Vulnerability-Lookup

CERTFR-2025-AVI-0698

Vulnerability from certfr_avis - Published: 2025-08-14 - Updated: 2025-08-14

De multiples vulnérabilités ont été découvertes dans le noyau Linux de Debian. Certaines d'entre elles permettent à un attaquant de provoquer une élévation de privilèges, une atteinte à la confidentialité des données et un déni de service.

Solutions

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

Impacted products

	Vendor	Product	Description
	Debian	Debian	Debian bookworm versions antérieures à 6.1.147-1
	Debian	Debian	Debian trixie versions antérieures à 6.12.41-1

References

Title

Publication Time

CVE-2025-38313 (GCVE-0-2025-38313)

Vulnerability from cvelistv5 – Published: 2025-07-10 07:42 – Updated: 2026-05-11 21:25

Title

bus: fsl-mc: fix double-free on mc_dev

Summary

In the Linux kernel, the following vulnerability has been resolved: bus: fsl-mc: fix double-free on mc_dev The blamed commit tried to simplify how the deallocations are done but, in the process, introduced a double-free on the mc_dev variable. In case the MC device is a DPRC, a new mc_bus is allocated and the mc_dev variable is just a reference to one of its fields. In this circumstance, on the error path only the mc_bus should be freed. This commit introduces back the following checkpatch warning which is a false-positive. WARNING: kfree(NULL) is safe and this check is probably not required + if (mc_bus) + kfree(mc_bus);

Severity

No CVSS data available.

Assigner

Linux

References

10 references

URL	Tags
https://git.kernel.org/stable/c/12e4431e507884779…
https://git.kernel.org/stable/c/3135e03a92f6b5259…
https://git.kernel.org/stable/c/7002b954c4a8b9965…
https://git.kernel.org/stable/c/b2057374f326303c8…
https://git.kernel.org/stable/c/4b23c46eb2d88924b…
https://git.kernel.org/stable/c/1d5baab39e5b09a76…
https://git.kernel.org/stable/c/873d47114fd5e5a1c…
https://git.kernel.org/stable/c/d694bf8a9acdbd061…
https://lists.debian.org/debian-lts-announce/2025…
https://lists.debian.org/debian-lts-announce/2025…

Impacted products

2 products

Vendor	Product	Version
Linux	Linux	Affected: a042fbed02904493ae6df26ec836045f5a7d3ce2 , < 12e4431e5078847791936820bd39df9e1ee26d2e (git) Affected: a042fbed02904493ae6df26ec836045f5a7d3ce2 , < 3135e03a92f6b5259d0a7f25f728e9e7866ede3f (git) Affected: a042fbed02904493ae6df26ec836045f5a7d3ce2 , < 7002b954c4a8b9965ba0f139812ee4a6f71beac8 (git) Affected: a042fbed02904493ae6df26ec836045f5a7d3ce2 , < b2057374f326303c86d8423415ab58656eebc695 (git) Affected: a042fbed02904493ae6df26ec836045f5a7d3ce2 , < 4b23c46eb2d88924b93aca647bde9a4b9cf62cf9 (git) Affected: a042fbed02904493ae6df26ec836045f5a7d3ce2 , < 1d5baab39e5b09a76870b345cdee7933871b881f (git) Affected: a042fbed02904493ae6df26ec836045f5a7d3ce2 , < 873d47114fd5e5a1cad2018843671537cc71ac84 (git) Affected: a042fbed02904493ae6df26ec836045f5a7d3ce2 , < d694bf8a9acdbd061596f3e7549bc8cb70750a60 (git)
Linux	Linux	Affected: 4.13 Unaffected: 0 , < 4.13 (semver) Unaffected: 5.4.295 , ≤ 5.4.* (semver) Unaffected: 5.10.239 , ≤ 5.10.* (semver) Unaffected: 5.15.186 , ≤ 5.15.* (semver) Unaffected: 6.1.142 , ≤ 6.1.* (semver) Unaffected: 6.6.94 , ≤ 6.6.* (semver) Unaffected: 6.12.34 , ≤ 6.12.* (semver) Unaffected: 6.15.3 , ≤ 6.15.* (semver) Unaffected: 6.16 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:36:27.591Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/bus/fsl-mc/fsl-mc-bus.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "12e4431e5078847791936820bd39df9e1ee26d2e",
              "status": "affected",
              "version": "a042fbed02904493ae6df26ec836045f5a7d3ce2",
              "versionType": "git"
            },
            {
              "lessThan": "3135e03a92f6b5259d0a7f25f728e9e7866ede3f",
              "status": "affected",
              "version": "a042fbed02904493ae6df26ec836045f5a7d3ce2",
              "versionType": "git"
            },
            {
              "lessThan": "7002b954c4a8b9965ba0f139812ee4a6f71beac8",
              "status": "affected",
              "version": "a042fbed02904493ae6df26ec836045f5a7d3ce2",
              "versionType": "git"
            },
            {
              "lessThan": "b2057374f326303c86d8423415ab58656eebc695",
              "status": "affected",
              "version": "a042fbed02904493ae6df26ec836045f5a7d3ce2",
              "versionType": "git"
            },
            {
              "lessThan": "4b23c46eb2d88924b93aca647bde9a4b9cf62cf9",
              "status": "affected",
              "version": "a042fbed02904493ae6df26ec836045f5a7d3ce2",
              "versionType": "git"
            },
            {
              "lessThan": "1d5baab39e5b09a76870b345cdee7933871b881f",
              "status": "affected",
              "version": "a042fbed02904493ae6df26ec836045f5a7d3ce2",
              "versionType": "git"
            },
            {
              "lessThan": "873d47114fd5e5a1cad2018843671537cc71ac84",
              "status": "affected",
              "version": "a042fbed02904493ae6df26ec836045f5a7d3ce2",
              "versionType": "git"
            },
            {
              "lessThan": "d694bf8a9acdbd061596f3e7549bc8cb70750a60",
              "status": "affected",
              "version": "a042fbed02904493ae6df26ec836045f5a7d3ce2",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/bus/fsl-mc/fsl-mc-bus.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.13"
            },
            {
              "lessThan": "4.13",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.295",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.239",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.186",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.142",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.94",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.34",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.295",
                  "versionStartIncluding": "4.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.239",
                  "versionStartIncluding": "4.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.186",
                  "versionStartIncluding": "4.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.142",
                  "versionStartIncluding": "4.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.94",
                  "versionStartIncluding": "4.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.34",
                  "versionStartIncluding": "4.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.3",
                  "versionStartIncluding": "4.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "4.13",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbus: fsl-mc: fix double-free on mc_dev\n\nThe blamed commit tried to simplify how the deallocations are done but,\nin the process, introduced a double-free on the mc_dev variable.\n\nIn case the MC device is a DPRC, a new mc_bus is allocated and the\nmc_dev variable is just a reference to one of its fields. In this\ncircumstance, on the error path only the mc_bus should be freed.\n\nThis commit introduces back the following checkpatch warning which is a\nfalse-positive.\n\nWARNING: kfree(NULL) is safe and this check is probably not required\n+       if (mc_bus)\n+               kfree(mc_bus);"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T21:25:33.799Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/12e4431e5078847791936820bd39df9e1ee26d2e"
        },
        {
          "url": "https://git.kernel.org/stable/c/3135e03a92f6b5259d0a7f25f728e9e7866ede3f"
        },
        {
          "url": "https://git.kernel.org/stable/c/7002b954c4a8b9965ba0f139812ee4a6f71beac8"
        },
        {
          "url": "https://git.kernel.org/stable/c/b2057374f326303c86d8423415ab58656eebc695"
        },
        {
          "url": "https://git.kernel.org/stable/c/4b23c46eb2d88924b93aca647bde9a4b9cf62cf9"
        },
        {
          "url": "https://git.kernel.org/stable/c/1d5baab39e5b09a76870b345cdee7933871b881f"
        },
        {
          "url": "https://git.kernel.org/stable/c/873d47114fd5e5a1cad2018843671537cc71ac84"
        },
        {
          "url": "https://git.kernel.org/stable/c/d694bf8a9acdbd061596f3e7549bc8cb70750a60"
        }
      ],
      "title": "bus: fsl-mc: fix double-free on mc_dev",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38313",
    "datePublished": "2025-07-10T07:42:21.314Z",
    "dateReserved": "2025-04-16T04:51:24.003Z",
    "dateUpdated": "2026-05-11T21:25:33.799Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38319 (GCVE-0-2025-38319)

Vulnerability from cvelistv5 – Published: 2025-07-10 07:42 – Updated: 2026-05-11 21:25

Title

drm/amd/pp: Fix potential NULL pointer dereference in atomctrl_initialize_mc_reg_table

Summary

In the Linux kernel, the following vulnerability has been resolved: drm/amd/pp: Fix potential NULL pointer dereference in atomctrl_initialize_mc_reg_table The function atomctrl_initialize_mc_reg_table() and atomctrl_initialize_mc_reg_table_v2_2() does not check the return value of smu_atom_get_data_table(). If smu_atom_get_data_table() fails to retrieve vram_info, it returns NULL which is later dereferenced.

Severity

No CVSS data available.

Assigner

Linux

References

7 references

URL	Tags
https://git.kernel.org/stable/c/85cdcb834fb490731…
https://git.kernel.org/stable/c/7080c20a913984203…
https://git.kernel.org/stable/c/cdf7e1ff99ab06ef1…
https://git.kernel.org/stable/c/64f3acc8c7e680963…
https://git.kernel.org/stable/c/a4ff7391c8b75b154…
https://git.kernel.org/stable/c/820116a39f96bdc7d…
https://lists.debian.org/debian-lts-announce/2025…

Impacted products

2 products

Vendor	Product	Version
Linux	Linux	Affected: b3892e2bb519fe18225d0628f0dd255761f16502 , < 85cdcb834fb490731ff2d123f87ca799c57dacf2 (git) Affected: b3892e2bb519fe18225d0628f0dd255761f16502 , < 7080c20a9139842033ed4af604dc1fa4028593ad (git) Affected: b3892e2bb519fe18225d0628f0dd255761f16502 , < cdf7e1ff99ab06ef15d0b5d1aca5258a4fb62b85 (git) Affected: b3892e2bb519fe18225d0628f0dd255761f16502 , < 64f3acc8c7e6809631457b75638601b36dea3129 (git) Affected: b3892e2bb519fe18225d0628f0dd255761f16502 , < a4ff7391c8b75b1541900bd9d0c238e558c11fb3 (git) Affected: b3892e2bb519fe18225d0628f0dd255761f16502 , < 820116a39f96bdc7d426c33a804b52f53700a919 (git)
Linux	Linux	Affected: 4.18 Unaffected: 0 , < 4.18 (semver) Unaffected: 5.15.186 , ≤ 5.15.* (semver) Unaffected: 6.1.142 , ≤ 6.1.* (semver) Unaffected: 6.6.94 , ≤ 6.6.* (semver) Unaffected: 6.12.34 , ≤ 6.12.* (semver) Unaffected: 6.15.3 , ≤ 6.15.* (semver) Unaffected: 6.16 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:36:28.555Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/amd/pm/powerplay/hwmgr/ppatomctrl.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "85cdcb834fb490731ff2d123f87ca799c57dacf2",
              "status": "affected",
              "version": "b3892e2bb519fe18225d0628f0dd255761f16502",
              "versionType": "git"
            },
            {
              "lessThan": "7080c20a9139842033ed4af604dc1fa4028593ad",
              "status": "affected",
              "version": "b3892e2bb519fe18225d0628f0dd255761f16502",
              "versionType": "git"
            },
            {
              "lessThan": "cdf7e1ff99ab06ef15d0b5d1aca5258a4fb62b85",
              "status": "affected",
              "version": "b3892e2bb519fe18225d0628f0dd255761f16502",
              "versionType": "git"
            },
            {
              "lessThan": "64f3acc8c7e6809631457b75638601b36dea3129",
              "status": "affected",
              "version": "b3892e2bb519fe18225d0628f0dd255761f16502",
              "versionType": "git"
            },
            {
              "lessThan": "a4ff7391c8b75b1541900bd9d0c238e558c11fb3",
              "status": "affected",
              "version": "b3892e2bb519fe18225d0628f0dd255761f16502",
              "versionType": "git"
            },
            {
              "lessThan": "820116a39f96bdc7d426c33a804b52f53700a919",
              "status": "affected",
              "version": "b3892e2bb519fe18225d0628f0dd255761f16502",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/amd/pm/powerplay/hwmgr/ppatomctrl.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.18"
            },
            {
              "lessThan": "4.18",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.186",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.142",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.94",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.34",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.186",
                  "versionStartIncluding": "4.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.142",
                  "versionStartIncluding": "4.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.94",
                  "versionStartIncluding": "4.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.34",
                  "versionStartIncluding": "4.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.3",
                  "versionStartIncluding": "4.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "4.18",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/pp: Fix potential NULL pointer dereference in atomctrl_initialize_mc_reg_table\n\nThe function atomctrl_initialize_mc_reg_table() and\natomctrl_initialize_mc_reg_table_v2_2() does not check the return\nvalue of smu_atom_get_data_table(). If smu_atom_get_data_table()\nfails to retrieve vram_info, it returns NULL which is later\ndereferenced."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T21:25:41.042Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/85cdcb834fb490731ff2d123f87ca799c57dacf2"
        },
        {
          "url": "https://git.kernel.org/stable/c/7080c20a9139842033ed4af604dc1fa4028593ad"
        },
        {
          "url": "https://git.kernel.org/stable/c/cdf7e1ff99ab06ef15d0b5d1aca5258a4fb62b85"
        },
        {
          "url": "https://git.kernel.org/stable/c/64f3acc8c7e6809631457b75638601b36dea3129"
        },
        {
          "url": "https://git.kernel.org/stable/c/a4ff7391c8b75b1541900bd9d0c238e558c11fb3"
        },
        {
          "url": "https://git.kernel.org/stable/c/820116a39f96bdc7d426c33a804b52f53700a919"
        }
      ],
      "title": "drm/amd/pp: Fix potential NULL pointer dereference in atomctrl_initialize_mc_reg_table",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38319",
    "datePublished": "2025-07-10T07:42:25.111Z",
    "dateReserved": "2025-04-16T04:51:24.004Z",
    "dateUpdated": "2026-05-11T21:25:41.042Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38320 (GCVE-0-2025-38320)

Vulnerability from cvelistv5 – Published: 2025-07-10 08:14 – Updated: 2026-05-11 21:25

Title

arm64/ptrace: Fix stack-out-of-bounds read in regs_get_kernel_stack_nth()

Summary

In the Linux kernel, the following vulnerability has been resolved: arm64/ptrace: Fix stack-out-of-bounds read in regs_get_kernel_stack_nth() KASAN reports a stack-out-of-bounds read in regs_get_kernel_stack_nth(). Call Trace: [ 97.283505] BUG: KASAN: stack-out-of-bounds in regs_get_kernel_stack_nth+0xa8/0xc8 [ 97.284677] Read of size 8 at addr ffff800089277c10 by task 1.sh/2550 [ 97.285732] [ 97.286067] CPU: 7 PID: 2550 Comm: 1.sh Not tainted 6.6.0+ #11 [ 97.287032] Hardware name: linux,dummy-virt (DT) [ 97.287815] Call trace: [ 97.288279] dump_backtrace+0xa0/0x128 [ 97.288946] show_stack+0x20/0x38 [ 97.289551] dump_stack_lvl+0x78/0xc8 [ 97.290203] print_address_description.constprop.0+0x84/0x3c8 [ 97.291159] print_report+0xb0/0x280 [ 97.291792] kasan_report+0x84/0xd0 [ 97.292421] __asan_load8+0x9c/0xc0 [ 97.293042] regs_get_kernel_stack_nth+0xa8/0xc8 [ 97.293835] process_fetch_insn+0x770/0xa30 [ 97.294562] kprobe_trace_func+0x254/0x3b0 [ 97.295271] kprobe_dispatcher+0x98/0xe0 [ 97.295955] kprobe_breakpoint_handler+0x1b0/0x210 [ 97.296774] call_break_hook+0xc4/0x100 [ 97.297451] brk_handler+0x24/0x78 [ 97.298073] do_debug_exception+0xac/0x178 [ 97.298785] el1_dbg+0x70/0x90 [ 97.299344] el1h_64_sync_handler+0xcc/0xe8 [ 97.300066] el1h_64_sync+0x78/0x80 [ 97.300699] kernel_clone+0x0/0x500 [ 97.301331] __arm64_sys_clone+0x70/0x90 [ 97.302084] invoke_syscall+0x68/0x198 [ 97.302746] el0_svc_common.constprop.0+0x11c/0x150 [ 97.303569] do_el0_svc+0x38/0x50 [ 97.304164] el0_svc+0x44/0x1d8 [ 97.304749] el0t_64_sync_handler+0x100/0x130 [ 97.305500] el0t_64_sync+0x188/0x190 [ 97.306151] [ 97.306475] The buggy address belongs to stack of task 1.sh/2550 [ 97.307461] and is located at offset 0 in frame: [ 97.308257] __se_sys_clone+0x0/0x138 [ 97.308910] [ 97.309241] This frame has 1 object: [ 97.309873] [48, 184) 'args' [ 97.309876] [ 97.310749] The buggy address belongs to the virtual mapping at [ 97.310749] [ffff800089270000, ffff800089279000) created by: [ 97.310749] dup_task_struct+0xc0/0x2e8 [ 97.313347] [ 97.313674] The buggy address belongs to the physical page: [ 97.314604] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x14f69a [ 97.315885] flags: 0x15ffffe00000000(node=1|zone=2|lastcpupid=0xfffff) [ 97.316957] raw: 015ffffe00000000 0000000000000000 dead000000000122 0000000000000000 [ 97.318207] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000 [ 97.319445] page dumped because: kasan: bad access detected [ 97.320371] [ 97.320694] Memory state around the buggy address: [ 97.321511] ffff800089277b00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 97.322681] ffff800089277b80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 97.323846] >ffff800089277c00: 00 00 f1 f1 f1 f1 f1 f1 00 00 00 00 00 00 00 00 [ 97.325023] ^ [ 97.325683] ffff800089277c80: 00 00 00 00 00 00 00 00 00 f3 f3 f3 f3 f3 f3 f3 [ 97.326856] ffff800089277d00: f3 f3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 This issue seems to be related to the behavior of some gcc compilers and was also fixed on the s390 architecture before: commit d93a855c31b7 ("s390/ptrace: Avoid KASAN false positives in regs_get_kernel_stack_nth()") As described in that commit, regs_get_kernel_stack_nth() has confirmed that `addr` is on the stack, so reading the value at `*addr` should be allowed. Use READ_ONCE_NOCHECK() helper to silence the KASAN check for this case. [will: Use '*addr' as the argument to READ_ONCE_NOCHECK()]

Severity

No CVSS data available.

Assigner

Linux

References

10 references

URL	Tags
https://git.kernel.org/stable/c/64773b3ea09235168…
https://git.kernel.org/stable/c/67abac27d806e8f9d…
https://git.kernel.org/stable/c/92750bfe7b0d8dbca…
https://git.kernel.org/stable/c/01f91d415a8375d85…
https://git.kernel.org/stable/c/21da6d3561f373898…
https://git.kernel.org/stable/c/22f935bc86bdfbde0…
https://git.kernel.org/stable/c/422e565b7889ebfd9…
https://git.kernel.org/stable/c/39dfc971e42d886e7…
https://lists.debian.org/debian-lts-announce/2025…
https://lists.debian.org/debian-lts-announce/2025…

Impacted products

2 products

Vendor	Product	Version
Linux	Linux	Affected: 0a8ea52c3eb157dd65e224fc95b7c9c99fcba9f7 , < 64773b3ea09235168a549a195cba43bb867c4a17 (git) Affected: 0a8ea52c3eb157dd65e224fc95b7c9c99fcba9f7 , < 67abac27d806e8f9d4226ec1528540cf73af673a (git) Affected: 0a8ea52c3eb157dd65e224fc95b7c9c99fcba9f7 , < 92750bfe7b0d8dbcaf578c091a65eda1c5f9ad38 (git) Affected: 0a8ea52c3eb157dd65e224fc95b7c9c99fcba9f7 , < 01f91d415a8375d85e0c7d3615cd4a168308bb7c (git) Affected: 0a8ea52c3eb157dd65e224fc95b7c9c99fcba9f7 , < 21da6d3561f373898349ca7167c9811c020da695 (git) Affected: 0a8ea52c3eb157dd65e224fc95b7c9c99fcba9f7 , < 22f935bc86bdfbde04009f05eee191d220cd8c89 (git) Affected: 0a8ea52c3eb157dd65e224fc95b7c9c99fcba9f7 , < 422e565b7889ebfd9c8705a3fc786642afe61fca (git) Affected: 0a8ea52c3eb157dd65e224fc95b7c9c99fcba9f7 , < 39dfc971e42d886e7df01371cd1bef505076d84c (git)
Linux	Linux	Affected: 4.8 Unaffected: 0 , < 4.8 (semver) Unaffected: 5.4.295 , ≤ 5.4.* (semver) Unaffected: 5.10.239 , ≤ 5.10.* (semver) Unaffected: 5.15.186 , ≤ 5.15.* (semver) Unaffected: 6.1.142 , ≤ 6.1.* (semver) Unaffected: 6.6.95 , ≤ 6.6.* (semver) Unaffected: 6.12.35 , ≤ 6.12.* (semver) Unaffected: 6.15.4 , ≤ 6.15.* (semver) Unaffected: 6.16 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:36:30.512Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "arch/arm64/kernel/ptrace.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "64773b3ea09235168a549a195cba43bb867c4a17",
              "status": "affected",
              "version": "0a8ea52c3eb157dd65e224fc95b7c9c99fcba9f7",
              "versionType": "git"
            },
            {
              "lessThan": "67abac27d806e8f9d4226ec1528540cf73af673a",
              "status": "affected",
              "version": "0a8ea52c3eb157dd65e224fc95b7c9c99fcba9f7",
              "versionType": "git"
            },
            {
              "lessThan": "92750bfe7b0d8dbcaf578c091a65eda1c5f9ad38",
              "status": "affected",
              "version": "0a8ea52c3eb157dd65e224fc95b7c9c99fcba9f7",
              "versionType": "git"
            },
            {
              "lessThan": "01f91d415a8375d85e0c7d3615cd4a168308bb7c",
              "status": "affected",
              "version": "0a8ea52c3eb157dd65e224fc95b7c9c99fcba9f7",
              "versionType": "git"
            },
            {
              "lessThan": "21da6d3561f373898349ca7167c9811c020da695",
              "status": "affected",
              "version": "0a8ea52c3eb157dd65e224fc95b7c9c99fcba9f7",
              "versionType": "git"
            },
            {
              "lessThan": "22f935bc86bdfbde04009f05eee191d220cd8c89",
              "status": "affected",
              "version": "0a8ea52c3eb157dd65e224fc95b7c9c99fcba9f7",
              "versionType": "git"
            },
            {
              "lessThan": "422e565b7889ebfd9c8705a3fc786642afe61fca",
              "status": "affected",
              "version": "0a8ea52c3eb157dd65e224fc95b7c9c99fcba9f7",
              "versionType": "git"
            },
            {
              "lessThan": "39dfc971e42d886e7df01371cd1bef505076d84c",
              "status": "affected",
              "version": "0a8ea52c3eb157dd65e224fc95b7c9c99fcba9f7",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "arch/arm64/kernel/ptrace.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.8"
            },
            {
              "lessThan": "4.8",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.295",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.239",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.186",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.142",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.95",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.35",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.295",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.239",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.186",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.142",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.95",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.35",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.4",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\narm64/ptrace: Fix stack-out-of-bounds read in regs_get_kernel_stack_nth()\n\nKASAN reports a stack-out-of-bounds read in regs_get_kernel_stack_nth().\n\nCall Trace:\n[   97.283505] BUG: KASAN: stack-out-of-bounds in regs_get_kernel_stack_nth+0xa8/0xc8\n[   97.284677] Read of size 8 at addr ffff800089277c10 by task 1.sh/2550\n[   97.285732]\n[   97.286067] CPU: 7 PID: 2550 Comm: 1.sh Not tainted 6.6.0+ #11\n[   97.287032] Hardware name: linux,dummy-virt (DT)\n[   97.287815] Call trace:\n[   97.288279]  dump_backtrace+0xa0/0x128\n[   97.288946]  show_stack+0x20/0x38\n[   97.289551]  dump_stack_lvl+0x78/0xc8\n[   97.290203]  print_address_description.constprop.0+0x84/0x3c8\n[   97.291159]  print_report+0xb0/0x280\n[   97.291792]  kasan_report+0x84/0xd0\n[   97.292421]  __asan_load8+0x9c/0xc0\n[   97.293042]  regs_get_kernel_stack_nth+0xa8/0xc8\n[   97.293835]  process_fetch_insn+0x770/0xa30\n[   97.294562]  kprobe_trace_func+0x254/0x3b0\n[   97.295271]  kprobe_dispatcher+0x98/0xe0\n[   97.295955]  kprobe_breakpoint_handler+0x1b0/0x210\n[   97.296774]  call_break_hook+0xc4/0x100\n[   97.297451]  brk_handler+0x24/0x78\n[   97.298073]  do_debug_exception+0xac/0x178\n[   97.298785]  el1_dbg+0x70/0x90\n[   97.299344]  el1h_64_sync_handler+0xcc/0xe8\n[   97.300066]  el1h_64_sync+0x78/0x80\n[   97.300699]  kernel_clone+0x0/0x500\n[   97.301331]  __arm64_sys_clone+0x70/0x90\n[   97.302084]  invoke_syscall+0x68/0x198\n[   97.302746]  el0_svc_common.constprop.0+0x11c/0x150\n[   97.303569]  do_el0_svc+0x38/0x50\n[   97.304164]  el0_svc+0x44/0x1d8\n[   97.304749]  el0t_64_sync_handler+0x100/0x130\n[   97.305500]  el0t_64_sync+0x188/0x190\n[   97.306151]\n[   97.306475] The buggy address belongs to stack of task 1.sh/2550\n[   97.307461]  and is located at offset 0 in frame:\n[   97.308257]  __se_sys_clone+0x0/0x138\n[   97.308910]\n[   97.309241] This frame has 1 object:\n[   97.309873]  [48, 184) \u0027args\u0027\n[   97.309876]\n[   97.310749] The buggy address belongs to the virtual mapping at\n[   97.310749]  [ffff800089270000, ffff800089279000) created by:\n[   97.310749]  dup_task_struct+0xc0/0x2e8\n[   97.313347]\n[   97.313674] The buggy address belongs to the physical page:\n[   97.314604] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x14f69a\n[   97.315885] flags: 0x15ffffe00000000(node=1|zone=2|lastcpupid=0xfffff)\n[   97.316957] raw: 015ffffe00000000 0000000000000000 dead000000000122 0000000000000000\n[   97.318207] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000\n[   97.319445] page dumped because: kasan: bad access detected\n[   97.320371]\n[   97.320694] Memory state around the buggy address:\n[   97.321511]  ffff800089277b00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n[   97.322681]  ffff800089277b80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n[   97.323846] \u003effff800089277c00: 00 00 f1 f1 f1 f1 f1 f1 00 00 00 00 00 00 00 00\n[   97.325023]                          ^\n[   97.325683]  ffff800089277c80: 00 00 00 00 00 00 00 00 00 f3 f3 f3 f3 f3 f3 f3\n[   97.326856]  ffff800089277d00: f3 f3 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n\nThis issue seems to be related to the behavior of some gcc compilers and\nwas also fixed on the s390 architecture before:\n\n commit d93a855c31b7 (\"s390/ptrace: Avoid KASAN false positives in regs_get_kernel_stack_nth()\")\n\nAs described in that commit, regs_get_kernel_stack_nth() has confirmed that\n`addr` is on the stack, so reading the value at `*addr` should be allowed.\nUse READ_ONCE_NOCHECK() helper to silence the KASAN check for this case.\n\n[will: Use \u0027*addr\u0027 as the argument to READ_ONCE_NOCHECK()]"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T21:25:42.232Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/64773b3ea09235168a549a195cba43bb867c4a17"
        },
        {
          "url": "https://git.kernel.org/stable/c/67abac27d806e8f9d4226ec1528540cf73af673a"
        },
        {
          "url": "https://git.kernel.org/stable/c/92750bfe7b0d8dbcaf578c091a65eda1c5f9ad38"
        },
        {
          "url": "https://git.kernel.org/stable/c/01f91d415a8375d85e0c7d3615cd4a168308bb7c"
        },
        {
          "url": "https://git.kernel.org/stable/c/21da6d3561f373898349ca7167c9811c020da695"
        },
        {
          "url": "https://git.kernel.org/stable/c/22f935bc86bdfbde04009f05eee191d220cd8c89"
        },
        {
          "url": "https://git.kernel.org/stable/c/422e565b7889ebfd9c8705a3fc786642afe61fca"
        },
        {
          "url": "https://git.kernel.org/stable/c/39dfc971e42d886e7df01371cd1bef505076d84c"
        }
      ],
      "title": "arm64/ptrace: Fix stack-out-of-bounds read in regs_get_kernel_stack_nth()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38320",
    "datePublished": "2025-07-10T08:14:56.398Z",
    "dateReserved": "2025-04-16T04:51:24.004Z",
    "dateUpdated": "2026-05-11T21:25:42.232Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38323 (GCVE-0-2025-38323)

Vulnerability from cvelistv5 – Published: 2025-07-10 08:14 – Updated: 2026-05-11 21:25

Title

net: atm: add lec_mutex

Summary

In the Linux kernel, the following vulnerability has been resolved: net: atm: add lec_mutex syzbot found its way in net/atm/lec.c, and found an error path in lecd_attach() could leave a dangling pointer in dev_lec[]. Add a mutex to protect dev_lecp[] uses from lecd_attach(), lec_vcc_attach() and lec_mcast_attach(). Following patch will use this mutex for /proc/net/atm/lec. BUG: KASAN: slab-use-after-free in lecd_attach net/atm/lec.c:751 [inline] BUG: KASAN: slab-use-after-free in lane_ioctl+0x2224/0x23e0 net/atm/lec.c:1008 Read of size 8 at addr ffff88807c7b8e68 by task syz.1.17/6142 CPU: 1 UID: 0 PID: 6142 Comm: syz.1.17 Not tainted 6.16.0-rc1-syzkaller-00239-g08215f5486ec #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025 Call Trace: <TASK> __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:408 [inline] print_report+0xcd/0x680 mm/kasan/report.c:521 kasan_report+0xe0/0x110 mm/kasan/report.c:634 lecd_attach net/atm/lec.c:751 [inline] lane_ioctl+0x2224/0x23e0 net/atm/lec.c:1008 do_vcc_ioctl+0x12c/0x930 net/atm/ioctl.c:159 sock_do_ioctl+0x118/0x280 net/socket.c:1190 sock_ioctl+0x227/0x6b0 net/socket.c:1311 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:907 [inline] __se_sys_ioctl fs/ioctl.c:893 [inline] __x64_sys_ioctl+0x18e/0x210 fs/ioctl.c:893 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xcd/0x4c0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f </TASK> Allocated by task 6132: kasan_save_stack+0x33/0x60 mm/kasan/common.c:47 kasan_save_track+0x14/0x30 mm/kasan/common.c:68 poison_kmalloc_redzone mm/kasan/common.c:377 [inline] __kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:394 kasan_kmalloc include/linux/kasan.h:260 [inline] __do_kmalloc_node mm/slub.c:4328 [inline] __kvmalloc_node_noprof+0x27b/0x620 mm/slub.c:5015 alloc_netdev_mqs+0xd2/0x1570 net/core/dev.c:11711 lecd_attach net/atm/lec.c:737 [inline] lane_ioctl+0x17db/0x23e0 net/atm/lec.c:1008 do_vcc_ioctl+0x12c/0x930 net/atm/ioctl.c:159 sock_do_ioctl+0x118/0x280 net/socket.c:1190 sock_ioctl+0x227/0x6b0 net/socket.c:1311 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:907 [inline] __se_sys_ioctl fs/ioctl.c:893 [inline] __x64_sys_ioctl+0x18e/0x210 fs/ioctl.c:893 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xcd/0x4c0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f Freed by task 6132: kasan_save_stack+0x33/0x60 mm/kasan/common.c:47 kasan_save_track+0x14/0x30 mm/kasan/common.c:68 kasan_save_free_info+0x3b/0x60 mm/kasan/generic.c:576 poison_slab_object mm/kasan/common.c:247 [inline] __kasan_slab_free+0x51/0x70 mm/kasan/common.c:264 kasan_slab_free include/linux/kasan.h:233 [inline] slab_free_hook mm/slub.c:2381 [inline] slab_free mm/slub.c:4643 [inline] kfree+0x2b4/0x4d0 mm/slub.c:4842 free_netdev+0x6c5/0x910 net/core/dev.c:11892 lecd_attach net/atm/lec.c:744 [inline] lane_ioctl+0x1ce8/0x23e0 net/atm/lec.c:1008 do_vcc_ioctl+0x12c/0x930 net/atm/ioctl.c:159 sock_do_ioctl+0x118/0x280 net/socket.c:1190 sock_ioctl+0x227/0x6b0 net/socket.c:1311 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:907 [inline] __se_sys_ioctl fs/ioctl.c:893 [inline] __x64_sys_ioctl+0x18e/0x210 fs/ioctl.c:893

Severity

No CVSS data available.

Assigner

Linux

References

10 references

URL	Tags
https://git.kernel.org/stable/c/e91274cc7ed88ab5b…
https://git.kernel.org/stable/c/a7a713dfb5f947734…
https://git.kernel.org/stable/c/17e156a94e94a906a…
https://git.kernel.org/stable/c/18e8f0c4f826fb08c…
https://git.kernel.org/stable/c/dffd03422ae6a4590…
https://git.kernel.org/stable/c/f4d80b16ecc4229f7…
https://git.kernel.org/stable/c/64b378db28a967f7b…
https://git.kernel.org/stable/c/d13a3824bfd2b4774…
https://lists.debian.org/debian-lts-announce/2025…
https://lists.debian.org/debian-lts-announce/2025…

Impacted products

2 products

Vendor	Product	Version
Linux	Linux	Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < e91274cc7ed88ab5bdc62d426067c82b0b118a0b (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < a7a713dfb5f9477345450f27c7c0741864511192 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 17e156a94e94a906a570dbf9b48877956c60bef8 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 18e8f0c4f826fb08c2d3825cdd6c57e24b207e0a (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < dffd03422ae6a459039c8602f410e6c0f4cbc6c8 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < f4d80b16ecc4229f7e6345158ef34c36be323f0e (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 64b378db28a967f7b271b055380c2360279aa424 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < d13a3824bfd2b4774b671a75cf766a16637a0e67 (git)
Linux	Linux	Affected: 2.6.12 Unaffected: 0 , < 2.6.12 (semver) Unaffected: 5.4.295 , ≤ 5.4.* (semver) Unaffected: 5.10.239 , ≤ 5.10.* (semver) Unaffected: 5.15.186 , ≤ 5.15.* (semver) Unaffected: 6.1.142 , ≤ 6.1.* (semver) Unaffected: 6.6.95 , ≤ 6.6.* (semver) Unaffected: 6.12.35 , ≤ 6.12.* (semver) Unaffected: 6.15.4 , ≤ 6.15.* (semver) Unaffected: 6.16 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:36:33.359Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/atm/lec.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "e91274cc7ed88ab5bdc62d426067c82b0b118a0b",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "a7a713dfb5f9477345450f27c7c0741864511192",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "17e156a94e94a906a570dbf9b48877956c60bef8",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "18e8f0c4f826fb08c2d3825cdd6c57e24b207e0a",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "dffd03422ae6a459039c8602f410e6c0f4cbc6c8",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "f4d80b16ecc4229f7e6345158ef34c36be323f0e",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "64b378db28a967f7b271b055380c2360279aa424",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "d13a3824bfd2b4774b671a75cf766a16637a0e67",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/atm/lec.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.12"
            },
            {
              "lessThan": "2.6.12",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.295",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.239",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.186",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.142",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.95",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.35",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.295",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.239",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.186",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.142",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.95",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.35",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.4",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: atm: add lec_mutex\n\nsyzbot found its way in net/atm/lec.c, and found an error path\nin lecd_attach() could leave a dangling pointer in dev_lec[].\n\nAdd a mutex to protect dev_lecp[] uses from lecd_attach(),\nlec_vcc_attach() and lec_mcast_attach().\n\nFollowing patch will use this mutex for /proc/net/atm/lec.\n\nBUG: KASAN: slab-use-after-free in lecd_attach net/atm/lec.c:751 [inline]\nBUG: KASAN: slab-use-after-free in lane_ioctl+0x2224/0x23e0 net/atm/lec.c:1008\nRead of size 8 at addr ffff88807c7b8e68 by task syz.1.17/6142\n\nCPU: 1 UID: 0 PID: 6142 Comm: syz.1.17 Not tainted 6.16.0-rc1-syzkaller-00239-g08215f5486ec #0 PREEMPT(full)\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025\nCall Trace:\n \u003cTASK\u003e\n  __dump_stack lib/dump_stack.c:94 [inline]\n  dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120\n  print_address_description mm/kasan/report.c:408 [inline]\n  print_report+0xcd/0x680 mm/kasan/report.c:521\n  kasan_report+0xe0/0x110 mm/kasan/report.c:634\n  lecd_attach net/atm/lec.c:751 [inline]\n  lane_ioctl+0x2224/0x23e0 net/atm/lec.c:1008\n  do_vcc_ioctl+0x12c/0x930 net/atm/ioctl.c:159\n  sock_do_ioctl+0x118/0x280 net/socket.c:1190\n  sock_ioctl+0x227/0x6b0 net/socket.c:1311\n  vfs_ioctl fs/ioctl.c:51 [inline]\n  __do_sys_ioctl fs/ioctl.c:907 [inline]\n  __se_sys_ioctl fs/ioctl.c:893 [inline]\n  __x64_sys_ioctl+0x18e/0x210 fs/ioctl.c:893\n  do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n  do_syscall_64+0xcd/0x4c0 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n \u003c/TASK\u003e\n\nAllocated by task 6132:\n  kasan_save_stack+0x33/0x60 mm/kasan/common.c:47\n  kasan_save_track+0x14/0x30 mm/kasan/common.c:68\n  poison_kmalloc_redzone mm/kasan/common.c:377 [inline]\n  __kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:394\n  kasan_kmalloc include/linux/kasan.h:260 [inline]\n  __do_kmalloc_node mm/slub.c:4328 [inline]\n  __kvmalloc_node_noprof+0x27b/0x620 mm/slub.c:5015\n  alloc_netdev_mqs+0xd2/0x1570 net/core/dev.c:11711\n  lecd_attach net/atm/lec.c:737 [inline]\n  lane_ioctl+0x17db/0x23e0 net/atm/lec.c:1008\n  do_vcc_ioctl+0x12c/0x930 net/atm/ioctl.c:159\n  sock_do_ioctl+0x118/0x280 net/socket.c:1190\n  sock_ioctl+0x227/0x6b0 net/socket.c:1311\n  vfs_ioctl fs/ioctl.c:51 [inline]\n  __do_sys_ioctl fs/ioctl.c:907 [inline]\n  __se_sys_ioctl fs/ioctl.c:893 [inline]\n  __x64_sys_ioctl+0x18e/0x210 fs/ioctl.c:893\n  do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n  do_syscall_64+0xcd/0x4c0 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nFreed by task 6132:\n  kasan_save_stack+0x33/0x60 mm/kasan/common.c:47\n  kasan_save_track+0x14/0x30 mm/kasan/common.c:68\n  kasan_save_free_info+0x3b/0x60 mm/kasan/generic.c:576\n  poison_slab_object mm/kasan/common.c:247 [inline]\n  __kasan_slab_free+0x51/0x70 mm/kasan/common.c:264\n  kasan_slab_free include/linux/kasan.h:233 [inline]\n  slab_free_hook mm/slub.c:2381 [inline]\n  slab_free mm/slub.c:4643 [inline]\n  kfree+0x2b4/0x4d0 mm/slub.c:4842\n  free_netdev+0x6c5/0x910 net/core/dev.c:11892\n  lecd_attach net/atm/lec.c:744 [inline]\n  lane_ioctl+0x1ce8/0x23e0 net/atm/lec.c:1008\n  do_vcc_ioctl+0x12c/0x930 net/atm/ioctl.c:159\n  sock_do_ioctl+0x118/0x280 net/socket.c:1190\n  sock_ioctl+0x227/0x6b0 net/socket.c:1311\n  vfs_ioctl fs/ioctl.c:51 [inline]\n  __do_sys_ioctl fs/ioctl.c:907 [inline]\n  __se_sys_ioctl fs/ioctl.c:893 [inline]\n  __x64_sys_ioctl+0x18e/0x210 fs/ioctl.c:893"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T21:25:45.739Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/e91274cc7ed88ab5bdc62d426067c82b0b118a0b"
        },
        {
          "url": "https://git.kernel.org/stable/c/a7a713dfb5f9477345450f27c7c0741864511192"
        },
        {
          "url": "https://git.kernel.org/stable/c/17e156a94e94a906a570dbf9b48877956c60bef8"
        },
        {
          "url": "https://git.kernel.org/stable/c/18e8f0c4f826fb08c2d3825cdd6c57e24b207e0a"
        },
        {
          "url": "https://git.kernel.org/stable/c/dffd03422ae6a459039c8602f410e6c0f4cbc6c8"
        },
        {
          "url": "https://git.kernel.org/stable/c/f4d80b16ecc4229f7e6345158ef34c36be323f0e"
        },
        {
          "url": "https://git.kernel.org/stable/c/64b378db28a967f7b271b055380c2360279aa424"
        },
        {
          "url": "https://git.kernel.org/stable/c/d13a3824bfd2b4774b671a75cf766a16637a0e67"
        }
      ],
      "title": "net: atm: add lec_mutex",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38323",
    "datePublished": "2025-07-10T08:14:58.212Z",
    "dateReserved": "2025-04-16T04:51:24.004Z",
    "dateUpdated": "2026-05-11T21:25:45.739Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38324 (GCVE-0-2025-38324)

Vulnerability from cvelistv5 – Published: 2025-07-10 08:14 – Updated: 2026-05-11 21:25

Title

mpls: Use rcu_dereference_rtnl() in mpls_route_input_rcu().

Summary

In the Linux kernel, the following vulnerability has been resolved: mpls: Use rcu_dereference_rtnl() in mpls_route_input_rcu(). As syzbot reported [0], mpls_route_input_rcu() can be called from mpls_getroute(), where is under RTNL. net->mpls.platform_label is only updated under RTNL. Let's use rcu_dereference_rtnl() in mpls_route_input_rcu() to silence the splat. [0]: WARNING: suspicious RCU usage 6.15.0-rc7-syzkaller-00082-g5cdb2c77c4c3 #0 Not tainted ---------------------------- net/mpls/af_mpls.c:84 suspicious rcu_dereference_check() usage! other info that might help us debug this: rcu_scheduler_active = 2, debug_locks = 1 1 lock held by syz.2.4451/17730: #0: ffffffff9012a3e8 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_lock net/core/rtnetlink.c:80 [inline] #0: ffffffff9012a3e8 (rtnl_mutex){+.+.}-{4:4}, at: rtnetlink_rcv_msg+0x371/0xe90 net/core/rtnetlink.c:6961 stack backtrace: CPU: 1 UID: 0 PID: 17730 Comm: syz.2.4451 Not tainted 6.15.0-rc7-syzkaller-00082-g5cdb2c77c4c3 #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025 Call Trace: <TASK> __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:120 lockdep_rcu_suspicious+0x166/0x260 kernel/locking/lockdep.c:6865 mpls_route_input_rcu+0x1d4/0x200 net/mpls/af_mpls.c:84 mpls_getroute+0x621/0x1ea0 net/mpls/af_mpls.c:2381 rtnetlink_rcv_msg+0x3c9/0xe90 net/core/rtnetlink.c:6964 netlink_rcv_skb+0x16d/0x440 net/netlink/af_netlink.c:2534 netlink_unicast_kernel net/netlink/af_netlink.c:1313 [inline] netlink_unicast+0x53a/0x7f0 net/netlink/af_netlink.c:1339 netlink_sendmsg+0x8d1/0xdd0 net/netlink/af_netlink.c:1883 sock_sendmsg_nosec net/socket.c:712 [inline] __sock_sendmsg net/socket.c:727 [inline] ____sys_sendmsg+0xa98/0xc70 net/socket.c:2566 ___sys_sendmsg+0x134/0x1d0 net/socket.c:2620 __sys_sendmmsg+0x200/0x420 net/socket.c:2709 __do_sys_sendmmsg net/socket.c:2736 [inline] __se_sys_sendmmsg net/socket.c:2733 [inline] __x64_sys_sendmmsg+0x9c/0x100 net/socket.c:2733 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xcd/0x230 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f0a2818e969 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f0a28f52038 EFLAGS: 00000246 ORIG_RAX: 0000000000000133 RAX: ffffffffffffffda RBX: 00007f0a283b5fa0 RCX: 00007f0a2818e969 RDX: 0000000000000003 RSI: 0000200000000080 RDI: 0000000000000003 RBP: 00007f0a28210ab1 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000000 R14: 00007f0a283b5fa0 R15: 00007ffce5e9f268 </TASK>

Severity

No CVSS data available.

Assigner

Linux

References

10 references

URL	Tags
https://git.kernel.org/stable/c/2919297b18e5a5fb7…
https://git.kernel.org/stable/c/36af82f25fbdcd719…
https://git.kernel.org/stable/c/d8cd847fb86268726…
https://git.kernel.org/stable/c/49b8a9d7d44401a18…
https://git.kernel.org/stable/c/a060781640012d5d5…
https://git.kernel.org/stable/c/517bc6836ee9fcffe…
https://git.kernel.org/stable/c/f19cbd84e645e39bc…
https://git.kernel.org/stable/c/6dbb0d97c5096072c…
https://lists.debian.org/debian-lts-announce/2025…
https://lists.debian.org/debian-lts-announce/2025…

Impacted products

2 products

Vendor	Product	Version
Linux	Linux	Affected: 0189197f441602acdca3f97750d392a895b778fd , < 2919297b18e5a5fb7e643f9e32c12c0b17cce1be (git) Affected: 0189197f441602acdca3f97750d392a895b778fd , < 36af82f25fbdcd719eb947c15ea874bf80bcf229 (git) Affected: 0189197f441602acdca3f97750d392a895b778fd , < d8cd847fb8626872631cc22d44be5127b4ebfb74 (git) Affected: 0189197f441602acdca3f97750d392a895b778fd , < 49b8a9d7d44401a186e20b1aaf591d2e62727aeb (git) Affected: 0189197f441602acdca3f97750d392a895b778fd , < a060781640012d5d5105072f4c44ed6ad6830ef9 (git) Affected: 0189197f441602acdca3f97750d392a895b778fd , < 517bc6836ee9fcffe2539f6f6aa3fdd9c7a7ae73 (git) Affected: 0189197f441602acdca3f97750d392a895b778fd , < f19cbd84e645e39bc3228e1191bb151ef0ffac8c (git) Affected: 0189197f441602acdca3f97750d392a895b778fd , < 6dbb0d97c5096072c78a6abffe393584e57ae945 (git)
Linux	Linux	Affected: 4.1 Unaffected: 0 , < 4.1 (semver) Unaffected: 5.4.295 , ≤ 5.4.* (semver) Unaffected: 5.10.239 , ≤ 5.10.* (semver) Unaffected: 5.15.186 , ≤ 5.15.* (semver) Unaffected: 6.1.142 , ≤ 6.1.* (semver) Unaffected: 6.6.95 , ≤ 6.6.* (semver) Unaffected: 6.12.35 , ≤ 6.12.* (semver) Unaffected: 6.15.4 , ≤ 6.15.* (semver) Unaffected: 6.16 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:36:35.272Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/mpls/af_mpls.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "2919297b18e5a5fb7e643f9e32c12c0b17cce1be",
              "status": "affected",
              "version": "0189197f441602acdca3f97750d392a895b778fd",
              "versionType": "git"
            },
            {
              "lessThan": "36af82f25fbdcd719eb947c15ea874bf80bcf229",
              "status": "affected",
              "version": "0189197f441602acdca3f97750d392a895b778fd",
              "versionType": "git"
            },
            {
              "lessThan": "d8cd847fb8626872631cc22d44be5127b4ebfb74",
              "status": "affected",
              "version": "0189197f441602acdca3f97750d392a895b778fd",
              "versionType": "git"
            },
            {
              "lessThan": "49b8a9d7d44401a186e20b1aaf591d2e62727aeb",
              "status": "affected",
              "version": "0189197f441602acdca3f97750d392a895b778fd",
              "versionType": "git"
            },
            {
              "lessThan": "a060781640012d5d5105072f4c44ed6ad6830ef9",
              "status": "affected",
              "version": "0189197f441602acdca3f97750d392a895b778fd",
              "versionType": "git"
            },
            {
              "lessThan": "517bc6836ee9fcffe2539f6f6aa3fdd9c7a7ae73",
              "status": "affected",
              "version": "0189197f441602acdca3f97750d392a895b778fd",
              "versionType": "git"
            },
            {
              "lessThan": "f19cbd84e645e39bc3228e1191bb151ef0ffac8c",
              "status": "affected",
              "version": "0189197f441602acdca3f97750d392a895b778fd",
              "versionType": "git"
            },
            {
              "lessThan": "6dbb0d97c5096072c78a6abffe393584e57ae945",
              "status": "affected",
              "version": "0189197f441602acdca3f97750d392a895b778fd",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/mpls/af_mpls.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.1"
            },
            {
              "lessThan": "4.1",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.295",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.239",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.186",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.142",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.95",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.35",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.295",
                  "versionStartIncluding": "4.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.239",
                  "versionStartIncluding": "4.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.186",
                  "versionStartIncluding": "4.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.142",
                  "versionStartIncluding": "4.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.95",
                  "versionStartIncluding": "4.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.35",
                  "versionStartIncluding": "4.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.4",
                  "versionStartIncluding": "4.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "4.1",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmpls: Use rcu_dereference_rtnl() in mpls_route_input_rcu().\n\nAs syzbot reported [0], mpls_route_input_rcu() can be called\nfrom mpls_getroute(), where is under RTNL.\n\nnet-\u003empls.platform_label is only updated under RTNL.\n\nLet\u0027s use rcu_dereference_rtnl() in mpls_route_input_rcu() to\nsilence the splat.\n\n[0]:\nWARNING: suspicious RCU usage\n6.15.0-rc7-syzkaller-00082-g5cdb2c77c4c3 #0 Not tainted\n ----------------------------\nnet/mpls/af_mpls.c:84 suspicious rcu_dereference_check() usage!\n\nother info that might help us debug this:\n\nrcu_scheduler_active = 2, debug_locks = 1\n1 lock held by syz.2.4451/17730:\n #0: ffffffff9012a3e8 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_lock net/core/rtnetlink.c:80 [inline]\n #0: ffffffff9012a3e8 (rtnl_mutex){+.+.}-{4:4}, at: rtnetlink_rcv_msg+0x371/0xe90 net/core/rtnetlink.c:6961\n\nstack backtrace:\nCPU: 1 UID: 0 PID: 17730 Comm: syz.2.4451 Not tainted 6.15.0-rc7-syzkaller-00082-g5cdb2c77c4c3 #0 PREEMPT(full)\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025\nCall Trace:\n \u003cTASK\u003e\n __dump_stack lib/dump_stack.c:94 [inline]\n dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:120\n lockdep_rcu_suspicious+0x166/0x260 kernel/locking/lockdep.c:6865\n mpls_route_input_rcu+0x1d4/0x200 net/mpls/af_mpls.c:84\n mpls_getroute+0x621/0x1ea0 net/mpls/af_mpls.c:2381\n rtnetlink_rcv_msg+0x3c9/0xe90 net/core/rtnetlink.c:6964\n netlink_rcv_skb+0x16d/0x440 net/netlink/af_netlink.c:2534\n netlink_unicast_kernel net/netlink/af_netlink.c:1313 [inline]\n netlink_unicast+0x53a/0x7f0 net/netlink/af_netlink.c:1339\n netlink_sendmsg+0x8d1/0xdd0 net/netlink/af_netlink.c:1883\n sock_sendmsg_nosec net/socket.c:712 [inline]\n __sock_sendmsg net/socket.c:727 [inline]\n ____sys_sendmsg+0xa98/0xc70 net/socket.c:2566\n ___sys_sendmsg+0x134/0x1d0 net/socket.c:2620\n __sys_sendmmsg+0x200/0x420 net/socket.c:2709\n __do_sys_sendmmsg net/socket.c:2736 [inline]\n __se_sys_sendmmsg net/socket.c:2733 [inline]\n __x64_sys_sendmmsg+0x9c/0x100 net/socket.c:2733\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xcd/0x230 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7f0a2818e969\nCode: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 \u003c48\u003e 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007f0a28f52038 EFLAGS: 00000246 ORIG_RAX: 0000000000000133\nRAX: ffffffffffffffda RBX: 00007f0a283b5fa0 RCX: 00007f0a2818e969\nRDX: 0000000000000003 RSI: 0000200000000080 RDI: 0000000000000003\nRBP: 00007f0a28210ab1 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\nR13: 0000000000000000 R14: 00007f0a283b5fa0 R15: 00007ffce5e9f268\n \u003c/TASK\u003e"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T21:25:46.897Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/2919297b18e5a5fb7e643f9e32c12c0b17cce1be"
        },
        {
          "url": "https://git.kernel.org/stable/c/36af82f25fbdcd719eb947c15ea874bf80bcf229"
        },
        {
          "url": "https://git.kernel.org/stable/c/d8cd847fb8626872631cc22d44be5127b4ebfb74"
        },
        {
          "url": "https://git.kernel.org/stable/c/49b8a9d7d44401a186e20b1aaf591d2e62727aeb"
        },
        {
          "url": "https://git.kernel.org/stable/c/a060781640012d5d5105072f4c44ed6ad6830ef9"
        },
        {
          "url": "https://git.kernel.org/stable/c/517bc6836ee9fcffe2539f6f6aa3fdd9c7a7ae73"
        },
        {
          "url": "https://git.kernel.org/stable/c/f19cbd84e645e39bc3228e1191bb151ef0ffac8c"
        },
        {
          "url": "https://git.kernel.org/stable/c/6dbb0d97c5096072c78a6abffe393584e57ae945"
        }
      ],
      "title": "mpls: Use rcu_dereference_rtnl() in mpls_route_input_rcu().",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38324",
    "datePublished": "2025-07-10T08:14:58.857Z",
    "dateReserved": "2025-04-16T04:51:24.004Z",
    "dateUpdated": "2026-05-11T21:25:46.897Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38326 (GCVE-0-2025-38326)

Vulnerability from cvelistv5 – Published: 2025-07-10 08:15 – Updated: 2026-05-11 21:25

Title

aoe: clean device rq_list in aoedev_downdev()

Summary

In the Linux kernel, the following vulnerability has been resolved: aoe: clean device rq_list in aoedev_downdev() An aoe device's rq_list contains accepted block requests that are waiting to be transmitted to the aoe target. This queue was added as part of the conversion to blk_mq. However, the queue was not cleaned out when an aoe device is downed which caused blk_mq_freeze_queue() to sleep indefinitely waiting for those requests to complete, causing a hang. This fix cleans out the queue before calling blk_mq_freeze_queue().

Severity

No CVSS data available.

Assigner

Linux

References

10 references

URL	Tags
https://git.kernel.org/stable/c/ed52e9652ba41d362…
https://git.kernel.org/stable/c/64fc0bad62ed38874…
https://git.kernel.org/stable/c/ef0b5bbbed7f220db…
https://git.kernel.org/stable/c/531aef4a1accb13b2…
https://git.kernel.org/stable/c/8662ac79a63488e27…
https://git.kernel.org/stable/c/fa2a79f0da92614c5…
https://git.kernel.org/stable/c/00be74e1470af292c…
https://git.kernel.org/stable/c/7f90d45e57cb2ef1f…
https://lists.debian.org/debian-lts-announce/2025…
https://lists.debian.org/debian-lts-announce/2025…

Impacted products

2 products

Vendor	Product	Version
Linux	Linux	Affected: 3582dd291788e9441c3ba9047e55089edb98da5c , < ed52e9652ba41d362e9ec923077f6da23336f269 (git) Affected: 3582dd291788e9441c3ba9047e55089edb98da5c , < 64fc0bad62ed38874131dd0337d844a43bd1017e (git) Affected: 3582dd291788e9441c3ba9047e55089edb98da5c , < ef0b5bbbed7f220db2e9c73428f9a36e8dfc69ca (git) Affected: 3582dd291788e9441c3ba9047e55089edb98da5c , < 531aef4a1accb13b21a3b82ec29955f4733367d5 (git) Affected: 3582dd291788e9441c3ba9047e55089edb98da5c , < 8662ac79a63488e279b91c12a72b02bc0dc49f7b (git) Affected: 3582dd291788e9441c3ba9047e55089edb98da5c , < fa2a79f0da92614c5dc45c8b3d2638681c7734ee (git) Affected: 3582dd291788e9441c3ba9047e55089edb98da5c , < 00be74e1470af292c37a438b8e69dee47dcbf481 (git) Affected: 3582dd291788e9441c3ba9047e55089edb98da5c , < 7f90d45e57cb2ef1f0adcaf925ddffdfc5e680ca (git)
Linux	Linux	Affected: 4.20 Unaffected: 0 , < 4.20 (semver) Unaffected: 5.4.295 , ≤ 5.4.* (semver) Unaffected: 5.10.239 , ≤ 5.10.* (semver) Unaffected: 5.15.186 , ≤ 5.15.* (semver) Unaffected: 6.1.142 , ≤ 6.1.* (semver) Unaffected: 6.6.95 , ≤ 6.6.* (semver) Unaffected: 6.12.35 , ≤ 6.12.* (semver) Unaffected: 6.15.4 , ≤ 6.15.* (semver) Unaffected: 6.16 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:36:37.143Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/block/aoe/aoedev.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "ed52e9652ba41d362e9ec923077f6da23336f269",
              "status": "affected",
              "version": "3582dd291788e9441c3ba9047e55089edb98da5c",
              "versionType": "git"
            },
            {
              "lessThan": "64fc0bad62ed38874131dd0337d844a43bd1017e",
              "status": "affected",
              "version": "3582dd291788e9441c3ba9047e55089edb98da5c",
              "versionType": "git"
            },
            {
              "lessThan": "ef0b5bbbed7f220db2e9c73428f9a36e8dfc69ca",
              "status": "affected",
              "version": "3582dd291788e9441c3ba9047e55089edb98da5c",
              "versionType": "git"
            },
            {
              "lessThan": "531aef4a1accb13b21a3b82ec29955f4733367d5",
              "status": "affected",
              "version": "3582dd291788e9441c3ba9047e55089edb98da5c",
              "versionType": "git"
            },
            {
              "lessThan": "8662ac79a63488e279b91c12a72b02bc0dc49f7b",
              "status": "affected",
              "version": "3582dd291788e9441c3ba9047e55089edb98da5c",
              "versionType": "git"
            },
            {
              "lessThan": "fa2a79f0da92614c5dc45c8b3d2638681c7734ee",
              "status": "affected",
              "version": "3582dd291788e9441c3ba9047e55089edb98da5c",
              "versionType": "git"
            },
            {
              "lessThan": "00be74e1470af292c37a438b8e69dee47dcbf481",
              "status": "affected",
              "version": "3582dd291788e9441c3ba9047e55089edb98da5c",
              "versionType": "git"
            },
            {
              "lessThan": "7f90d45e57cb2ef1f0adcaf925ddffdfc5e680ca",
              "status": "affected",
              "version": "3582dd291788e9441c3ba9047e55089edb98da5c",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/block/aoe/aoedev.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.20"
            },
            {
              "lessThan": "4.20",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.295",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.239",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.186",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.142",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.95",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.35",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.295",
                  "versionStartIncluding": "4.20",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.239",
                  "versionStartIncluding": "4.20",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.186",
                  "versionStartIncluding": "4.20",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.142",
                  "versionStartIncluding": "4.20",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.95",
                  "versionStartIncluding": "4.20",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.35",
                  "versionStartIncluding": "4.20",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.4",
                  "versionStartIncluding": "4.20",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "4.20",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\naoe: clean device rq_list in aoedev_downdev()\n\nAn aoe device\u0027s rq_list contains accepted block requests that are\nwaiting to be transmitted to the aoe target. This queue was added as\npart of the conversion to blk_mq. However, the queue was not cleaned out\nwhen an aoe device is downed which caused blk_mq_freeze_queue() to sleep\nindefinitely waiting for those requests to complete, causing a hang. This\nfix cleans out the queue before calling blk_mq_freeze_queue()."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T21:25:49.354Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/ed52e9652ba41d362e9ec923077f6da23336f269"
        },
        {
          "url": "https://git.kernel.org/stable/c/64fc0bad62ed38874131dd0337d844a43bd1017e"
        },
        {
          "url": "https://git.kernel.org/stable/c/ef0b5bbbed7f220db2e9c73428f9a36e8dfc69ca"
        },
        {
          "url": "https://git.kernel.org/stable/c/531aef4a1accb13b21a3b82ec29955f4733367d5"
        },
        {
          "url": "https://git.kernel.org/stable/c/8662ac79a63488e279b91c12a72b02bc0dc49f7b"
        },
        {
          "url": "https://git.kernel.org/stable/c/fa2a79f0da92614c5dc45c8b3d2638681c7734ee"
        },
        {
          "url": "https://git.kernel.org/stable/c/00be74e1470af292c37a438b8e69dee47dcbf481"
        },
        {
          "url": "https://git.kernel.org/stable/c/7f90d45e57cb2ef1f0adcaf925ddffdfc5e680ca"
        }
      ],
      "title": "aoe: clean device rq_list in aoedev_downdev()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38326",
    "datePublished": "2025-07-10T08:15:00.752Z",
    "dateReserved": "2025-04-16T04:51:24.004Z",
    "dateUpdated": "2026-05-11T21:25:49.354Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38328 (GCVE-0-2025-38328)

Vulnerability from cvelistv5 – Published: 2025-07-10 08:15 – Updated: 2026-05-11 21:25

Title

jffs2: check jffs2_prealloc_raw_node_refs() result in few other places

Summary

In the Linux kernel, the following vulnerability has been resolved: jffs2: check jffs2_prealloc_raw_node_refs() result in few other places Fuzzing hit another invalid pointer dereference due to the lack of checking whether jffs2_prealloc_raw_node_refs() completed successfully. Subsequent logic implies that the node refs have been allocated. Handle that. The code is ready for propagating the error upwards. KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f] CPU: 1 PID: 5835 Comm: syz-executor145 Not tainted 5.10.234-syzkaller #0 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014 RIP: 0010:jffs2_link_node_ref+0xac/0x690 fs/jffs2/nodelist.c:600 Call Trace: jffs2_mark_erased_block fs/jffs2/erase.c:460 [inline] jffs2_erase_pending_blocks+0x688/0x1860 fs/jffs2/erase.c:118 jffs2_garbage_collect_pass+0x638/0x1a00 fs/jffs2/gc.c:253 jffs2_reserve_space+0x3f4/0xad0 fs/jffs2/nodemgmt.c:167 jffs2_write_inode_range+0x246/0xb50 fs/jffs2/write.c:362 jffs2_write_end+0x712/0x1110 fs/jffs2/file.c:302 generic_perform_write+0x2c2/0x500 mm/filemap.c:3347 __generic_file_write_iter+0x252/0x610 mm/filemap.c:3465 generic_file_write_iter+0xdb/0x230 mm/filemap.c:3497 call_write_iter include/linux/fs.h:2039 [inline] do_iter_readv_writev+0x46d/0x750 fs/read_write.c:740 do_iter_write+0x18c/0x710 fs/read_write.c:866 vfs_writev+0x1db/0x6a0 fs/read_write.c:939 do_pwritev fs/read_write.c:1036 [inline] __do_sys_pwritev fs/read_write.c:1083 [inline] __se_sys_pwritev fs/read_write.c:1078 [inline] __x64_sys_pwritev+0x235/0x310 fs/read_write.c:1078 do_syscall_64+0x30/0x40 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x67/0xd1 Found by Linux Verification Center (linuxtesting.org) with Syzkaller.

Severity

No CVSS data available.

Assigner

Linux

References

10 references

URL	Tags
https://git.kernel.org/stable/c/7e860296d7808de1d…
https://git.kernel.org/stable/c/d96e6451a8d0fe624…
https://git.kernel.org/stable/c/f41c625328777f9ad…
https://git.kernel.org/stable/c/38d767fb4a7766ec2…
https://git.kernel.org/stable/c/cd42ddddd70abc712…
https://git.kernel.org/stable/c/d1b81776f337a9b99…
https://git.kernel.org/stable/c/042fa922c84b50804…
https://git.kernel.org/stable/c/2b6d96503255a3ed6…
https://lists.debian.org/debian-lts-announce/2025…
https://lists.debian.org/debian-lts-announce/2025…

Impacted products

2 products

Vendor	Product	Version
Linux	Linux	Affected: 2f785402f39b96a077b6e62bf26164bfb8e0c980 , < 7e860296d7808de1db175c1eda29f94a2955dcc4 (git) Affected: 2f785402f39b96a077b6e62bf26164bfb8e0c980 , < d96e6451a8d0fe62492d4cc942d695772293c05a (git) Affected: 2f785402f39b96a077b6e62bf26164bfb8e0c980 , < f41c625328777f9ad572901ba0b0065bb9c9c1da (git) Affected: 2f785402f39b96a077b6e62bf26164bfb8e0c980 , < 38d767fb4a7766ec2058f97787e4c6e8d10343d6 (git) Affected: 2f785402f39b96a077b6e62bf26164bfb8e0c980 , < cd42ddddd70abc7127c12b96c8c85dbd080ea56f (git) Affected: 2f785402f39b96a077b6e62bf26164bfb8e0c980 , < d1b81776f337a9b997f797c70ac0a26d838a2168 (git) Affected: 2f785402f39b96a077b6e62bf26164bfb8e0c980 , < 042fa922c84b5080401bcd8897d4ac4919d15075 (git) Affected: 2f785402f39b96a077b6e62bf26164bfb8e0c980 , < 2b6d96503255a3ed676cd70f8368870c6d6a25c6 (git)
Linux	Linux	Affected: 2.6.18 Unaffected: 0 , < 2.6.18 (semver) Unaffected: 5.4.295 , ≤ 5.4.* (semver) Unaffected: 5.10.239 , ≤ 5.10.* (semver) Unaffected: 5.15.186 , ≤ 5.15.* (semver) Unaffected: 6.1.142 , ≤ 6.1.* (semver) Unaffected: 6.6.95 , ≤ 6.6.* (semver) Unaffected: 6.12.35 , ≤ 6.12.* (semver) Unaffected: 6.15.4 , ≤ 6.15.* (semver) Unaffected: 6.16 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:36:39.057Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/jffs2/erase.c",
            "fs/jffs2/scan.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "7e860296d7808de1db175c1eda29f94a2955dcc4",
              "status": "affected",
              "version": "2f785402f39b96a077b6e62bf26164bfb8e0c980",
              "versionType": "git"
            },
            {
              "lessThan": "d96e6451a8d0fe62492d4cc942d695772293c05a",
              "status": "affected",
              "version": "2f785402f39b96a077b6e62bf26164bfb8e0c980",
              "versionType": "git"
            },
            {
              "lessThan": "f41c625328777f9ad572901ba0b0065bb9c9c1da",
              "status": "affected",
              "version": "2f785402f39b96a077b6e62bf26164bfb8e0c980",
              "versionType": "git"
            },
            {
              "lessThan": "38d767fb4a7766ec2058f97787e4c6e8d10343d6",
              "status": "affected",
              "version": "2f785402f39b96a077b6e62bf26164bfb8e0c980",
              "versionType": "git"
            },
            {
              "lessThan": "cd42ddddd70abc7127c12b96c8c85dbd080ea56f",
              "status": "affected",
              "version": "2f785402f39b96a077b6e62bf26164bfb8e0c980",
              "versionType": "git"
            },
            {
              "lessThan": "d1b81776f337a9b997f797c70ac0a26d838a2168",
              "status": "affected",
              "version": "2f785402f39b96a077b6e62bf26164bfb8e0c980",
              "versionType": "git"
            },
            {
              "lessThan": "042fa922c84b5080401bcd8897d4ac4919d15075",
              "status": "affected",
              "version": "2f785402f39b96a077b6e62bf26164bfb8e0c980",
              "versionType": "git"
            },
            {
              "lessThan": "2b6d96503255a3ed676cd70f8368870c6d6a25c6",
              "status": "affected",
              "version": "2f785402f39b96a077b6e62bf26164bfb8e0c980",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/jffs2/erase.c",
            "fs/jffs2/scan.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.18"
            },
            {
              "lessThan": "2.6.18",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.295",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.239",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.186",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.142",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.95",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.35",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.295",
                  "versionStartIncluding": "2.6.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.239",
                  "versionStartIncluding": "2.6.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.186",
                  "versionStartIncluding": "2.6.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.142",
                  "versionStartIncluding": "2.6.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.95",
                  "versionStartIncluding": "2.6.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.35",
                  "versionStartIncluding": "2.6.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.4",
                  "versionStartIncluding": "2.6.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "2.6.18",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\njffs2: check jffs2_prealloc_raw_node_refs() result in few other places\n\nFuzzing hit another invalid pointer dereference due to the lack of\nchecking whether jffs2_prealloc_raw_node_refs() completed successfully.\nSubsequent logic implies that the node refs have been allocated.\n\nHandle that. The code is ready for propagating the error upwards.\n\nKASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]\nCPU: 1 PID: 5835 Comm: syz-executor145 Not tainted 5.10.234-syzkaller #0\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014\nRIP: 0010:jffs2_link_node_ref+0xac/0x690 fs/jffs2/nodelist.c:600\nCall Trace:\n jffs2_mark_erased_block fs/jffs2/erase.c:460 [inline]\n jffs2_erase_pending_blocks+0x688/0x1860 fs/jffs2/erase.c:118\n jffs2_garbage_collect_pass+0x638/0x1a00 fs/jffs2/gc.c:253\n jffs2_reserve_space+0x3f4/0xad0 fs/jffs2/nodemgmt.c:167\n jffs2_write_inode_range+0x246/0xb50 fs/jffs2/write.c:362\n jffs2_write_end+0x712/0x1110 fs/jffs2/file.c:302\n generic_perform_write+0x2c2/0x500 mm/filemap.c:3347\n __generic_file_write_iter+0x252/0x610 mm/filemap.c:3465\n generic_file_write_iter+0xdb/0x230 mm/filemap.c:3497\n call_write_iter include/linux/fs.h:2039 [inline]\n do_iter_readv_writev+0x46d/0x750 fs/read_write.c:740\n do_iter_write+0x18c/0x710 fs/read_write.c:866\n vfs_writev+0x1db/0x6a0 fs/read_write.c:939\n do_pwritev fs/read_write.c:1036 [inline]\n __do_sys_pwritev fs/read_write.c:1083 [inline]\n __se_sys_pwritev fs/read_write.c:1078 [inline]\n __x64_sys_pwritev+0x235/0x310 fs/read_write.c:1078\n do_syscall_64+0x30/0x40 arch/x86/entry/common.c:46\n entry_SYSCALL_64_after_hwframe+0x67/0xd1\n\nFound by Linux Verification Center (linuxtesting.org) with Syzkaller."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T21:25:51.761Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/7e860296d7808de1db175c1eda29f94a2955dcc4"
        },
        {
          "url": "https://git.kernel.org/stable/c/d96e6451a8d0fe62492d4cc942d695772293c05a"
        },
        {
          "url": "https://git.kernel.org/stable/c/f41c625328777f9ad572901ba0b0065bb9c9c1da"
        },
        {
          "url": "https://git.kernel.org/stable/c/38d767fb4a7766ec2058f97787e4c6e8d10343d6"
        },
        {
          "url": "https://git.kernel.org/stable/c/cd42ddddd70abc7127c12b96c8c85dbd080ea56f"
        },
        {
          "url": "https://git.kernel.org/stable/c/d1b81776f337a9b997f797c70ac0a26d838a2168"
        },
        {
          "url": "https://git.kernel.org/stable/c/042fa922c84b5080401bcd8897d4ac4919d15075"
        },
        {
          "url": "https://git.kernel.org/stable/c/2b6d96503255a3ed676cd70f8368870c6d6a25c6"
        }
      ],
      "title": "jffs2: check jffs2_prealloc_raw_node_refs() result in few other places",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38328",
    "datePublished": "2025-07-10T08:15:02.296Z",
    "dateReserved": "2025-04-16T04:51:24.004Z",
    "dateUpdated": "2026-05-11T21:25:51.761Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38331 (GCVE-0-2025-38331)

Vulnerability from cvelistv5 – Published: 2025-07-10 08:15 – Updated: 2026-05-11 21:25

Title

net: ethernet: cortina: Use TOE/TSO on all TCP

Summary

In the Linux kernel, the following vulnerability has been resolved: net: ethernet: cortina: Use TOE/TSO on all TCP It is desireable to push the hardware accelerator to also process non-segmented TCP frames: we pass the skb->len to the "TOE/TSO" offloader and it will handle them. Without this quirk the driver becomes unstable and lock up and and crash. I do not know exactly why, but it is probably due to the TOE (TCP offload engine) feature that is coupled with the segmentation feature - it is not possible to turn one part off and not the other, either both TOE and TSO are active, or neither of them. Not having the TOE part active seems detrimental, as if that hardware feature is not really supposed to be turned off. The datasheet says: "Based on packet parsing and TCP connection/NAT table lookup results, the NetEngine puts the packets belonging to the same TCP connection to the same queue for the software to process. The NetEngine puts incoming packets to the buffer or series of buffers for a jumbo packet. With this hardware acceleration, IP/TCP header parsing, checksum validation and connection lookup are offloaded from the software processing." After numerous tests with the hardware locking up after something between minutes and hours depending on load using iperf3 I have concluded this is necessary to stabilize the hardware.

Severity

No CVSS data available.

Assigner

Linux

References

6 references

URL	Tags
https://git.kernel.org/stable/c/1b503b790109d1971…
https://git.kernel.org/stable/c/a37888a435b073712…
https://git.kernel.org/stable/c/2bd434bb0eeb680c2…
https://git.kernel.org/stable/c/ebe12e232f1d58ebb…
https://git.kernel.org/stable/c/6a07e3af4973402fa…
https://lists.debian.org/debian-lts-announce/2025…

Impacted products

2 products

Vendor	Product	Version
Linux	Linux	Affected: 4d5ae32f5e1e13f7f36d6439ec3257993b9f5b88 , < 1b503b790109d19710ec83c589c3ee59e95347ec (git) Affected: 4d5ae32f5e1e13f7f36d6439ec3257993b9f5b88 , < a37888a435b0737128d2d9c6f67b8d608f83df7a (git) Affected: 4d5ae32f5e1e13f7f36d6439ec3257993b9f5b88 , < 2bd434bb0eeb680c2b3dd6c68ca319b30cb8d47f (git) Affected: 4d5ae32f5e1e13f7f36d6439ec3257993b9f5b88 , < ebe12e232f1d58ebb4b53b6d9149962b707bed91 (git) Affected: 4d5ae32f5e1e13f7f36d6439ec3257993b9f5b88 , < 6a07e3af4973402fa199a80036c10060b922c92c (git)
Linux	Linux	Affected: 4.16 Unaffected: 0 , < 4.16 (semver) Unaffected: 6.1.142 , ≤ 6.1.* (semver) Unaffected: 6.6.95 , ≤ 6.6.* (semver) Unaffected: 6.12.35 , ≤ 6.12.* (semver) Unaffected: 6.15.4 , ≤ 6.15.* (semver) Unaffected: 6.16 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:36:39.991Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/cortina/gemini.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "1b503b790109d19710ec83c589c3ee59e95347ec",
              "status": "affected",
              "version": "4d5ae32f5e1e13f7f36d6439ec3257993b9f5b88",
              "versionType": "git"
            },
            {
              "lessThan": "a37888a435b0737128d2d9c6f67b8d608f83df7a",
              "status": "affected",
              "version": "4d5ae32f5e1e13f7f36d6439ec3257993b9f5b88",
              "versionType": "git"
            },
            {
              "lessThan": "2bd434bb0eeb680c2b3dd6c68ca319b30cb8d47f",
              "status": "affected",
              "version": "4d5ae32f5e1e13f7f36d6439ec3257993b9f5b88",
              "versionType": "git"
            },
            {
              "lessThan": "ebe12e232f1d58ebb4b53b6d9149962b707bed91",
              "status": "affected",
              "version": "4d5ae32f5e1e13f7f36d6439ec3257993b9f5b88",
              "versionType": "git"
            },
            {
              "lessThan": "6a07e3af4973402fa199a80036c10060b922c92c",
              "status": "affected",
              "version": "4d5ae32f5e1e13f7f36d6439ec3257993b9f5b88",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/cortina/gemini.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.16"
            },
            {
              "lessThan": "4.16",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.142",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.95",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.35",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.142",
                  "versionStartIncluding": "4.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.95",
                  "versionStartIncluding": "4.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.35",
                  "versionStartIncluding": "4.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.4",
                  "versionStartIncluding": "4.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "4.16",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ethernet: cortina: Use TOE/TSO on all TCP\n\nIt is desireable to push the hardware accelerator to also\nprocess non-segmented TCP frames: we pass the skb-\u003elen\nto the \"TOE/TSO\" offloader and it will handle them.\n\nWithout this quirk the driver becomes unstable and lock\nup and and crash.\n\nI do not know exactly why, but it is probably due to the\nTOE (TCP offload engine) feature that is coupled with the\nsegmentation feature - it is not possible to turn one\npart off and not the other, either both TOE and TSO are\nactive, or neither of them.\n\nNot having the TOE part active seems detrimental, as if\nthat hardware feature is not really supposed to be turned\noff.\n\nThe datasheet says:\n\n  \"Based on packet parsing and TCP connection/NAT table\n   lookup results, the NetEngine puts the packets\n   belonging to the same TCP connection to the same queue\n   for the software to process. The NetEngine puts\n   incoming packets to the buffer or series of buffers\n   for a jumbo packet. With this hardware acceleration,\n   IP/TCP header parsing, checksum validation and\n   connection lookup are offloaded from the software\n   processing.\"\n\nAfter numerous tests with the hardware locking up after\nsomething between minutes and hours depending on load\nusing iperf3 I have concluded this is necessary to stabilize\nthe hardware."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T21:25:55.198Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/1b503b790109d19710ec83c589c3ee59e95347ec"
        },
        {
          "url": "https://git.kernel.org/stable/c/a37888a435b0737128d2d9c6f67b8d608f83df7a"
        },
        {
          "url": "https://git.kernel.org/stable/c/2bd434bb0eeb680c2b3dd6c68ca319b30cb8d47f"
        },
        {
          "url": "https://git.kernel.org/stable/c/ebe12e232f1d58ebb4b53b6d9149962b707bed91"
        },
        {
          "url": "https://git.kernel.org/stable/c/6a07e3af4973402fa199a80036c10060b922c92c"
        }
      ],
      "title": "net: ethernet: cortina: Use TOE/TSO on all TCP",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38331",
    "datePublished": "2025-07-10T08:15:04.436Z",
    "dateReserved": "2025-04-16T04:51:24.005Z",
    "dateUpdated": "2026-05-11T21:25:55.198Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38332 (GCVE-0-2025-38332)

Vulnerability from cvelistv5 – Published: 2025-07-10 08:15 – Updated: 2026-05-11 21:25

Title

scsi: lpfc: Use memcpy() for BIOS version

Summary

In the Linux kernel, the following vulnerability has been resolved: scsi: lpfc: Use memcpy() for BIOS version The strlcat() with FORTIFY support is triggering a panic because it thinks the target buffer will overflow although the correct target buffer size is passed in. Anyway, instead of memset() with 0 followed by a strlcat(), just use memcpy() and ensure that the resulting buffer is NULL terminated. BIOSVersion is only used for the lpfc_printf_log() which expects a properly terminated string.

Severity

No CVSS data available.

Assigner

Linux

References

10 references

URL	Tags
https://git.kernel.org/stable/c/ac7bfaa099ec3e4d7…
https://git.kernel.org/stable/c/b699bda5db818b684…
https://git.kernel.org/stable/c/d34f2384d6df11a6c…
https://git.kernel.org/stable/c/75ea8375c5a83f46c…
https://git.kernel.org/stable/c/34c0a670556b24d36…
https://git.kernel.org/stable/c/2f63bf0d2b146956a…
https://git.kernel.org/stable/c/003baa7a1a152576d…
https://git.kernel.org/stable/c/ae82eaf4aeea060bb…
https://lists.debian.org/debian-lts-announce/2025…
https://lists.debian.org/debian-lts-announce/2025…

Impacted products

2 products

Vendor	Product	Version
Linux	Linux	Affected: b3b4f3e1d575fe142fd437158425c2359b695ff1 , < ac7bfaa099ec3e4d7dfd0ab9726fc3bc7911365d (git) Affected: b3b4f3e1d575fe142fd437158425c2359b695ff1 , < b699bda5db818b684ff62d140defd6394f38f3d6 (git) Affected: b3b4f3e1d575fe142fd437158425c2359b695ff1 , < d34f2384d6df11a6c67039b612c2437f46e587e8 (git) Affected: b3b4f3e1d575fe142fd437158425c2359b695ff1 , < 75ea8375c5a83f46c47bfb3de6217c7589a8df93 (git) Affected: b3b4f3e1d575fe142fd437158425c2359b695ff1 , < 34c0a670556b24d36c9f8934227edb819ca5609e (git) Affected: b3b4f3e1d575fe142fd437158425c2359b695ff1 , < 2f63bf0d2b146956a2f2ff3b25cee71019e64561 (git) Affected: b3b4f3e1d575fe142fd437158425c2359b695ff1 , < 003baa7a1a152576d744bd655820449bbdb0248e (git) Affected: b3b4f3e1d575fe142fd437158425c2359b695ff1 , < ae82eaf4aeea060bb736c3e20c0568b67c701d7d (git)
Linux	Linux	Affected: 5.2 Unaffected: 0 , < 5.2 (semver) Unaffected: 5.4.295 , ≤ 5.4.* (semver) Unaffected: 5.10.239 , ≤ 5.10.* (semver) Unaffected: 5.15.186 , ≤ 5.15.* (semver) Unaffected: 6.1.142 , ≤ 6.1.* (semver) Unaffected: 6.6.95 , ≤ 6.6.* (semver) Unaffected: 6.12.35 , ≤ 6.12.* (semver) Unaffected: 6.15.4 , ≤ 6.15.* (semver) Unaffected: 6.16 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:36:41.860Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/scsi/lpfc/lpfc_sli.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "ac7bfaa099ec3e4d7dfd0ab9726fc3bc7911365d",
              "status": "affected",
              "version": "b3b4f3e1d575fe142fd437158425c2359b695ff1",
              "versionType": "git"
            },
            {
              "lessThan": "b699bda5db818b684ff62d140defd6394f38f3d6",
              "status": "affected",
              "version": "b3b4f3e1d575fe142fd437158425c2359b695ff1",
              "versionType": "git"
            },
            {
              "lessThan": "d34f2384d6df11a6c67039b612c2437f46e587e8",
              "status": "affected",
              "version": "b3b4f3e1d575fe142fd437158425c2359b695ff1",
              "versionType": "git"
            },
            {
              "lessThan": "75ea8375c5a83f46c47bfb3de6217c7589a8df93",
              "status": "affected",
              "version": "b3b4f3e1d575fe142fd437158425c2359b695ff1",
              "versionType": "git"
            },
            {
              "lessThan": "34c0a670556b24d36c9f8934227edb819ca5609e",
              "status": "affected",
              "version": "b3b4f3e1d575fe142fd437158425c2359b695ff1",
              "versionType": "git"
            },
            {
              "lessThan": "2f63bf0d2b146956a2f2ff3b25cee71019e64561",
              "status": "affected",
              "version": "b3b4f3e1d575fe142fd437158425c2359b695ff1",
              "versionType": "git"
            },
            {
              "lessThan": "003baa7a1a152576d744bd655820449bbdb0248e",
              "status": "affected",
              "version": "b3b4f3e1d575fe142fd437158425c2359b695ff1",
              "versionType": "git"
            },
            {
              "lessThan": "ae82eaf4aeea060bb736c3e20c0568b67c701d7d",
              "status": "affected",
              "version": "b3b4f3e1d575fe142fd437158425c2359b695ff1",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/scsi/lpfc/lpfc_sli.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.2"
            },
            {
              "lessThan": "5.2",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.295",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.239",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.186",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.142",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.95",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.35",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.295",
                  "versionStartIncluding": "5.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.239",
                  "versionStartIncluding": "5.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.186",
                  "versionStartIncluding": "5.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.142",
                  "versionStartIncluding": "5.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.95",
                  "versionStartIncluding": "5.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.35",
                  "versionStartIncluding": "5.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.4",
                  "versionStartIncluding": "5.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "5.2",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: lpfc: Use memcpy() for BIOS version\n\nThe strlcat() with FORTIFY support is triggering a panic because it\nthinks the target buffer will overflow although the correct target\nbuffer size is passed in.\n\nAnyway, instead of memset() with 0 followed by a strlcat(), just use\nmemcpy() and ensure that the resulting buffer is NULL terminated.\n\nBIOSVersion is only used for the lpfc_printf_log() which expects a\nproperly terminated string."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T21:25:56.334Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/ac7bfaa099ec3e4d7dfd0ab9726fc3bc7911365d"
        },
        {
          "url": "https://git.kernel.org/stable/c/b699bda5db818b684ff62d140defd6394f38f3d6"
        },
        {
          "url": "https://git.kernel.org/stable/c/d34f2384d6df11a6c67039b612c2437f46e587e8"
        },
        {
          "url": "https://git.kernel.org/stable/c/75ea8375c5a83f46c47bfb3de6217c7589a8df93"
        },
        {
          "url": "https://git.kernel.org/stable/c/34c0a670556b24d36c9f8934227edb819ca5609e"
        },
        {
          "url": "https://git.kernel.org/stable/c/2f63bf0d2b146956a2f2ff3b25cee71019e64561"
        },
        {
          "url": "https://git.kernel.org/stable/c/003baa7a1a152576d744bd655820449bbdb0248e"
        },
        {
          "url": "https://git.kernel.org/stable/c/ae82eaf4aeea060bb736c3e20c0568b67c701d7d"
        }
      ],
      "title": "scsi: lpfc: Use memcpy() for BIOS version",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38332",
    "datePublished": "2025-07-10T08:15:05.102Z",
    "dateReserved": "2025-04-16T04:51:24.005Z",
    "dateUpdated": "2026-05-11T21:25:56.334Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38334 (GCVE-0-2025-38334)

Vulnerability from cvelistv5 – Published: 2025-07-10 08:15 – Updated: 2026-05-11 21:25

Title

x86/sgx: Prevent attempts to reclaim poisoned pages

Summary

In the Linux kernel, the following vulnerability has been resolved: x86/sgx: Prevent attempts to reclaim poisoned pages TL;DR: SGX page reclaim touches the page to copy its contents to secondary storage. SGX instructions do not gracefully handle machine checks. Despite this, the existing SGX code will try to reclaim pages that it _knows_ are poisoned. Avoid even trying to reclaim poisoned pages. The longer story: Pages used by an enclave only get epc_page->poison set in arch_memory_failure() but they currently stay on sgx_active_page_list until sgx_encl_release(), with the SGX_EPC_PAGE_RECLAIMER_TRACKED flag untouched. epc_page->poison is not checked in the reclaimer logic meaning that, if other conditions are met, an attempt will be made to reclaim an EPC page that was poisoned. This is bad because 1. we don't want that page to end up added to another enclave and 2. it is likely to cause one core to shut down and the kernel to panic. Specifically, reclaiming uses microcode operations including "EWB" which accesses the EPC page contents to encrypt and write them out to non-SGX memory. Those operations cannot handle MCEs in their accesses other than by putting the executing core into a special shutdown state (affecting both threads with HT.) The kernel will subsequently panic on the remaining cores seeing the core didn't enter MCE handler(s) in time. Call sgx_unmark_page_reclaimable() to remove the affected EPC page from sgx_active_page_list on memory error to stop it being considered for reclaiming. Testing epc_page->poison in sgx_reclaim_pages() would also work but I assume it's better to add code in the less likely paths. The affected EPC page is not added to &node->sgx_poison_page_list until later in sgx_encl_release()->sgx_free_epc_page() when it is EREMOVEd. Membership on other lists doesn't change to avoid changing any of the lists' semantics except for sgx_active_page_list. There's a "TBD" comment in arch_memory_failure() about pre-emptive actions, the goal here is not to address everything that it may imply. This also doesn't completely close the time window when a memory error notification will be fatal (for a not previously poisoned EPC page) -- the MCE can happen after sgx_reclaim_pages() has selected its candidates or even *inside* a microcode operation (actually easy to trigger due to the amount of time spent in them.) The spinlock in sgx_unmark_page_reclaimable() is safe because memory_failure() runs in process context and no spinlocks are held, explicitly noted in a mm/memory-failure.c comment.

Severity

No CVSS data available.

Assigner

Linux

References

6 references

URL	Tags
https://git.kernel.org/stable/c/00a88e9ea1b170d57…
https://git.kernel.org/stable/c/62b62a2a6dc51ed6e…
https://git.kernel.org/stable/c/dc5de5bd6deabd327…
https://git.kernel.org/stable/c/31dcbac94bfeabb86…
https://git.kernel.org/stable/c/ed16618c380c32c68…
https://lists.debian.org/debian-lts-announce/2025…

Impacted products

2 products

Vendor	Product	Version
Linux	Linux	Affected: 70d3b8ddcd20d3c859676f56c43c7b2360c70266 , < 00a88e9ea1b170d579c56327c38f7e8cf689df87 (git) Affected: 70d3b8ddcd20d3c859676f56c43c7b2360c70266 , < 62b62a2a6dc51ed6e8e334861f04220c9cf8106a (git) Affected: 70d3b8ddcd20d3c859676f56c43c7b2360c70266 , < dc5de5bd6deabd327ced2b2b1d0b4f14cd146afe (git) Affected: 70d3b8ddcd20d3c859676f56c43c7b2360c70266 , < 31dcbac94bfeabb86bf85b0c36803fdd6536437b (git) Affected: 70d3b8ddcd20d3c859676f56c43c7b2360c70266 , < ed16618c380c32c68c06186d0ccbb0d5e0586e59 (git)
Linux	Linux	Affected: 5.11 Unaffected: 0 , < 5.11 (semver) Unaffected: 6.1.142 , ≤ 6.1.* (semver) Unaffected: 6.6.95 , ≤ 6.6.* (semver) Unaffected: 6.12.35 , ≤ 6.12.* (semver) Unaffected: 6.15.4 , ≤ 6.15.* (semver) Unaffected: 6.16 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:36:42.808Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "arch/x86/kernel/cpu/sgx/main.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "00a88e9ea1b170d579c56327c38f7e8cf689df87",
              "status": "affected",
              "version": "70d3b8ddcd20d3c859676f56c43c7b2360c70266",
              "versionType": "git"
            },
            {
              "lessThan": "62b62a2a6dc51ed6e8e334861f04220c9cf8106a",
              "status": "affected",
              "version": "70d3b8ddcd20d3c859676f56c43c7b2360c70266",
              "versionType": "git"
            },
            {
              "lessThan": "dc5de5bd6deabd327ced2b2b1d0b4f14cd146afe",
              "status": "affected",
              "version": "70d3b8ddcd20d3c859676f56c43c7b2360c70266",
              "versionType": "git"
            },
            {
              "lessThan": "31dcbac94bfeabb86bf85b0c36803fdd6536437b",
              "status": "affected",
              "version": "70d3b8ddcd20d3c859676f56c43c7b2360c70266",
              "versionType": "git"
            },
            {
              "lessThan": "ed16618c380c32c68c06186d0ccbb0d5e0586e59",
              "status": "affected",
              "version": "70d3b8ddcd20d3c859676f56c43c7b2360c70266",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "arch/x86/kernel/cpu/sgx/main.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.11"
            },
            {
              "lessThan": "5.11",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.142",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.95",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.35",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.142",
                  "versionStartIncluding": "5.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.95",
                  "versionStartIncluding": "5.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.35",
                  "versionStartIncluding": "5.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.4",
                  "versionStartIncluding": "5.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "5.11",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/sgx: Prevent attempts to reclaim poisoned pages\n\nTL;DR: SGX page reclaim touches the page to copy its contents to\nsecondary storage. SGX instructions do not gracefully handle machine\nchecks. Despite this, the existing SGX code will try to reclaim pages\nthat it _knows_ are poisoned. Avoid even trying to reclaim poisoned pages.\n\nThe longer story:\n\nPages used by an enclave only get epc_page-\u003epoison set in\narch_memory_failure() but they currently stay on sgx_active_page_list until\nsgx_encl_release(), with the SGX_EPC_PAGE_RECLAIMER_TRACKED flag untouched.\n\nepc_page-\u003epoison is not checked in the reclaimer logic meaning that, if other\nconditions are met, an attempt will be made to reclaim an EPC page that was\npoisoned.  This is bad because 1. we don\u0027t want that page to end up added\nto another enclave and 2. it is likely to cause one core to shut down\nand the kernel to panic.\n\nSpecifically, reclaiming uses microcode operations including \"EWB\" which\naccesses the EPC page contents to encrypt and write them out to non-SGX\nmemory.  Those operations cannot handle MCEs in their accesses other than\nby putting the executing core into a special shutdown state (affecting\nboth threads with HT.)  The kernel will subsequently panic on the\nremaining cores seeing the core didn\u0027t enter MCE handler(s) in time.\n\nCall sgx_unmark_page_reclaimable() to remove the affected EPC page from\nsgx_active_page_list on memory error to stop it being considered for\nreclaiming.\n\nTesting epc_page-\u003epoison in sgx_reclaim_pages() would also work but I assume\nit\u0027s better to add code in the less likely paths.\n\nThe affected EPC page is not added to \u0026node-\u003esgx_poison_page_list until\nlater in sgx_encl_release()-\u003esgx_free_epc_page() when it is EREMOVEd.\nMembership on other lists doesn\u0027t change to avoid changing any of the\nlists\u0027 semantics except for sgx_active_page_list.  There\u0027s a \"TBD\" comment\nin arch_memory_failure() about pre-emptive actions, the goal here is not\nto address everything that it may imply.\n\nThis also doesn\u0027t completely close the time window when a memory error\nnotification will be fatal (for a not previously poisoned EPC page) --\nthe MCE can happen after sgx_reclaim_pages() has selected its candidates\nor even *inside* a microcode operation (actually easy to trigger due to\nthe amount of time spent in them.)\n\nThe spinlock in sgx_unmark_page_reclaimable() is safe because\nmemory_failure() runs in process context and no spinlocks are held,\nexplicitly noted in a mm/memory-failure.c comment."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T21:25:58.711Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/00a88e9ea1b170d579c56327c38f7e8cf689df87"
        },
        {
          "url": "https://git.kernel.org/stable/c/62b62a2a6dc51ed6e8e334861f04220c9cf8106a"
        },
        {
          "url": "https://git.kernel.org/stable/c/dc5de5bd6deabd327ced2b2b1d0b4f14cd146afe"
        },
        {
          "url": "https://git.kernel.org/stable/c/31dcbac94bfeabb86bf85b0c36803fdd6536437b"
        },
        {
          "url": "https://git.kernel.org/stable/c/ed16618c380c32c68c06186d0ccbb0d5e0586e59"
        }
      ],
      "title": "x86/sgx: Prevent attempts to reclaim poisoned pages",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38334",
    "datePublished": "2025-07-10T08:15:06.380Z",
    "dateReserved": "2025-04-16T04:51:24.005Z",
    "dateUpdated": "2026-05-11T21:25:58.711Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CERTFR-2025-AVI-0698

Solutions

CVE-2025-38313 (GCVE-0-2025-38313)

CVE-2025-38319 (GCVE-0-2025-38319)

CVE-2025-38320 (GCVE-0-2025-38320)

CVE-2025-38323 (GCVE-0-2025-38323)

CVE-2025-38324 (GCVE-0-2025-38324)

CVE-2025-38326 (GCVE-0-2025-38326)

CVE-2025-38328 (GCVE-0-2025-38328)

CVE-2025-38331 (GCVE-0-2025-38331)

CVE-2025-38332 (GCVE-0-2025-38332)

CVE-2025-38334 (GCVE-0-2025-38334)

Tags

Sightings

Nomenclature