-vid-c Not tainted 6.14.0-rc2-syzkaller-00039-g09fbf3d50205 #0 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Call Trace: <TASK> __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline] print_report+0x169/0x550 mm/kasan/report.c:489 kasan_report+0x143/0x180 mm/kasan/report.c:602 kasan_check_range+0x282/0x290 mm/kasan/generic.c:189 __asan_memcpy+0x40/0x70 mm/kasan/shadow.c:106 tpg_fill_plane_pattern drivers/media/common/v4l2-tpg/v4l2-tpg-core.c:2608 [inline] tpg_fill_plane_buffer+0x1a9c/0x5af0 drivers/media/common/v4l2-tpg/v4l2-tpg-core.c:2705 vivid_fillbuff drivers/media/test-drivers/vivid/vivid-kthread-cap.c:470 [inline] vivid_thread_vid_cap_tick+0xf8e/0x60d0 drivers/media/test-drivers/vivid/vivid-kthread-cap.c:629 vivid_thread_vid_cap+0x8aa/0xf30 drivers/media/test-drivers/vivid/vivid-kthread-cap.c:767 kthread+0x7a9/0x920 kernel/kthread.c:464 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:148 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 </TASK> The composition size cannot be larger than the size of fmt_cap_rect. So execute v4l2_rect_map_inside() even if has_compose_cap == 0.

Severity

No CVSS data available.

Assigner

Linux

References

10 references

URL	Tags
https://git.kernel.org/stable/c/57597d8db5bbda618…
https://git.kernel.org/stable/c/635cea4f44c1ddae2…
https://git.kernel.org/stable/c/89b5ab822bf69867c…
https://git.kernel.org/stable/c/5d89aa42534723400…
https://git.kernel.org/stable/c/f6b1b0f8ba0b61d8b…
https://git.kernel.org/stable/c/00da1c767a6567e56…
https://git.kernel.org/stable/c/c56398885716d97ee…
https://git.kernel.org/stable/c/f83ac8d30c43fd902…
https://lists.debian.org/debian-lts-announce/2025…
https://lists.debian.org/debian-lts-announce/2025…

Impacted products

2 products

Vendor	Product	Version
Linux	Linux	Affected: 54f259906039dbfe46c550011409fa16f72370f6 , < 57597d8db5bbda618ba2145b7e8a7e6f01b6a27e (git) Affected: f9d19f3a044ca651b0be52a4bf951ffe74259b9f , < 635cea4f44c1ddae208666772c164eab5a6bce39 (git) Affected: ab54081a2843aefb837812fac5488cc8f1696142 , < 89b5ab822bf69867c3951dd0eb34b0314c38966b (git) Affected: 2f558c5208b0f70c8140e08ce09fcc84da48e789 , < 5d89aa42534723400fefd46e26e053b9c382b4ee (git) Affected: 94a7ad9283464b75b12516c5512541d467cefcf8 , < f6b1b0f8ba0b61d8b511df5649d57235f230c135 (git) Affected: 94a7ad9283464b75b12516c5512541d467cefcf8 , < 00da1c767a6567e56f23dda586847586868ac064 (git) Affected: 94a7ad9283464b75b12516c5512541d467cefcf8 , < c56398885716d97ee9bcadb2bc9663a8c1757a34 (git) Affected: 94a7ad9283464b75b12516c5512541d467cefcf8 , < f83ac8d30c43fd902af7c84c480f216157b60ef0 (git) Affected: 8c0ee15d9a102c732d0745566d254040085d5663 (git) Affected: 5edc3604151919da8da0fb092b71d7dce07d848a (git) Affected: 9c7fba9503b826f0c061d136f8f0c9f953ed18b9 (git) Affected: ccb5392c4fea0e7d9f7ab35567e839d74cb3998b (git) Affected: 5.4.229 , < 5.4.296 (semver) Affected: 5.10.163 , < 5.10.239 (semver) Affected: 5.15.86 , < 5.15.186 (semver) Affected: 6.1.2 , < 6.1.142 (semver) Affected: 4.9.337 , < 4.10 (semver) Affected: 4.14.303 , < 4.15 (semver) Affected: 4.19.270 , < 4.20 (semver) Affected: 6.0.16 , < 6.1 (semver)
Linux	Linux	Affected: 6.2 Unaffected: 0 , < 6.2 (semver) Unaffected: 5.4.296 , ≤ 5.4.* (semver) Unaffected: 5.10.239 , ≤ 5.10.* (semver) Unaffected: 5.15.186 , ≤ 5.15.* (semver) Unaffected: 6.1.142 , ≤ 6.1.* (semver) Unaffected: 6.6.95 , ≤ 6.6.* (semver) Unaffected: 6.12.35 , ≤ 6.12.* (semver) Unaffected: 6.15.4 , ≤ 6.15.* (semver) Unaffected: 6.16 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:35:42.979Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/media/test-drivers/vivid/vivid-vid-cap.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "57597d8db5bbda618ba2145b7e8a7e6f01b6a27e",
              "status": "affected",
              "version": "54f259906039dbfe46c550011409fa16f72370f6",
              "versionType": "git"
            },
            {
              "lessThan": "635cea4f44c1ddae208666772c164eab5a6bce39",
              "status": "affected",
              "version": "f9d19f3a044ca651b0be52a4bf951ffe74259b9f",
              "versionType": "git"
            },
            {
              "lessThan": "89b5ab822bf69867c3951dd0eb34b0314c38966b",
              "status": "affected",
              "version": "ab54081a2843aefb837812fac5488cc8f1696142",
              "versionType": "git"
            },
            {
              "lessThan": "5d89aa42534723400fefd46e26e053b9c382b4ee",
              "status": "affected",
              "version": "2f558c5208b0f70c8140e08ce09fcc84da48e789",
              "versionType": "git"
            },
            {
              "lessThan": "f6b1b0f8ba0b61d8b511df5649d57235f230c135",
              "status": "affected",
              "version": "94a7ad9283464b75b12516c5512541d467cefcf8",
              "versionType": "git"
            },
            {
              "lessThan": "00da1c767a6567e56f23dda586847586868ac064",
              "status": "affected",
              "version": "94a7ad9283464b75b12516c5512541d467cefcf8",
              "versionType": "git"
            },
            {
              "lessThan": "c56398885716d97ee9bcadb2bc9663a8c1757a34",
              "status": "affected",
              "version": "94a7ad9283464b75b12516c5512541d467cefcf8",
              "versionType": "git"
            },
            {
              "lessThan": "f83ac8d30c43fd902af7c84c480f216157b60ef0",
              "status": "affected",
              "version": "94a7ad9283464b75b12516c5512541d467cefcf8",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "8c0ee15d9a102c732d0745566d254040085d5663",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "5edc3604151919da8da0fb092b71d7dce07d848a",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "9c7fba9503b826f0c061d136f8f0c9f953ed18b9",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "ccb5392c4fea0e7d9f7ab35567e839d74cb3998b",
              "versionType": "git"
            },
            {
              "lessThan": "5.4.296",
              "status": "affected",
              "version": "5.4.229",
              "versionType": "semver"
            },
            {
              "lessThan": "5.10.239",
              "status": "affected",
              "version": "5.10.163",
              "versionType": "semver"
            },
            {
              "lessThan": "5.15.186",
              "status": "affected",
              "version": "5.15.86",
              "versionType": "semver"
            },
            {
              "lessThan": "6.1.142",
              "status": "affected",
              "version": "6.1.2",
              "versionType": "semver"
            },
            {
              "lessThan": "4.10",
              "status": "affected",
              "version": "4.9.337",
              "versionType": "semver"
            },
            {
              "lessThan": "4.15",
              "status": "affected",
              "version": "4.14.303",
              "versionType": "semver"
            },
            {
              "lessThan": "4.20",
              "status": "affected",
              "version": "4.19.270",
              "versionType": "semver"
            },
            {
              "lessThan": "6.1",
              "status": "affected",
              "version": "6.0.16",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/media/test-drivers/vivid/vivid-vid-cap.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.2"
            },
            {
              "lessThan": "6.2",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.296",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.239",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.186",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.142",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.95",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.35",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.296",
                  "versionStartIncluding": "5.4.229",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.239",
                  "versionStartIncluding": "5.10.163",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.186",
                  "versionStartIncluding": "5.15.86",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.142",
                  "versionStartIncluding": "6.1.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.95",
                  "versionStartIncluding": "6.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.35",
                  "versionStartIncluding": "6.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.4",
                  "versionStartIncluding": "6.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "6.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "4.9.337",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "4.14.303",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "4.19.270",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "6.0.16",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: vivid: Change the siize of the composing\n\nsyzkaller found a bug:\n\nBUG: KASAN: vmalloc-out-of-bounds in tpg_fill_plane_pattern drivers/media/common/v4l2-tpg/v4l2-tpg-core.c:2608 [inline]\nBUG: KASAN: vmalloc-out-of-bounds in tpg_fill_plane_buffer+0x1a9c/0x5af0 drivers/media/common/v4l2-tpg/v4l2-tpg-core.c:2705\nWrite of size 1440 at addr ffffc9000d0ffda0 by task vivid-000-vid-c/5304\n\nCPU: 0 UID: 0 PID: 5304 Comm: vivid-000-vid-c Not tainted 6.14.0-rc2-syzkaller-00039-g09fbf3d50205 #0\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014\n\nCall Trace:\n \u003cTASK\u003e\n __dump_stack lib/dump_stack.c:94 [inline]\n dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120\n print_address_description mm/kasan/report.c:378 [inline]\n print_report+0x169/0x550 mm/kasan/report.c:489\n kasan_report+0x143/0x180 mm/kasan/report.c:602\n kasan_check_range+0x282/0x290 mm/kasan/generic.c:189\n __asan_memcpy+0x40/0x70 mm/kasan/shadow.c:106\n tpg_fill_plane_pattern drivers/media/common/v4l2-tpg/v4l2-tpg-core.c:2608 [inline]\n tpg_fill_plane_buffer+0x1a9c/0x5af0 drivers/media/common/v4l2-tpg/v4l2-tpg-core.c:2705\n vivid_fillbuff drivers/media/test-drivers/vivid/vivid-kthread-cap.c:470 [inline]\n vivid_thread_vid_cap_tick+0xf8e/0x60d0 drivers/media/test-drivers/vivid/vivid-kthread-cap.c:629\n vivid_thread_vid_cap+0x8aa/0xf30 drivers/media/test-drivers/vivid/vivid-kthread-cap.c:767\n kthread+0x7a9/0x920 kernel/kthread.c:464\n ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:148\n ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244\n \u003c/TASK\u003e\n\nThe composition size cannot be larger than the size of fmt_cap_rect.\nSo execute v4l2_rect_map_inside() even if has_compose_cap == 0."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-23T15:59:14.906Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/57597d8db5bbda618ba2145b7e8a7e6f01b6a27e"
        },
        {
          "url": "https://git.kernel.org/stable/c/635cea4f44c1ddae208666772c164eab5a6bce39"
        },
        {
          "url": "https://git.kernel.org/stable/c/89b5ab822bf69867c3951dd0eb34b0314c38966b"
        },
        {
          "url": "https://git.kernel.org/stable/c/5d89aa42534723400fefd46e26e053b9c382b4ee"
        },
        {
          "url": "https://git.kernel.org/stable/c/f6b1b0f8ba0b61d8b511df5649d57235f230c135"
        },
        {
          "url": "https://git.kernel.org/stable/c/00da1c767a6567e56f23dda586847586868ac064"
        },
        {
          "url": "https://git.kernel.org/stable/c/c56398885716d97ee9bcadb2bc9663a8c1757a34"
        },
        {
          "url": "https://git.kernel.org/stable/c/f83ac8d30c43fd902af7c84c480f216157b60ef0"
        }
      ],
      "title": "media: vivid: Change the siize of the composing",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38226",
    "datePublished": "2025-07-04T13:37:40.977Z",
    "dateReserved": "2025-04-16T04:51:23.995Z",
    "dateUpdated": "2026-05-23T15:59:14.906Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38227 (GCVE-0-2025-38227)

Vulnerability from cvelistv5 – Published: 2025-07-04 13:37 – Updated: 2026-05-11 21:23

Title

media: vidtv: Terminating the subsequent process of initialization failure

Summary

In the Linux kernel, the following vulnerability has been resolved: media: vidtv: Terminating the subsequent process of initialization failure syzbot reported a slab-use-after-free Read in vidtv_mux_init. [1] After PSI initialization fails, the si member is accessed again, resulting in this uaf. After si initialization fails, the subsequent process needs to be exited. [1] BUG: KASAN: slab-use-after-free in vidtv_mux_pid_ctx_init drivers/media/test-drivers/vidtv/vidtv_mux.c:78 [inline] BUG: KASAN: slab-use-after-free in vidtv_mux_init+0xac2/0xbe0 drivers/media/test-drivers/vidtv/vidtv_mux.c:524 Read of size 8 at addr ffff88802fa42acc by task syz.2.37/6059 CPU: 0 UID: 0 PID: 6059 Comm: syz.2.37 Not tainted 6.14.0-rc5-syzkaller #0 Hardware name: Google Compute Engine, BIOS Google 02/12/2025 Call Trace: <TASK> __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:408 [inline] print_report+0xc3/0x670 mm/kasan/report.c:521 kasan_report+0xd9/0x110 mm/kasan/report.c:634 vidtv_mux_pid_ctx_init drivers/media/test-drivers/vidtv/vidtv_mux.c:78 vidtv_mux_init+0xac2/0xbe0 drivers/media/test-drivers/vidtv/vidtv_mux.c:524 vidtv_start_streaming drivers/media/test-drivers/vidtv/vidtv_bridge.c:194 vidtv_start_feed drivers/media/test-drivers/vidtv/vidtv_bridge.c:239 dmx_section_feed_start_filtering drivers/media/dvb-core/dvb_demux.c:973 dvb_dmxdev_feed_start drivers/media/dvb-core/dmxdev.c:508 [inline] dvb_dmxdev_feed_restart.isra.0 drivers/media/dvb-core/dmxdev.c:537 dvb_dmxdev_filter_stop+0x2b4/0x3a0 drivers/media/dvb-core/dmxdev.c:564 dvb_dmxdev_filter_free drivers/media/dvb-core/dmxdev.c:840 [inline] dvb_demux_release+0x92/0x550 drivers/media/dvb-core/dmxdev.c:1246 __fput+0x3ff/0xb70 fs/file_table.c:464 task_work_run+0x14e/0x250 kernel/task_work.c:227 exit_task_work include/linux/task_work.h:40 [inline] do_exit+0xad8/0x2d70 kernel/exit.c:938 do_group_exit+0xd3/0x2a0 kernel/exit.c:1087 __do_sys_exit_group kernel/exit.c:1098 [inline] __se_sys_exit_group kernel/exit.c:1096 [inline] __x64_sys_exit_group+0x3e/0x50 kernel/exit.c:1096 x64_sys_call+0x151f/0x1720 arch/x86/include/generated/asm/syscalls_64.h:232 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f871d58d169 Code: Unable to access opcode bytes at 0x7f871d58d13f. RSP: 002b:00007fff4b19a788 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7 RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f871d58d169 RDX: 0000000000000064 RSI: 0000000000000000 RDI: 0000000000000000 RBP: 00007fff4b19a7ec R08: 0000000b4b19a87f R09: 00000000000927c0 R10: 0000000000000001 R11: 0000000000000246 R12: 0000000000000003 R13: 00000000000927c0 R14: 000000000001d553 R15: 00007fff4b19a840 </TASK> Allocated by task 6059: kasan_save_stack+0x33/0x60 mm/kasan/common.c:47 kasan_save_track+0x14/0x30 mm/kasan/common.c:68 poison_kmalloc_redzone mm/kasan/common.c:377 [inline] __kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:394 kmalloc_noprof include/linux/slab.h:901 [inline] kzalloc_noprof include/linux/slab.h:1037 [inline] vidtv_psi_pat_table_init drivers/media/test-drivers/vidtv/vidtv_psi.c:970 vidtv_channel_si_init drivers/media/test-drivers/vidtv/vidtv_channel.c:423 vidtv_mux_init drivers/media/test-drivers/vidtv/vidtv_mux.c:519 vidtv_start_streaming drivers/media/test-drivers/vidtv/vidtv_bridge.c:194 vidtv_start_feed drivers/media/test-drivers/vidtv/vidtv_bridge.c:239 dmx_section_feed_start_filtering drivers/media/dvb-core/dvb_demux.c:973 dvb_dmxdev_feed_start drivers/media/dvb-core/dmxdev.c:508 [inline] dvb_dmxdev_feed_restart.isra.0 drivers/media/dvb-core/dmxdev.c:537 dvb_dmxdev_filter_stop+0x2b4/0x3a0 drivers/media/dvb-core/dmxdev.c:564 dvb_dmxdev_filter_free drivers/media/dvb-core/dmxdev.c:840 [inline] dvb_demux_release+0x92/0x550 drivers/media/dvb-core/dmxdev.c:1246 __fput+0x3ff/0xb70 fs/file_tabl ---truncated---

Severity

No CVSS data available.

Assigner

Linux

References

9 references

URL	Tags
https://git.kernel.org/stable/c/e1d72ff111eceea6b…
https://git.kernel.org/stable/c/7e62be1f3b241bc9f…
https://git.kernel.org/stable/c/685c18bc5a36f823e…
https://git.kernel.org/stable/c/9824e1732a163e005…
https://git.kernel.org/stable/c/72541cae73d0809a6…
https://git.kernel.org/stable/c/f8c2483be6e8bb6c2…
https://git.kernel.org/stable/c/1d5f88f0534803268…
https://lists.debian.org/debian-lts-announce/2025…
https://lists.debian.org/debian-lts-announce/2025…

Impacted products

2 products

Vendor	Product	Version
Linux	Linux	Affected: 3be8037960bccd13052cfdeba8805ad785041d70 , < e1d72ff111eceea6b28dccb7ca4e8f4900b11729 (git) Affected: 3be8037960bccd13052cfdeba8805ad785041d70 , < 7e62be1f3b241bc9faee547864bb39332955509b (git) Affected: 3be8037960bccd13052cfdeba8805ad785041d70 , < 685c18bc5a36f823ee725e85aac1303ef5f535ba (git) Affected: 3be8037960bccd13052cfdeba8805ad785041d70 , < 9824e1732a163e005aa84e12ec439493ebd4f097 (git) Affected: 3be8037960bccd13052cfdeba8805ad785041d70 , < 72541cae73d0809a6416bfcd2ee6473046a0013a (git) Affected: 3be8037960bccd13052cfdeba8805ad785041d70 , < f8c2483be6e8bb6c2148315b4a924c65bb442b5e (git) Affected: 3be8037960bccd13052cfdeba8805ad785041d70 , < 1d5f88f053480326873115092bc116b7d14916ba (git)
Linux	Linux	Affected: 5.10 Unaffected: 0 , < 5.10 (semver) Unaffected: 5.10.239 , ≤ 5.10.* (semver) Unaffected: 5.15.186 , ≤ 5.15.* (semver) Unaffected: 6.1.142 , ≤ 6.1.* (semver) Unaffected: 6.6.95 , ≤ 6.6.* (semver) Unaffected: 6.12.35 , ≤ 6.12.* (semver) Unaffected: 6.15.4 , ≤ 6.15.* (semver) Unaffected: 6.16 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:35:44.869Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/media/test-drivers/vidtv/vidtv_channel.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "e1d72ff111eceea6b28dccb7ca4e8f4900b11729",
              "status": "affected",
              "version": "3be8037960bccd13052cfdeba8805ad785041d70",
              "versionType": "git"
            },
            {
              "lessThan": "7e62be1f3b241bc9faee547864bb39332955509b",
              "status": "affected",
              "version": "3be8037960bccd13052cfdeba8805ad785041d70",
              "versionType": "git"
            },
            {
              "lessThan": "685c18bc5a36f823ee725e85aac1303ef5f535ba",
              "status": "affected",
              "version": "3be8037960bccd13052cfdeba8805ad785041d70",
              "versionType": "git"
            },
            {
              "lessThan": "9824e1732a163e005aa84e12ec439493ebd4f097",
              "status": "affected",
              "version": "3be8037960bccd13052cfdeba8805ad785041d70",
              "versionType": "git"
            },
            {
              "lessThan": "72541cae73d0809a6416bfcd2ee6473046a0013a",
              "status": "affected",
              "version": "3be8037960bccd13052cfdeba8805ad785041d70",
              "versionType": "git"
            },
            {
              "lessThan": "f8c2483be6e8bb6c2148315b4a924c65bb442b5e",
              "status": "affected",
              "version": "3be8037960bccd13052cfdeba8805ad785041d70",
              "versionType": "git"
            },
            {
              "lessThan": "1d5f88f053480326873115092bc116b7d14916ba",
              "status": "affected",
              "version": "3be8037960bccd13052cfdeba8805ad785041d70",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/media/test-drivers/vidtv/vidtv_channel.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.10"
            },
            {
              "lessThan": "5.10",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.239",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.186",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.142",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.95",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.35",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.239",
                  "versionStartIncluding": "5.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.186",
                  "versionStartIncluding": "5.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.142",
                  "versionStartIncluding": "5.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.95",
                  "versionStartIncluding": "5.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.35",
                  "versionStartIncluding": "5.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.4",
                  "versionStartIncluding": "5.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "5.10",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: vidtv: Terminating the subsequent process of initialization failure\n\nsyzbot reported a slab-use-after-free Read in vidtv_mux_init. [1]\n\nAfter PSI initialization fails, the si member is accessed again, resulting\nin this uaf.\n\nAfter si initialization fails, the subsequent process needs to be exited.\n\n[1]\nBUG: KASAN: slab-use-after-free in vidtv_mux_pid_ctx_init drivers/media/test-drivers/vidtv/vidtv_mux.c:78 [inline]\nBUG: KASAN: slab-use-after-free in vidtv_mux_init+0xac2/0xbe0 drivers/media/test-drivers/vidtv/vidtv_mux.c:524\nRead of size 8 at addr ffff88802fa42acc by task syz.2.37/6059\n\nCPU: 0 UID: 0 PID: 6059 Comm: syz.2.37 Not tainted 6.14.0-rc5-syzkaller #0\nHardware name: Google Compute Engine, BIOS Google 02/12/2025\nCall Trace:\n\u003cTASK\u003e\n__dump_stack lib/dump_stack.c:94 [inline]\ndump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120\nprint_address_description mm/kasan/report.c:408 [inline]\nprint_report+0xc3/0x670 mm/kasan/report.c:521\nkasan_report+0xd9/0x110 mm/kasan/report.c:634\nvidtv_mux_pid_ctx_init drivers/media/test-drivers/vidtv/vidtv_mux.c:78\nvidtv_mux_init+0xac2/0xbe0 drivers/media/test-drivers/vidtv/vidtv_mux.c:524\nvidtv_start_streaming drivers/media/test-drivers/vidtv/vidtv_bridge.c:194\nvidtv_start_feed drivers/media/test-drivers/vidtv/vidtv_bridge.c:239\ndmx_section_feed_start_filtering drivers/media/dvb-core/dvb_demux.c:973\ndvb_dmxdev_feed_start drivers/media/dvb-core/dmxdev.c:508 [inline]\ndvb_dmxdev_feed_restart.isra.0 drivers/media/dvb-core/dmxdev.c:537\ndvb_dmxdev_filter_stop+0x2b4/0x3a0 drivers/media/dvb-core/dmxdev.c:564\ndvb_dmxdev_filter_free drivers/media/dvb-core/dmxdev.c:840 [inline]\ndvb_demux_release+0x92/0x550 drivers/media/dvb-core/dmxdev.c:1246\n__fput+0x3ff/0xb70 fs/file_table.c:464\ntask_work_run+0x14e/0x250 kernel/task_work.c:227\nexit_task_work include/linux/task_work.h:40 [inline]\ndo_exit+0xad8/0x2d70 kernel/exit.c:938\ndo_group_exit+0xd3/0x2a0 kernel/exit.c:1087\n__do_sys_exit_group kernel/exit.c:1098 [inline]\n__se_sys_exit_group kernel/exit.c:1096 [inline]\n__x64_sys_exit_group+0x3e/0x50 kernel/exit.c:1096\nx64_sys_call+0x151f/0x1720 arch/x86/include/generated/asm/syscalls_64.h:232\ndo_syscall_x64 arch/x86/entry/common.c:52 [inline]\ndo_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83\nentry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7f871d58d169\nCode: Unable to access opcode bytes at 0x7f871d58d13f.\nRSP: 002b:00007fff4b19a788 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7\nRAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f871d58d169\nRDX: 0000000000000064 RSI: 0000000000000000 RDI: 0000000000000000\nRBP: 00007fff4b19a7ec R08: 0000000b4b19a87f R09: 00000000000927c0\nR10: 0000000000000001 R11: 0000000000000246 R12: 0000000000000003\nR13: 00000000000927c0 R14: 000000000001d553 R15: 00007fff4b19a840\n \u003c/TASK\u003e\n\nAllocated by task 6059:\n kasan_save_stack+0x33/0x60 mm/kasan/common.c:47\n kasan_save_track+0x14/0x30 mm/kasan/common.c:68\n poison_kmalloc_redzone mm/kasan/common.c:377 [inline]\n __kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:394\n kmalloc_noprof include/linux/slab.h:901 [inline]\n kzalloc_noprof include/linux/slab.h:1037 [inline]\n vidtv_psi_pat_table_init drivers/media/test-drivers/vidtv/vidtv_psi.c:970\n vidtv_channel_si_init drivers/media/test-drivers/vidtv/vidtv_channel.c:423\n vidtv_mux_init drivers/media/test-drivers/vidtv/vidtv_mux.c:519\n vidtv_start_streaming drivers/media/test-drivers/vidtv/vidtv_bridge.c:194\n vidtv_start_feed drivers/media/test-drivers/vidtv/vidtv_bridge.c:239\n dmx_section_feed_start_filtering drivers/media/dvb-core/dvb_demux.c:973\n dvb_dmxdev_feed_start drivers/media/dvb-core/dmxdev.c:508 [inline]\n dvb_dmxdev_feed_restart.isra.0 drivers/media/dvb-core/dmxdev.c:537\n dvb_dmxdev_filter_stop+0x2b4/0x3a0 drivers/media/dvb-core/dmxdev.c:564\n dvb_dmxdev_filter_free drivers/media/dvb-core/dmxdev.c:840 [inline]\n dvb_demux_release+0x92/0x550 drivers/media/dvb-core/dmxdev.c:1246\n __fput+0x3ff/0xb70 fs/file_tabl\n---truncated---"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T21:23:41.807Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/e1d72ff111eceea6b28dccb7ca4e8f4900b11729"
        },
        {
          "url": "https://git.kernel.org/stable/c/7e62be1f3b241bc9faee547864bb39332955509b"
        },
        {
          "url": "https://git.kernel.org/stable/c/685c18bc5a36f823ee725e85aac1303ef5f535ba"
        },
        {
          "url": "https://git.kernel.org/stable/c/9824e1732a163e005aa84e12ec439493ebd4f097"
        },
        {
          "url": "https://git.kernel.org/stable/c/72541cae73d0809a6416bfcd2ee6473046a0013a"
        },
        {
          "url": "https://git.kernel.org/stable/c/f8c2483be6e8bb6c2148315b4a924c65bb442b5e"
        },
        {
          "url": "https://git.kernel.org/stable/c/1d5f88f053480326873115092bc116b7d14916ba"
        }
      ],
      "title": "media: vidtv: Terminating the subsequent process of initialization failure",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38227",
    "datePublished": "2025-07-04T13:37:41.922Z",
    "dateReserved": "2025-04-16T04:51:23.995Z",
    "dateUpdated": "2026-05-11T21:23:41.807Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38229 (GCVE-0-2025-38229)

Vulnerability from cvelistv5 – Published: 2025-07-04 13:37 – Updated: 2026-05-11 21:23

Title

media: cxusb: no longer judge rbuf when the write fails

Summary

In the Linux kernel, the following vulnerability has been resolved: media: cxusb: no longer judge rbuf when the write fails syzbot reported a uninit-value in cxusb_i2c_xfer. [1] Only when the write operation of usb_bulk_msg() in dvb_usb_generic_rw() succeeds and rlen is greater than 0, the read operation of usb_bulk_msg() will be executed to read rlen bytes of data from the dvb device into the rbuf. In this case, although rlen is 1, the write operation failed which resulted in the dvb read operation not being executed, and ultimately variable i was not initialized. [1] BUG: KMSAN: uninit-value in cxusb_gpio_tuner drivers/media/usb/dvb-usb/cxusb.c:124 [inline] BUG: KMSAN: uninit-value in cxusb_i2c_xfer+0x153a/0x1a60 drivers/media/usb/dvb-usb/cxusb.c:196 cxusb_gpio_tuner drivers/media/usb/dvb-usb/cxusb.c:124 [inline] cxusb_i2c_xfer+0x153a/0x1a60 drivers/media/usb/dvb-usb/cxusb.c:196 __i2c_transfer+0xe25/0x3150 drivers/i2c/i2c-core-base.c:-1 i2c_transfer+0x317/0x4a0 drivers/i2c/i2c-core-base.c:2315 i2c_transfer_buffer_flags+0x125/0x1e0 drivers/i2c/i2c-core-base.c:2343 i2c_master_send include/linux/i2c.h:109 [inline] i2cdev_write+0x210/0x280 drivers/i2c/i2c-dev.c:183 do_loop_readv_writev fs/read_write.c:848 [inline] vfs_writev+0x963/0x14e0 fs/read_write.c:1057 do_writev+0x247/0x5c0 fs/read_write.c:1101 __do_sys_writev fs/read_write.c:1169 [inline] __se_sys_writev fs/read_write.c:1166 [inline] __x64_sys_writev+0x98/0xe0 fs/read_write.c:1166 x64_sys_call+0x2229/0x3c80 arch/x86/include/generated/asm/syscalls_64.h:21 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xcd/0x1e0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Severity

No CVSS data available.

Assigner

Linux

References

10 references

URL	Tags
https://git.kernel.org/stable/c/77829a5f5a74026b8…
https://git.kernel.org/stable/c/390b864e328180210…
https://git.kernel.org/stable/c/41807a5f67420464a…
https://git.kernel.org/stable/c/84eca597baa346f09…
https://git.kernel.org/stable/c/04354c529c8246a38…
https://git.kernel.org/stable/c/9bff888c92f5c25ef…
https://git.kernel.org/stable/c/8b35b50b7e98d8e9a…
https://git.kernel.org/stable/c/73fb3b92da84637e3…
https://lists.debian.org/debian-lts-announce/2025…
https://lists.debian.org/debian-lts-announce/2025…

Impacted products

2 products

Vendor	Product	Version
Linux	Linux	Affected: 22c6d93a73105fddd58796d7cb10f5f90ee2a338 , < 77829a5f5a74026b888b0529628475b29750cef4 (git) Affected: 22c6d93a73105fddd58796d7cb10f5f90ee2a338 , < 390b864e3281802109dfe56e508396683e125653 (git) Affected: 22c6d93a73105fddd58796d7cb10f5f90ee2a338 , < 41807a5f67420464ac8ee7741504f6b5decb3b7c (git) Affected: 22c6d93a73105fddd58796d7cb10f5f90ee2a338 , < 84eca597baa346f09b30accdaeca10ced3eeba2d (git) Affected: 22c6d93a73105fddd58796d7cb10f5f90ee2a338 , < 04354c529c8246a38ae28f713fd6bfdc028113bc (git) Affected: 22c6d93a73105fddd58796d7cb10f5f90ee2a338 , < 9bff888c92f5c25effbb876d22a793c2388c1ccc (git) Affected: 22c6d93a73105fddd58796d7cb10f5f90ee2a338 , < 8b35b50b7e98d8e9a0a27257c8424448afae10de (git) Affected: 22c6d93a73105fddd58796d7cb10f5f90ee2a338 , < 73fb3b92da84637e3817580fa205d48065924e15 (git)
Linux	Linux	Affected: 2.6.13 Unaffected: 0 , < 2.6.13 (semver) Unaffected: 5.4.296 , ≤ 5.4.* (semver) Unaffected: 5.10.239 , ≤ 5.10.* (semver) Unaffected: 5.15.186 , ≤ 5.15.* (semver) Unaffected: 6.1.142 , ≤ 6.1.* (semver) Unaffected: 6.6.95 , ≤ 6.6.* (semver) Unaffected: 6.12.35 , ≤ 6.12.* (semver) Unaffected: 6.15.4 , ≤ 6.15.* (semver) Unaffected: 6.16 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:35:46.753Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/media/usb/dvb-usb/cxusb.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "77829a5f5a74026b888b0529628475b29750cef4",
              "status": "affected",
              "version": "22c6d93a73105fddd58796d7cb10f5f90ee2a338",
              "versionType": "git"
            },
            {
              "lessThan": "390b864e3281802109dfe56e508396683e125653",
              "status": "affected",
              "version": "22c6d93a73105fddd58796d7cb10f5f90ee2a338",
              "versionType": "git"
            },
            {
              "lessThan": "41807a5f67420464ac8ee7741504f6b5decb3b7c",
              "status": "affected",
              "version": "22c6d93a73105fddd58796d7cb10f5f90ee2a338",
              "versionType": "git"
            },
            {
              "lessThan": "84eca597baa346f09b30accdaeca10ced3eeba2d",
              "status": "affected",
              "version": "22c6d93a73105fddd58796d7cb10f5f90ee2a338",
              "versionType": "git"
            },
            {
              "lessThan": "04354c529c8246a38ae28f713fd6bfdc028113bc",
              "status": "affected",
              "version": "22c6d93a73105fddd58796d7cb10f5f90ee2a338",
              "versionType": "git"
            },
            {
              "lessThan": "9bff888c92f5c25effbb876d22a793c2388c1ccc",
              "status": "affected",
              "version": "22c6d93a73105fddd58796d7cb10f5f90ee2a338",
              "versionType": "git"
            },
            {
              "lessThan": "8b35b50b7e98d8e9a0a27257c8424448afae10de",
              "status": "affected",
              "version": "22c6d93a73105fddd58796d7cb10f5f90ee2a338",
              "versionType": "git"
            },
            {
              "lessThan": "73fb3b92da84637e3817580fa205d48065924e15",
              "status": "affected",
              "version": "22c6d93a73105fddd58796d7cb10f5f90ee2a338",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/media/usb/dvb-usb/cxusb.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.13"
            },
            {
              "lessThan": "2.6.13",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.296",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.239",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.186",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.142",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.95",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.35",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.296",
                  "versionStartIncluding": "2.6.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.239",
                  "versionStartIncluding": "2.6.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.186",
                  "versionStartIncluding": "2.6.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.142",
                  "versionStartIncluding": "2.6.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.95",
                  "versionStartIncluding": "2.6.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.35",
                  "versionStartIncluding": "2.6.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.4",
                  "versionStartIncluding": "2.6.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "2.6.13",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: cxusb: no longer judge rbuf when the write fails\n\nsyzbot reported a uninit-value in cxusb_i2c_xfer. [1]\n\nOnly when the write operation of usb_bulk_msg() in dvb_usb_generic_rw()\nsucceeds and rlen is greater than 0, the read operation of usb_bulk_msg()\nwill be executed to read rlen bytes of data from the dvb device into the\nrbuf.\n\nIn this case, although rlen is 1, the write operation failed which resulted\nin the dvb read operation not being executed, and ultimately variable i was\nnot initialized.\n\n[1]\nBUG: KMSAN: uninit-value in cxusb_gpio_tuner drivers/media/usb/dvb-usb/cxusb.c:124 [inline]\nBUG: KMSAN: uninit-value in cxusb_i2c_xfer+0x153a/0x1a60 drivers/media/usb/dvb-usb/cxusb.c:196\n cxusb_gpio_tuner drivers/media/usb/dvb-usb/cxusb.c:124 [inline]\n cxusb_i2c_xfer+0x153a/0x1a60 drivers/media/usb/dvb-usb/cxusb.c:196\n __i2c_transfer+0xe25/0x3150 drivers/i2c/i2c-core-base.c:-1\n i2c_transfer+0x317/0x4a0 drivers/i2c/i2c-core-base.c:2315\n i2c_transfer_buffer_flags+0x125/0x1e0 drivers/i2c/i2c-core-base.c:2343\n i2c_master_send include/linux/i2c.h:109 [inline]\n i2cdev_write+0x210/0x280 drivers/i2c/i2c-dev.c:183\n do_loop_readv_writev fs/read_write.c:848 [inline]\n vfs_writev+0x963/0x14e0 fs/read_write.c:1057\n do_writev+0x247/0x5c0 fs/read_write.c:1101\n __do_sys_writev fs/read_write.c:1169 [inline]\n __se_sys_writev fs/read_write.c:1166 [inline]\n __x64_sys_writev+0x98/0xe0 fs/read_write.c:1166\n x64_sys_call+0x2229/0x3c80 arch/x86/include/generated/asm/syscalls_64.h:21\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xcd/0x1e0 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T21:23:44.237Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/77829a5f5a74026b888b0529628475b29750cef4"
        },
        {
          "url": "https://git.kernel.org/stable/c/390b864e3281802109dfe56e508396683e125653"
        },
        {
          "url": "https://git.kernel.org/stable/c/41807a5f67420464ac8ee7741504f6b5decb3b7c"
        },
        {
          "url": "https://git.kernel.org/stable/c/84eca597baa346f09b30accdaeca10ced3eeba2d"
        },
        {
          "url": "https://git.kernel.org/stable/c/04354c529c8246a38ae28f713fd6bfdc028113bc"
        },
        {
          "url": "https://git.kernel.org/stable/c/9bff888c92f5c25effbb876d22a793c2388c1ccc"
        },
        {
          "url": "https://git.kernel.org/stable/c/8b35b50b7e98d8e9a0a27257c8424448afae10de"
        },
        {
          "url": "https://git.kernel.org/stable/c/73fb3b92da84637e3817580fa205d48065924e15"
        }
      ],
      "title": "media: cxusb: no longer judge rbuf when the write fails",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38229",
    "datePublished": "2025-07-04T13:37:43.321Z",
    "dateReserved": "2025-04-16T04:51:23.996Z",
    "dateUpdated": "2026-05-11T21:23:44.237Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38230 (GCVE-0-2025-38230)

Vulnerability from cvelistv5 – Published: 2025-07-04 13:37 – Updated: 2026-05-11 21:23

Title

jfs: validate AG parameters in dbMount() to prevent crashes

Summary

In the Linux kernel, the following vulnerability has been resolved: jfs: validate AG parameters in dbMount() to prevent crashes Validate db_agheight, db_agwidth, and db_agstart in dbMount to catch corrupted metadata early and avoid undefined behavior in dbAllocAG. Limits are derived from L2LPERCTL, LPERCTL/MAXAG, and CTLTREESIZE: - agheight: 0 to L2LPERCTL/2 (0 to 5) ensures shift (L2LPERCTL - 2*agheight) >= 0. - agwidth: 1 to min(LPERCTL/MAXAG, 2^(L2LPERCTL - 2*agheight)) ensures agperlev >= 1. - Ranges: 1-8 (agheight 0-3), 1-4 (agheight 4), 1 (agheight 5). - LPERCTL/MAXAG = 1024/128 = 8 limits leaves per AG; 2^(10 - 2*agheight) prevents division to 0. - agstart: 0 to CTLTREESIZE-1 - agwidth*(MAXAG-1) keeps ti within stree (size 1365). - Ranges: 0-1237 (agwidth 1), 0-348 (agwidth 8). UBSAN: shift-out-of-bounds in fs/jfs/jfs_dmap.c:1400:9 shift exponent -335544310 is negative CPU: 0 UID: 0 PID: 5822 Comm: syz-executor130 Not tainted 6.14.0-rc5-syzkaller #0 Hardware name: Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025 Call Trace: <TASK> __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120 ubsan_epilogue lib/ubsan.c:231 [inline] __ubsan_handle_shift_out_of_bounds+0x3c8/0x420 lib/ubsan.c:468 dbAllocAG+0x1087/0x10b0 fs/jfs/jfs_dmap.c:1400 dbDiscardAG+0x352/0xa20 fs/jfs/jfs_dmap.c:1613 jfs_ioc_trim+0x45a/0x6b0 fs/jfs/jfs_discard.c:105 jfs_ioctl+0x2cd/0x3e0 fs/jfs/ioctl.c:131 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:906 [inline] __se_sys_ioctl+0xf5/0x170 fs/ioctl.c:892 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f Found by Linux Verification Center (linuxtesting.org) with Syzkaller.

Severity

No CVSS data available.

Assigner

Linux

References

10 references

URL	Tags
https://git.kernel.org/stable/c/95ae5ee6069d9a594…
https://git.kernel.org/stable/c/a4259e72363e1ea20…
https://git.kernel.org/stable/c/c3705c82b7406a15e…
https://git.kernel.org/stable/c/9242ff6245527a3eb…
https://git.kernel.org/stable/c/0c40fa81f850556e9…
https://git.kernel.org/stable/c/8b69608c6b6779a7a…
https://git.kernel.org/stable/c/b62a1e59d8716bbd2…
https://git.kernel.org/stable/c/37bfb464ddca87f20…
https://lists.debian.org/debian-lts-announce/2025…
https://lists.debian.org/debian-lts-announce/2025…

Impacted products

2 products

Vendor	Product	Version
Linux	Linux	Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 95ae5ee6069d9a5945772625f289422ef659221a (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < a4259e72363e1ea204a97292001a9fc36c7e52fd (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < c3705c82b7406a15ef38a610d03bf6baa43d6e0c (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 9242ff6245527a3ebb693ddd175493b38ddca72f (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 0c40fa81f850556e9aa0185fede9ef1112db7b39 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 8b69608c6b6779a7ab07ce4467a56df90152cfb9 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < b62a1e59d8716bbd2e73660743fe06acc97ed7d1 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 37bfb464ddca87f203071b5bd562cd91ddc0b40a (git)
Linux	Linux	Affected: 2.6.12 Unaffected: 0 , < 2.6.12 (semver) Unaffected: 5.4.296 , ≤ 5.4.* (semver) Unaffected: 5.10.240 , ≤ 5.10.* (semver) Unaffected: 5.15.187 , ≤ 5.15.* (semver) Unaffected: 6.1.143 , ≤ 6.1.* (semver) Unaffected: 6.6.96 , ≤ 6.6.* (semver) Unaffected: 6.12.36 , ≤ 6.12.* (semver) Unaffected: 6.15.4 , ≤ 6.15.* (semver) Unaffected: 6.16 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:35:48.634Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/jfs/jfs_dmap.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "95ae5ee6069d9a5945772625f289422ef659221a",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "a4259e72363e1ea204a97292001a9fc36c7e52fd",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "c3705c82b7406a15ef38a610d03bf6baa43d6e0c",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "9242ff6245527a3ebb693ddd175493b38ddca72f",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "0c40fa81f850556e9aa0185fede9ef1112db7b39",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "8b69608c6b6779a7ab07ce4467a56df90152cfb9",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "b62a1e59d8716bbd2e73660743fe06acc97ed7d1",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "37bfb464ddca87f203071b5bd562cd91ddc0b40a",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/jfs/jfs_dmap.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.12"
            },
            {
              "lessThan": "2.6.12",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.296",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.240",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.187",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.143",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.96",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.36",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.296",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.240",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.187",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.143",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.96",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.36",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.4",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\njfs: validate AG parameters in dbMount() to prevent crashes\n\nValidate db_agheight, db_agwidth, and db_agstart in dbMount to catch\ncorrupted metadata early and avoid undefined behavior in dbAllocAG.\nLimits are derived from L2LPERCTL, LPERCTL/MAXAG, and CTLTREESIZE:\n\n- agheight: 0 to L2LPERCTL/2 (0 to 5) ensures shift\n  (L2LPERCTL - 2*agheight) \u003e= 0.\n- agwidth: 1 to min(LPERCTL/MAXAG, 2^(L2LPERCTL - 2*agheight))\n  ensures agperlev \u003e= 1.\n  - Ranges: 1-8 (agheight 0-3), 1-4 (agheight 4), 1 (agheight 5).\n  - LPERCTL/MAXAG = 1024/128 = 8 limits leaves per AG;\n    2^(10 - 2*agheight) prevents division to 0.\n- agstart: 0 to CTLTREESIZE-1 - agwidth*(MAXAG-1) keeps ti within\n  stree (size 1365).\n  - Ranges: 0-1237 (agwidth 1), 0-348 (agwidth 8).\n\nUBSAN: shift-out-of-bounds in fs/jfs/jfs_dmap.c:1400:9\nshift exponent -335544310 is negative\nCPU: 0 UID: 0 PID: 5822 Comm: syz-executor130 Not tainted 6.14.0-rc5-syzkaller #0\nHardware name: Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025\nCall Trace:\n \u003cTASK\u003e\n __dump_stack lib/dump_stack.c:94 [inline]\n dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120\n ubsan_epilogue lib/ubsan.c:231 [inline]\n __ubsan_handle_shift_out_of_bounds+0x3c8/0x420 lib/ubsan.c:468\n dbAllocAG+0x1087/0x10b0 fs/jfs/jfs_dmap.c:1400\n dbDiscardAG+0x352/0xa20 fs/jfs/jfs_dmap.c:1613\n jfs_ioc_trim+0x45a/0x6b0 fs/jfs/jfs_discard.c:105\n jfs_ioctl+0x2cd/0x3e0 fs/jfs/ioctl.c:131\n vfs_ioctl fs/ioctl.c:51 [inline]\n __do_sys_ioctl fs/ioctl.c:906 [inline]\n __se_sys_ioctl+0xf5/0x170 fs/ioctl.c:892\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nFound by Linux Verification Center (linuxtesting.org) with Syzkaller."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T21:23:45.359Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/95ae5ee6069d9a5945772625f289422ef659221a"
        },
        {
          "url": "https://git.kernel.org/stable/c/a4259e72363e1ea204a97292001a9fc36c7e52fd"
        },
        {
          "url": "https://git.kernel.org/stable/c/c3705c82b7406a15ef38a610d03bf6baa43d6e0c"
        },
        {
          "url": "https://git.kernel.org/stable/c/9242ff6245527a3ebb693ddd175493b38ddca72f"
        },
        {
          "url": "https://git.kernel.org/stable/c/0c40fa81f850556e9aa0185fede9ef1112db7b39"
        },
        {
          "url": "https://git.kernel.org/stable/c/8b69608c6b6779a7ab07ce4467a56df90152cfb9"
        },
        {
          "url": "https://git.kernel.org/stable/c/b62a1e59d8716bbd2e73660743fe06acc97ed7d1"
        },
        {
          "url": "https://git.kernel.org/stable/c/37bfb464ddca87f203071b5bd562cd91ddc0b40a"
        }
      ],
      "title": "jfs: validate AG parameters in dbMount() to prevent crashes",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38230",
    "datePublished": "2025-07-04T13:37:44.264Z",
    "dateReserved": "2025-04-16T04:51:23.996Z",
    "dateUpdated": "2026-05-11T21:23:45.359Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38231 (GCVE-0-2025-38231)

Vulnerability from cvelistv5 – Published: 2025-07-04 13:37 – Updated: 2026-05-23 15:59

Title

nfsd: Initialize ssc before laundromat_work to prevent NULL dereference

Summary

In the Linux kernel, the following vulnerability has been resolved: nfsd: Initialize ssc before laundromat_work to prevent NULL dereference In nfs4_state_start_net(), laundromat_work may access nfsd_ssc through nfs4_laundromat -> nfsd4_ssc_expire_umount. If nfsd_ssc isn't initialized, this can cause NULL pointer dereference. Normally the delayed start of laundromat_work allows sufficient time for nfsd_ssc initialization to complete. However, when the kernel waits too long for userspace responses (e.g. in nfs4_state_start_net -> nfsd4_end_grace -> nfsd4_record_grace_done -> nfsd4_cld_grace_done -> cld_pipe_upcall -> __cld_pipe_upcall -> wait_for_completion path), the delayed work may start before nfsd_ssc initialization finishes. Fix this by moving nfsd_ssc initialization before starting laundromat_work.

Severity

No CVSS data available.

Assigner

Linux

References

10 references

URL	Tags
https://git.kernel.org/stable/c/deaeb74ae93182528…
https://git.kernel.org/stable/c/0fccf5f01ed28725c…
https://git.kernel.org/stable/c/a97668ec6d73dab23…
https://git.kernel.org/stable/c/5060e1a5fef184bd1…
https://git.kernel.org/stable/c/d622c2ee6c08147ab…
https://git.kernel.org/stable/c/83ac1ba8ca102ab5c…
https://git.kernel.org/stable/c/b31da62889e6d6101…
https://lists.debian.org/debian-lts-announce/2025…
https://lists.debian.org/debian-lts-announce/2025…
https://cert-portal.siemens.com/productcert/html/…

Impacted products

5 products

Vendor	Product	Version
Linux	Linux	Affected: a4bc287943f5695209ff36bdc89f17b48d68fae7 , < deaeb74ae9318252829c59a84a7d2316fc335660 (git) Affected: f4e44b393389c77958f7c58bf4415032b4cda15b , < 0fccf5f01ed28725cc313a66ca1247eef911d55e (git) Affected: f4e44b393389c77958f7c58bf4415032b4cda15b , < a97668ec6d73dab237cd1c15efe012a10090a4ed (git) Affected: f4e44b393389c77958f7c58bf4415032b4cda15b , < 5060e1a5fef184bd11d298e3f0ee920d96a23236 (git) Affected: f4e44b393389c77958f7c58bf4415032b4cda15b , < d622c2ee6c08147ab8c9b9e37d93b6e95d3258e0 (git) Affected: f4e44b393389c77958f7c58bf4415032b4cda15b , < 83ac1ba8ca102ab5c0ed4351f8ac6e74ac4d5d64 (git) Affected: f4e44b393389c77958f7c58bf4415032b4cda15b , < b31da62889e6d610114d81dc7a6edbcaa503fcf8 (git) Affected: 5.10.220 , < 5.10.239 (semver)
Linux	Linux	Affected: 5.14 Unaffected: 0 , < 5.14 (semver) Unaffected: 5.10.239 , ≤ 5.10.* (semver) Unaffected: 5.15.186 , ≤ 5.15.* (semver) Unaffected: 6.1.142 , ≤ 6.1.* (semver) Unaffected: 6.6.95 , ≤ 6.6.* (semver) Unaffected: 6.12.35 , ≤ 6.12.* (semver) Unaffected: 6.15.4 , ≤ 6.15.* (semver) Unaffected: 6.16 , ≤ * (original_commit_for_fix)
Siemens	SIMATIC S7-1500 CPU 1518-4 PN/DP MFP	Affected: V3.1.5 , < * (custom)
Siemens	SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP	Affected: V3.1.5 , < * (custom)
Siemens	SIPLUS S7-1500 CPU 1518-4 PN/DP MFP	Affected: V3.1.5 , < * (custom)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:35:50.505Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "affected": [
          {
            "defaultStatus": "unknown",
            "product": "SIMATIC S7-1500 CPU 1518-4 PN/DP MFP",
            "vendor": "Siemens",
            "versions": [
              {
                "lessThan": "*",
                "status": "affected",
                "version": "V3.1.5",
                "versionType": "custom"
              }
            ]
          },
          {
            "defaultStatus": "unknown",
            "product": "SIMATIC S7-1500 CPU 1518-4 PN/DP MFP",
            "vendor": "Siemens",
            "versions": [
              {
                "lessThan": "*",
                "status": "affected",
                "version": "V3.1.5",
                "versionType": "custom"
              }
            ]
          },
          {
            "defaultStatus": "unknown",
            "product": "SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP",
            "vendor": "Siemens",
            "versions": [
              {
                "lessThan": "*",
                "status": "affected",
                "version": "V3.1.5",
                "versionType": "custom"
              }
            ]
          },
          {
            "defaultStatus": "unknown",
            "product": "SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP",
            "vendor": "Siemens",
            "versions": [
              {
                "lessThan": "*",
                "status": "affected",
                "version": "V3.1.5",
                "versionType": "custom"
              }
            ]
          },
          {
            "defaultStatus": "unknown",
            "product": "SIPLUS S7-1500 CPU 1518-4 PN/DP MFP",
            "vendor": "Siemens",
            "versions": [
              {
                "lessThan": "*",
                "status": "affected",
                "version": "V3.1.5",
                "versionType": "custom"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-12T12:04:42.144Z",
          "orgId": "0b142b55-0307-4c5a-b3c9-f314f3fb7c5e",
          "shortName": "siemens-SADP"
        },
        "references": [
          {
            "url": "https://cert-portal.siemens.com/productcert/html/ssa-082556.html"
          }
        ],
        "x_adpType": "supplier"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/nfsd/nfssvc.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "deaeb74ae9318252829c59a84a7d2316fc335660",
              "status": "affected",
              "version": "a4bc287943f5695209ff36bdc89f17b48d68fae7",
              "versionType": "git"
            },
            {
              "lessThan": "0fccf5f01ed28725cc313a66ca1247eef911d55e",
              "status": "affected",
              "version": "f4e44b393389c77958f7c58bf4415032b4cda15b",
              "versionType": "git"
            },
            {
              "lessThan": "a97668ec6d73dab237cd1c15efe012a10090a4ed",
              "status": "affected",
              "version": "f4e44b393389c77958f7c58bf4415032b4cda15b",
              "versionType": "git"
            },
            {
              "lessThan": "5060e1a5fef184bd11d298e3f0ee920d96a23236",
              "status": "affected",
              "version": "f4e44b393389c77958f7c58bf4415032b4cda15b",
              "versionType": "git"
            },
            {
              "lessThan": "d622c2ee6c08147ab8c9b9e37d93b6e95d3258e0",
              "status": "affected",
              "version": "f4e44b393389c77958f7c58bf4415032b4cda15b",
              "versionType": "git"
            },
            {
              "lessThan": "83ac1ba8ca102ab5c0ed4351f8ac6e74ac4d5d64",
              "status": "affected",
              "version": "f4e44b393389c77958f7c58bf4415032b4cda15b",
              "versionType": "git"
            },
            {
              "lessThan": "b31da62889e6d610114d81dc7a6edbcaa503fcf8",
              "status": "affected",
              "version": "f4e44b393389c77958f7c58bf4415032b4cda15b",
              "versionType": "git"
            },
            {
              "lessThan": "5.10.239",
              "status": "affected",
              "version": "5.10.220",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/nfsd/nfssvc.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.14"
            },
            {
              "lessThan": "5.14",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.239",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.186",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.142",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.95",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.35",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.239",
                  "versionStartIncluding": "5.10.220",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.186",
                  "versionStartIncluding": "5.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.142",
                  "versionStartIncluding": "5.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.95",
                  "versionStartIncluding": "5.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.35",
                  "versionStartIncluding": "5.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.4",
                  "versionStartIncluding": "5.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "5.14",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfsd: Initialize ssc before laundromat_work to prevent NULL dereference\n\nIn nfs4_state_start_net(), laundromat_work may access nfsd_ssc through\nnfs4_laundromat -\u003e nfsd4_ssc_expire_umount. If nfsd_ssc isn\u0027t initialized,\nthis can cause NULL pointer dereference.\n\nNormally the delayed start of laundromat_work allows sufficient time for\nnfsd_ssc initialization to complete. However, when the kernel waits too\nlong for userspace responses (e.g. in nfs4_state_start_net -\u003e\nnfsd4_end_grace -\u003e nfsd4_record_grace_done -\u003e nfsd4_cld_grace_done -\u003e\ncld_pipe_upcall -\u003e __cld_pipe_upcall -\u003e wait_for_completion path), the\ndelayed work may start before nfsd_ssc initialization finishes.\n\nFix this by moving nfsd_ssc initialization before starting laundromat_work."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-23T15:59:15.961Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/deaeb74ae9318252829c59a84a7d2316fc335660"
        },
        {
          "url": "https://git.kernel.org/stable/c/0fccf5f01ed28725cc313a66ca1247eef911d55e"
        },
        {
          "url": "https://git.kernel.org/stable/c/a97668ec6d73dab237cd1c15efe012a10090a4ed"
        },
        {
          "url": "https://git.kernel.org/stable/c/5060e1a5fef184bd11d298e3f0ee920d96a23236"
        },
        {
          "url": "https://git.kernel.org/stable/c/d622c2ee6c08147ab8c9b9e37d93b6e95d3258e0"
        },
        {
          "url": "https://git.kernel.org/stable/c/83ac1ba8ca102ab5c0ed4351f8ac6e74ac4d5d64"
        },
        {
          "url": "https://git.kernel.org/stable/c/b31da62889e6d610114d81dc7a6edbcaa503fcf8"
        }
      ],
      "title": "nfsd: Initialize ssc before laundromat_work to prevent NULL dereference",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38231",
    "datePublished": "2025-07-04T13:37:44.978Z",
    "dateReserved": "2025-04-16T04:51:23.996Z",
    "dateUpdated": "2026-05-23T15:59:15.961Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38236 (GCVE-0-2025-38236)

Vulnerability from cvelistv5 – Published: 2025-07-08 07:35 – Updated: 2026-05-12 12:04

Title

af_unix: Don't leave consecutive consumed OOB skbs.

Summary

In the Linux kernel, the following vulnerability has been resolved: af_unix: Don't leave consecutive consumed OOB skbs. Jann Horn reported a use-after-free in unix_stream_read_generic(). The following sequences reproduce the issue: $ python3 from socket import * s1, s2 = socketpair(AF_UNIX, SOCK_STREAM) s1.send(b'x', MSG_OOB) s2.recv(1, MSG_OOB) # leave a consumed OOB skb s1.send(b'y', MSG_OOB) s2.recv(1, MSG_OOB) # leave a consumed OOB skb s1.send(b'z', MSG_OOB) s2.recv(1) # recv 'z' illegally s2.recv(1, MSG_OOB) # access 'z' skb (use-after-free) Even though a user reads OOB data, the skb holding the data stays on the recv queue to mark the OOB boundary and break the next recv(). After the last send() in the scenario above, the sk2's recv queue has 2 leading consumed OOB skbs and 1 real OOB skb. Then, the following happens during the next recv() without MSG_OOB 1. unix_stream_read_generic() peeks the first consumed OOB skb 2. manage_oob() returns the next consumed OOB skb 3. unix_stream_read_generic() fetches the next not-yet-consumed OOB skb 4. unix_stream_read_generic() reads and frees the OOB skb , and the last recv(MSG_OOB) triggers KASAN splat. The 3. above occurs because of the SO_PEEK_OFF code, which does not expect unix_skb_len(skb) to be 0, but this is true for such consumed OOB skbs. while (skip >= unix_skb_len(skb)) { skip -= unix_skb_len(skb); skb = skb_peek_next(skb, &sk->sk_receive_queue); ... } In addition to this use-after-free, there is another issue that ioctl(SIOCATMARK) does not function properly with consecutive consumed OOB skbs. So, nothing good comes out of such a situation. Instead of complicating manage_oob(), ioctl() handling, and the next ECONNRESET fix by introducing a loop for consecutive consumed OOB skbs, let's not leave such consecutive OOB unnecessarily. Now, while receiving an OOB skb in unix_stream_recv_urg(), if its previous skb is a consumed OOB skb, it is freed. [0]: BUG: KASAN: slab-use-after-free in unix_stream_read_actor (net/unix/af_unix.c:3027) Read of size 4 at addr ffff888106ef2904 by task python3/315 CPU: 2 UID: 0 PID: 315 Comm: python3 Not tainted 6.16.0-rc1-00407-gec315832f6f9 #8 PREEMPT(voluntary) Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-4.fc42 04/01/2014 Call Trace: <TASK> dump_stack_lvl (lib/dump_stack.c:122) print_report (mm/kasan/report.c:409 mm/kasan/report.c:521) kasan_report (mm/kasan/report.c:636) unix_stream_read_actor (net/unix/af_unix.c:3027) unix_stream_read_generic (net/unix/af_unix.c:2708 net/unix/af_unix.c:2847) unix_stream_recvmsg (net/unix/af_unix.c:3048) sock_recvmsg (net/socket.c:1063 (discriminator 20) net/socket.c:1085 (discriminator 20)) __sys_recvfrom (net/socket.c:2278) __x64_sys_recvfrom (net/socket.c:2291 (discriminator 1) net/socket.c:2287 (discriminator 1) net/socket.c:2287 (discriminator 1)) do_syscall_64 (arch/x86/entry/syscall_64.c:63 (discriminator 1) arch/x86/entry/syscall_64.c:94 (discriminator 1)) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) RIP: 0033:0x7f8911fcea06 Code: 5d e8 41 8b 93 08 03 00 00 59 5e 48 83 f8 fc 75 19 83 e2 39 83 fa 08 75 11 e8 26 ff ff ff 66 0f 1f 44 00 00 48 8b 45 10 0f 05 <48> 8b 5d f8 c9 c3 0f 1f 40 00 f3 0f 1e fa 55 48 89 e5 48 83 ec 08 RSP: 002b:00007fffdb0dccb0 EFLAGS: 00000202 ORIG_RAX: 000000000000002d RAX: ffffffffffffffda RBX: 00007fffdb0dcdc8 RCX: 00007f8911fcea06 RDX: 0000000000000001 RSI: 00007f8911a5e060 RDI: 0000000000000006 RBP: 00007fffdb0dccd0 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000001 R11: 0000000000000202 R12: 00007f89119a7d20 R13: ffffffffc4653600 R14: 0000000000000000 R15: 0000000000000000 </TASK> Allocated by task 315: kasan_save_stack (mm/kasan/common.c:48) kasan_save_track (mm/kasan/common.c:60 (discriminator 1) mm/kasan/common.c:69 (discriminator 1)) __kasan_slab_alloc (mm/kasan/common.c:348) kmem_cache_alloc_ ---truncated---

Severity

No CVSS data available.

Assigner

Linux

References

9 references

URL	Tags
https://git.kernel.org/stable/c/523edfed4f68b7794…
https://git.kernel.org/stable/c/a12237865b48a7318…
https://git.kernel.org/stable/c/fad0a2c16062ac7c6…
https://git.kernel.org/stable/c/61a9ad7b69ce68869…
https://git.kernel.org/stable/c/8db4d2d026e6e3649…
https://git.kernel.org/stable/c/32ca245464e1479bf…
https://project-zero.issues.chromium.org/issues/4…
https://lists.debian.org/debian-lts-announce/2025…
https://cert-portal.siemens.com/productcert/html/…

Impacted products

5 products

Vendor	Product	Version
Linux	Linux	Affected: 314001f0bf927015e459c9d387d62a231fe93af3 , < 523edfed4f68b7794d85b9ac828c5f8f4442e4c5 (git) Affected: 314001f0bf927015e459c9d387d62a231fe93af3 , < a12237865b48a73183df252029ff5065d73d305e (git) Affected: 314001f0bf927015e459c9d387d62a231fe93af3 , < fad0a2c16062ac7c606b93166a7ce9d265bab976 (git) Affected: 314001f0bf927015e459c9d387d62a231fe93af3 , < 61a9ad7b69ce688697e5f63332f03e17725353bc (git) Affected: 314001f0bf927015e459c9d387d62a231fe93af3 , < 8db4d2d026e6e3649832bfe23b96c4acff0756db (git) Affected: 314001f0bf927015e459c9d387d62a231fe93af3 , < 32ca245464e1479bfea8592b9db227fdc1641705 (git)
Linux	Linux	Affected: 5.15 Unaffected: 0 , < 5.15 (semver) Unaffected: 5.15.194 , ≤ 5.15.* (semver) Unaffected: 6.1.143 , ≤ 6.1.* (semver) Unaffected: 6.6.96 , ≤ 6.6.* (semver) Unaffected: 6.12.36 , ≤ 6.12.* (semver) Unaffected: 6.15.5 , ≤ 6.15.* (semver) Unaffected: 6.16 , ≤ * (original_commit_for_fix)
Siemens	SIMATIC S7-1500 CPU 1518-4 PN/DP MFP	Affected: V3.1.5 , < * (custom)
Siemens	SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP	Affected: V3.1.5 , < * (custom)
Siemens	SIPLUS S7-1500 CPU 1518-4 PN/DP MFP	Affected: V3.1.5 , < * (custom)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:35:51.449Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "affected": [
          {
            "defaultStatus": "unknown",
            "product": "SIMATIC S7-1500 CPU 1518-4 PN/DP MFP",
            "vendor": "Siemens",
            "versions": [
              {
                "lessThan": "*",
                "status": "affected",
                "version": "V3.1.5",
                "versionType": "custom"
              }
            ]
          },
          {
            "defaultStatus": "unknown",
            "product": "SIMATIC S7-1500 CPU 1518-4 PN/DP MFP",
            "vendor": "Siemens",
            "versions": [
              {
                "lessThan": "*",
                "status": "affected",
                "version": "V3.1.5",
                "versionType": "custom"
              }
            ]
          },
          {
            "defaultStatus": "unknown",
            "product": "SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP",
            "vendor": "Siemens",
            "versions": [
              {
                "lessThan": "*",
                "status": "affected",
                "version": "V3.1.5",
                "versionType": "custom"
              }
            ]
          },
          {
            "defaultStatus": "unknown",
            "product": "SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP",
            "vendor": "Siemens",
            "versions": [
              {
                "lessThan": "*",
                "status": "affected",
                "version": "V3.1.5",
                "versionType": "custom"
              }
            ]
          },
          {
            "defaultStatus": "unknown",
            "product": "SIPLUS S7-1500 CPU 1518-4 PN/DP MFP",
            "vendor": "Siemens",
            "versions": [
              {
                "lessThan": "*",
                "status": "affected",
                "version": "V3.1.5",
                "versionType": "custom"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-12T12:04:43.354Z",
          "orgId": "0b142b55-0307-4c5a-b3c9-f314f3fb7c5e",
          "shortName": "siemens-SADP"
        },
        "references": [
          {
            "url": "https://cert-portal.siemens.com/productcert/html/ssa-082556.html"
          }
        ],
        "x_adpType": "supplier"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/unix/af_unix.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "523edfed4f68b7794d85b9ac828c5f8f4442e4c5",
              "status": "affected",
              "version": "314001f0bf927015e459c9d387d62a231fe93af3",
              "versionType": "git"
            },
            {
              "lessThan": "a12237865b48a73183df252029ff5065d73d305e",
              "status": "affected",
              "version": "314001f0bf927015e459c9d387d62a231fe93af3",
              "versionType": "git"
            },
            {
              "lessThan": "fad0a2c16062ac7c606b93166a7ce9d265bab976",
              "status": "affected",
              "version": "314001f0bf927015e459c9d387d62a231fe93af3",
              "versionType": "git"
            },
            {
              "lessThan": "61a9ad7b69ce688697e5f63332f03e17725353bc",
              "status": "affected",
              "version": "314001f0bf927015e459c9d387d62a231fe93af3",
              "versionType": "git"
            },
            {
              "lessThan": "8db4d2d026e6e3649832bfe23b96c4acff0756db",
              "status": "affected",
              "version": "314001f0bf927015e459c9d387d62a231fe93af3",
              "versionType": "git"
            },
            {
              "lessThan": "32ca245464e1479bfea8592b9db227fdc1641705",
              "status": "affected",
              "version": "314001f0bf927015e459c9d387d62a231fe93af3",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/unix/af_unix.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.15"
            },
            {
              "lessThan": "5.15",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.194",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.143",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.96",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.36",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.5",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.194",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.143",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.96",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.36",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.5",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\naf_unix: Don\u0027t leave consecutive consumed OOB skbs.\n\nJann Horn reported a use-after-free in unix_stream_read_generic().\n\nThe following sequences reproduce the issue:\n\n  $ python3\n  from socket import *\n  s1, s2 = socketpair(AF_UNIX, SOCK_STREAM)\n  s1.send(b\u0027x\u0027, MSG_OOB)\n  s2.recv(1, MSG_OOB)     # leave a consumed OOB skb\n  s1.send(b\u0027y\u0027, MSG_OOB)\n  s2.recv(1, MSG_OOB)     # leave a consumed OOB skb\n  s1.send(b\u0027z\u0027, MSG_OOB)\n  s2.recv(1)              # recv \u0027z\u0027 illegally\n  s2.recv(1, MSG_OOB)     # access \u0027z\u0027 skb (use-after-free)\n\nEven though a user reads OOB data, the skb holding the data stays on\nthe recv queue to mark the OOB boundary and break the next recv().\n\nAfter the last send() in the scenario above, the sk2\u0027s recv queue has\n2 leading consumed OOB skbs and 1 real OOB skb.\n\nThen, the following happens during the next recv() without MSG_OOB\n\n  1. unix_stream_read_generic() peeks the first consumed OOB skb\n  2. manage_oob() returns the next consumed OOB skb\n  3. unix_stream_read_generic() fetches the next not-yet-consumed OOB skb\n  4. unix_stream_read_generic() reads and frees the OOB skb\n\n, and the last recv(MSG_OOB) triggers KASAN splat.\n\nThe 3. above occurs because of the SO_PEEK_OFF code, which does not\nexpect unix_skb_len(skb) to be 0, but this is true for such consumed\nOOB skbs.\n\n  while (skip \u003e= unix_skb_len(skb)) {\n    skip -= unix_skb_len(skb);\n    skb = skb_peek_next(skb, \u0026sk-\u003esk_receive_queue);\n    ...\n  }\n\nIn addition to this use-after-free, there is another issue that\nioctl(SIOCATMARK) does not function properly with consecutive consumed\nOOB skbs.\n\nSo, nothing good comes out of such a situation.\n\nInstead of complicating manage_oob(), ioctl() handling, and the next\nECONNRESET fix by introducing a loop for consecutive consumed OOB skbs,\nlet\u0027s not leave such consecutive OOB unnecessarily.\n\nNow, while receiving an OOB skb in unix_stream_recv_urg(), if its\nprevious skb is a consumed OOB skb, it is freed.\n\n[0]:\nBUG: KASAN: slab-use-after-free in unix_stream_read_actor (net/unix/af_unix.c:3027)\nRead of size 4 at addr ffff888106ef2904 by task python3/315\n\nCPU: 2 UID: 0 PID: 315 Comm: python3 Not tainted 6.16.0-rc1-00407-gec315832f6f9 #8 PREEMPT(voluntary)\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-4.fc42 04/01/2014\nCall Trace:\n \u003cTASK\u003e\n dump_stack_lvl (lib/dump_stack.c:122)\n print_report (mm/kasan/report.c:409 mm/kasan/report.c:521)\n kasan_report (mm/kasan/report.c:636)\n unix_stream_read_actor (net/unix/af_unix.c:3027)\n unix_stream_read_generic (net/unix/af_unix.c:2708 net/unix/af_unix.c:2847)\n unix_stream_recvmsg (net/unix/af_unix.c:3048)\n sock_recvmsg (net/socket.c:1063 (discriminator 20) net/socket.c:1085 (discriminator 20))\n __sys_recvfrom (net/socket.c:2278)\n __x64_sys_recvfrom (net/socket.c:2291 (discriminator 1) net/socket.c:2287 (discriminator 1) net/socket.c:2287 (discriminator 1))\n do_syscall_64 (arch/x86/entry/syscall_64.c:63 (discriminator 1) arch/x86/entry/syscall_64.c:94 (discriminator 1))\n entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)\nRIP: 0033:0x7f8911fcea06\nCode: 5d e8 41 8b 93 08 03 00 00 59 5e 48 83 f8 fc 75 19 83 e2 39 83 fa 08 75 11 e8 26 ff ff ff 66 0f 1f 44 00 00 48 8b 45 10 0f 05 \u003c48\u003e 8b 5d f8 c9 c3 0f 1f 40 00 f3 0f 1e fa 55 48 89 e5 48 83 ec 08\nRSP: 002b:00007fffdb0dccb0 EFLAGS: 00000202 ORIG_RAX: 000000000000002d\nRAX: ffffffffffffffda RBX: 00007fffdb0dcdc8 RCX: 00007f8911fcea06\nRDX: 0000000000000001 RSI: 00007f8911a5e060 RDI: 0000000000000006\nRBP: 00007fffdb0dccd0 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000001 R11: 0000000000000202 R12: 00007f89119a7d20\nR13: ffffffffc4653600 R14: 0000000000000000 R15: 0000000000000000\n \u003c/TASK\u003e\n\nAllocated by task 315:\n kasan_save_stack (mm/kasan/common.c:48)\n kasan_save_track (mm/kasan/common.c:60 (discriminator 1) mm/kasan/common.c:69 (discriminator 1))\n __kasan_slab_alloc (mm/kasan/common.c:348)\n kmem_cache_alloc_\n---truncated---"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T21:23:52.214Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/523edfed4f68b7794d85b9ac828c5f8f4442e4c5"
        },
        {
          "url": "https://git.kernel.org/stable/c/a12237865b48a73183df252029ff5065d73d305e"
        },
        {
          "url": "https://git.kernel.org/stable/c/fad0a2c16062ac7c606b93166a7ce9d265bab976"
        },
        {
          "url": "https://git.kernel.org/stable/c/61a9ad7b69ce688697e5f63332f03e17725353bc"
        },
        {
          "url": "https://git.kernel.org/stable/c/8db4d2d026e6e3649832bfe23b96c4acff0756db"
        },
        {
          "url": "https://git.kernel.org/stable/c/32ca245464e1479bfea8592b9db227fdc1641705"
        },
        {
          "url": "https://project-zero.issues.chromium.org/issues/423023990"
        }
      ],
      "title": "af_unix: Don\u0027t leave consecutive consumed OOB skbs.",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38236",
    "datePublished": "2025-07-08T07:35:23.238Z",
    "dateReserved": "2025-04-16T04:51:23.996Z",
    "dateUpdated": "2026-05-12T12:04:43.354Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38239 (GCVE-0-2025-38239)

Vulnerability from cvelistv5 – Published: 2025-07-09 10:42 – Updated: 2026-05-11 21:23

Title

scsi: megaraid_sas: Fix invalid node index

Summary

In the Linux kernel, the following vulnerability has been resolved: scsi: megaraid_sas: Fix invalid node index On a system with DRAM interleave enabled, out-of-bound access is detected: megaraid_sas 0000:3f:00.0: requested/available msix 128/128 poll_queue 0 ------------[ cut here ]------------ UBSAN: array-index-out-of-bounds in ./arch/x86/include/asm/topology.h:72:28 index -1 is out of range for type 'cpumask *[1024]' dump_stack_lvl+0x5d/0x80 ubsan_epilogue+0x5/0x2b __ubsan_handle_out_of_bounds.cold+0x46/0x4b megasas_alloc_irq_vectors+0x149/0x190 [megaraid_sas] megasas_probe_one.cold+0xa4d/0x189c [megaraid_sas] local_pci_probe+0x42/0x90 pci_device_probe+0xdc/0x290 really_probe+0xdb/0x340 __driver_probe_device+0x78/0x110 driver_probe_device+0x1f/0xa0 __driver_attach+0xba/0x1c0 bus_for_each_dev+0x8b/0xe0 bus_add_driver+0x142/0x220 driver_register+0x72/0xd0 megasas_init+0xdf/0xff0 [megaraid_sas] do_one_initcall+0x57/0x310 do_init_module+0x90/0x250 init_module_from_file+0x85/0xc0 idempotent_init_module+0x114/0x310 __x64_sys_finit_module+0x65/0xc0 do_syscall_64+0x82/0x170 entry_SYSCALL_64_after_hwframe+0x76/0x7e Fix it accordingly.

Severity

No CVSS data available.

Assigner

Linux

References

6 references

URL	Tags
https://git.kernel.org/stable/c/f1064b3532192e987…
https://git.kernel.org/stable/c/bf2c1643abc3b2507…
https://git.kernel.org/stable/c/19a47c966deb36624…
https://git.kernel.org/stable/c/074efb35552556a4b…
https://git.kernel.org/stable/c/752eb816b55adb067…
https://lists.debian.org/debian-lts-announce/2025…

Impacted products

2 products

Vendor	Product	Version
Linux	Linux	Affected: 8049da6f3943d0ac51931b8064b2e4769a69a967 , < f1064b3532192e987ab17be7281d5fee36fd25e1 (git) Affected: 8049da6f3943d0ac51931b8064b2e4769a69a967 , < bf2c1643abc3b2507d56bb6c22bf9897272f8a35 (git) Affected: 8049da6f3943d0ac51931b8064b2e4769a69a967 , < 19a47c966deb36624843b7301f0373a3dc541a05 (git) Affected: 8049da6f3943d0ac51931b8064b2e4769a69a967 , < 074efb35552556a4b3b25eedab076d5dc24a8199 (git) Affected: 8049da6f3943d0ac51931b8064b2e4769a69a967 , < 752eb816b55adb0673727ba0ed96609a17895654 (git)
Linux	Linux	Affected: 5.17 Unaffected: 0 , < 5.17 (semver) Unaffected: 6.1.143 , ≤ 6.1.* (semver) Unaffected: 6.6.96 , ≤ 6.6.* (semver) Unaffected: 6.12.36 , ≤ 6.12.* (semver) Unaffected: 6.15.5 , ≤ 6.15.* (semver) Unaffected: 6.16 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:35:53.326Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/scsi/megaraid/megaraid_sas_base.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "f1064b3532192e987ab17be7281d5fee36fd25e1",
              "status": "affected",
              "version": "8049da6f3943d0ac51931b8064b2e4769a69a967",
              "versionType": "git"
            },
            {
              "lessThan": "bf2c1643abc3b2507d56bb6c22bf9897272f8a35",
              "status": "affected",
              "version": "8049da6f3943d0ac51931b8064b2e4769a69a967",
              "versionType": "git"
            },
            {
              "lessThan": "19a47c966deb36624843b7301f0373a3dc541a05",
              "status": "affected",
              "version": "8049da6f3943d0ac51931b8064b2e4769a69a967",
              "versionType": "git"
            },
            {
              "lessThan": "074efb35552556a4b3b25eedab076d5dc24a8199",
              "status": "affected",
              "version": "8049da6f3943d0ac51931b8064b2e4769a69a967",
              "versionType": "git"
            },
            {
              "lessThan": "752eb816b55adb0673727ba0ed96609a17895654",
              "status": "affected",
              "version": "8049da6f3943d0ac51931b8064b2e4769a69a967",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/scsi/megaraid/megaraid_sas_base.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.17"
            },
            {
              "lessThan": "5.17",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.143",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.96",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.36",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.5",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.143",
                  "versionStartIncluding": "5.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.96",
                  "versionStartIncluding": "5.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.36",
                  "versionStartIncluding": "5.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.5",
                  "versionStartIncluding": "5.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "5.17",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: megaraid_sas: Fix invalid node index\n\nOn a system with DRAM interleave enabled, out-of-bound access is\ndetected:\n\nmegaraid_sas 0000:3f:00.0: requested/available msix 128/128 poll_queue 0\n------------[ cut here ]------------\nUBSAN: array-index-out-of-bounds in ./arch/x86/include/asm/topology.h:72:28\nindex -1 is out of range for type \u0027cpumask *[1024]\u0027\ndump_stack_lvl+0x5d/0x80\nubsan_epilogue+0x5/0x2b\n__ubsan_handle_out_of_bounds.cold+0x46/0x4b\nmegasas_alloc_irq_vectors+0x149/0x190 [megaraid_sas]\nmegasas_probe_one.cold+0xa4d/0x189c [megaraid_sas]\nlocal_pci_probe+0x42/0x90\npci_device_probe+0xdc/0x290\nreally_probe+0xdb/0x340\n__driver_probe_device+0x78/0x110\ndriver_probe_device+0x1f/0xa0\n__driver_attach+0xba/0x1c0\nbus_for_each_dev+0x8b/0xe0\nbus_add_driver+0x142/0x220\ndriver_register+0x72/0xd0\nmegasas_init+0xdf/0xff0 [megaraid_sas]\ndo_one_initcall+0x57/0x310\ndo_init_module+0x90/0x250\ninit_module_from_file+0x85/0xc0\nidempotent_init_module+0x114/0x310\n__x64_sys_finit_module+0x65/0xc0\ndo_syscall_64+0x82/0x170\nentry_SYSCALL_64_after_hwframe+0x76/0x7e\n\nFix it accordingly."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T21:23:55.652Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/f1064b3532192e987ab17be7281d5fee36fd25e1"
        },
        {
          "url": "https://git.kernel.org/stable/c/bf2c1643abc3b2507d56bb6c22bf9897272f8a35"
        },
        {
          "url": "https://git.kernel.org/stable/c/19a47c966deb36624843b7301f0373a3dc541a05"
        },
        {
          "url": "https://git.kernel.org/stable/c/074efb35552556a4b3b25eedab076d5dc24a8199"
        },
        {
          "url": "https://git.kernel.org/stable/c/752eb816b55adb0673727ba0ed96609a17895654"
        }
      ],
      "title": "scsi: megaraid_sas: Fix invalid node index",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38239",
    "datePublished": "2025-07-09T10:42:24.170Z",
    "dateReserved": "2025-04-16T04:51:23.996Z",
    "dateUpdated": "2026-05-11T21:23:55.652Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38245 (GCVE-0-2025-38245)

Vulnerability from cvelistv5 – Published: 2025-07-09 10:42 – Updated: 2026-05-11 21:24

Title

atm: Release atm_dev_mutex after removing procfs in atm_dev_deregister().

Summary

In the Linux kernel, the following vulnerability has been resolved: atm: Release atm_dev_mutex after removing procfs in atm_dev_deregister(). syzbot reported a warning below during atm_dev_register(). [0] Before creating a new device and procfs/sysfs for it, atm_dev_register() looks up a duplicated device by __atm_dev_lookup(). These operations are done under atm_dev_mutex. However, when removing a device in atm_dev_deregister(), it releases the mutex just after removing the device from the list that __atm_dev_lookup() iterates over. So, there will be a small race window where the device does not exist on the device list but procfs/sysfs are still not removed, triggering the splat. Let's hold the mutex until procfs/sysfs are removed in atm_dev_deregister(). [0]: proc_dir_entry 'atm/atmtcp:0' already registered WARNING: CPU: 0 PID: 5919 at fs/proc/generic.c:377 proc_register+0x455/0x5f0 fs/proc/generic.c:377 Modules linked in: CPU: 0 UID: 0 PID: 5919 Comm: syz-executor284 Not tainted 6.16.0-rc2-syzkaller-00047-g52da431bf03b #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025 RIP: 0010:proc_register+0x455/0x5f0 fs/proc/generic.c:377 Code: 48 89 f9 48 c1 e9 03 80 3c 01 00 0f 85 a2 01 00 00 48 8b 44 24 10 48 c7 c7 20 c0 c2 8b 48 8b b0 d8 00 00 00 e8 0c 02 1c ff 90 <0f> 0b 90 90 48 c7 c7 80 f2 82 8e e8 0b de 23 09 48 8b 4c 24 28 48 RSP: 0018:ffffc9000466fa30 EFLAGS: 00010282 RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff817ae248 RDX: ffff888026280000 RSI: ffffffff817ae255 RDI: 0000000000000001 RBP: ffff8880232bed48 R08: 0000000000000001 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000001 R12: ffff888076ed2140 R13: dffffc0000000000 R14: ffff888078a61340 R15: ffffed100edda444 FS: 00007f38b3b0c6c0(0000) GS:ffff888124753000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f38b3bdf953 CR3: 0000000076d58000 CR4: 00000000003526f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> proc_create_data+0xbe/0x110 fs/proc/generic.c:585 atm_proc_dev_register+0x112/0x1e0 net/atm/proc.c:361 atm_dev_register+0x46d/0x890 net/atm/resources.c:113 atmtcp_create+0x77/0x210 drivers/atm/atmtcp.c:369 atmtcp_attach drivers/atm/atmtcp.c:403 [inline] atmtcp_ioctl+0x2f9/0xd60 drivers/atm/atmtcp.c:464 do_vcc_ioctl+0x12c/0x930 net/atm/ioctl.c:159 sock_do_ioctl+0x115/0x280 net/socket.c:1190 sock_ioctl+0x227/0x6b0 net/socket.c:1311 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:907 [inline] __se_sys_ioctl fs/ioctl.c:893 [inline] __x64_sys_ioctl+0x18b/0x210 fs/ioctl.c:893 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xcd/0x4c0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f38b3b74459 Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 51 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f38b3b0c198 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 00007f38b3bfe318 RCX: 00007f38b3b74459 RDX: 0000000000000000 RSI: 0000000000006180 RDI: 0000000000000005 RBP: 00007f38b3bfe310 R08: 65732f636f72702f R09: 65732f636f72702f R10: 65732f636f72702f R11: 0000000000000246 R12: 00007f38b3bcb0ac R13: 00007f38b3b0c1a0 R14: 0000200000000200 R15: 00007f38b3bcb03b </TASK>

Severity

No CVSS data available.

Assigner

Linux

References

10 references

URL	Tags
https://git.kernel.org/stable/c/2a8dcee649d12f697…
https://git.kernel.org/stable/c/4bb1bb438134d9ee6…
https://git.kernel.org/stable/c/26248d5d68c865b88…
https://git.kernel.org/stable/c/b2e40fcfe1575faaa…
https://git.kernel.org/stable/c/cabed6ba92a9a8c09…
https://git.kernel.org/stable/c/ae539d963a17443ec…
https://git.kernel.org/stable/c/6922f1a048c090f10…
https://git.kernel.org/stable/c/a433791aeaea6e84d…
https://lists.debian.org/debian-lts-announce/2025…
https://lists.debian.org/debian-lts-announce/2025…

Impacted products

2 products

Vendor	Product	Version
Linux	Linux	Affected: 64bf69ddff7637b7ed7acf9b2a823cc0ee519439 , < 2a8dcee649d12f69713f2589171a1caf6d4fa439 (git) Affected: 64bf69ddff7637b7ed7acf9b2a823cc0ee519439 , < 4bb1bb438134d9ee6b97cc07289dd7c569092eec (git) Affected: 64bf69ddff7637b7ed7acf9b2a823cc0ee519439 , < 26248d5d68c865b888d632162abbf8130645622c (git) Affected: 64bf69ddff7637b7ed7acf9b2a823cc0ee519439 , < b2e40fcfe1575faaa548f87614006d3fe44c779e (git) Affected: 64bf69ddff7637b7ed7acf9b2a823cc0ee519439 , < cabed6ba92a9a8c09da02a3f20e32ecd80989896 (git) Affected: 64bf69ddff7637b7ed7acf9b2a823cc0ee519439 , < ae539d963a17443ec54cba8a767e4ffa318264f4 (git) Affected: 64bf69ddff7637b7ed7acf9b2a823cc0ee519439 , < 6922f1a048c090f10704bbef4a3a1e81932d2e0a (git) Affected: 64bf69ddff7637b7ed7acf9b2a823cc0ee519439 , < a433791aeaea6e84df709e0b9584b9bbe040cd1c (git)
Linux	Linux	Affected: 2.6.15 Unaffected: 0 , < 2.6.15 (semver) Unaffected: 5.4.296 , ≤ 5.4.* (semver) Unaffected: 5.10.240 , ≤ 5.10.* (semver) Unaffected: 5.15.187 , ≤ 5.15.* (semver) Unaffected: 6.1.143 , ≤ 6.1.* (semver) Unaffected: 6.6.96 , ≤ 6.6.* (semver) Unaffected: 6.12.36 , ≤ 6.12.* (semver) Unaffected: 6.15.5 , ≤ 6.15.* (semver) Unaffected: 6.16 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:35:55.198Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/atm/resources.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "2a8dcee649d12f69713f2589171a1caf6d4fa439",
              "status": "affected",
              "version": "64bf69ddff7637b7ed7acf9b2a823cc0ee519439",
              "versionType": "git"
            },
            {
              "lessThan": "4bb1bb438134d9ee6b97cc07289dd7c569092eec",
              "status": "affected",
              "version": "64bf69ddff7637b7ed7acf9b2a823cc0ee519439",
              "versionType": "git"
            },
            {
              "lessThan": "26248d5d68c865b888d632162abbf8130645622c",
              "status": "affected",
              "version": "64bf69ddff7637b7ed7acf9b2a823cc0ee519439",
              "versionType": "git"
            },
            {
              "lessThan": "b2e40fcfe1575faaa548f87614006d3fe44c779e",
              "status": "affected",
              "version": "64bf69ddff7637b7ed7acf9b2a823cc0ee519439",
              "versionType": "git"
            },
            {
              "lessThan": "cabed6ba92a9a8c09da02a3f20e32ecd80989896",
              "status": "affected",
              "version": "64bf69ddff7637b7ed7acf9b2a823cc0ee519439",
              "versionType": "git"
            },
            {
              "lessThan": "ae539d963a17443ec54cba8a767e4ffa318264f4",
              "status": "affected",
              "version": "64bf69ddff7637b7ed7acf9b2a823cc0ee519439",
              "versionType": "git"
            },
            {
              "lessThan": "6922f1a048c090f10704bbef4a3a1e81932d2e0a",
              "status": "affected",
              "version": "64bf69ddff7637b7ed7acf9b2a823cc0ee519439",
              "versionType": "git"
            },
            {
              "lessThan": "a433791aeaea6e84df709e0b9584b9bbe040cd1c",
              "status": "affected",
              "version": "64bf69ddff7637b7ed7acf9b2a823cc0ee519439",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/atm/resources.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.15"
            },
            {
              "lessThan": "2.6.15",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.296",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.240",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.187",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.143",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.96",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.36",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.5",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.296",
                  "versionStartIncluding": "2.6.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.240",
                  "versionStartIncluding": "2.6.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.187",
                  "versionStartIncluding": "2.6.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.143",
                  "versionStartIncluding": "2.6.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.96",
                  "versionStartIncluding": "2.6.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.36",
                  "versionStartIncluding": "2.6.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.5",
                  "versionStartIncluding": "2.6.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "2.6.15",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\natm: Release atm_dev_mutex after removing procfs in atm_dev_deregister().\n\nsyzbot reported a warning below during atm_dev_register(). [0]\n\nBefore creating a new device and procfs/sysfs for it, atm_dev_register()\nlooks up a duplicated device by __atm_dev_lookup().  These operations are\ndone under atm_dev_mutex.\n\nHowever, when removing a device in atm_dev_deregister(), it releases the\nmutex just after removing the device from the list that __atm_dev_lookup()\niterates over.\n\nSo, there will be a small race window where the device does not exist on\nthe device list but procfs/sysfs are still not removed, triggering the\nsplat.\n\nLet\u0027s hold the mutex until procfs/sysfs are removed in\natm_dev_deregister().\n\n[0]:\nproc_dir_entry \u0027atm/atmtcp:0\u0027 already registered\nWARNING: CPU: 0 PID: 5919 at fs/proc/generic.c:377 proc_register+0x455/0x5f0 fs/proc/generic.c:377\nModules linked in:\nCPU: 0 UID: 0 PID: 5919 Comm: syz-executor284 Not tainted 6.16.0-rc2-syzkaller-00047-g52da431bf03b #0 PREEMPT(full)\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025\nRIP: 0010:proc_register+0x455/0x5f0 fs/proc/generic.c:377\nCode: 48 89 f9 48 c1 e9 03 80 3c 01 00 0f 85 a2 01 00 00 48 8b 44 24 10 48 c7 c7 20 c0 c2 8b 48 8b b0 d8 00 00 00 e8 0c 02 1c ff 90 \u003c0f\u003e 0b 90 90 48 c7 c7 80 f2 82 8e e8 0b de 23 09 48 8b 4c 24 28 48\nRSP: 0018:ffffc9000466fa30 EFLAGS: 00010282\nRAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff817ae248\nRDX: ffff888026280000 RSI: ffffffff817ae255 RDI: 0000000000000001\nRBP: ffff8880232bed48 R08: 0000000000000001 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000001 R12: ffff888076ed2140\nR13: dffffc0000000000 R14: ffff888078a61340 R15: ffffed100edda444\nFS:  00007f38b3b0c6c0(0000) GS:ffff888124753000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f38b3bdf953 CR3: 0000000076d58000 CR4: 00000000003526f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n \u003cTASK\u003e\n proc_create_data+0xbe/0x110 fs/proc/generic.c:585\n atm_proc_dev_register+0x112/0x1e0 net/atm/proc.c:361\n atm_dev_register+0x46d/0x890 net/atm/resources.c:113\n atmtcp_create+0x77/0x210 drivers/atm/atmtcp.c:369\n atmtcp_attach drivers/atm/atmtcp.c:403 [inline]\n atmtcp_ioctl+0x2f9/0xd60 drivers/atm/atmtcp.c:464\n do_vcc_ioctl+0x12c/0x930 net/atm/ioctl.c:159\n sock_do_ioctl+0x115/0x280 net/socket.c:1190\n sock_ioctl+0x227/0x6b0 net/socket.c:1311\n vfs_ioctl fs/ioctl.c:51 [inline]\n __do_sys_ioctl fs/ioctl.c:907 [inline]\n __se_sys_ioctl fs/ioctl.c:893 [inline]\n __x64_sys_ioctl+0x18b/0x210 fs/ioctl.c:893\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xcd/0x4c0 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7f38b3b74459\nCode: 28 00 00 00 75 05 48 83 c4 28 c3 e8 51 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 \u003c48\u003e 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007f38b3b0c198 EFLAGS: 00000246 ORIG_RAX: 0000000000000010\nRAX: ffffffffffffffda RBX: 00007f38b3bfe318 RCX: 00007f38b3b74459\nRDX: 0000000000000000 RSI: 0000000000006180 RDI: 0000000000000005\nRBP: 00007f38b3bfe310 R08: 65732f636f72702f R09: 65732f636f72702f\nR10: 65732f636f72702f R11: 0000000000000246 R12: 00007f38b3bcb0ac\nR13: 00007f38b3b0c1a0 R14: 0000200000000200 R15: 00007f38b3bcb03b\n \u003c/TASK\u003e"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T21:24:03.878Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/2a8dcee649d12f69713f2589171a1caf6d4fa439"
        },
        {
          "url": "https://git.kernel.org/stable/c/4bb1bb438134d9ee6b97cc07289dd7c569092eec"
        },
        {
          "url": "https://git.kernel.org/stable/c/26248d5d68c865b888d632162abbf8130645622c"
        },
        {
          "url": "https://git.kernel.org/stable/c/b2e40fcfe1575faaa548f87614006d3fe44c779e"
        },
        {
          "url": "https://git.kernel.org/stable/c/cabed6ba92a9a8c09da02a3f20e32ecd80989896"
        },
        {
          "url": "https://git.kernel.org/stable/c/ae539d963a17443ec54cba8a767e4ffa318264f4"
        },
        {
          "url": "https://git.kernel.org/stable/c/6922f1a048c090f10704bbef4a3a1e81932d2e0a"
        },
        {
          "url": "https://git.kernel.org/stable/c/a433791aeaea6e84df709e0b9584b9bbe040cd1c"
        }
      ],
      "title": "atm: Release atm_dev_mutex after removing procfs in atm_dev_deregister().",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38245",
    "datePublished": "2025-07-09T10:42:27.263Z",
    "dateReserved": "2025-04-16T04:51:23.997Z",
    "dateUpdated": "2026-05-11T21:24:03.878Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38249 (GCVE-0-2025-38249)

Vulnerability from cvelistv5 – Published: 2025-07-09 10:42 – Updated: 2026-05-11 21:24

Title

ALSA: usb-audio: Fix out-of-bounds read in snd_usb_get_audioformat_uac3()

Summary

In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-audio: Fix out-of-bounds read in snd_usb_get_audioformat_uac3() In snd_usb_get_audioformat_uac3(), the length value returned from snd_usb_ctl_msg() is used directly for memory allocation without validation. This length is controlled by the USB device. The allocated buffer is cast to a uac3_cluster_header_descriptor and its fields are accessed without verifying that the buffer is large enough. If the device returns a smaller than expected length, this leads to an out-of-bounds read. Add a length check to ensure the buffer is large enough for uac3_cluster_header_descriptor.

Severity

No CVSS data available.

Assigner

Linux

References

10 references

URL	Tags
https://git.kernel.org/stable/c/24ff7d465c4284529…
https://git.kernel.org/stable/c/2dc1c3edf67abd30c…
https://git.kernel.org/stable/c/c3fb926abe90d86f5…
https://git.kernel.org/stable/c/6eb211788e1370af5…
https://git.kernel.org/stable/c/74fcb3852a2f57915…
https://git.kernel.org/stable/c/0ee87c2814deb5e42…
https://git.kernel.org/stable/c/11e740dc1a2c8590e…
https://git.kernel.org/stable/c/fb4e2a6e8f28a3c0a…
https://lists.debian.org/debian-lts-announce/2025…
https://lists.debian.org/debian-lts-announce/2025…

Impacted products

2 products

Vendor	Product	Version
Linux	Linux	Affected: 9a2fe9b801f585baccf8352d82839dcd54b300cf , < 24ff7d465c4284529bbfa207757bffb6f44b6403 (git) Affected: 9a2fe9b801f585baccf8352d82839dcd54b300cf , < 2dc1c3edf67abd30c757f8054a5da61927cdda21 (git) Affected: 9a2fe9b801f585baccf8352d82839dcd54b300cf , < c3fb926abe90d86f5e3055e0035f04d9892a118b (git) Affected: 9a2fe9b801f585baccf8352d82839dcd54b300cf , < 6eb211788e1370af52a245d4d7da35c374c7b401 (git) Affected: 9a2fe9b801f585baccf8352d82839dcd54b300cf , < 74fcb3852a2f579151ce80b9ed96cd916ba0d5d8 (git) Affected: 9a2fe9b801f585baccf8352d82839dcd54b300cf , < 0ee87c2814deb5e42921281116ac3abcb326880b (git) Affected: 9a2fe9b801f585baccf8352d82839dcd54b300cf , < 11e740dc1a2c8590eb7074b5c4ab921bb6224c36 (git) Affected: 9a2fe9b801f585baccf8352d82839dcd54b300cf , < fb4e2a6e8f28a3c0ad382e363aeb9cd822007b8a (git)
Linux	Linux	Affected: 4.17 Unaffected: 0 , < 4.17 (semver) Unaffected: 5.4.296 , ≤ 5.4.* (semver) Unaffected: 5.10.240 , ≤ 5.10.* (semver) Unaffected: 5.15.187 , ≤ 5.15.* (semver) Unaffected: 6.1.143 , ≤ 6.1.* (semver) Unaffected: 6.6.96 , ≤ 6.6.* (semver) Unaffected: 6.12.36 , ≤ 6.12.* (semver) Unaffected: 6.15.5 , ≤ 6.15.* (semver) Unaffected: 6.16 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:35:57.073Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "sound/usb/stream.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "24ff7d465c4284529bbfa207757bffb6f44b6403",
              "status": "affected",
              "version": "9a2fe9b801f585baccf8352d82839dcd54b300cf",
              "versionType": "git"
            },
            {
              "lessThan": "2dc1c3edf67abd30c757f8054a5da61927cdda21",
              "status": "affected",
              "version": "9a2fe9b801f585baccf8352d82839dcd54b300cf",
              "versionType": "git"
            },
            {
              "lessThan": "c3fb926abe90d86f5e3055e0035f04d9892a118b",
              "status": "affected",
              "version": "9a2fe9b801f585baccf8352d82839dcd54b300cf",
              "versionType": "git"
            },
            {
              "lessThan": "6eb211788e1370af52a245d4d7da35c374c7b401",
              "status": "affected",
              "version": "9a2fe9b801f585baccf8352d82839dcd54b300cf",
              "versionType": "git"
            },
            {
              "lessThan": "74fcb3852a2f579151ce80b9ed96cd916ba0d5d8",
              "status": "affected",
              "version": "9a2fe9b801f585baccf8352d82839dcd54b300cf",
              "versionType": "git"
            },
            {
              "lessThan": "0ee87c2814deb5e42921281116ac3abcb326880b",
              "status": "affected",
              "version": "9a2fe9b801f585baccf8352d82839dcd54b300cf",
              "versionType": "git"
            },
            {
              "lessThan": "11e740dc1a2c8590eb7074b5c4ab921bb6224c36",
              "status": "affected",
              "version": "9a2fe9b801f585baccf8352d82839dcd54b300cf",
              "versionType": "git"
            },
            {
              "lessThan": "fb4e2a6e8f28a3c0ad382e363aeb9cd822007b8a",
              "status": "affected",
              "version": "9a2fe9b801f585baccf8352d82839dcd54b300cf",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "sound/usb/stream.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.17"
            },
            {
              "lessThan": "4.17",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.296",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.240",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.187",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.143",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.96",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.36",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.5",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.296",
                  "versionStartIncluding": "4.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.240",
                  "versionStartIncluding": "4.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.187",
                  "versionStartIncluding": "4.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.143",
                  "versionStartIncluding": "4.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.96",
                  "versionStartIncluding": "4.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.36",
                  "versionStartIncluding": "4.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.5",
                  "versionStartIncluding": "4.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "4.17",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: usb-audio: Fix out-of-bounds read in snd_usb_get_audioformat_uac3()\n\nIn snd_usb_get_audioformat_uac3(), the length value returned from\nsnd_usb_ctl_msg() is used directly for memory allocation without\nvalidation. This length is controlled by the USB device.\n\nThe allocated buffer is cast to a uac3_cluster_header_descriptor\nand its fields are accessed without verifying that the buffer\nis large enough. If the device returns a smaller than expected\nlength, this leads to an out-of-bounds read.\n\nAdd a length check to ensure the buffer is large enough for\nuac3_cluster_header_descriptor."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T21:24:08.873Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/24ff7d465c4284529bbfa207757bffb6f44b6403"
        },
        {
          "url": "https://git.kernel.org/stable/c/2dc1c3edf67abd30c757f8054a5da61927cdda21"
        },
        {
          "url": "https://git.kernel.org/stable/c/c3fb926abe90d86f5e3055e0035f04d9892a118b"
        },
        {
          "url": "https://git.kernel.org/stable/c/6eb211788e1370af52a245d4d7da35c374c7b401"
        },
        {
          "url": "https://git.kernel.org/stable/c/74fcb3852a2f579151ce80b9ed96cd916ba0d5d8"
        },
        {
          "url": "https://git.kernel.org/stable/c/0ee87c2814deb5e42921281116ac3abcb326880b"
        },
        {
          "url": "https://git.kernel.org/stable/c/11e740dc1a2c8590eb7074b5c4ab921bb6224c36"
        },
        {
          "url": "https://git.kernel.org/stable/c/fb4e2a6e8f28a3c0ad382e363aeb9cd822007b8a"
        }
      ],
      "title": "ALSA: usb-audio: Fix out-of-bounds read in snd_usb_get_audioformat_uac3()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38249",
    "datePublished": "2025-07-09T10:42:29.704Z",
    "dateReserved": "2025-04-16T04:51:23.997Z",
    "dateUpdated": "2026-05-11T21:24:08.873Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CERTFR-2025-AVI-0698

Solutions

CVE-2025-38225 (GCVE-0-2025-38225)

CVE-2025-38226 (GCVE-0-2025-38226)

CVE-2025-38227 (GCVE-0-2025-38227)

CVE-2025-38229 (GCVE-0-2025-38229)

CVE-2025-38230 (GCVE-0-2025-38230)

CVE-2025-38231 (GCVE-0-2025-38231)

CVE-2025-38236 (GCVE-0-2025-38236)

CVE-2025-38239 (GCVE-0-2025-38239)

CVE-2025-38245 (GCVE-0-2025-38245)

CVE-2025-38249 (GCVE-0-2025-38249)

Tags

Sightings

Nomenclature