Vulnerability-Lookup

CERTFR-2025-AVI-0698

Vulnerability from certfr_avis - Published: 2025-08-14 - Updated: 2025-08-14

De multiples vulnérabilités ont été découvertes dans le noyau Linux de Debian. Certaines d'entre elles permettent à un attaquant de provoquer une élévation de privilèges, une atteinte à la confidentialité des données et un déni de service.

Solutions

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

Impacted products

	Vendor	Product	Description
	Debian	Debian	Debian bookworm versions antérieures à 6.1.147-1
	Debian	Debian	Debian trixie versions antérieures à 6.12.41-1

References

Title

Publication Time

CVE-2025-37925 (GCVE-0-2025-37925)

Vulnerability from cvelistv5 – Published: 2025-04-18 07:01 – Updated: 2026-05-11 21:17

Title

jfs: reject on-disk inodes of an unsupported type

Summary

In the Linux kernel, the following vulnerability has been resolved: jfs: reject on-disk inodes of an unsupported type Syzbot has reported the following BUG: kernel BUG at fs/inode.c:668! Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI CPU: 3 UID: 0 PID: 139 Comm: jfsCommit Not tainted 6.12.0-rc4-syzkaller-00085-g4e46774408d9 #0 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-3.fc41 04/01/2014 RIP: 0010:clear_inode+0x168/0x190 Code: 4c 89 f7 e8 ba fe e5 ff e9 61 ff ff ff 44 89 f1 80 e1 07 80 c1 03 38 c1 7c c1 4c 89 f7 e8 90 ff e5 ff eb b7 0b e8 01 5d 7f ff 90 0f 0b e8 f9 5c 7f ff 90 0f 0b e8 f1 5c 7f RSP: 0018:ffffc900027dfae8 EFLAGS: 00010093 RAX: ffffffff82157a87 RBX: 0000000000000001 RCX: ffff888104d4b980 RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000000 RBP: ffffc900027dfc90 R08: ffffffff82157977 R09: fffff520004fbf38 R10: dffffc0000000000 R11: fffff520004fbf38 R12: dffffc0000000000 R13: ffff88811315bc00 R14: ffff88811315bda8 R15: ffff88811315bb80 FS: 0000000000000000(0000) GS:ffff888135f00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00005565222e0578 CR3: 0000000026ef0000 CR4: 00000000000006f0 Call Trace: <TASK> ? __die_body+0x5f/0xb0 ? die+0x9e/0xc0 ? do_trap+0x15a/0x3a0 ? clear_inode+0x168/0x190 ? do_error_trap+0x1dc/0x2c0 ? clear_inode+0x168/0x190 ? __pfx_do_error_trap+0x10/0x10 ? report_bug+0x3cd/0x500 ? handle_invalid_op+0x34/0x40 ? clear_inode+0x168/0x190 ? exc_invalid_op+0x38/0x50 ? asm_exc_invalid_op+0x1a/0x20 ? clear_inode+0x57/0x190 ? clear_inode+0x167/0x190 ? clear_inode+0x168/0x190 ? clear_inode+0x167/0x190 jfs_evict_inode+0xb5/0x440 ? __pfx_jfs_evict_inode+0x10/0x10 evict+0x4ea/0x9b0 ? __pfx_evict+0x10/0x10 ? iput+0x713/0xa50 txUpdateMap+0x931/0xb10 ? __pfx_txUpdateMap+0x10/0x10 jfs_lazycommit+0x49a/0xb80 ? _raw_spin_unlock_irqrestore+0x8f/0x140 ? lockdep_hardirqs_on+0x99/0x150 ? __pfx_jfs_lazycommit+0x10/0x10 ? __pfx_default_wake_function+0x10/0x10 ? __kthread_parkme+0x169/0x1d0 ? __pfx_jfs_lazycommit+0x10/0x10 kthread+0x2f2/0x390 ? __pfx_jfs_lazycommit+0x10/0x10 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x4d/0x80 ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1a/0x30 </TASK> This happens when 'clear_inode()' makes an attempt to finalize an underlying JFS inode of unknown type. According to JFS layout description from https://jfs.sourceforge.net/project/pub/jfslayout.pdf, inode types from 5 to 15 are reserved for future extensions and should not be encountered on a valid filesystem. So add an extra check for valid inode type in 'copy_from_dinode()'.

Severity

No CVSS data available.

Assigner

Linux

References

7 references

URL	Tags
https://git.kernel.org/stable/c/fa6ce4a9cc9fcc815…
https://git.kernel.org/stable/c/afc08b0b5587b5537…
https://git.kernel.org/stable/c/45fd8421081ec79e6…
https://git.kernel.org/stable/c/28419a4f3a1eeee33…
https://git.kernel.org/stable/c/8987891c4653874d5…
https://git.kernel.org/stable/c/8c3f9a70d2d4dd6c6…
https://lists.debian.org/debian-lts-announce/2025…

Impacted products

2 products

Vendor	Product	Version
Linux	Linux	Affected: 79ac5a46c5c1c17476fbf84b4d4600d6d565defd , < fa6ce4a9cc9fcc8150b80db6f65186c0ed2b3143 (git) Affected: 79ac5a46c5c1c17476fbf84b4d4600d6d565defd , < afc08b0b5587b553799bc375957706936a3e0088 (git) Affected: 79ac5a46c5c1c17476fbf84b4d4600d6d565defd , < 45fd8421081ec79e661e5f3ead2934fdbddb4287 (git) Affected: 79ac5a46c5c1c17476fbf84b4d4600d6d565defd , < 28419a4f3a1eeee33472a1b3856ae62aaa5a649b (git) Affected: 79ac5a46c5c1c17476fbf84b4d4600d6d565defd , < 8987891c4653874d5e3f5d11f063912f4e0b58eb (git) Affected: 79ac5a46c5c1c17476fbf84b4d4600d6d565defd , < 8c3f9a70d2d4dd6c640afe294b05c6a0a45434d9 (git)
Linux	Linux	Affected: 3.1 Unaffected: 0 , < 3.1 (semver) Unaffected: 5.15.190 , ≤ 5.15.* (semver) Unaffected: 6.1.148 , ≤ 6.1.* (semver) Unaffected: 6.6.101 , ≤ 6.6.* (semver) Unaffected: 6.12.41 , ≤ 6.12.* (semver) Unaffected: 6.14.2 , ≤ 6.14.* (semver) Unaffected: 6.15 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:32:38.928Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/jfs/jfs_imap.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "fa6ce4a9cc9fcc8150b80db6f65186c0ed2b3143",
              "status": "affected",
              "version": "79ac5a46c5c1c17476fbf84b4d4600d6d565defd",
              "versionType": "git"
            },
            {
              "lessThan": "afc08b0b5587b553799bc375957706936a3e0088",
              "status": "affected",
              "version": "79ac5a46c5c1c17476fbf84b4d4600d6d565defd",
              "versionType": "git"
            },
            {
              "lessThan": "45fd8421081ec79e661e5f3ead2934fdbddb4287",
              "status": "affected",
              "version": "79ac5a46c5c1c17476fbf84b4d4600d6d565defd",
              "versionType": "git"
            },
            {
              "lessThan": "28419a4f3a1eeee33472a1b3856ae62aaa5a649b",
              "status": "affected",
              "version": "79ac5a46c5c1c17476fbf84b4d4600d6d565defd",
              "versionType": "git"
            },
            {
              "lessThan": "8987891c4653874d5e3f5d11f063912f4e0b58eb",
              "status": "affected",
              "version": "79ac5a46c5c1c17476fbf84b4d4600d6d565defd",
              "versionType": "git"
            },
            {
              "lessThan": "8c3f9a70d2d4dd6c640afe294b05c6a0a45434d9",
              "status": "affected",
              "version": "79ac5a46c5c1c17476fbf84b4d4600d6d565defd",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/jfs/jfs_imap.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.1"
            },
            {
              "lessThan": "3.1",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.190",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.148",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.101",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.41",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.190",
                  "versionStartIncluding": "3.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.148",
                  "versionStartIncluding": "3.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.101",
                  "versionStartIncluding": "3.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.41",
                  "versionStartIncluding": "3.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.2",
                  "versionStartIncluding": "3.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "versionStartIncluding": "3.1",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\njfs: reject on-disk inodes of an unsupported type\n\nSyzbot has reported the following BUG:\n\nkernel BUG at fs/inode.c:668!\nOops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI\nCPU: 3 UID: 0 PID: 139 Comm: jfsCommit Not tainted 6.12.0-rc4-syzkaller-00085-g4e46774408d9 #0\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-3.fc41 04/01/2014\nRIP: 0010:clear_inode+0x168/0x190\nCode: 4c 89 f7 e8 ba fe e5 ff e9 61 ff ff ff 44 89 f1 80 e1 07 80 c1 03 38 c1 7c c1 4c 89 f7 e8 90 ff e5 ff eb b7\n 0b e8 01 5d 7f ff 90 0f 0b e8 f9 5c 7f ff 90 0f 0b e8 f1 5c 7f\nRSP: 0018:ffffc900027dfae8 EFLAGS: 00010093\nRAX: ffffffff82157a87 RBX: 0000000000000001 RCX: ffff888104d4b980\nRDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000000\nRBP: ffffc900027dfc90 R08: ffffffff82157977 R09: fffff520004fbf38\nR10: dffffc0000000000 R11: fffff520004fbf38 R12: dffffc0000000000\nR13: ffff88811315bc00 R14: ffff88811315bda8 R15: ffff88811315bb80\nFS:  0000000000000000(0000) GS:ffff888135f00000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00005565222e0578 CR3: 0000000026ef0000 CR4: 00000000000006f0\nCall Trace:\n \u003cTASK\u003e\n ? __die_body+0x5f/0xb0\n ? die+0x9e/0xc0\n ? do_trap+0x15a/0x3a0\n ? clear_inode+0x168/0x190\n ? do_error_trap+0x1dc/0x2c0\n ? clear_inode+0x168/0x190\n ? __pfx_do_error_trap+0x10/0x10\n ? report_bug+0x3cd/0x500\n ? handle_invalid_op+0x34/0x40\n ? clear_inode+0x168/0x190\n ? exc_invalid_op+0x38/0x50\n ? asm_exc_invalid_op+0x1a/0x20\n ? clear_inode+0x57/0x190\n ? clear_inode+0x167/0x190\n ? clear_inode+0x168/0x190\n ? clear_inode+0x167/0x190\n jfs_evict_inode+0xb5/0x440\n ? __pfx_jfs_evict_inode+0x10/0x10\n evict+0x4ea/0x9b0\n ? __pfx_evict+0x10/0x10\n ? iput+0x713/0xa50\n txUpdateMap+0x931/0xb10\n ? __pfx_txUpdateMap+0x10/0x10\n jfs_lazycommit+0x49a/0xb80\n ? _raw_spin_unlock_irqrestore+0x8f/0x140\n ? lockdep_hardirqs_on+0x99/0x150\n ? __pfx_jfs_lazycommit+0x10/0x10\n ? __pfx_default_wake_function+0x10/0x10\n ? __kthread_parkme+0x169/0x1d0\n ? __pfx_jfs_lazycommit+0x10/0x10\n kthread+0x2f2/0x390\n ? __pfx_jfs_lazycommit+0x10/0x10\n ? __pfx_kthread+0x10/0x10\n ret_from_fork+0x4d/0x80\n ? __pfx_kthread+0x10/0x10\n ret_from_fork_asm+0x1a/0x30\n \u003c/TASK\u003e\n\nThis happens when \u0027clear_inode()\u0027 makes an attempt to finalize an underlying\nJFS inode of unknown type. According to JFS layout description from\nhttps://jfs.sourceforge.net/project/pub/jfslayout.pdf, inode types from 5 to\n15 are reserved for future extensions and should not be encountered on a valid\nfilesystem. So add an extra check for valid inode type in \u0027copy_from_dinode()\u0027."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T21:17:45.703Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/fa6ce4a9cc9fcc8150b80db6f65186c0ed2b3143"
        },
        {
          "url": "https://git.kernel.org/stable/c/afc08b0b5587b553799bc375957706936a3e0088"
        },
        {
          "url": "https://git.kernel.org/stable/c/45fd8421081ec79e661e5f3ead2934fdbddb4287"
        },
        {
          "url": "https://git.kernel.org/stable/c/28419a4f3a1eeee33472a1b3856ae62aaa5a649b"
        },
        {
          "url": "https://git.kernel.org/stable/c/8987891c4653874d5e3f5d11f063912f4e0b58eb"
        },
        {
          "url": "https://git.kernel.org/stable/c/8c3f9a70d2d4dd6c640afe294b05c6a0a45434d9"
        }
      ],
      "title": "jfs: reject on-disk inodes of an unsupported type",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-37925",
    "datePublished": "2025-04-18T07:01:29.491Z",
    "dateReserved": "2025-04-16T04:51:23.969Z",
    "dateUpdated": "2026-05-11T21:17:45.703Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-37958 (GCVE-0-2025-37958)

Vulnerability from cvelistv5 – Published: 2025-05-20 16:01 – Updated: 2026-05-11 21:18

Title

mm/huge_memory: fix dereferencing invalid pmd migration entry

Summary

In the Linux kernel, the following vulnerability has been resolved: mm/huge_memory: fix dereferencing invalid pmd migration entry When migrating a THP, concurrent access to the PMD migration entry during a deferred split scan can lead to an invalid address access, as illustrated below. To prevent this invalid access, it is necessary to check the PMD migration entry and return early. In this context, there is no need to use pmd_to_swp_entry and pfn_swap_entry_to_page to verify the equality of the target folio. Since the PMD migration entry is locked, it cannot be served as the target. Mailing list discussion and explanation from Hugh Dickins: "An anon_vma lookup points to a location which may contain the folio of interest, but might instead contain another folio: and weeding out those other folios is precisely what the "folio != pmd_folio((*pmd)" check (and the "risk of replacing the wrong folio" comment a few lines above it) is for." BUG: unable to handle page fault for address: ffffea60001db008 CPU: 0 UID: 0 PID: 2199114 Comm: tee Not tainted 6.14.0+ #4 NONE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 RIP: 0010:split_huge_pmd_locked+0x3b5/0x2b60 Call Trace: <TASK> try_to_migrate_one+0x28c/0x3730 rmap_walk_anon+0x4f6/0x770 unmap_folio+0x196/0x1f0 split_huge_page_to_list_to_order+0x9f6/0x1560 deferred_split_scan+0xac5/0x12a0 shrinker_debugfs_scan_write+0x376/0x470 full_proxy_write+0x15c/0x220 vfs_write+0x2fc/0xcb0 ksys_write+0x146/0x250 do_syscall_64+0x6a/0x120 entry_SYSCALL_64_after_hwframe+0x76/0x7e The bug is found by syzkaller on an internal kernel, then confirmed on upstream.

Severity

No CVSS data available.

Assigner

Linux

References

10 references

URL	Tags
https://git.kernel.org/stable/c/753f142f7ff7d2223…
https://git.kernel.org/stable/c/9468afbda3fbfcec2…
https://git.kernel.org/stable/c/ef5706bed97e240b4…
https://git.kernel.org/stable/c/22f6368768340260e…
https://git.kernel.org/stable/c/3977946f61cdba87b…
https://git.kernel.org/stable/c/6166c3cf405441f71…
https://git.kernel.org/stable/c/fbab262b0c8226c69…
https://git.kernel.org/stable/c/be6e843fc51a58467…
https://lists.debian.org/debian-lts-announce/2025…
https://lists.debian.org/debian-lts-announce/2025…

Impacted products

2 products

Vendor	Product	Version
Linux	Linux	Affected: 84c3fc4e9c563d8fb91cfdf5948da48fe1af34d3 , < 753f142f7ff7d2223a47105b61e1efd91587d711 (git) Affected: 84c3fc4e9c563d8fb91cfdf5948da48fe1af34d3 , < 9468afbda3fbfcec21ac8132364dff3dab945faf (git) Affected: 84c3fc4e9c563d8fb91cfdf5948da48fe1af34d3 , < ef5706bed97e240b4abf4233ceb03da7336bc775 (git) Affected: 84c3fc4e9c563d8fb91cfdf5948da48fe1af34d3 , < 22f6368768340260e862f35151d2e1c55cb1dc75 (git) Affected: 84c3fc4e9c563d8fb91cfdf5948da48fe1af34d3 , < 3977946f61cdba87b6b5aaf7d7094e96089583a5 (git) Affected: 84c3fc4e9c563d8fb91cfdf5948da48fe1af34d3 , < 6166c3cf405441f7147b322980144feb3cefc617 (git) Affected: 84c3fc4e9c563d8fb91cfdf5948da48fe1af34d3 , < fbab262b0c8226c697af1851a424896ed47dedcc (git) Affected: 84c3fc4e9c563d8fb91cfdf5948da48fe1af34d3 , < be6e843fc51a584672dfd9c4a6a24c8cb81d5fb7 (git)
Linux	Linux	Affected: 4.14 Unaffected: 0 , < 4.14 (semver) Unaffected: 5.4.295 , ≤ 5.4.* (semver) Unaffected: 5.10.239 , ≤ 5.10.* (semver) Unaffected: 5.15.186 , ≤ 5.15.* (semver) Unaffected: 6.1.142 , ≤ 6.1.* (semver) Unaffected: 6.6.95 , ≤ 6.6.* (semver) Unaffected: 6.12.29 , ≤ 6.12.* (semver) Unaffected: 6.14.7 , ≤ 6.14.* (semver) Unaffected: 6.15 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:32:46.448Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "mm/huge_memory.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "753f142f7ff7d2223a47105b61e1efd91587d711",
              "status": "affected",
              "version": "84c3fc4e9c563d8fb91cfdf5948da48fe1af34d3",
              "versionType": "git"
            },
            {
              "lessThan": "9468afbda3fbfcec21ac8132364dff3dab945faf",
              "status": "affected",
              "version": "84c3fc4e9c563d8fb91cfdf5948da48fe1af34d3",
              "versionType": "git"
            },
            {
              "lessThan": "ef5706bed97e240b4abf4233ceb03da7336bc775",
              "status": "affected",
              "version": "84c3fc4e9c563d8fb91cfdf5948da48fe1af34d3",
              "versionType": "git"
            },
            {
              "lessThan": "22f6368768340260e862f35151d2e1c55cb1dc75",
              "status": "affected",
              "version": "84c3fc4e9c563d8fb91cfdf5948da48fe1af34d3",
              "versionType": "git"
            },
            {
              "lessThan": "3977946f61cdba87b6b5aaf7d7094e96089583a5",
              "status": "affected",
              "version": "84c3fc4e9c563d8fb91cfdf5948da48fe1af34d3",
              "versionType": "git"
            },
            {
              "lessThan": "6166c3cf405441f7147b322980144feb3cefc617",
              "status": "affected",
              "version": "84c3fc4e9c563d8fb91cfdf5948da48fe1af34d3",
              "versionType": "git"
            },
            {
              "lessThan": "fbab262b0c8226c697af1851a424896ed47dedcc",
              "status": "affected",
              "version": "84c3fc4e9c563d8fb91cfdf5948da48fe1af34d3",
              "versionType": "git"
            },
            {
              "lessThan": "be6e843fc51a584672dfd9c4a6a24c8cb81d5fb7",
              "status": "affected",
              "version": "84c3fc4e9c563d8fb91cfdf5948da48fe1af34d3",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "mm/huge_memory.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.14"
            },
            {
              "lessThan": "4.14",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.295",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.239",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.186",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.142",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.95",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.29",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.295",
                  "versionStartIncluding": "4.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.239",
                  "versionStartIncluding": "4.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.186",
                  "versionStartIncluding": "4.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.142",
                  "versionStartIncluding": "4.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.95",
                  "versionStartIncluding": "4.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.29",
                  "versionStartIncluding": "4.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.7",
                  "versionStartIncluding": "4.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "versionStartIncluding": "4.14",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/huge_memory: fix dereferencing invalid pmd migration entry\n\nWhen migrating a THP, concurrent access to the PMD migration entry during\na deferred split scan can lead to an invalid address access, as\nillustrated below.  To prevent this invalid access, it is necessary to\ncheck the PMD migration entry and return early.  In this context, there is\nno need to use pmd_to_swp_entry and pfn_swap_entry_to_page to verify the\nequality of the target folio.  Since the PMD migration entry is locked, it\ncannot be served as the target.\n\nMailing list discussion and explanation from Hugh Dickins: \"An anon_vma\nlookup points to a location which may contain the folio of interest, but\nmight instead contain another folio: and weeding out those other folios is\nprecisely what the \"folio != pmd_folio((*pmd)\" check (and the \"risk of\nreplacing the wrong folio\" comment a few lines above it) is for.\"\n\nBUG: unable to handle page fault for address: ffffea60001db008\nCPU: 0 UID: 0 PID: 2199114 Comm: tee Not tainted 6.14.0+ #4 NONE\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014\nRIP: 0010:split_huge_pmd_locked+0x3b5/0x2b60\nCall Trace:\n\u003cTASK\u003e\ntry_to_migrate_one+0x28c/0x3730\nrmap_walk_anon+0x4f6/0x770\nunmap_folio+0x196/0x1f0\nsplit_huge_page_to_list_to_order+0x9f6/0x1560\ndeferred_split_scan+0xac5/0x12a0\nshrinker_debugfs_scan_write+0x376/0x470\nfull_proxy_write+0x15c/0x220\nvfs_write+0x2fc/0xcb0\nksys_write+0x146/0x250\ndo_syscall_64+0x6a/0x120\nentry_SYSCALL_64_after_hwframe+0x76/0x7e\n\nThe bug is found by syzkaller on an internal kernel, then confirmed on\nupstream."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T21:18:23.635Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/753f142f7ff7d2223a47105b61e1efd91587d711"
        },
        {
          "url": "https://git.kernel.org/stable/c/9468afbda3fbfcec21ac8132364dff3dab945faf"
        },
        {
          "url": "https://git.kernel.org/stable/c/ef5706bed97e240b4abf4233ceb03da7336bc775"
        },
        {
          "url": "https://git.kernel.org/stable/c/22f6368768340260e862f35151d2e1c55cb1dc75"
        },
        {
          "url": "https://git.kernel.org/stable/c/3977946f61cdba87b6b5aaf7d7094e96089583a5"
        },
        {
          "url": "https://git.kernel.org/stable/c/6166c3cf405441f7147b322980144feb3cefc617"
        },
        {
          "url": "https://git.kernel.org/stable/c/fbab262b0c8226c697af1851a424896ed47dedcc"
        },
        {
          "url": "https://git.kernel.org/stable/c/be6e843fc51a584672dfd9c4a6a24c8cb81d5fb7"
        }
      ],
      "title": "mm/huge_memory: fix dereferencing invalid pmd migration entry",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-37958",
    "datePublished": "2025-05-20T16:01:51.740Z",
    "dateReserved": "2025-04-16T04:51:23.974Z",
    "dateUpdated": "2026-05-11T21:18:23.635Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-37984 (GCVE-0-2025-37984)

Vulnerability from cvelistv5 – Published: 2025-05-20 17:09 – Updated: 2026-05-23 15:58

Title

crypto: ecdsa - Harden against integer overflows in DIV_ROUND_UP()

Summary

In the Linux kernel, the following vulnerability has been resolved: crypto: ecdsa - Harden against integer overflows in DIV_ROUND_UP() Herbert notes that DIV_ROUND_UP() may overflow unnecessarily if an ecdsa implementation's ->key_size() callback returns an unusually large value. Herbert instead suggests (for a division by 8): X / 8 + !!(X & 7) Based on this formula, introduce a generic DIV_ROUND_UP_POW2() macro and use it in lieu of DIV_ROUND_UP() for ->key_size() return values. Additionally, use the macro in ecc_digits_from_bytes(), whose "nbytes" parameter is a ->key_size() return value in some instances, or a user-specified ASN.1 length in the case of ecdsa_get_signature_rs().

Severity

No CVSS data available.

Assigner

Linux

References

4 references

URL	Tags
https://git.kernel.org/stable/c/f02f0218be412cff1…
https://git.kernel.org/stable/c/f2133b849ff273abd…
https://git.kernel.org/stable/c/921b8167f10708e38…
https://git.kernel.org/stable/c/b16510a530d1e6ab9…

Impacted products

2 products

Vendor	Product	Version
Linux	Linux	Affected: 55779f26eab9af12474a447001bd17070f055712 , < f02f0218be412cff1c844addf58e002071be298b (git) Affected: c6ab5c915da460c0397960af3c308386c3f3247b , < f2133b849ff273abddb6da622daddd8f6f6fa448 (git) Affected: c6ab5c915da460c0397960af3c308386c3f3247b , < 921b8167f10708e38080f84e195cdc68a7a561f1 (git) Affected: c6ab5c915da460c0397960af3c308386c3f3247b , < b16510a530d1e6ab9683f04f8fb34f2e0f538275 (git) Affected: 6.6.70 , < 6.6.99 (semver)
Linux	Linux	Affected: 6.10 Unaffected: 0 , < 6.10 (semver) Unaffected: 6.6.99 , ≤ 6.6.* (semver) Unaffected: 6.12.39 , ≤ 6.12.* (semver) Unaffected: 6.14.5 , ≤ 6.14.* (semver) Unaffected: 6.15 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "crypto/ecc.c",
            "crypto/ecdsa-p1363.c",
            "crypto/ecdsa-x962.c",
            "include/linux/math.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "f02f0218be412cff1c844addf58e002071be298b",
              "status": "affected",
              "version": "55779f26eab9af12474a447001bd17070f055712",
              "versionType": "git"
            },
            {
              "lessThan": "f2133b849ff273abddb6da622daddd8f6f6fa448",
              "status": "affected",
              "version": "c6ab5c915da460c0397960af3c308386c3f3247b",
              "versionType": "git"
            },
            {
              "lessThan": "921b8167f10708e38080f84e195cdc68a7a561f1",
              "status": "affected",
              "version": "c6ab5c915da460c0397960af3c308386c3f3247b",
              "versionType": "git"
            },
            {
              "lessThan": "b16510a530d1e6ab9683f04f8fb34f2e0f538275",
              "status": "affected",
              "version": "c6ab5c915da460c0397960af3c308386c3f3247b",
              "versionType": "git"
            },
            {
              "lessThan": "6.6.99",
              "status": "affected",
              "version": "6.6.70",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "crypto/ecc.c",
            "crypto/ecdsa-p1363.c",
            "crypto/ecdsa-x962.c",
            "include/linux/math.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.10"
            },
            {
              "lessThan": "6.10",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.99",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.39",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.5",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.99",
                  "versionStartIncluding": "6.6.70",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.39",
                  "versionStartIncluding": "6.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.5",
                  "versionStartIncluding": "6.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "versionStartIncluding": "6.10",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: ecdsa - Harden against integer overflows in DIV_ROUND_UP()\n\nHerbert notes that DIV_ROUND_UP() may overflow unnecessarily if an ecdsa\nimplementation\u0027s -\u003ekey_size() callback returns an unusually large value.\nHerbert instead suggests (for a division by 8):\n\n  X / 8 + !!(X \u0026 7)\n\nBased on this formula, introduce a generic DIV_ROUND_UP_POW2() macro and\nuse it in lieu of DIV_ROUND_UP() for -\u003ekey_size() return values.\n\nAdditionally, use the macro in ecc_digits_from_bytes(), whose \"nbytes\"\nparameter is a -\u003ekey_size() return value in some instances, or a\nuser-specified ASN.1 length in the case of ecdsa_get_signature_rs()."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-23T15:58:45.434Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/f02f0218be412cff1c844addf58e002071be298b"
        },
        {
          "url": "https://git.kernel.org/stable/c/f2133b849ff273abddb6da622daddd8f6f6fa448"
        },
        {
          "url": "https://git.kernel.org/stable/c/921b8167f10708e38080f84e195cdc68a7a561f1"
        },
        {
          "url": "https://git.kernel.org/stable/c/b16510a530d1e6ab9683f04f8fb34f2e0f538275"
        }
      ],
      "title": "crypto: ecdsa - Harden against integer overflows in DIV_ROUND_UP()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-37984",
    "datePublished": "2025-05-20T17:09:18.321Z",
    "dateReserved": "2025-04-16T04:51:23.976Z",
    "dateUpdated": "2026-05-23T15:58:45.434Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38000 (GCVE-0-2025-38000)

Vulnerability from cvelistv5 – Published: 2025-06-06 13:03 – Updated: 2026-05-11 21:19

Title

sch_hfsc: Fix qlen accounting bug when using peek in hfsc_enqueue()

Summary

In the Linux kernel, the following vulnerability has been resolved: sch_hfsc: Fix qlen accounting bug when using peek in hfsc_enqueue() When enqueuing the first packet to an HFSC class, hfsc_enqueue() calls the child qdisc's peek() operation before incrementing sch->q.qlen and sch->qstats.backlog. If the child qdisc uses qdisc_peek_dequeued(), this may trigger an immediate dequeue and potential packet drop. In such cases, qdisc_tree_reduce_backlog() is called, but the HFSC qdisc's qlen and backlog have not yet been updated, leading to inconsistent queue accounting. This can leave an empty HFSC class in the active list, causing further consequences like use-after-free. This patch fixes the bug by moving the increment of sch->q.qlen and sch->qstats.backlog before the call to the child qdisc's peek() operation. This ensures that queue length and backlog are always accurate when packet drops or dequeues are triggered during the peek.

Severity

No CVSS data available.

Assigner

Linux

References

10 references

URL	Tags
https://git.kernel.org/stable/c/1034e3310752e8675…
https://git.kernel.org/stable/c/f9f593e34d2fb6764…
https://git.kernel.org/stable/c/89c301e929a0db14e…
https://git.kernel.org/stable/c/f1dde3eb17dc1b8bd…
https://git.kernel.org/stable/c/93c276942e75de0e5…
https://git.kernel.org/stable/c/49b21795b8e5654a7…
https://git.kernel.org/stable/c/3f3a22eebbc32b4fa…
https://git.kernel.org/stable/c/3f981138109f63232…
https://lists.debian.org/debian-lts-announce/2025…
https://lists.debian.org/debian-lts-announce/2025…

Impacted products

2 products

Vendor	Product	Version
Linux	Linux	Affected: 12d0ad3be9c3854e52ec74bb83bb6f43612827c7 , < 1034e3310752e8675e313f7271b348914008719a (git) Affected: 12d0ad3be9c3854e52ec74bb83bb6f43612827c7 , < f9f593e34d2fb67644372c8f7b033bdc622ad228 (git) Affected: 12d0ad3be9c3854e52ec74bb83bb6f43612827c7 , < 89c301e929a0db14ebd94b4d97764ce1d6981653 (git) Affected: 12d0ad3be9c3854e52ec74bb83bb6f43612827c7 , < f1dde3eb17dc1b8bd07aed00004b1e05fc87a3d4 (git) Affected: 12d0ad3be9c3854e52ec74bb83bb6f43612827c7 , < 93c276942e75de0e5bc91576300d292e968f5a02 (git) Affected: 12d0ad3be9c3854e52ec74bb83bb6f43612827c7 , < 49b21795b8e5654a7df3d910a12e1060da4c04cf (git) Affected: 12d0ad3be9c3854e52ec74bb83bb6f43612827c7 , < 3f3a22eebbc32b4fa8ce9c1d5f9db214b45b9335 (git) Affected: 12d0ad3be9c3854e52ec74bb83bb6f43612827c7 , < 3f981138109f63232a5fb7165938d4c945cc1b9d (git)
Linux	Linux	Affected: 4.8 Unaffected: 0 , < 4.8 (semver) Unaffected: 5.4.294 , ≤ 5.4.* (semver) Unaffected: 5.10.238 , ≤ 5.10.* (semver) Unaffected: 5.15.185 , ≤ 5.15.* (semver) Unaffected: 6.1.141 , ≤ 6.1.* (semver) Unaffected: 6.6.93 , ≤ 6.6.* (semver) Unaffected: 6.12.31 , ≤ 6.12.* (semver) Unaffected: 6.14.9 , ≤ 6.14.* (semver) Unaffected: 6.15 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:32:58.709Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/sched/sch_hfsc.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "1034e3310752e8675e313f7271b348914008719a",
              "status": "affected",
              "version": "12d0ad3be9c3854e52ec74bb83bb6f43612827c7",
              "versionType": "git"
            },
            {
              "lessThan": "f9f593e34d2fb67644372c8f7b033bdc622ad228",
              "status": "affected",
              "version": "12d0ad3be9c3854e52ec74bb83bb6f43612827c7",
              "versionType": "git"
            },
            {
              "lessThan": "89c301e929a0db14ebd94b4d97764ce1d6981653",
              "status": "affected",
              "version": "12d0ad3be9c3854e52ec74bb83bb6f43612827c7",
              "versionType": "git"
            },
            {
              "lessThan": "f1dde3eb17dc1b8bd07aed00004b1e05fc87a3d4",
              "status": "affected",
              "version": "12d0ad3be9c3854e52ec74bb83bb6f43612827c7",
              "versionType": "git"
            },
            {
              "lessThan": "93c276942e75de0e5bc91576300d292e968f5a02",
              "status": "affected",
              "version": "12d0ad3be9c3854e52ec74bb83bb6f43612827c7",
              "versionType": "git"
            },
            {
              "lessThan": "49b21795b8e5654a7df3d910a12e1060da4c04cf",
              "status": "affected",
              "version": "12d0ad3be9c3854e52ec74bb83bb6f43612827c7",
              "versionType": "git"
            },
            {
              "lessThan": "3f3a22eebbc32b4fa8ce9c1d5f9db214b45b9335",
              "status": "affected",
              "version": "12d0ad3be9c3854e52ec74bb83bb6f43612827c7",
              "versionType": "git"
            },
            {
              "lessThan": "3f981138109f63232a5fb7165938d4c945cc1b9d",
              "status": "affected",
              "version": "12d0ad3be9c3854e52ec74bb83bb6f43612827c7",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/sched/sch_hfsc.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.8"
            },
            {
              "lessThan": "4.8",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.294",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.238",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.185",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.141",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.93",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.31",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.9",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.294",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.238",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.185",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.141",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.93",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.31",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.9",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsch_hfsc: Fix qlen accounting bug when using peek in hfsc_enqueue()\n\nWhen enqueuing the first packet to an HFSC class, hfsc_enqueue() calls the\nchild qdisc\u0027s peek() operation before incrementing sch-\u003eq.qlen and\nsch-\u003eqstats.backlog. If the child qdisc uses qdisc_peek_dequeued(), this may\ntrigger an immediate dequeue and potential packet drop. In such cases,\nqdisc_tree_reduce_backlog() is called, but the HFSC qdisc\u0027s qlen and backlog\nhave not yet been updated, leading to inconsistent queue accounting. This\ncan leave an empty HFSC class in the active list, causing further\nconsequences like use-after-free.\n\nThis patch fixes the bug by moving the increment of sch-\u003eq.qlen and\nsch-\u003eqstats.backlog before the call to the child qdisc\u0027s peek() operation.\nThis ensures that queue length and backlog are always accurate when packet\ndrops or dequeues are triggered during the peek."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T21:19:22.480Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/1034e3310752e8675e313f7271b348914008719a"
        },
        {
          "url": "https://git.kernel.org/stable/c/f9f593e34d2fb67644372c8f7b033bdc622ad228"
        },
        {
          "url": "https://git.kernel.org/stable/c/89c301e929a0db14ebd94b4d97764ce1d6981653"
        },
        {
          "url": "https://git.kernel.org/stable/c/f1dde3eb17dc1b8bd07aed00004b1e05fc87a3d4"
        },
        {
          "url": "https://git.kernel.org/stable/c/93c276942e75de0e5bc91576300d292e968f5a02"
        },
        {
          "url": "https://git.kernel.org/stable/c/49b21795b8e5654a7df3d910a12e1060da4c04cf"
        },
        {
          "url": "https://git.kernel.org/stable/c/3f3a22eebbc32b4fa8ce9c1d5f9db214b45b9335"
        },
        {
          "url": "https://git.kernel.org/stable/c/3f981138109f63232a5fb7165938d4c945cc1b9d"
        }
      ],
      "title": "sch_hfsc: Fix qlen accounting bug when using peek in hfsc_enqueue()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38000",
    "datePublished": "2025-06-06T13:03:35.405Z",
    "dateReserved": "2025-04-16T04:51:23.976Z",
    "dateUpdated": "2026-05-11T21:19:22.480Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38001 (GCVE-0-2025-38001)

Vulnerability from cvelistv5 – Published: 2025-06-06 13:41 – Updated: 2026-05-11 21:19

Title

net_sched: hfsc: Address reentrant enqueue adding class to eltree twice

Summary

In the Linux kernel, the following vulnerability has been resolved: net_sched: hfsc: Address reentrant enqueue adding class to eltree twice Savino says: "We are writing to report that this recent patch (141d34391abbb315d68556b7c67ad97885407547) [1] can be bypassed, and a UAF can still occur when HFSC is utilized with NETEM. The patch only checks the cl->cl_nactive field to determine whether it is the first insertion or not [2], but this field is only incremented by init_vf [3]. By using HFSC_RSC (which uses init_ed) [4], it is possible to bypass the check and insert the class twice in the eltree. Under normal conditions, this would lead to an infinite loop in hfsc_dequeue for the reasons we already explained in this report [5]. However, if TBF is added as root qdisc and it is configured with a very low rate, it can be utilized to prevent packets from being dequeued. This behavior can be exploited to perform subsequent insertions in the HFSC eltree and cause a UAF." To fix both the UAF and the infinite loop, with netem as an hfsc child, check explicitly in hfsc_enqueue whether the class is already in the eltree whenever the HFSC_RSC flag is set. [1] https://web.git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=141d34391abbb315d68556b7c67ad97885407547 [2] https://elixir.bootlin.com/linux/v6.15-rc5/source/net/sched/sch_hfsc.c#L1572 [3] https://elixir.bootlin.com/linux/v6.15-rc5/source/net/sched/sch_hfsc.c#L677 [4] https://elixir.bootlin.com/linux/v6.15-rc5/source/net/sched/sch_hfsc.c#L1574 [5] https://lore.kernel.org/netdev/8DuRWwfqjoRDLDmBMlIfbrsZg9Gx50DHJc1ilxsEBNe2D6NMoigR_eIRIG0LOjMc3r10nUUZtArXx4oZBIdUfZQrwjcQhdinnMis_0G7VEk=@willsroot.io/T/#u

Severity

No CVSS data available.

Assigner

Linux

References

12 references

URL	Tags
https://git.kernel.org/stable/c/e5bee633cc2764103…
https://git.kernel.org/stable/c/6672e6c00810056ac…
https://git.kernel.org/stable/c/2c928b3a0b04a431f…
https://git.kernel.org/stable/c/a0ec22fa20b252edb…
https://git.kernel.org/stable/c/295f7c579b07b5b7c…
https://git.kernel.org/stable/c/2f2190ce4ca972051…
https://git.kernel.org/stable/c/4e38eaaabfb7fffbb…
https://git.kernel.org/stable/c/39ed887b1dd2d6b72…
https://git.kernel.org/stable/c/ac9fe7dd8e730a103…
https://syst3mfailure.io/rbtree-family-drama/
https://lists.debian.org/debian-lts-announce/2025…
https://lists.debian.org/debian-lts-announce/2025…

Impacted products

2 products

Vendor	Product	Version
Linux	Linux	Affected: 37d9cf1a3ce35de3df6f7d209bfb1f50cf188cea , < e5bee633cc276410337d54b99f77fbc1ad8801e5 (git) Affected: 37d9cf1a3ce35de3df6f7d209bfb1f50cf188cea , < 6672e6c00810056acaac019fe26cdc26fee8a66c (git) Affected: 37d9cf1a3ce35de3df6f7d209bfb1f50cf188cea , < 2c928b3a0b04a431ffcd6c8b7d88a267124a3a28 (git) Affected: 37d9cf1a3ce35de3df6f7d209bfb1f50cf188cea , < a0ec22fa20b252edbe070a9de8501eef63c17ef5 (git) Affected: 37d9cf1a3ce35de3df6f7d209bfb1f50cf188cea , < 295f7c579b07b5b7cf2dffe485f71cc2f27647cb (git) Affected: 37d9cf1a3ce35de3df6f7d209bfb1f50cf188cea , < 2f2190ce4ca972051cac6a8d7937448f8cb9673c (git) Affected: 37d9cf1a3ce35de3df6f7d209bfb1f50cf188cea , < 4e38eaaabfb7fffbb371a51150203e19eee5d70e (git) Affected: 37d9cf1a3ce35de3df6f7d209bfb1f50cf188cea , < 39ed887b1dd2d6b720f87e86692ac3006cc111c8 (git) Affected: 37d9cf1a3ce35de3df6f7d209bfb1f50cf188cea , < ac9fe7dd8e730a103ae4481147395cc73492d786 (git)
Linux	Linux	Affected: 5.0 Unaffected: 0 , < 5.0 (semver) Unaffected: 5.4.294 , ≤ 5.4.* (semver) Unaffected: 5.10.238 , ≤ 5.10.* (semver) Unaffected: 5.15.185 , ≤ 5.15.* (semver) Unaffected: 6.1.141 , ≤ 6.1.* (semver) Unaffected: 6.6.93 , ≤ 6.6.* (semver) Unaffected: 6.12.32 , ≤ 6.12.* (semver) Unaffected: 6.14.10 , ≤ 6.14.* (semver) Unaffected: 6.15.1 , ≤ 6.15.* (semver) Unaffected: 6.16 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:33:00.634Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://syst3mfailure.io/rbtree-family-drama/"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/sched/sch_hfsc.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "e5bee633cc276410337d54b99f77fbc1ad8801e5",
              "status": "affected",
              "version": "37d9cf1a3ce35de3df6f7d209bfb1f50cf188cea",
              "versionType": "git"
            },
            {
              "lessThan": "6672e6c00810056acaac019fe26cdc26fee8a66c",
              "status": "affected",
              "version": "37d9cf1a3ce35de3df6f7d209bfb1f50cf188cea",
              "versionType": "git"
            },
            {
              "lessThan": "2c928b3a0b04a431ffcd6c8b7d88a267124a3a28",
              "status": "affected",
              "version": "37d9cf1a3ce35de3df6f7d209bfb1f50cf188cea",
              "versionType": "git"
            },
            {
              "lessThan": "a0ec22fa20b252edbe070a9de8501eef63c17ef5",
              "status": "affected",
              "version": "37d9cf1a3ce35de3df6f7d209bfb1f50cf188cea",
              "versionType": "git"
            },
            {
              "lessThan": "295f7c579b07b5b7cf2dffe485f71cc2f27647cb",
              "status": "affected",
              "version": "37d9cf1a3ce35de3df6f7d209bfb1f50cf188cea",
              "versionType": "git"
            },
            {
              "lessThan": "2f2190ce4ca972051cac6a8d7937448f8cb9673c",
              "status": "affected",
              "version": "37d9cf1a3ce35de3df6f7d209bfb1f50cf188cea",
              "versionType": "git"
            },
            {
              "lessThan": "4e38eaaabfb7fffbb371a51150203e19eee5d70e",
              "status": "affected",
              "version": "37d9cf1a3ce35de3df6f7d209bfb1f50cf188cea",
              "versionType": "git"
            },
            {
              "lessThan": "39ed887b1dd2d6b720f87e86692ac3006cc111c8",
              "status": "affected",
              "version": "37d9cf1a3ce35de3df6f7d209bfb1f50cf188cea",
              "versionType": "git"
            },
            {
              "lessThan": "ac9fe7dd8e730a103ae4481147395cc73492d786",
              "status": "affected",
              "version": "37d9cf1a3ce35de3df6f7d209bfb1f50cf188cea",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/sched/sch_hfsc.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.0"
            },
            {
              "lessThan": "5.0",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.294",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.238",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.185",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.141",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.93",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.32",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.10",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.1",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.294",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.238",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.185",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.141",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.93",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.32",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.10",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.1",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet_sched: hfsc: Address reentrant enqueue adding class to eltree twice\n\nSavino says:\n    \"We are writing to report that this recent patch\n    (141d34391abbb315d68556b7c67ad97885407547) [1]\n    can be bypassed, and a UAF can still occur when HFSC is utilized with\n    NETEM.\n\n    The patch only checks the cl-\u003ecl_nactive field to determine whether\n    it is the first insertion or not [2], but this field is only\n    incremented by init_vf [3].\n\n    By using HFSC_RSC (which uses init_ed) [4], it is possible to bypass the\n    check and insert the class twice in the eltree.\n    Under normal conditions, this would lead to an infinite loop in\n    hfsc_dequeue for the reasons we already explained in this report [5].\n\n    However, if TBF is added as root qdisc and it is configured with a\n    very low rate,\n    it can be utilized to prevent packets from being dequeued.\n    This behavior can be exploited to perform subsequent insertions in the\n    HFSC eltree and cause a UAF.\"\n\nTo fix both the UAF and the infinite loop, with netem as an hfsc child,\ncheck explicitly in hfsc_enqueue whether the class is already in the eltree\nwhenever the HFSC_RSC flag is set.\n\n[1] https://web.git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=141d34391abbb315d68556b7c67ad97885407547\n[2] https://elixir.bootlin.com/linux/v6.15-rc5/source/net/sched/sch_hfsc.c#L1572\n[3] https://elixir.bootlin.com/linux/v6.15-rc5/source/net/sched/sch_hfsc.c#L677\n[4] https://elixir.bootlin.com/linux/v6.15-rc5/source/net/sched/sch_hfsc.c#L1574\n[5] https://lore.kernel.org/netdev/8DuRWwfqjoRDLDmBMlIfbrsZg9Gx50DHJc1ilxsEBNe2D6NMoigR_eIRIG0LOjMc3r10nUUZtArXx4oZBIdUfZQrwjcQhdinnMis_0G7VEk=@willsroot.io/T/#u"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T21:19:23.669Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/e5bee633cc276410337d54b99f77fbc1ad8801e5"
        },
        {
          "url": "https://git.kernel.org/stable/c/6672e6c00810056acaac019fe26cdc26fee8a66c"
        },
        {
          "url": "https://git.kernel.org/stable/c/2c928b3a0b04a431ffcd6c8b7d88a267124a3a28"
        },
        {
          "url": "https://git.kernel.org/stable/c/a0ec22fa20b252edbe070a9de8501eef63c17ef5"
        },
        {
          "url": "https://git.kernel.org/stable/c/295f7c579b07b5b7cf2dffe485f71cc2f27647cb"
        },
        {
          "url": "https://git.kernel.org/stable/c/2f2190ce4ca972051cac6a8d7937448f8cb9673c"
        },
        {
          "url": "https://git.kernel.org/stable/c/4e38eaaabfb7fffbb371a51150203e19eee5d70e"
        },
        {
          "url": "https://git.kernel.org/stable/c/39ed887b1dd2d6b720f87e86692ac3006cc111c8"
        },
        {
          "url": "https://git.kernel.org/stable/c/ac9fe7dd8e730a103ae4481147395cc73492d786"
        },
        {
          "url": "https://syst3mfailure.io/rbtree-family-drama/"
        }
      ],
      "title": "net_sched: hfsc: Address reentrant enqueue adding class to eltree twice",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38001",
    "datePublished": "2025-06-06T13:41:45.462Z",
    "dateReserved": "2025-04-16T04:51:23.976Z",
    "dateUpdated": "2026-05-11T21:19:23.669Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38003 (GCVE-0-2025-38003)

Vulnerability from cvelistv5 – Published: 2025-06-08 10:34 – Updated: 2026-05-23 15:58

Title

can: bcm: add missing rcu read protection for procfs content

Summary

In the Linux kernel, the following vulnerability has been resolved: can: bcm: add missing rcu read protection for procfs content When the procfs content is generated for a bcm_op which is in the process to be removed the procfs output might show unreliable data (UAF). As the removal of bcm_op's is already implemented with rcu handling this patch adds the missing rcu_read_lock() and makes sure the list entries are properly removed under rcu protection.

Severity

No CVSS data available.

Assigner

Linux

References

10 references

URL	Tags
https://git.kernel.org/stable/c/19f553a1ddf260da6…
https://git.kernel.org/stable/c/659701c0b954ccdb4…
https://git.kernel.org/stable/c/0622846db728a5332…
https://git.kernel.org/stable/c/6d7d458c41b98a5c1…
https://git.kernel.org/stable/c/1f912f8484e9c4396…
https://git.kernel.org/stable/c/63567ecd99a244952…
https://git.kernel.org/stable/c/7c9db92d5f0eadca3…
https://git.kernel.org/stable/c/dac5e6249159ac255…
https://lists.debian.org/debian-lts-announce/2025…
https://lists.debian.org/debian-lts-announce/2025…

Impacted products

2 products

Vendor	Product	Version
Linux	Linux	Affected: 5b48f5711f1c630841ab78dcc061de902f0e37bf , < 19f553a1ddf260da6570ed8f8d91a8c87f49b63a (git) Affected: 85cd41070df992d3c0dfd828866fdd243d3b774a , < 659701c0b954ccdb4a916a4ad59bbc16e726d42c (git) Affected: f34f2a18e47b73e48f90a757e1f4aaa8c7d665a1 , < 0622846db728a5332b917c797c733e202c4620ae (git) Affected: f1b4e32aca0811aa011c76e5d6cf2fa19224b386 , < 6d7d458c41b98a5c1670cbd36f2923c37de51cf5 (git) Affected: f1b4e32aca0811aa011c76e5d6cf2fa19224b386 , < 1f912f8484e9c4396378c39460bbea0af681f319 (git) Affected: f1b4e32aca0811aa011c76e5d6cf2fa19224b386 , < 63567ecd99a24495208dc860d50fb17440043006 (git) Affected: f1b4e32aca0811aa011c76e5d6cf2fa19224b386 , < 7c9db92d5f0eadca30884af75c53d601edc512ee (git) Affected: f1b4e32aca0811aa011c76e5d6cf2fa19224b386 , < dac5e6249159ac255dad9781793dbe5908ac9ddb (git) Affected: fbac09a3b8890003c0c55294c00709f3ae5501bb (git) Affected: edb4baffb9483141a50fb7f7146cfe4a4c0c2db8 (git) Affected: 5.4.205 , < 5.4.294 (semver) Affected: 5.10.130 , < 5.10.238 (semver) Affected: 5.15.54 , < 5.15.185 (semver) Affected: 4.19.252 , < 4.20 (semver) Affected: 5.18.11 , < 5.19 (semver)
Linux	Linux	Affected: 5.19 Unaffected: 0 , < 5.19 (semver) Unaffected: 5.4.294 , ≤ 5.4.* (semver) Unaffected: 5.10.238 , ≤ 5.10.* (semver) Unaffected: 5.15.185 , ≤ 5.15.* (semver) Unaffected: 6.1.141 , ≤ 6.1.* (semver) Unaffected: 6.6.93 , ≤ 6.6.* (semver) Unaffected: 6.12.31 , ≤ 6.12.* (semver) Unaffected: 6.14.9 , ≤ 6.14.* (semver) Unaffected: 6.15 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:33:02.902Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/can/bcm.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "19f553a1ddf260da6570ed8f8d91a8c87f49b63a",
              "status": "affected",
              "version": "5b48f5711f1c630841ab78dcc061de902f0e37bf",
              "versionType": "git"
            },
            {
              "lessThan": "659701c0b954ccdb4a916a4ad59bbc16e726d42c",
              "status": "affected",
              "version": "85cd41070df992d3c0dfd828866fdd243d3b774a",
              "versionType": "git"
            },
            {
              "lessThan": "0622846db728a5332b917c797c733e202c4620ae",
              "status": "affected",
              "version": "f34f2a18e47b73e48f90a757e1f4aaa8c7d665a1",
              "versionType": "git"
            },
            {
              "lessThan": "6d7d458c41b98a5c1670cbd36f2923c37de51cf5",
              "status": "affected",
              "version": "f1b4e32aca0811aa011c76e5d6cf2fa19224b386",
              "versionType": "git"
            },
            {
              "lessThan": "1f912f8484e9c4396378c39460bbea0af681f319",
              "status": "affected",
              "version": "f1b4e32aca0811aa011c76e5d6cf2fa19224b386",
              "versionType": "git"
            },
            {
              "lessThan": "63567ecd99a24495208dc860d50fb17440043006",
              "status": "affected",
              "version": "f1b4e32aca0811aa011c76e5d6cf2fa19224b386",
              "versionType": "git"
            },
            {
              "lessThan": "7c9db92d5f0eadca30884af75c53d601edc512ee",
              "status": "affected",
              "version": "f1b4e32aca0811aa011c76e5d6cf2fa19224b386",
              "versionType": "git"
            },
            {
              "lessThan": "dac5e6249159ac255dad9781793dbe5908ac9ddb",
              "status": "affected",
              "version": "f1b4e32aca0811aa011c76e5d6cf2fa19224b386",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "fbac09a3b8890003c0c55294c00709f3ae5501bb",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "edb4baffb9483141a50fb7f7146cfe4a4c0c2db8",
              "versionType": "git"
            },
            {
              "lessThan": "5.4.294",
              "status": "affected",
              "version": "5.4.205",
              "versionType": "semver"
            },
            {
              "lessThan": "5.10.238",
              "status": "affected",
              "version": "5.10.130",
              "versionType": "semver"
            },
            {
              "lessThan": "5.15.185",
              "status": "affected",
              "version": "5.15.54",
              "versionType": "semver"
            },
            {
              "lessThan": "4.20",
              "status": "affected",
              "version": "4.19.252",
              "versionType": "semver"
            },
            {
              "lessThan": "5.19",
              "status": "affected",
              "version": "5.18.11",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/can/bcm.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.19"
            },
            {
              "lessThan": "5.19",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.294",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.238",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.185",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.141",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.93",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.31",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.9",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.294",
                  "versionStartIncluding": "5.4.205",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.238",
                  "versionStartIncluding": "5.10.130",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.185",
                  "versionStartIncluding": "5.15.54",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.141",
                  "versionStartIncluding": "5.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.93",
                  "versionStartIncluding": "5.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.31",
                  "versionStartIncluding": "5.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.9",
                  "versionStartIncluding": "5.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "versionStartIncluding": "5.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "4.19.252",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "5.18.11",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: bcm: add missing rcu read protection for procfs content\n\nWhen the procfs content is generated for a bcm_op which is in the process\nto be removed the procfs output might show unreliable data (UAF).\n\nAs the removal of bcm_op\u0027s is already implemented with rcu handling this\npatch adds the missing rcu_read_lock() and makes sure the list entries\nare properly removed under rcu protection."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-23T15:58:47.466Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/19f553a1ddf260da6570ed8f8d91a8c87f49b63a"
        },
        {
          "url": "https://git.kernel.org/stable/c/659701c0b954ccdb4a916a4ad59bbc16e726d42c"
        },
        {
          "url": "https://git.kernel.org/stable/c/0622846db728a5332b917c797c733e202c4620ae"
        },
        {
          "url": "https://git.kernel.org/stable/c/6d7d458c41b98a5c1670cbd36f2923c37de51cf5"
        },
        {
          "url": "https://git.kernel.org/stable/c/1f912f8484e9c4396378c39460bbea0af681f319"
        },
        {
          "url": "https://git.kernel.org/stable/c/63567ecd99a24495208dc860d50fb17440043006"
        },
        {
          "url": "https://git.kernel.org/stable/c/7c9db92d5f0eadca30884af75c53d601edc512ee"
        },
        {
          "url": "https://git.kernel.org/stable/c/dac5e6249159ac255dad9781793dbe5908ac9ddb"
        }
      ],
      "title": "can: bcm: add missing rcu read protection for procfs content",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38003",
    "datePublished": "2025-06-08T10:34:55.808Z",
    "dateReserved": "2025-04-16T04:51:23.977Z",
    "dateUpdated": "2026-05-23T15:58:47.466Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38004 (GCVE-0-2025-38004)

Vulnerability from cvelistv5 – Published: 2025-06-08 10:34 – Updated: 2026-05-11 21:19

Title

can: bcm: add locking for bcm_op runtime updates

Summary

In the Linux kernel, the following vulnerability has been resolved: can: bcm: add locking for bcm_op runtime updates The CAN broadcast manager (CAN BCM) can send a sequence of CAN frames via hrtimer. The content and also the length of the sequence can be changed resp reduced at runtime where the 'currframe' counter is then set to zero. Although this appeared to be a safe operation the updates of 'currframe' can be triggered from user space and hrtimer context in bcm_can_tx(). Anderson Nascimento created a proof of concept that triggered a KASAN slab-out-of-bounds read access which can be prevented with a spin_lock_bh. At the rework of bcm_can_tx() the 'count' variable has been moved into the protected section as this variable can be modified from both contexts too.

Severity

No CVSS data available.

Assigner

Linux

References

10 references

URL	Tags
https://git.kernel.org/stable/c/8f1c022541bf5a923…
https://git.kernel.org/stable/c/7595de7bc56e0e52b…
https://git.kernel.org/stable/c/fbd8fdc2b218e979c…
https://git.kernel.org/stable/c/2a437b86ac5a9893c…
https://git.kernel.org/stable/c/76c84c3728178b2d3…
https://git.kernel.org/stable/c/cc55dd28c20a6611e…
https://git.kernel.org/stable/c/c4e8a172501e677eb…
https://git.kernel.org/stable/c/c2aba69d0c36a496a…
https://lists.debian.org/debian-lts-announce/2025…
https://lists.debian.org/debian-lts-announce/2025…

Impacted products

2 products

Vendor	Product	Version
Linux	Linux	Affected: ffd980f976e7fd666c2e61bf8ab35107efd11828 , < 8f1c022541bf5a923c8d6fa483112c15250f30a4 (git) Affected: ffd980f976e7fd666c2e61bf8ab35107efd11828 , < 7595de7bc56e0e52b74e56c90f7e247bf626d628 (git) Affected: ffd980f976e7fd666c2e61bf8ab35107efd11828 , < fbd8fdc2b218e979cfe422b139b8f74c12419d1f (git) Affected: ffd980f976e7fd666c2e61bf8ab35107efd11828 , < 2a437b86ac5a9893c902f30ef66815bf13587bf6 (git) Affected: ffd980f976e7fd666c2e61bf8ab35107efd11828 , < 76c84c3728178b2d38d5604e399dfe8b0752645e (git) Affected: ffd980f976e7fd666c2e61bf8ab35107efd11828 , < cc55dd28c20a6611e30596019b3b2f636819a4c0 (git) Affected: ffd980f976e7fd666c2e61bf8ab35107efd11828 , < c4e8a172501e677ebd8ea9d9161d97dc4df56fbd (git) Affected: ffd980f976e7fd666c2e61bf8ab35107efd11828 , < c2aba69d0c36a496ab4f2e81e9c2b271f2693fd7 (git)
Linux	Linux	Affected: 2.6.25 Unaffected: 0 , < 2.6.25 (semver) Unaffected: 5.4.294 , ≤ 5.4.* (semver) Unaffected: 5.10.238 , ≤ 5.10.* (semver) Unaffected: 5.15.185 , ≤ 5.15.* (semver) Unaffected: 6.1.141 , ≤ 6.1.* (semver) Unaffected: 6.6.93 , ≤ 6.6.* (semver) Unaffected: 6.12.31 , ≤ 6.12.* (semver) Unaffected: 6.14.9 , ≤ 6.14.* (semver) Unaffected: 6.15 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:33:04.853Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/can/bcm.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "8f1c022541bf5a923c8d6fa483112c15250f30a4",
              "status": "affected",
              "version": "ffd980f976e7fd666c2e61bf8ab35107efd11828",
              "versionType": "git"
            },
            {
              "lessThan": "7595de7bc56e0e52b74e56c90f7e247bf626d628",
              "status": "affected",
              "version": "ffd980f976e7fd666c2e61bf8ab35107efd11828",
              "versionType": "git"
            },
            {
              "lessThan": "fbd8fdc2b218e979cfe422b139b8f74c12419d1f",
              "status": "affected",
              "version": "ffd980f976e7fd666c2e61bf8ab35107efd11828",
              "versionType": "git"
            },
            {
              "lessThan": "2a437b86ac5a9893c902f30ef66815bf13587bf6",
              "status": "affected",
              "version": "ffd980f976e7fd666c2e61bf8ab35107efd11828",
              "versionType": "git"
            },
            {
              "lessThan": "76c84c3728178b2d38d5604e399dfe8b0752645e",
              "status": "affected",
              "version": "ffd980f976e7fd666c2e61bf8ab35107efd11828",
              "versionType": "git"
            },
            {
              "lessThan": "cc55dd28c20a6611e30596019b3b2f636819a4c0",
              "status": "affected",
              "version": "ffd980f976e7fd666c2e61bf8ab35107efd11828",
              "versionType": "git"
            },
            {
              "lessThan": "c4e8a172501e677ebd8ea9d9161d97dc4df56fbd",
              "status": "affected",
              "version": "ffd980f976e7fd666c2e61bf8ab35107efd11828",
              "versionType": "git"
            },
            {
              "lessThan": "c2aba69d0c36a496ab4f2e81e9c2b271f2693fd7",
              "status": "affected",
              "version": "ffd980f976e7fd666c2e61bf8ab35107efd11828",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/can/bcm.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.25"
            },
            {
              "lessThan": "2.6.25",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.294",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.238",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.185",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.141",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.93",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.31",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.9",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.294",
                  "versionStartIncluding": "2.6.25",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.238",
                  "versionStartIncluding": "2.6.25",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.185",
                  "versionStartIncluding": "2.6.25",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.141",
                  "versionStartIncluding": "2.6.25",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.93",
                  "versionStartIncluding": "2.6.25",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.31",
                  "versionStartIncluding": "2.6.25",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.9",
                  "versionStartIncluding": "2.6.25",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "versionStartIncluding": "2.6.25",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: bcm: add locking for bcm_op runtime updates\n\nThe CAN broadcast manager (CAN BCM) can send a sequence of CAN frames via\nhrtimer. The content and also the length of the sequence can be changed\nresp reduced at runtime where the \u0027currframe\u0027 counter is then set to zero.\n\nAlthough this appeared to be a safe operation the updates of \u0027currframe\u0027\ncan be triggered from user space and hrtimer context in bcm_can_tx().\nAnderson Nascimento created a proof of concept that triggered a KASAN\nslab-out-of-bounds read access which can be prevented with a spin_lock_bh.\n\nAt the rework of bcm_can_tx() the \u0027count\u0027 variable has been moved into\nthe protected section as this variable can be modified from both contexts\ntoo."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T21:19:27.141Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/8f1c022541bf5a923c8d6fa483112c15250f30a4"
        },
        {
          "url": "https://git.kernel.org/stable/c/7595de7bc56e0e52b74e56c90f7e247bf626d628"
        },
        {
          "url": "https://git.kernel.org/stable/c/fbd8fdc2b218e979cfe422b139b8f74c12419d1f"
        },
        {
          "url": "https://git.kernel.org/stable/c/2a437b86ac5a9893c902f30ef66815bf13587bf6"
        },
        {
          "url": "https://git.kernel.org/stable/c/76c84c3728178b2d38d5604e399dfe8b0752645e"
        },
        {
          "url": "https://git.kernel.org/stable/c/cc55dd28c20a6611e30596019b3b2f636819a4c0"
        },
        {
          "url": "https://git.kernel.org/stable/c/c4e8a172501e677ebd8ea9d9161d97dc4df56fbd"
        },
        {
          "url": "https://git.kernel.org/stable/c/c2aba69d0c36a496ab4f2e81e9c2b271f2693fd7"
        }
      ],
      "title": "can: bcm: add locking for bcm_op runtime updates",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38004",
    "datePublished": "2025-06-08T10:34:56.484Z",
    "dateReserved": "2025-04-16T04:51:23.977Z",
    "dateUpdated": "2026-05-11T21:19:27.141Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38031 (GCVE-0-2025-38031)

Vulnerability from cvelistv5 – Published: 2025-06-18 09:33 – Updated: 2026-05-23 15:58

Title

padata: do not leak refcount in reorder_work

Summary

In the Linux kernel, the following vulnerability has been resolved: padata: do not leak refcount in reorder_work A recent patch that addressed a UAF introduced a reference count leak: the parallel_data refcount is incremented unconditionally, regardless of the return value of queue_work(). If the work item is already queued, the incremented refcount is never decremented. Fix this by checking the return value of queue_work() and decrementing the refcount when necessary. Resolves: Unreferenced object 0xffff9d9f421e3d80 (size 192): comm "cryptomgr_probe", pid 157, jiffies 4294694003 hex dump (first 32 bytes): 80 8b cf 41 9f 9d ff ff b8 97 e0 89 ff ff ff ff ...A............ d0 97 e0 89 ff ff ff ff 19 00 00 00 1f 88 23 00 ..............#. backtrace (crc 838fb36): __kmalloc_cache_noprof+0x284/0x320 padata_alloc_pd+0x20/0x1e0 padata_alloc_shell+0x3b/0xa0 0xffffffffc040a54d cryptomgr_probe+0x43/0xc0 kthread+0xf6/0x1f0 ret_from_fork+0x2f/0x50 ret_from_fork_asm+0x1a/0x30

Severity

No CVSS data available.

Assigner

Linux

References

9 references

URL	Tags
https://git.kernel.org/stable/c/b9ad8e50e8589607e…
https://git.kernel.org/stable/c/1a426abdf1c86882c…
https://git.kernel.org/stable/c/cceb15864e1612ebf…
https://git.kernel.org/stable/c/584a729615fa92f4d…
https://git.kernel.org/stable/c/5300e487487d7a2e3…
https://git.kernel.org/stable/c/1c65ae49887147161…
https://git.kernel.org/stable/c/d6ebcde6d4ecf34f8…
https://lists.debian.org/debian-lts-announce/2025…
https://lists.debian.org/debian-lts-announce/2025…

Impacted products

2 products

Vendor	Product	Version
Linux	Linux	Affected: f4f1b1169fc3694f9bc3e28c6c68dbbf4cc744c0 , < b9ad8e50e8589607e68e6c4cefa7f72bf35a2cb1 (git) Affected: 4c6209efea2208597dbd3e52dc87a0d1a8f2dbe1 , < 1a426abdf1c86882c9203dd8182f3b8274b89938 (git) Affected: 7000507bb0d2ceb545c0a690e0c707c897d102c2 , < cceb15864e1612ebfbc10ec4e4dcd19a10c0056c (git) Affected: 6f45ef616775b0ce7889b0f6077fc8d681ab30bc , < 584a729615fa92f4de45480efb7e569d14be1516 (git) Affected: 8ca38d0ca8c3d30dd18d311f1a7ec5cb56972cac , < 5300e487487d7a2e3e1e6e9d8f03ed9452e4019e (git) Affected: dd7d37ccf6b11f3d95e797ebe4e9e886d0332600 , < 1c65ae4988714716101555fe2b9830e33136d6fb (git) Affected: dd7d37ccf6b11f3d95e797ebe4e9e886d0332600 , < d6ebcde6d4ecf34f8495fb30516645db3aea8993 (git) Affected: a54091c24220a4cd847d5b4f36d678edacddbaf0 (git) Affected: 5.10.235 , < 5.10.238 (semver) Affected: 5.15.179 , < 5.15.185 (semver) Affected: 6.1.129 , < 6.1.141 (semver) Affected: 6.6.76 , < 6.6.93 (semver) Affected: 6.12.13 , < 6.12.31 (semver) Affected: 6.13.2 , < 6.14 (semver)
Linux	Linux	Affected: 6.14 Unaffected: 0 , < 6.14 (semver) Unaffected: 5.10.238 , ≤ 5.10.* (semver) Unaffected: 5.15.185 , ≤ 5.15.* (semver) Unaffected: 6.1.141 , ≤ 6.1.* (semver) Unaffected: 6.6.93 , ≤ 6.6.* (semver) Unaffected: 6.12.31 , ≤ 6.12.* (semver) Unaffected: 6.14.9 , ≤ 6.14.* (semver) Unaffected: 6.15 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:33:10.591Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "kernel/padata.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "b9ad8e50e8589607e68e6c4cefa7f72bf35a2cb1",
              "status": "affected",
              "version": "f4f1b1169fc3694f9bc3e28c6c68dbbf4cc744c0",
              "versionType": "git"
            },
            {
              "lessThan": "1a426abdf1c86882c9203dd8182f3b8274b89938",
              "status": "affected",
              "version": "4c6209efea2208597dbd3e52dc87a0d1a8f2dbe1",
              "versionType": "git"
            },
            {
              "lessThan": "cceb15864e1612ebfbc10ec4e4dcd19a10c0056c",
              "status": "affected",
              "version": "7000507bb0d2ceb545c0a690e0c707c897d102c2",
              "versionType": "git"
            },
            {
              "lessThan": "584a729615fa92f4de45480efb7e569d14be1516",
              "status": "affected",
              "version": "6f45ef616775b0ce7889b0f6077fc8d681ab30bc",
              "versionType": "git"
            },
            {
              "lessThan": "5300e487487d7a2e3e1e6e9d8f03ed9452e4019e",
              "status": "affected",
              "version": "8ca38d0ca8c3d30dd18d311f1a7ec5cb56972cac",
              "versionType": "git"
            },
            {
              "lessThan": "1c65ae4988714716101555fe2b9830e33136d6fb",
              "status": "affected",
              "version": "dd7d37ccf6b11f3d95e797ebe4e9e886d0332600",
              "versionType": "git"
            },
            {
              "lessThan": "d6ebcde6d4ecf34f8495fb30516645db3aea8993",
              "status": "affected",
              "version": "dd7d37ccf6b11f3d95e797ebe4e9e886d0332600",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "a54091c24220a4cd847d5b4f36d678edacddbaf0",
              "versionType": "git"
            },
            {
              "lessThan": "5.10.238",
              "status": "affected",
              "version": "5.10.235",
              "versionType": "semver"
            },
            {
              "lessThan": "5.15.185",
              "status": "affected",
              "version": "5.15.179",
              "versionType": "semver"
            },
            {
              "lessThan": "6.1.141",
              "status": "affected",
              "version": "6.1.129",
              "versionType": "semver"
            },
            {
              "lessThan": "6.6.93",
              "status": "affected",
              "version": "6.6.76",
              "versionType": "semver"
            },
            {
              "lessThan": "6.12.31",
              "status": "affected",
              "version": "6.12.13",
              "versionType": "semver"
            },
            {
              "lessThan": "6.14",
              "status": "affected",
              "version": "6.13.2",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "kernel/padata.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.14"
            },
            {
              "lessThan": "6.14",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.238",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.185",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.141",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.93",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.31",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.9",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.238",
                  "versionStartIncluding": "5.10.235",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.185",
                  "versionStartIncluding": "5.15.179",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.141",
                  "versionStartIncluding": "6.1.129",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.93",
                  "versionStartIncluding": "6.6.76",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.31",
                  "versionStartIncluding": "6.12.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.9",
                  "versionStartIncluding": "6.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "versionStartIncluding": "6.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "6.13.2",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\npadata: do not leak refcount in reorder_work\n\nA recent patch that addressed a UAF introduced a reference count leak:\nthe parallel_data refcount is incremented unconditionally, regardless\nof the return value of queue_work(). If the work item is already queued,\nthe incremented refcount is never decremented.\n\nFix this by checking the return value of queue_work() and decrementing\nthe refcount when necessary.\n\nResolves:\n\nUnreferenced object 0xffff9d9f421e3d80 (size 192):\n  comm \"cryptomgr_probe\", pid 157, jiffies 4294694003\n  hex dump (first 32 bytes):\n    80 8b cf 41 9f 9d ff ff b8 97 e0 89 ff ff ff ff  ...A............\n    d0 97 e0 89 ff ff ff ff 19 00 00 00 1f 88 23 00  ..............#.\n  backtrace (crc 838fb36):\n    __kmalloc_cache_noprof+0x284/0x320\n    padata_alloc_pd+0x20/0x1e0\n    padata_alloc_shell+0x3b/0xa0\n    0xffffffffc040a54d\n    cryptomgr_probe+0x43/0xc0\n    kthread+0xf6/0x1f0\n    ret_from_fork+0x2f/0x50\n    ret_from_fork_asm+0x1a/0x30"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-23T15:58:51.926Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/b9ad8e50e8589607e68e6c4cefa7f72bf35a2cb1"
        },
        {
          "url": "https://git.kernel.org/stable/c/1a426abdf1c86882c9203dd8182f3b8274b89938"
        },
        {
          "url": "https://git.kernel.org/stable/c/cceb15864e1612ebfbc10ec4e4dcd19a10c0056c"
        },
        {
          "url": "https://git.kernel.org/stable/c/584a729615fa92f4de45480efb7e569d14be1516"
        },
        {
          "url": "https://git.kernel.org/stable/c/5300e487487d7a2e3e1e6e9d8f03ed9452e4019e"
        },
        {
          "url": "https://git.kernel.org/stable/c/1c65ae4988714716101555fe2b9830e33136d6fb"
        },
        {
          "url": "https://git.kernel.org/stable/c/d6ebcde6d4ecf34f8495fb30516645db3aea8993"
        }
      ],
      "title": "padata: do not leak refcount in reorder_work",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38031",
    "datePublished": "2025-06-18T09:33:18.882Z",
    "dateReserved": "2025-04-16T04:51:23.978Z",
    "dateUpdated": "2026-05-23T15:58:51.926Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38034 (GCVE-0-2025-38034)

Vulnerability from cvelistv5 – Published: 2025-06-18 09:33 – Updated: 2026-05-11 21:19

Title

btrfs: correct the order of prelim_ref arguments in btrfs__prelim_ref

Summary

In the Linux kernel, the following vulnerability has been resolved: btrfs: correct the order of prelim_ref arguments in btrfs__prelim_ref btrfs_prelim_ref() calls the old and new reference variables in the incorrect order. This causes a NULL pointer dereference because oldref is passed as NULL to trace_btrfs_prelim_ref_insert(). Note, trace_btrfs_prelim_ref_insert() is being called with newref as oldref (and oldref as NULL) on purpose in order to print out the values of newref. To reproduce: echo 1 > /sys/kernel/debug/tracing/events/btrfs/btrfs_prelim_ref_insert/enable Perform some writeback operations. Backtrace: BUG: kernel NULL pointer dereference, address: 0000000000000018 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 115949067 P4D 115949067 PUD 11594a067 PMD 0 Oops: Oops: 0000 [#1] SMP NOPTI CPU: 1 UID: 0 PID: 1188 Comm: fsstress Not tainted 6.15.0-rc2-tester+ #47 PREEMPT(voluntary) 7ca2cef72d5e9c600f0c7718adb6462de8149622 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.3-2-gc13ff2cd-prebuilt.qemu.org 04/01/2014 RIP: 0010:trace_event_raw_event_btrfs__prelim_ref+0x72/0x130 Code: e8 43 81 9f ff 48 85 c0 74 78 4d 85 e4 0f 84 8f 00 00 00 49 8b 94 24 c0 06 00 00 48 8b 0a 48 89 48 08 48 8b 52 08 48 89 50 10 <49> 8b 55 18 48 89 50 18 49 8b 55 20 48 89 50 20 41 0f b6 55 28 88 RSP: 0018:ffffce44820077a0 EFLAGS: 00010286 RAX: ffff8c6b403f9014 RBX: ffff8c6b55825730 RCX: 304994edf9cf506b RDX: d8b11eb7f0fdb699 RSI: ffff8c6b403f9010 RDI: ffff8c6b403f9010 RBP: 0000000000000001 R08: 0000000000000001 R09: 0000000000000010 R10: 00000000ffffffff R11: 0000000000000000 R12: ffff8c6b4e8fb000 R13: 0000000000000000 R14: ffffce44820077a8 R15: ffff8c6b4abd1540 FS: 00007f4dc6813740(0000) GS:ffff8c6c1d378000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000018 CR3: 000000010eb42000 CR4: 0000000000750ef0 PKRU: 55555554 Call Trace: <TASK> prelim_ref_insert+0x1c1/0x270 find_parent_nodes+0x12a6/0x1ee0 ? __entry_text_end+0x101f06/0x101f09 ? srso_alias_return_thunk+0x5/0xfbef5 ? srso_alias_return_thunk+0x5/0xfbef5 ? srso_alias_return_thunk+0x5/0xfbef5 ? srso_alias_return_thunk+0x5/0xfbef5 btrfs_is_data_extent_shared+0x167/0x640 ? fiemap_process_hole+0xd0/0x2c0 extent_fiemap+0xa5c/0xbc0 ? __entry_text_end+0x101f05/0x101f09 btrfs_fiemap+0x7e/0xd0 do_vfs_ioctl+0x425/0x9d0 __x64_sys_ioctl+0x75/0xc0

Severity

No CVSS data available.

Assigner

Linux

References

10 references

URL	Tags
https://git.kernel.org/stable/c/5755b6731655e248c…
https://git.kernel.org/stable/c/a641154cedf9d6973…
https://git.kernel.org/stable/c/a876703894a6dd6e8…
https://git.kernel.org/stable/c/0528bba48dce7820d…
https://git.kernel.org/stable/c/7a97f961a568a8f72…
https://git.kernel.org/stable/c/7f7c8c03feba5f245…
https://git.kernel.org/stable/c/137bfa08c6441f324…
https://git.kernel.org/stable/c/bc7e0975093567f51…
https://lists.debian.org/debian-lts-announce/2025…
https://lists.debian.org/debian-lts-announce/2025…

Impacted products

2 products

Vendor	Product	Version
Linux	Linux	Affected: 00142756e1f8015d2f8ce96532d156689db7e448 , < 5755b6731655e248c4f1d52a2e1b18795b4a2a3a (git) Affected: 00142756e1f8015d2f8ce96532d156689db7e448 , < a641154cedf9d69730f8af5d0a901fe86e6486bd (git) Affected: 00142756e1f8015d2f8ce96532d156689db7e448 , < a876703894a6dd6e8c04b0635d86e9f7a7c81b79 (git) Affected: 00142756e1f8015d2f8ce96532d156689db7e448 , < 0528bba48dce7820d2da72e1a114e1c4552367eb (git) Affected: 00142756e1f8015d2f8ce96532d156689db7e448 , < 7a97f961a568a8f72472dc804af02a0f73152c5f (git) Affected: 00142756e1f8015d2f8ce96532d156689db7e448 , < 7f7c8c03feba5f2454792fab3bb8bd45bd6883f9 (git) Affected: 00142756e1f8015d2f8ce96532d156689db7e448 , < 137bfa08c6441f324d00692d1e9d22cfd773329b (git) Affected: 00142756e1f8015d2f8ce96532d156689db7e448 , < bc7e0975093567f51be8e1bdf4aa5900a3cf0b1e (git)
Linux	Linux	Affected: 4.14 Unaffected: 0 , < 4.14 (semver) Unaffected: 5.4.294 , ≤ 5.4.* (semver) Unaffected: 5.10.238 , ≤ 5.10.* (semver) Unaffected: 5.15.185 , ≤ 5.15.* (semver) Unaffected: 6.1.141 , ≤ 6.1.* (semver) Unaffected: 6.6.93 , ≤ 6.6.* (semver) Unaffected: 6.12.31 , ≤ 6.12.* (semver) Unaffected: 6.14.9 , ≤ 6.14.* (semver) Unaffected: 6.15 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:33:12.540Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "include/trace/events/btrfs.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "5755b6731655e248c4f1d52a2e1b18795b4a2a3a",
              "status": "affected",
              "version": "00142756e1f8015d2f8ce96532d156689db7e448",
              "versionType": "git"
            },
            {
              "lessThan": "a641154cedf9d69730f8af5d0a901fe86e6486bd",
              "status": "affected",
              "version": "00142756e1f8015d2f8ce96532d156689db7e448",
              "versionType": "git"
            },
            {
              "lessThan": "a876703894a6dd6e8c04b0635d86e9f7a7c81b79",
              "status": "affected",
              "version": "00142756e1f8015d2f8ce96532d156689db7e448",
              "versionType": "git"
            },
            {
              "lessThan": "0528bba48dce7820d2da72e1a114e1c4552367eb",
              "status": "affected",
              "version": "00142756e1f8015d2f8ce96532d156689db7e448",
              "versionType": "git"
            },
            {
              "lessThan": "7a97f961a568a8f72472dc804af02a0f73152c5f",
              "status": "affected",
              "version": "00142756e1f8015d2f8ce96532d156689db7e448",
              "versionType": "git"
            },
            {
              "lessThan": "7f7c8c03feba5f2454792fab3bb8bd45bd6883f9",
              "status": "affected",
              "version": "00142756e1f8015d2f8ce96532d156689db7e448",
              "versionType": "git"
            },
            {
              "lessThan": "137bfa08c6441f324d00692d1e9d22cfd773329b",
              "status": "affected",
              "version": "00142756e1f8015d2f8ce96532d156689db7e448",
              "versionType": "git"
            },
            {
              "lessThan": "bc7e0975093567f51be8e1bdf4aa5900a3cf0b1e",
              "status": "affected",
              "version": "00142756e1f8015d2f8ce96532d156689db7e448",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "include/trace/events/btrfs.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.14"
            },
            {
              "lessThan": "4.14",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.294",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.238",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.185",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.141",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.93",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.31",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.9",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.294",
                  "versionStartIncluding": "4.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.238",
                  "versionStartIncluding": "4.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.185",
                  "versionStartIncluding": "4.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.141",
                  "versionStartIncluding": "4.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.93",
                  "versionStartIncluding": "4.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.31",
                  "versionStartIncluding": "4.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.9",
                  "versionStartIncluding": "4.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "versionStartIncluding": "4.14",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: correct the order of prelim_ref arguments in btrfs__prelim_ref\n\nbtrfs_prelim_ref() calls the old and new reference variables in the\nincorrect order. This causes a NULL pointer dereference because oldref\nis passed as NULL to trace_btrfs_prelim_ref_insert().\n\nNote, trace_btrfs_prelim_ref_insert() is being called with newref as\noldref (and oldref as NULL) on purpose in order to print out\nthe values of newref.\n\nTo reproduce:\necho 1 \u003e /sys/kernel/debug/tracing/events/btrfs/btrfs_prelim_ref_insert/enable\n\nPerform some writeback operations.\n\nBacktrace:\nBUG: kernel NULL pointer dereference, address: 0000000000000018\n #PF: supervisor read access in kernel mode\n #PF: error_code(0x0000) - not-present page\n PGD 115949067 P4D 115949067 PUD 11594a067 PMD 0\n Oops: Oops: 0000 [#1] SMP NOPTI\n CPU: 1 UID: 0 PID: 1188 Comm: fsstress Not tainted 6.15.0-rc2-tester+ #47 PREEMPT(voluntary)  7ca2cef72d5e9c600f0c7718adb6462de8149622\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.3-2-gc13ff2cd-prebuilt.qemu.org 04/01/2014\n RIP: 0010:trace_event_raw_event_btrfs__prelim_ref+0x72/0x130\n Code: e8 43 81 9f ff 48 85 c0 74 78 4d 85 e4 0f 84 8f 00 00 00 49 8b 94 24 c0 06 00 00 48 8b 0a 48 89 48 08 48 8b 52 08 48 89 50 10 \u003c49\u003e 8b 55 18 48 89 50 18 49 8b 55 20 48 89 50 20 41 0f b6 55 28 88\n RSP: 0018:ffffce44820077a0 EFLAGS: 00010286\n RAX: ffff8c6b403f9014 RBX: ffff8c6b55825730 RCX: 304994edf9cf506b\n RDX: d8b11eb7f0fdb699 RSI: ffff8c6b403f9010 RDI: ffff8c6b403f9010\n RBP: 0000000000000001 R08: 0000000000000001 R09: 0000000000000010\n R10: 00000000ffffffff R11: 0000000000000000 R12: ffff8c6b4e8fb000\n R13: 0000000000000000 R14: ffffce44820077a8 R15: ffff8c6b4abd1540\n FS:  00007f4dc6813740(0000) GS:ffff8c6c1d378000(0000) knlGS:0000000000000000\n CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 0000000000000018 CR3: 000000010eb42000 CR4: 0000000000750ef0\n PKRU: 55555554\n Call Trace:\n  \u003cTASK\u003e\n  prelim_ref_insert+0x1c1/0x270\n  find_parent_nodes+0x12a6/0x1ee0\n  ? __entry_text_end+0x101f06/0x101f09\n  ? srso_alias_return_thunk+0x5/0xfbef5\n  ? srso_alias_return_thunk+0x5/0xfbef5\n  ? srso_alias_return_thunk+0x5/0xfbef5\n  ? srso_alias_return_thunk+0x5/0xfbef5\n  btrfs_is_data_extent_shared+0x167/0x640\n  ? fiemap_process_hole+0xd0/0x2c0\n  extent_fiemap+0xa5c/0xbc0\n  ? __entry_text_end+0x101f05/0x101f09\n  btrfs_fiemap+0x7e/0xd0\n  do_vfs_ioctl+0x425/0x9d0\n  __x64_sys_ioctl+0x75/0xc0"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T21:19:59.723Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/5755b6731655e248c4f1d52a2e1b18795b4a2a3a"
        },
        {
          "url": "https://git.kernel.org/stable/c/a641154cedf9d69730f8af5d0a901fe86e6486bd"
        },
        {
          "url": "https://git.kernel.org/stable/c/a876703894a6dd6e8c04b0635d86e9f7a7c81b79"
        },
        {
          "url": "https://git.kernel.org/stable/c/0528bba48dce7820d2da72e1a114e1c4552367eb"
        },
        {
          "url": "https://git.kernel.org/stable/c/7a97f961a568a8f72472dc804af02a0f73152c5f"
        },
        {
          "url": "https://git.kernel.org/stable/c/7f7c8c03feba5f2454792fab3bb8bd45bd6883f9"
        },
        {
          "url": "https://git.kernel.org/stable/c/137bfa08c6441f324d00692d1e9d22cfd773329b"
        },
        {
          "url": "https://git.kernel.org/stable/c/bc7e0975093567f51be8e1bdf4aa5900a3cf0b1e"
        }
      ],
      "title": "btrfs: correct the order of prelim_ref arguments in btrfs__prelim_ref",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38034",
    "datePublished": "2025-06-18T09:33:21.120Z",
    "dateReserved": "2025-04-16T04:51:23.978Z",
    "dateUpdated": "2026-05-11T21:19:59.723Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38035 (GCVE-0-2025-38035)

Vulnerability from cvelistv5 – Published: 2025-06-18 09:33 – Updated: 2026-05-11 21:20

Title

nvmet-tcp: don't restore null sk_state_change

Summary

In the Linux kernel, the following vulnerability has been resolved: nvmet-tcp: don't restore null sk_state_change queue->state_change is set as part of nvmet_tcp_set_queue_sock(), but if the TCP connection isn't established when nvmet_tcp_set_queue_sock() is called then queue->state_change isn't set and sock->sk->sk_state_change isn't replaced. As such we don't need to restore sock->sk->sk_state_change if queue->state_change is NULL. This avoids NULL pointer dereferences such as this: [ 286.462026][ C0] BUG: kernel NULL pointer dereference, address: 0000000000000000 [ 286.462814][ C0] #PF: supervisor instruction fetch in kernel mode [ 286.463796][ C0] #PF: error_code(0x0010) - not-present page [ 286.464392][ C0] PGD 8000000140620067 P4D 8000000140620067 PUD 114201067 PMD 0 [ 286.465086][ C0] Oops: Oops: 0010 [#1] SMP KASAN PTI [ 286.465559][ C0] CPU: 0 UID: 0 PID: 1628 Comm: nvme Not tainted 6.15.0-rc2+ #11 PREEMPT(voluntary) [ 286.466393][ C0] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-3.fc41 04/01/2014 [ 286.467147][ C0] RIP: 0010:0x0 [ 286.467420][ C0] Code: Unable to access opcode bytes at 0xffffffffffffffd6. [ 286.467977][ C0] RSP: 0018:ffff8883ae008580 EFLAGS: 00010246 [ 286.468425][ C0] RAX: 0000000000000000 RBX: ffff88813fd34100 RCX: ffffffffa386cc43 [ 286.469019][ C0] RDX: 1ffff11027fa68b6 RSI: 0000000000000008 RDI: ffff88813fd34100 [ 286.469545][ C0] RBP: ffff88813fd34160 R08: 0000000000000000 R09: ffffed1027fa682c [ 286.470072][ C0] R10: ffff88813fd34167 R11: 0000000000000000 R12: ffff88813fd344c3 [ 286.470585][ C0] R13: ffff88813fd34112 R14: ffff88813fd34aec R15: ffff888132cdd268 [ 286.471070][ C0] FS: 00007fe3c04c7d80(0000) GS:ffff88840743f000(0000) knlGS:0000000000000000 [ 286.471644][ C0] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 286.472543][ C0] CR2: ffffffffffffffd6 CR3: 000000012daca000 CR4: 00000000000006f0 [ 286.473500][ C0] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 286.474467][ C0] DR3: 0000000000000000 DR6: 00000000ffff07f0 DR7: 0000000000000400 [ 286.475453][ C0] Call Trace: [ 286.476102][ C0] <IRQ> [ 286.476719][ C0] tcp_fin+0x2bb/0x440 [ 286.477429][ C0] tcp_data_queue+0x190f/0x4e60 [ 286.478174][ C0] ? __build_skb_around+0x234/0x330 [ 286.478940][ C0] ? rcu_is_watching+0x11/0xb0 [ 286.479659][ C0] ? __pfx_tcp_data_queue+0x10/0x10 [ 286.480431][ C0] ? tcp_try_undo_loss+0x640/0x6c0 [ 286.481196][ C0] ? seqcount_lockdep_reader_access.constprop.0+0x82/0x90 [ 286.482046][ C0] ? kvm_clock_get_cycles+0x14/0x30 [ 286.482769][ C0] ? ktime_get+0x66/0x150 [ 286.483433][ C0] ? rcu_is_watching+0x11/0xb0 [ 286.484146][ C0] tcp_rcv_established+0x6e4/0x2050 [ 286.484857][ C0] ? rcu_is_watching+0x11/0xb0 [ 286.485523][ C0] ? ipv4_dst_check+0x160/0x2b0 [ 286.486203][ C0] ? __pfx_tcp_rcv_established+0x10/0x10 [ 286.486917][ C0] ? lock_release+0x217/0x2c0 [ 286.487595][ C0] tcp_v4_do_rcv+0x4d6/0x9b0 [ 286.488279][ C0] tcp_v4_rcv+0x2af8/0x3e30 [ 286.488904][ C0] ? raw_local_deliver+0x51b/0xad0 [ 286.489551][ C0] ? rcu_is_watching+0x11/0xb0 [ 286.490198][ C0] ? __pfx_tcp_v4_rcv+0x10/0x10 [ 286.490813][ C0] ? __pfx_raw_local_deliver+0x10/0x10 [ 286.491487][ C0] ? __pfx_nf_confirm+0x10/0x10 [nf_conntrack] [ 286.492275][ C0] ? rcu_is_watching+0x11/0xb0 [ 286.492900][ C0] ip_protocol_deliver_rcu+0x8f/0x370 [ 286.493579][ C0] ip_local_deliver_finish+0x297/0x420 [ 286.494268][ C0] ip_local_deliver+0x168/0x430 [ 286.494867][ C0] ? __pfx_ip_local_deliver+0x10/0x10 [ 286.495498][ C0] ? __pfx_ip_local_deliver_finish+0x10/0x10 [ 286.496204][ C0] ? ip_rcv_finish_core+0x19a/0x1f20 [ 286.496806][ C0] ? lock_release+0x217/0x2c0 [ 286.497414][ C0] ip_rcv+0x455/0x6e0 [ 286.497945][ C0] ? __pfx_ip_rcv+0x10/0x10 [ ---truncated---

Severity

No CVSS data available.

Assigner

Linux

References

10 references

URL	Tags
https://git.kernel.org/stable/c/6265538446e2426f4…
https://git.kernel.org/stable/c/17e58be5b49f58bf1…
https://git.kernel.org/stable/c/fc01b547c3f8bfa6e…
https://git.kernel.org/stable/c/c240375587ddcc80e…
https://git.kernel.org/stable/c/3a982ada411b8c526…
https://git.kernel.org/stable/c/ec462449f4cf616b0…
https://git.kernel.org/stable/c/a21cb31642ffc84ca…
https://git.kernel.org/stable/c/46d22b47df2741996…
https://lists.debian.org/debian-lts-announce/2025…
https://lists.debian.org/debian-lts-announce/2025…

Impacted products

2 products

Vendor	Product	Version
Linux	Linux	Affected: 872d26a391da92ed8f0c0f5cb5fef428067b7f30 , < 6265538446e2426f4bf3b57e91d7680b2047ddd9 (git) Affected: 872d26a391da92ed8f0c0f5cb5fef428067b7f30 , < 17e58be5b49f58bf17799a504f55c2d05ab2ecdc (git) Affected: 872d26a391da92ed8f0c0f5cb5fef428067b7f30 , < fc01b547c3f8bfa6e1d23cd5a2c63c736e8c3e4e (git) Affected: 872d26a391da92ed8f0c0f5cb5fef428067b7f30 , < c240375587ddcc80e1022f52ee32b946bbc3a639 (git) Affected: 872d26a391da92ed8f0c0f5cb5fef428067b7f30 , < 3a982ada411b8c52695f1784c3f4784771f30209 (git) Affected: 872d26a391da92ed8f0c0f5cb5fef428067b7f30 , < ec462449f4cf616b0aa2ed119f5f44b5fdfcefab (git) Affected: 872d26a391da92ed8f0c0f5cb5fef428067b7f30 , < a21cb31642ffc84ca4ce55028212a96f72f54d30 (git) Affected: 872d26a391da92ed8f0c0f5cb5fef428067b7f30 , < 46d22b47df2741996af277a2838b95f130436c13 (git)
Linux	Linux	Affected: 5.0 Unaffected: 0 , < 5.0 (semver) Unaffected: 5.4.294 , ≤ 5.4.* (semver) Unaffected: 5.10.238 , ≤ 5.10.* (semver) Unaffected: 5.15.185 , ≤ 5.15.* (semver) Unaffected: 6.1.141 , ≤ 6.1.* (semver) Unaffected: 6.6.93 , ≤ 6.6.* (semver) Unaffected: 6.12.31 , ≤ 6.12.* (semver) Unaffected: 6.14.9 , ≤ 6.14.* (semver) Unaffected: 6.15 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:33:14.487Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/nvme/target/tcp.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "6265538446e2426f4bf3b57e91d7680b2047ddd9",
              "status": "affected",
              "version": "872d26a391da92ed8f0c0f5cb5fef428067b7f30",
              "versionType": "git"
            },
            {
              "lessThan": "17e58be5b49f58bf17799a504f55c2d05ab2ecdc",
              "status": "affected",
              "version": "872d26a391da92ed8f0c0f5cb5fef428067b7f30",
              "versionType": "git"
            },
            {
              "lessThan": "fc01b547c3f8bfa6e1d23cd5a2c63c736e8c3e4e",
              "status": "affected",
              "version": "872d26a391da92ed8f0c0f5cb5fef428067b7f30",
              "versionType": "git"
            },
            {
              "lessThan": "c240375587ddcc80e1022f52ee32b946bbc3a639",
              "status": "affected",
              "version": "872d26a391da92ed8f0c0f5cb5fef428067b7f30",
              "versionType": "git"
            },
            {
              "lessThan": "3a982ada411b8c52695f1784c3f4784771f30209",
              "status": "affected",
              "version": "872d26a391da92ed8f0c0f5cb5fef428067b7f30",
              "versionType": "git"
            },
            {
              "lessThan": "ec462449f4cf616b0aa2ed119f5f44b5fdfcefab",
              "status": "affected",
              "version": "872d26a391da92ed8f0c0f5cb5fef428067b7f30",
              "versionType": "git"
            },
            {
              "lessThan": "a21cb31642ffc84ca4ce55028212a96f72f54d30",
              "status": "affected",
              "version": "872d26a391da92ed8f0c0f5cb5fef428067b7f30",
              "versionType": "git"
            },
            {
              "lessThan": "46d22b47df2741996af277a2838b95f130436c13",
              "status": "affected",
              "version": "872d26a391da92ed8f0c0f5cb5fef428067b7f30",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/nvme/target/tcp.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.0"
            },
            {
              "lessThan": "5.0",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.294",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.238",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.185",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.141",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.93",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.31",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.9",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.294",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.238",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.185",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.141",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.93",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.31",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.9",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvmet-tcp: don\u0027t restore null sk_state_change\n\nqueue-\u003estate_change is set as part of nvmet_tcp_set_queue_sock(), but if\nthe TCP connection isn\u0027t established when nvmet_tcp_set_queue_sock() is\ncalled then queue-\u003estate_change isn\u0027t set and sock-\u003esk-\u003esk_state_change\nisn\u0027t replaced.\n\nAs such we don\u0027t need to restore sock-\u003esk-\u003esk_state_change if\nqueue-\u003estate_change is NULL.\n\nThis avoids NULL pointer dereferences such as this:\n\n[  286.462026][    C0] BUG: kernel NULL pointer dereference, address: 0000000000000000\n[  286.462814][    C0] #PF: supervisor instruction fetch in kernel mode\n[  286.463796][    C0] #PF: error_code(0x0010) - not-present page\n[  286.464392][    C0] PGD 8000000140620067 P4D 8000000140620067 PUD 114201067 PMD 0\n[  286.465086][    C0] Oops: Oops: 0010 [#1] SMP KASAN PTI\n[  286.465559][    C0] CPU: 0 UID: 0 PID: 1628 Comm: nvme Not tainted 6.15.0-rc2+ #11 PREEMPT(voluntary)\n[  286.466393][    C0] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-3.fc41 04/01/2014\n[  286.467147][    C0] RIP: 0010:0x0\n[  286.467420][    C0] Code: Unable to access opcode bytes at 0xffffffffffffffd6.\n[  286.467977][    C0] RSP: 0018:ffff8883ae008580 EFLAGS: 00010246\n[  286.468425][    C0] RAX: 0000000000000000 RBX: ffff88813fd34100 RCX: ffffffffa386cc43\n[  286.469019][    C0] RDX: 1ffff11027fa68b6 RSI: 0000000000000008 RDI: ffff88813fd34100\n[  286.469545][    C0] RBP: ffff88813fd34160 R08: 0000000000000000 R09: ffffed1027fa682c\n[  286.470072][    C0] R10: ffff88813fd34167 R11: 0000000000000000 R12: ffff88813fd344c3\n[  286.470585][    C0] R13: ffff88813fd34112 R14: ffff88813fd34aec R15: ffff888132cdd268\n[  286.471070][    C0] FS:  00007fe3c04c7d80(0000) GS:ffff88840743f000(0000) knlGS:0000000000000000\n[  286.471644][    C0] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[  286.472543][    C0] CR2: ffffffffffffffd6 CR3: 000000012daca000 CR4: 00000000000006f0\n[  286.473500][    C0] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[  286.474467][    C0] DR3: 0000000000000000 DR6: 00000000ffff07f0 DR7: 0000000000000400\n[  286.475453][    C0] Call Trace:\n[  286.476102][    C0]  \u003cIRQ\u003e\n[  286.476719][    C0]  tcp_fin+0x2bb/0x440\n[  286.477429][    C0]  tcp_data_queue+0x190f/0x4e60\n[  286.478174][    C0]  ? __build_skb_around+0x234/0x330\n[  286.478940][    C0]  ? rcu_is_watching+0x11/0xb0\n[  286.479659][    C0]  ? __pfx_tcp_data_queue+0x10/0x10\n[  286.480431][    C0]  ? tcp_try_undo_loss+0x640/0x6c0\n[  286.481196][    C0]  ? seqcount_lockdep_reader_access.constprop.0+0x82/0x90\n[  286.482046][    C0]  ? kvm_clock_get_cycles+0x14/0x30\n[  286.482769][    C0]  ? ktime_get+0x66/0x150\n[  286.483433][    C0]  ? rcu_is_watching+0x11/0xb0\n[  286.484146][    C0]  tcp_rcv_established+0x6e4/0x2050\n[  286.484857][    C0]  ? rcu_is_watching+0x11/0xb0\n[  286.485523][    C0]  ? ipv4_dst_check+0x160/0x2b0\n[  286.486203][    C0]  ? __pfx_tcp_rcv_established+0x10/0x10\n[  286.486917][    C0]  ? lock_release+0x217/0x2c0\n[  286.487595][    C0]  tcp_v4_do_rcv+0x4d6/0x9b0\n[  286.488279][    C0]  tcp_v4_rcv+0x2af8/0x3e30\n[  286.488904][    C0]  ? raw_local_deliver+0x51b/0xad0\n[  286.489551][    C0]  ? rcu_is_watching+0x11/0xb0\n[  286.490198][    C0]  ? __pfx_tcp_v4_rcv+0x10/0x10\n[  286.490813][    C0]  ? __pfx_raw_local_deliver+0x10/0x10\n[  286.491487][    C0]  ? __pfx_nf_confirm+0x10/0x10 [nf_conntrack]\n[  286.492275][    C0]  ? rcu_is_watching+0x11/0xb0\n[  286.492900][    C0]  ip_protocol_deliver_rcu+0x8f/0x370\n[  286.493579][    C0]  ip_local_deliver_finish+0x297/0x420\n[  286.494268][    C0]  ip_local_deliver+0x168/0x430\n[  286.494867][    C0]  ? __pfx_ip_local_deliver+0x10/0x10\n[  286.495498][    C0]  ? __pfx_ip_local_deliver_finish+0x10/0x10\n[  286.496204][    C0]  ? ip_rcv_finish_core+0x19a/0x1f20\n[  286.496806][    C0]  ? lock_release+0x217/0x2c0\n[  286.497414][    C0]  ip_rcv+0x455/0x6e0\n[  286.497945][    C0]  ? __pfx_ip_rcv+0x10/0x10\n[ \n---truncated---"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T21:20:00.970Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/6265538446e2426f4bf3b57e91d7680b2047ddd9"
        },
        {
          "url": "https://git.kernel.org/stable/c/17e58be5b49f58bf17799a504f55c2d05ab2ecdc"
        },
        {
          "url": "https://git.kernel.org/stable/c/fc01b547c3f8bfa6e1d23cd5a2c63c736e8c3e4e"
        },
        {
          "url": "https://git.kernel.org/stable/c/c240375587ddcc80e1022f52ee32b946bbc3a639"
        },
        {
          "url": "https://git.kernel.org/stable/c/3a982ada411b8c52695f1784c3f4784771f30209"
        },
        {
          "url": "https://git.kernel.org/stable/c/ec462449f4cf616b0aa2ed119f5f44b5fdfcefab"
        },
        {
          "url": "https://git.kernel.org/stable/c/a21cb31642ffc84ca4ce55028212a96f72f54d30"
        },
        {
          "url": "https://git.kernel.org/stable/c/46d22b47df2741996af277a2838b95f130436c13"
        }
      ],
      "title": "nvmet-tcp: don\u0027t restore null sk_state_change",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38035",
    "datePublished": "2025-06-18T09:33:22.244Z",
    "dateReserved": "2025-04-16T04:51:23.978Z",
    "dateUpdated": "2026-05-11T21:20:00.970Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CERTFR-2025-AVI-0698

Solutions

CVE-2025-37925 (GCVE-0-2025-37925)

CVE-2025-37958 (GCVE-0-2025-37958)

CVE-2025-37984 (GCVE-0-2025-37984)

CVE-2025-38000 (GCVE-0-2025-38000)

CVE-2025-38001 (GCVE-0-2025-38001)

CVE-2025-38003 (GCVE-0-2025-38003)

CVE-2025-38004 (GCVE-0-2025-38004)

CVE-2025-38031 (GCVE-0-2025-38031)

CVE-2025-38034 (GCVE-0-2025-38034)

CVE-2025-38035 (GCVE-0-2025-38035)

Tags

Sightings

Nomenclature