Vulnerability-Lookup

CERTFR-2025-AVI-0698

Vulnerability from certfr_avis - Published: 2025-08-14 - Updated: 2025-08-14

De multiples vulnérabilités ont été découvertes dans le noyau Linux de Debian. Certaines d'entre elles permettent à un attaquant de provoquer une élévation de privilèges, une atteinte à la confidentialité des données et un déni de service.

Solutions

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

Impacted products

	Vendor	Product	Description
	Debian	Debian	Debian bookworm versions antérieures à 6.1.147-1
	Debian	Debian	Debian trixie versions antérieures à 6.12.41-1

References

Title

Publication Time

CVE-2025-38102 (GCVE-0-2025-38102)

Vulnerability from cvelistv5 – Published: 2025-07-03 08:35 – Updated: 2026-05-11 21:21

Title

VMCI: fix race between vmci_host_setup_notify and vmci_ctx_unset_notify

Summary

In the Linux kernel, the following vulnerability has been resolved: VMCI: fix race between vmci_host_setup_notify and vmci_ctx_unset_notify During our test, it is found that a warning can be trigger in try_grab_folio as follow: ------------[ cut here ]------------ WARNING: CPU: 0 PID: 1678 at mm/gup.c:147 try_grab_folio+0x106/0x130 Modules linked in: CPU: 0 UID: 0 PID: 1678 Comm: syz.3.31 Not tainted 6.15.0-rc5 #163 PREEMPT(undef) RIP: 0010:try_grab_folio+0x106/0x130 Call Trace: <TASK> follow_huge_pmd+0x240/0x8e0 follow_pmd_mask.constprop.0.isra.0+0x40b/0x5c0 follow_pud_mask.constprop.0.isra.0+0x14a/0x170 follow_page_mask+0x1c2/0x1f0 __get_user_pages+0x176/0x950 __gup_longterm_locked+0x15b/0x1060 ? gup_fast+0x120/0x1f0 gup_fast_fallback+0x17e/0x230 get_user_pages_fast+0x5f/0x80 vmci_host_unlocked_ioctl+0x21c/0xf80 RIP: 0033:0x54d2cd ---[ end trace 0000000000000000 ]--- Digging into the source, context->notify_page may init by get_user_pages_fast and can be seen in vmci_ctx_unset_notify which will try to put_page. However get_user_pages_fast is not finished here and lead to following try_grab_folio warning. The race condition is shown as follow: cpu0 cpu1 vmci_host_do_set_notify vmci_host_setup_notify get_user_pages_fast(uva, 1, FOLL_WRITE, &context->notify_page); lockless_pages_from_mm gup_pgd_range gup_huge_pmd // update &context->notify_page vmci_host_do_set_notify vmci_ctx_unset_notify notify_page = context->notify_page; if (notify_page) put_page(notify_page); // page is freed __gup_longterm_locked __get_user_pages follow_trans_huge_pmd try_grab_folio // warn here To slove this, use local variable page to make notify_page can be seen after finish get_user_pages_fast.

Severity

No CVSS data available.

Assigner

Linux

References

10 references

URL	Tags
https://git.kernel.org/stable/c/74095bbbb19ca74a0…
https://git.kernel.org/stable/c/468aec888f838ce51…
https://git.kernel.org/stable/c/b4209e4b778e4e57d…
https://git.kernel.org/stable/c/58a90db70aa661641…
https://git.kernel.org/stable/c/6e3af836805ed1d7a…
https://git.kernel.org/stable/c/00ddc7dad55b7bbb7…
https://git.kernel.org/stable/c/75b5313c80c39a26d…
https://git.kernel.org/stable/c/1bd6406fb5f36c2bb…
https://lists.debian.org/debian-lts-announce/2025…
https://lists.debian.org/debian-lts-announce/2025…

Impacted products

2 products

Vendor	Product	Version
Linux	Linux	Affected: a1d88436d53a75e950db15834b3d2f8c0c358fdc , < 74095bbbb19ca74a0368d857603a2438c88ca86c (git) Affected: a1d88436d53a75e950db15834b3d2f8c0c358fdc , < 468aec888f838ce5174b96e0cb4396790d6f60ca (git) Affected: a1d88436d53a75e950db15834b3d2f8c0c358fdc , < b4209e4b778e4e57d0636e1c9fc07a924dbc6043 (git) Affected: a1d88436d53a75e950db15834b3d2f8c0c358fdc , < 58a90db70aa6616411e5f69d1982d9b1dd97d774 (git) Affected: a1d88436d53a75e950db15834b3d2f8c0c358fdc , < 6e3af836805ed1d7a699f76ec798626198917aa4 (git) Affected: a1d88436d53a75e950db15834b3d2f8c0c358fdc , < 00ddc7dad55b7bbb78df80d6e174d0c4764dea0c (git) Affected: a1d88436d53a75e950db15834b3d2f8c0c358fdc , < 75b5313c80c39a26d27cbb602f968a05576c36f9 (git) Affected: a1d88436d53a75e950db15834b3d2f8c0c358fdc , < 1bd6406fb5f36c2bb1e96e27d4c3e9f4d09edde4 (git)
Linux	Linux	Affected: 4.0 Unaffected: 0 , < 4.0 (semver) Unaffected: 5.4.296 , ≤ 5.4.* (semver) Unaffected: 5.10.240 , ≤ 5.10.* (semver) Unaffected: 5.15.186 , ≤ 5.15.* (semver) Unaffected: 6.1.142 , ≤ 6.1.* (semver) Unaffected: 6.6.94 , ≤ 6.6.* (semver) Unaffected: 6.12.34 , ≤ 6.12.* (semver) Unaffected: 6.15.3 , ≤ 6.15.* (semver) Unaffected: 6.16 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:34:05.919Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/misc/vmw_vmci/vmci_host.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "74095bbbb19ca74a0368d857603a2438c88ca86c",
              "status": "affected",
              "version": "a1d88436d53a75e950db15834b3d2f8c0c358fdc",
              "versionType": "git"
            },
            {
              "lessThan": "468aec888f838ce5174b96e0cb4396790d6f60ca",
              "status": "affected",
              "version": "a1d88436d53a75e950db15834b3d2f8c0c358fdc",
              "versionType": "git"
            },
            {
              "lessThan": "b4209e4b778e4e57d0636e1c9fc07a924dbc6043",
              "status": "affected",
              "version": "a1d88436d53a75e950db15834b3d2f8c0c358fdc",
              "versionType": "git"
            },
            {
              "lessThan": "58a90db70aa6616411e5f69d1982d9b1dd97d774",
              "status": "affected",
              "version": "a1d88436d53a75e950db15834b3d2f8c0c358fdc",
              "versionType": "git"
            },
            {
              "lessThan": "6e3af836805ed1d7a699f76ec798626198917aa4",
              "status": "affected",
              "version": "a1d88436d53a75e950db15834b3d2f8c0c358fdc",
              "versionType": "git"
            },
            {
              "lessThan": "00ddc7dad55b7bbb78df80d6e174d0c4764dea0c",
              "status": "affected",
              "version": "a1d88436d53a75e950db15834b3d2f8c0c358fdc",
              "versionType": "git"
            },
            {
              "lessThan": "75b5313c80c39a26d27cbb602f968a05576c36f9",
              "status": "affected",
              "version": "a1d88436d53a75e950db15834b3d2f8c0c358fdc",
              "versionType": "git"
            },
            {
              "lessThan": "1bd6406fb5f36c2bb1e96e27d4c3e9f4d09edde4",
              "status": "affected",
              "version": "a1d88436d53a75e950db15834b3d2f8c0c358fdc",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/misc/vmw_vmci/vmci_host.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.0"
            },
            {
              "lessThan": "4.0",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.296",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.240",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.186",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.142",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.94",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.34",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.296",
                  "versionStartIncluding": "4.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.240",
                  "versionStartIncluding": "4.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.186",
                  "versionStartIncluding": "4.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.142",
                  "versionStartIncluding": "4.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.94",
                  "versionStartIncluding": "4.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.34",
                  "versionStartIncluding": "4.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.3",
                  "versionStartIncluding": "4.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "4.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nVMCI: fix race between vmci_host_setup_notify and vmci_ctx_unset_notify\n\nDuring our test, it is found that a warning can be trigger in try_grab_folio\nas follow:\n\n  ------------[ cut here ]------------\n  WARNING: CPU: 0 PID: 1678 at mm/gup.c:147 try_grab_folio+0x106/0x130\n  Modules linked in:\n  CPU: 0 UID: 0 PID: 1678 Comm: syz.3.31 Not tainted 6.15.0-rc5 #163 PREEMPT(undef)\n  RIP: 0010:try_grab_folio+0x106/0x130\n  Call Trace:\n   \u003cTASK\u003e\n   follow_huge_pmd+0x240/0x8e0\n   follow_pmd_mask.constprop.0.isra.0+0x40b/0x5c0\n   follow_pud_mask.constprop.0.isra.0+0x14a/0x170\n   follow_page_mask+0x1c2/0x1f0\n   __get_user_pages+0x176/0x950\n   __gup_longterm_locked+0x15b/0x1060\n   ? gup_fast+0x120/0x1f0\n   gup_fast_fallback+0x17e/0x230\n   get_user_pages_fast+0x5f/0x80\n   vmci_host_unlocked_ioctl+0x21c/0xf80\n  RIP: 0033:0x54d2cd\n  ---[ end trace 0000000000000000 ]---\n\nDigging into the source, context-\u003enotify_page may init by get_user_pages_fast\nand can be seen in vmci_ctx_unset_notify which will try to put_page. However\nget_user_pages_fast is not finished here and lead to following\ntry_grab_folio warning. The race condition is shown as follow:\n\ncpu0\t\t\tcpu1\nvmci_host_do_set_notify\nvmci_host_setup_notify\nget_user_pages_fast(uva, 1, FOLL_WRITE, \u0026context-\u003enotify_page);\nlockless_pages_from_mm\ngup_pgd_range\ngup_huge_pmd  // update \u0026context-\u003enotify_page\n\t\t\tvmci_host_do_set_notify\n\t\t\tvmci_ctx_unset_notify\n\t\t\tnotify_page = context-\u003enotify_page;\n\t\t\tif (notify_page)\n\t\t\tput_page(notify_page);\t// page is freed\n__gup_longterm_locked\n__get_user_pages\nfollow_trans_huge_pmd\ntry_grab_folio // warn here\n\nTo slove this, use local variable page to make notify_page can be seen\nafter finish get_user_pages_fast."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T21:21:17.994Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/74095bbbb19ca74a0368d857603a2438c88ca86c"
        },
        {
          "url": "https://git.kernel.org/stable/c/468aec888f838ce5174b96e0cb4396790d6f60ca"
        },
        {
          "url": "https://git.kernel.org/stable/c/b4209e4b778e4e57d0636e1c9fc07a924dbc6043"
        },
        {
          "url": "https://git.kernel.org/stable/c/58a90db70aa6616411e5f69d1982d9b1dd97d774"
        },
        {
          "url": "https://git.kernel.org/stable/c/6e3af836805ed1d7a699f76ec798626198917aa4"
        },
        {
          "url": "https://git.kernel.org/stable/c/00ddc7dad55b7bbb78df80d6e174d0c4764dea0c"
        },
        {
          "url": "https://git.kernel.org/stable/c/75b5313c80c39a26d27cbb602f968a05576c36f9"
        },
        {
          "url": "https://git.kernel.org/stable/c/1bd6406fb5f36c2bb1e96e27d4c3e9f4d09edde4"
        }
      ],
      "title": "VMCI: fix race between vmci_host_setup_notify and vmci_ctx_unset_notify",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38102",
    "datePublished": "2025-07-03T08:35:12.255Z",
    "dateReserved": "2025-04-16T04:51:23.985Z",
    "dateUpdated": "2026-05-11T21:21:17.994Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38103 (GCVE-0-2025-38103)

Vulnerability from cvelistv5 – Published: 2025-07-03 08:35 – Updated: 2026-05-23 15:58

Title

HID: usbhid: Eliminate recurrent out-of-bounds bug in usbhid_parse()

Summary

In the Linux kernel, the following vulnerability has been resolved: HID: usbhid: Eliminate recurrent out-of-bounds bug in usbhid_parse() Update struct hid_descriptor to better reflect the mandatory and optional parts of the HID Descriptor as per USB HID 1.11 specification. Note: the kernel currently does not parse any optional HID class descriptors, only the mandatory report descriptor. Update all references to member element desc[0] to rpt_desc. Add test to verify bLength and bNumDescriptors values are valid. Replace the for loop with direct access to the mandatory HID class descriptor member for the report descriptor. This eliminates the possibility of getting an out-of-bounds fault. Add a warning message if the HID descriptor contains any unsupported optional HID class descriptors.

Severity

No CVSS data available.

Assigner

Linux

References

10 references

URL	Tags
https://git.kernel.org/stable/c/7a6d6b68db128da20…
https://git.kernel.org/stable/c/41827a2dbdd7880df…
https://git.kernel.org/stable/c/1df80d748f984290c…
https://git.kernel.org/stable/c/a8f842534807985d3…
https://git.kernel.org/stable/c/4fa7831cf0ac71a0a…
https://git.kernel.org/stable/c/74388368927e9c52a…
https://git.kernel.org/stable/c/485e1b741eb838cbe…
https://git.kernel.org/stable/c/fe7f7ac8e0c708446…
https://lists.debian.org/debian-lts-announce/2025…
https://lists.debian.org/debian-lts-announce/2025…

Impacted products

2 products

Vendor	Product	Version
Linux	Linux	Affected: f043bfc98c193c284e2cd768fefabe18ac2fed9b , < 7a6d6b68db128da2078ccd9a751dfa3f75c9cf5b (git) Affected: f043bfc98c193c284e2cd768fefabe18ac2fed9b , < 41827a2dbdd7880df9881506dee13bc88d4230bb (git) Affected: f043bfc98c193c284e2cd768fefabe18ac2fed9b , < 1df80d748f984290c895e843401824215dcfbfb0 (git) Affected: f043bfc98c193c284e2cd768fefabe18ac2fed9b , < a8f842534807985d3a676006d140541b87044345 (git) Affected: f043bfc98c193c284e2cd768fefabe18ac2fed9b , < 4fa7831cf0ac71a0a345369d1a6084f2b096e55e (git) Affected: f043bfc98c193c284e2cd768fefabe18ac2fed9b , < 74388368927e9c52a69524af5bbd6c55eb4690de (git) Affected: f043bfc98c193c284e2cd768fefabe18ac2fed9b , < 485e1b741eb838cbe1d6b0e81e5ab62ae6c095cf (git) Affected: f043bfc98c193c284e2cd768fefabe18ac2fed9b , < fe7f7ac8e0c708446ff017453add769ffc15deed (git) Affected: 99de0781e0de7c866f762b931351c2a501c3074f (git) Affected: 8d675aa967d3927ac100f7af48f2a2af8a041d2d (git) Affected: f4cf5d75416ae3d79e03179fe6f4b9f1231ae42c (git) Affected: 439f76690d7d5dd212ea7bebc1f2fa077e3d645d (git) Affected: 2929cb995378205bceda86d6fd3cbc22e522f97f (git) Affected: 57265cddde308292af881ce634a5378dd4e25900 (git) Affected: 984154e7eef1f9e543dabd7422cfc99015778732 (git) Affected: 3.2.95 , < 3.3 (semver) Affected: 3.16.50 , < 3.17 (semver) Affected: 3.18.76 , < 3.19 (semver) Affected: 4.1.46 , < 4.2 (semver) Affected: 4.4.93 , < 4.5 (semver) Affected: 4.9.57 , < 4.10 (semver) Affected: 4.13.8 , < 4.14 (semver)
Linux	Linux	Affected: 4.14 Unaffected: 0 , < 4.14 (semver) Unaffected: 5.4.295 , ≤ 5.4.* (semver) Unaffected: 5.10.239 , ≤ 5.10.* (semver) Unaffected: 5.15.186 , ≤ 5.15.* (semver) Unaffected: 6.1.142 , ≤ 6.1.* (semver) Unaffected: 6.6.94 , ≤ 6.6.* (semver) Unaffected: 6.12.34 , ≤ 6.12.* (semver) Unaffected: 6.15.3 , ≤ 6.15.* (semver) Unaffected: 6.16 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:34:07.793Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/hid/hid-hyperv.c",
            "drivers/hid/usbhid/hid-core.c",
            "drivers/usb/gadget/function/f_hid.c",
            "include/linux/hid.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "7a6d6b68db128da2078ccd9a751dfa3f75c9cf5b",
              "status": "affected",
              "version": "f043bfc98c193c284e2cd768fefabe18ac2fed9b",
              "versionType": "git"
            },
            {
              "lessThan": "41827a2dbdd7880df9881506dee13bc88d4230bb",
              "status": "affected",
              "version": "f043bfc98c193c284e2cd768fefabe18ac2fed9b",
              "versionType": "git"
            },
            {
              "lessThan": "1df80d748f984290c895e843401824215dcfbfb0",
              "status": "affected",
              "version": "f043bfc98c193c284e2cd768fefabe18ac2fed9b",
              "versionType": "git"
            },
            {
              "lessThan": "a8f842534807985d3a676006d140541b87044345",
              "status": "affected",
              "version": "f043bfc98c193c284e2cd768fefabe18ac2fed9b",
              "versionType": "git"
            },
            {
              "lessThan": "4fa7831cf0ac71a0a345369d1a6084f2b096e55e",
              "status": "affected",
              "version": "f043bfc98c193c284e2cd768fefabe18ac2fed9b",
              "versionType": "git"
            },
            {
              "lessThan": "74388368927e9c52a69524af5bbd6c55eb4690de",
              "status": "affected",
              "version": "f043bfc98c193c284e2cd768fefabe18ac2fed9b",
              "versionType": "git"
            },
            {
              "lessThan": "485e1b741eb838cbe1d6b0e81e5ab62ae6c095cf",
              "status": "affected",
              "version": "f043bfc98c193c284e2cd768fefabe18ac2fed9b",
              "versionType": "git"
            },
            {
              "lessThan": "fe7f7ac8e0c708446ff017453add769ffc15deed",
              "status": "affected",
              "version": "f043bfc98c193c284e2cd768fefabe18ac2fed9b",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "99de0781e0de7c866f762b931351c2a501c3074f",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "8d675aa967d3927ac100f7af48f2a2af8a041d2d",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "f4cf5d75416ae3d79e03179fe6f4b9f1231ae42c",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "439f76690d7d5dd212ea7bebc1f2fa077e3d645d",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "2929cb995378205bceda86d6fd3cbc22e522f97f",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "57265cddde308292af881ce634a5378dd4e25900",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "984154e7eef1f9e543dabd7422cfc99015778732",
              "versionType": "git"
            },
            {
              "lessThan": "3.3",
              "status": "affected",
              "version": "3.2.95",
              "versionType": "semver"
            },
            {
              "lessThan": "3.17",
              "status": "affected",
              "version": "3.16.50",
              "versionType": "semver"
            },
            {
              "lessThan": "3.19",
              "status": "affected",
              "version": "3.18.76",
              "versionType": "semver"
            },
            {
              "lessThan": "4.2",
              "status": "affected",
              "version": "4.1.46",
              "versionType": "semver"
            },
            {
              "lessThan": "4.5",
              "status": "affected",
              "version": "4.4.93",
              "versionType": "semver"
            },
            {
              "lessThan": "4.10",
              "status": "affected",
              "version": "4.9.57",
              "versionType": "semver"
            },
            {
              "lessThan": "4.14",
              "status": "affected",
              "version": "4.13.8",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/hid/hid-hyperv.c",
            "drivers/hid/usbhid/hid-core.c",
            "drivers/usb/gadget/function/f_hid.c",
            "include/linux/hid.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.14"
            },
            {
              "lessThan": "4.14",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.295",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.239",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.186",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.142",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.94",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.34",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.295",
                  "versionStartIncluding": "4.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.239",
                  "versionStartIncluding": "4.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.186",
                  "versionStartIncluding": "4.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.142",
                  "versionStartIncluding": "4.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.94",
                  "versionStartIncluding": "4.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.34",
                  "versionStartIncluding": "4.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.3",
                  "versionStartIncluding": "4.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "4.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "3.2.95",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "3.16.50",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "3.18.76",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "4.1.46",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "4.4.93",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "4.9.57",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "4.13.8",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: usbhid: Eliminate recurrent out-of-bounds bug in usbhid_parse()\n\nUpdate struct hid_descriptor to better reflect the mandatory and\noptional parts of the HID Descriptor as per USB HID 1.11 specification.\nNote: the kernel currently does not parse any optional HID class\ndescriptors, only the mandatory report descriptor.\n\nUpdate all references to member element desc[0] to rpt_desc.\n\nAdd test to verify bLength and bNumDescriptors values are valid.\n\nReplace the for loop with direct access to the mandatory HID class\ndescriptor member for the report descriptor. This eliminates the\npossibility of getting an out-of-bounds fault.\n\nAdd a warning message if the HID descriptor contains any unsupported\noptional HID class descriptors."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-23T15:58:59.055Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/7a6d6b68db128da2078ccd9a751dfa3f75c9cf5b"
        },
        {
          "url": "https://git.kernel.org/stable/c/41827a2dbdd7880df9881506dee13bc88d4230bb"
        },
        {
          "url": "https://git.kernel.org/stable/c/1df80d748f984290c895e843401824215dcfbfb0"
        },
        {
          "url": "https://git.kernel.org/stable/c/a8f842534807985d3a676006d140541b87044345"
        },
        {
          "url": "https://git.kernel.org/stable/c/4fa7831cf0ac71a0a345369d1a6084f2b096e55e"
        },
        {
          "url": "https://git.kernel.org/stable/c/74388368927e9c52a69524af5bbd6c55eb4690de"
        },
        {
          "url": "https://git.kernel.org/stable/c/485e1b741eb838cbe1d6b0e81e5ab62ae6c095cf"
        },
        {
          "url": "https://git.kernel.org/stable/c/fe7f7ac8e0c708446ff017453add769ffc15deed"
        }
      ],
      "title": "HID: usbhid: Eliminate recurrent out-of-bounds bug in usbhid_parse()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38103",
    "datePublished": "2025-07-03T08:35:13.941Z",
    "dateReserved": "2025-04-16T04:51:23.985Z",
    "dateUpdated": "2026-05-23T15:58:59.055Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38104 (GCVE-0-2025-38104)

Vulnerability from cvelistv5 – Published: 2025-04-18 07:01 – Updated: 2026-05-23 15:59

Title

drm/amdgpu: Replace Mutex with Spinlock for RLCG register access to avoid Priority Inversion in SRIOV

Summary

In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: Replace Mutex with Spinlock for RLCG register access to avoid Priority Inversion in SRIOV RLCG Register Access is a way for virtual functions to safely access GPU registers in a virtualized environment., including TLB flushes and register reads. When multiple threads or VFs try to access the same registers simultaneously, it can lead to race conditions. By using the RLCG interface, the driver can serialize access to the registers. This means that only one thread can access the registers at a time, preventing conflicts and ensuring that operations are performed correctly. Additionally, when a low-priority task holds a mutex that a high-priority task needs, ie., If a thread holding a spinlock tries to acquire a mutex, it can lead to priority inversion. register access in amdgpu_virt_rlcg_reg_rw especially in a fast code path is critical. The call stack shows that the function amdgpu_virt_rlcg_reg_rw is being called, which attempts to acquire the mutex. This function is invoked from amdgpu_sriov_wreg, which in turn is called from gmc_v11_0_flush_gpu_tlb. The [ BUG: Invalid wait context ] indicates that a thread is trying to acquire a mutex while it is in a context that does not allow it to sleep (like holding a spinlock). Fixes the below: [ 253.013423] ============================= [ 253.013434] [ BUG: Invalid wait context ] [ 253.013446] 6.12.0-amdstaging-drm-next-lol-050225 #14 Tainted: G U OE [ 253.013464] ----------------------------- [ 253.013475] kworker/0:1/10 is trying to lock: [ 253.013487] ffff9f30542e3cf8 (&adev->virt.rlcg_reg_lock){+.+.}-{3:3}, at: amdgpu_virt_rlcg_reg_rw+0xf6/0x330 [amdgpu] [ 253.013815] other info that might help us debug this: [ 253.013827] context-{4:4} [ 253.013835] 3 locks held by kworker/0:1/10: [ 253.013847] #0: ffff9f3040050f58 ((wq_completion)events){+.+.}-{0:0}, at: process_one_work+0x3f5/0x680 [ 253.013877] #1: ffffb789c008be40 ((work_completion)(&wfc.work)){+.+.}-{0:0}, at: process_one_work+0x1d6/0x680 [ 253.013905] #2: ffff9f3054281838 (&adev->gmc.invalidate_lock){+.+.}-{2:2}, at: gmc_v11_0_flush_gpu_tlb+0x198/0x4f0 [amdgpu] [ 253.014154] stack backtrace: [ 253.014164] CPU: 0 UID: 0 PID: 10 Comm: kworker/0:1 Tainted: G U OE 6.12.0-amdstaging-drm-next-lol-050225 #14 [ 253.014189] Tainted: [U]=USER, [O]=OOT_MODULE, [E]=UNSIGNED_MODULE [ 253.014203] Hardware name: Microsoft Corporation Virtual Machine/Virtual Machine, BIOS Hyper-V UEFI Release v4.1 11/18/2024 [ 253.014224] Workqueue: events work_for_cpu_fn [ 253.014241] Call Trace: [ 253.014250] <TASK> [ 253.014260] dump_stack_lvl+0x9b/0xf0 [ 253.014275] dump_stack+0x10/0x20 [ 253.014287] __lock_acquire+0xa47/0x2810 [ 253.014303] ? srso_alias_return_thunk+0x5/0xfbef5 [ 253.014321] lock_acquire+0xd1/0x300 [ 253.014333] ? amdgpu_virt_rlcg_reg_rw+0xf6/0x330 [amdgpu] [ 253.014562] ? __lock_acquire+0xa6b/0x2810 [ 253.014578] __mutex_lock+0x85/0xe20 [ 253.014591] ? amdgpu_virt_rlcg_reg_rw+0xf6/0x330 [amdgpu] [ 253.014782] ? sched_clock_noinstr+0x9/0x10 [ 253.014795] ? srso_alias_return_thunk+0x5/0xfbef5 [ 253.014808] ? local_clock_noinstr+0xe/0xc0 [ 253.014822] ? amdgpu_virt_rlcg_reg_rw+0xf6/0x330 [amdgpu] [ 253.015012] ? srso_alias_return_thunk+0x5/0xfbef5 [ 253.015029] mutex_lock_nested+0x1b/0x30 [ 253.015044] ? mutex_lock_nested+0x1b/0x30 [ 253.015057] amdgpu_virt_rlcg_reg_rw+0xf6/0x330 [amdgpu] [ 253.015249] amdgpu_sriov_wreg+0xc5/0xd0 [amdgpu] [ 253.015435] gmc_v11_0_flush_gpu_tlb+0x44b/0x4f0 [amdgpu] [ 253.015667] gfx_v11_0_hw_init+0x499/0x29c0 [amdgpu] [ 253.015901] ? __pfx_smu_v13_0_update_pcie_parameters+0x10/0x10 [amdgpu] [ 253.016159] ? srso_alias_return_thunk+0x5/0xfbef5 [ 253.016173] ? smu_hw_init+0x18d/0x300 [amdgpu] [ 253.016403] amdgpu_device_init+0x29ad/0x36a0 [amdgpu] [ 253.016614] amdgpu_driver_load_kms+0x1a/0xc0 [amdgpu] [ 253.0170 ---truncated---

Severity

No CVSS data available.

Assigner

Linux

References

6 references

URL	Tags
https://git.kernel.org/stable/c/dd450b513718dfeb4…
https://git.kernel.org/stable/c/d1bda2ab0cf956a16…
https://git.kernel.org/stable/c/07ed75bfa7ede8bfc…
https://git.kernel.org/stable/c/1c0378830e42c98ac…
https://git.kernel.org/stable/c/5c1741a0c176ae116…
https://git.kernel.org/stable/c/dc0297f3198bd6010…

Impacted products

2 products

Vendor	Product	Version
Linux	Linux	Affected: f39a3bc42815a7016a915f6cb35e9a1448788f06 , < dd450b513718dfeb4c637c9335d51a55ebcd4320 (git) Affected: 1adb5ebe205e96af77a93512e2d5b8c437548787 , < d1bda2ab0cf956a16dd369a473a6c43dfbed5855 (git) Affected: e864180ee49b4d30e640fd1e1d852b86411420c9 , < 07ed75bfa7ede8bfcfa303fd6efc85db1c8684c7 (git) Affected: e864180ee49b4d30e640fd1e1d852b86411420c9 , < 1c0378830e42c98acd69e0289882c8637d92f285 (git) Affected: e864180ee49b4d30e640fd1e1d852b86411420c9 , < 5c1741a0c176ae11675a64cb7f2dd21d72db6b91 (git) Affected: e864180ee49b4d30e640fd1e1d852b86411420c9 , < dc0297f3198bd60108ccbd167ee5d9fa4af31ed0 (git) Affected: e1ab38e99d1607f80a1670a399511a56464c0253 (git) Affected: 6.1.105 , < 6.1.162 (semver) Affected: 6.6.46 , < 6.6.123 (semver) Affected: 6.10.5 , < 6.11 (semver)
Linux	Linux	Affected: 6.11 Unaffected: 0 , < 6.11 (semver) Unaffected: 6.1.162 , ≤ 6.1.* (semver) Unaffected: 6.6.123 , ≤ 6.6.* (semver) Unaffected: 6.12.39 , ≤ 6.12.* (semver) Unaffected: 6.13.11 , ≤ 6.13.* (semver) Unaffected: 6.14.2 , ≤ 6.14.* (semver) Unaffected: 6.15 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/amd/amdgpu/amdgpu_device.c",
            "drivers/gpu/drm/amd/amdgpu/amdgpu_virt.c",
            "drivers/gpu/drm/amd/amdgpu/amdgpu_virt.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "dd450b513718dfeb4c637c9335d51a55ebcd4320",
              "status": "affected",
              "version": "f39a3bc42815a7016a915f6cb35e9a1448788f06",
              "versionType": "git"
            },
            {
              "lessThan": "d1bda2ab0cf956a16dd369a473a6c43dfbed5855",
              "status": "affected",
              "version": "1adb5ebe205e96af77a93512e2d5b8c437548787",
              "versionType": "git"
            },
            {
              "lessThan": "07ed75bfa7ede8bfcfa303fd6efc85db1c8684c7",
              "status": "affected",
              "version": "e864180ee49b4d30e640fd1e1d852b86411420c9",
              "versionType": "git"
            },
            {
              "lessThan": "1c0378830e42c98acd69e0289882c8637d92f285",
              "status": "affected",
              "version": "e864180ee49b4d30e640fd1e1d852b86411420c9",
              "versionType": "git"
            },
            {
              "lessThan": "5c1741a0c176ae11675a64cb7f2dd21d72db6b91",
              "status": "affected",
              "version": "e864180ee49b4d30e640fd1e1d852b86411420c9",
              "versionType": "git"
            },
            {
              "lessThan": "dc0297f3198bd60108ccbd167ee5d9fa4af31ed0",
              "status": "affected",
              "version": "e864180ee49b4d30e640fd1e1d852b86411420c9",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "e1ab38e99d1607f80a1670a399511a56464c0253",
              "versionType": "git"
            },
            {
              "lessThan": "6.1.162",
              "status": "affected",
              "version": "6.1.105",
              "versionType": "semver"
            },
            {
              "lessThan": "6.6.123",
              "status": "affected",
              "version": "6.6.46",
              "versionType": "semver"
            },
            {
              "lessThan": "6.11",
              "status": "affected",
              "version": "6.10.5",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/amd/amdgpu/amdgpu_device.c",
            "drivers/gpu/drm/amd/amdgpu/amdgpu_virt.c",
            "drivers/gpu/drm/amd/amdgpu/amdgpu_virt.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.11"
            },
            {
              "lessThan": "6.11",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.162",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.123",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.39",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.11",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.162",
                  "versionStartIncluding": "6.1.105",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.123",
                  "versionStartIncluding": "6.6.46",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.39",
                  "versionStartIncluding": "6.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.11",
                  "versionStartIncluding": "6.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.2",
                  "versionStartIncluding": "6.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "versionStartIncluding": "6.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "6.10.5",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: Replace Mutex with Spinlock for RLCG register access to avoid Priority Inversion in SRIOV\n\nRLCG Register Access is a way for virtual functions to safely access GPU\nregisters in a virtualized environment., including TLB flushes and\nregister reads. When multiple threads or VFs try to access the same\nregisters simultaneously, it can lead to race conditions. By using the\nRLCG interface, the driver can serialize access to the registers. This\nmeans that only one thread can access the registers at a time,\npreventing conflicts and ensuring that operations are performed\ncorrectly. Additionally, when a low-priority task holds a mutex that a\nhigh-priority task needs, ie., If a thread holding a spinlock tries to\nacquire a mutex, it can lead to priority inversion. register access in\namdgpu_virt_rlcg_reg_rw especially in a fast code path is critical.\n\nThe call stack shows that the function amdgpu_virt_rlcg_reg_rw is being\ncalled, which attempts to acquire the mutex. This function is invoked\nfrom amdgpu_sriov_wreg, which in turn is called from\ngmc_v11_0_flush_gpu_tlb.\n\nThe [ BUG: Invalid wait context ] indicates that a thread is trying to\nacquire a mutex while it is in a context that does not allow it to sleep\n(like holding a spinlock).\n\nFixes the below:\n\n[  253.013423] =============================\n[  253.013434] [ BUG: Invalid wait context ]\n[  253.013446] 6.12.0-amdstaging-drm-next-lol-050225 #14 Tainted: G     U     OE\n[  253.013464] -----------------------------\n[  253.013475] kworker/0:1/10 is trying to lock:\n[  253.013487] ffff9f30542e3cf8 (\u0026adev-\u003evirt.rlcg_reg_lock){+.+.}-{3:3}, at: amdgpu_virt_rlcg_reg_rw+0xf6/0x330 [amdgpu]\n[  253.013815] other info that might help us debug this:\n[  253.013827] context-{4:4}\n[  253.013835] 3 locks held by kworker/0:1/10:\n[  253.013847]  #0: ffff9f3040050f58 ((wq_completion)events){+.+.}-{0:0}, at: process_one_work+0x3f5/0x680\n[  253.013877]  #1: ffffb789c008be40 ((work_completion)(\u0026wfc.work)){+.+.}-{0:0}, at: process_one_work+0x1d6/0x680\n[  253.013905]  #2: ffff9f3054281838 (\u0026adev-\u003egmc.invalidate_lock){+.+.}-{2:2}, at: gmc_v11_0_flush_gpu_tlb+0x198/0x4f0 [amdgpu]\n[  253.014154] stack backtrace:\n[  253.014164] CPU: 0 UID: 0 PID: 10 Comm: kworker/0:1 Tainted: G     U     OE      6.12.0-amdstaging-drm-next-lol-050225 #14\n[  253.014189] Tainted: [U]=USER, [O]=OOT_MODULE, [E]=UNSIGNED_MODULE\n[  253.014203] Hardware name: Microsoft Corporation Virtual Machine/Virtual Machine, BIOS Hyper-V UEFI Release v4.1 11/18/2024\n[  253.014224] Workqueue: events work_for_cpu_fn\n[  253.014241] Call Trace:\n[  253.014250]  \u003cTASK\u003e\n[  253.014260]  dump_stack_lvl+0x9b/0xf0\n[  253.014275]  dump_stack+0x10/0x20\n[  253.014287]  __lock_acquire+0xa47/0x2810\n[  253.014303]  ? srso_alias_return_thunk+0x5/0xfbef5\n[  253.014321]  lock_acquire+0xd1/0x300\n[  253.014333]  ? amdgpu_virt_rlcg_reg_rw+0xf6/0x330 [amdgpu]\n[  253.014562]  ? __lock_acquire+0xa6b/0x2810\n[  253.014578]  __mutex_lock+0x85/0xe20\n[  253.014591]  ? amdgpu_virt_rlcg_reg_rw+0xf6/0x330 [amdgpu]\n[  253.014782]  ? sched_clock_noinstr+0x9/0x10\n[  253.014795]  ? srso_alias_return_thunk+0x5/0xfbef5\n[  253.014808]  ? local_clock_noinstr+0xe/0xc0\n[  253.014822]  ? amdgpu_virt_rlcg_reg_rw+0xf6/0x330 [amdgpu]\n[  253.015012]  ? srso_alias_return_thunk+0x5/0xfbef5\n[  253.015029]  mutex_lock_nested+0x1b/0x30\n[  253.015044]  ? mutex_lock_nested+0x1b/0x30\n[  253.015057]  amdgpu_virt_rlcg_reg_rw+0xf6/0x330 [amdgpu]\n[  253.015249]  amdgpu_sriov_wreg+0xc5/0xd0 [amdgpu]\n[  253.015435]  gmc_v11_0_flush_gpu_tlb+0x44b/0x4f0 [amdgpu]\n[  253.015667]  gfx_v11_0_hw_init+0x499/0x29c0 [amdgpu]\n[  253.015901]  ? __pfx_smu_v13_0_update_pcie_parameters+0x10/0x10 [amdgpu]\n[  253.016159]  ? srso_alias_return_thunk+0x5/0xfbef5\n[  253.016173]  ? smu_hw_init+0x18d/0x300 [amdgpu]\n[  253.016403]  amdgpu_device_init+0x29ad/0x36a0 [amdgpu]\n[  253.016614]  amdgpu_driver_load_kms+0x1a/0xc0 [amdgpu]\n[  253.0170\n---truncated---"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-23T15:59:00.272Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/dd450b513718dfeb4c637c9335d51a55ebcd4320"
        },
        {
          "url": "https://git.kernel.org/stable/c/d1bda2ab0cf956a16dd369a473a6c43dfbed5855"
        },
        {
          "url": "https://git.kernel.org/stable/c/07ed75bfa7ede8bfcfa303fd6efc85db1c8684c7"
        },
        {
          "url": "https://git.kernel.org/stable/c/1c0378830e42c98acd69e0289882c8637d92f285"
        },
        {
          "url": "https://git.kernel.org/stable/c/5c1741a0c176ae11675a64cb7f2dd21d72db6b91"
        },
        {
          "url": "https://git.kernel.org/stable/c/dc0297f3198bd60108ccbd167ee5d9fa4af31ed0"
        }
      ],
      "title": "drm/amdgpu: Replace Mutex with Spinlock for RLCG register access to avoid Priority Inversion in SRIOV",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38104",
    "datePublished": "2025-04-18T07:01:31.091Z",
    "dateReserved": "2025-04-16T04:51:23.985Z",
    "dateUpdated": "2026-05-23T15:59:00.272Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38107 (GCVE-0-2025-38107)

Vulnerability from cvelistv5 – Published: 2025-07-03 08:35 – Updated: 2026-05-23 15:59

Title

net_sched: ets: fix a race in ets_qdisc_change()

Summary

In the Linux kernel, the following vulnerability has been resolved: net_sched: ets: fix a race in ets_qdisc_change() Gerrard Tai reported a race condition in ETS, whenever SFQ perturb timer fires at the wrong time. The race is as follows: CPU 0 CPU 1 [1]: lock root [2]: qdisc_tree_flush_backlog() [3]: unlock root | | [5]: lock root | [6]: rehash | [7]: qdisc_tree_reduce_backlog() | [4]: qdisc_put() This can be abused to underflow a parent's qlen. Calling qdisc_purge_queue() instead of qdisc_tree_flush_backlog() should fix the race, because all packets will be purged from the qdisc before releasing the lock.

Severity

No CVSS data available.

Assigner

Linux

References

9 references

URL	Tags
https://git.kernel.org/stable/c/eb7b74e9754e1ba20…
https://git.kernel.org/stable/c/0b479d0aa488cb478…
https://git.kernel.org/stable/c/347867cb424edae5f…
https://git.kernel.org/stable/c/0383b25488a545be1…
https://git.kernel.org/stable/c/073f64c03516bcfaf…
https://git.kernel.org/stable/c/fed94bd51d62d2e0e…
https://git.kernel.org/stable/c/d92adacdd8c2960be…
https://lists.debian.org/debian-lts-announce/2025…
https://lists.debian.org/debian-lts-announce/2025…

Impacted products

2 products

Vendor	Product	Version
Linux	Linux	Affected: 699d82e9a6db29d509a71f1f2f4316231e6232e6 , < eb7b74e9754e1ba2088f914ad1f57a778b11894b (git) Affected: ce881ddbdc028fb1988b66e40e45ca0529c23b46 , < 0b479d0aa488cb478eb2e1d8868be946ac8afb4f (git) Affected: b05972f01e7d30419987a1f221b5593668fd6448 , < 347867cb424edae5fec1622712c8dd0a2c42918f (git) Affected: b05972f01e7d30419987a1f221b5593668fd6448 , < 0383b25488a545be168744336847549d4a2d3d6c (git) Affected: b05972f01e7d30419987a1f221b5593668fd6448 , < 073f64c03516bcfaf790f8edc772e0cfb8a84ec3 (git) Affected: b05972f01e7d30419987a1f221b5593668fd6448 , < fed94bd51d62d2e0e006aa61480e94e5cd0582b0 (git) Affected: b05972f01e7d30419987a1f221b5593668fd6448 , < d92adacdd8c2960be856e0b82acc5b7c5395fddb (git) Affected: fffa19b5e58c34004a0d6f642d9c24b11d213994 (git) Affected: fb155f6597cd7bc3aeed668c3bb15fc3b7cb257d (git) Affected: 5.10.142 , < 5.10.239 (semver) Affected: 5.15.66 , < 5.15.186 (semver) Affected: 5.4.213 , < 5.5 (semver) Affected: 5.19.8 , < 5.20 (semver)
Linux	Linux	Affected: 6.0 Unaffected: 0 , < 6.0 (semver) Unaffected: 5.10.239 , ≤ 5.10.* (semver) Unaffected: 5.15.186 , ≤ 5.15.* (semver) Unaffected: 6.1.142 , ≤ 6.1.* (semver) Unaffected: 6.6.94 , ≤ 6.6.* (semver) Unaffected: 6.12.34 , ≤ 6.12.* (semver) Unaffected: 6.15.3 , ≤ 6.15.* (semver) Unaffected: 6.16 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:34:09.673Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/sched/sch_ets.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "eb7b74e9754e1ba2088f914ad1f57a778b11894b",
              "status": "affected",
              "version": "699d82e9a6db29d509a71f1f2f4316231e6232e6",
              "versionType": "git"
            },
            {
              "lessThan": "0b479d0aa488cb478eb2e1d8868be946ac8afb4f",
              "status": "affected",
              "version": "ce881ddbdc028fb1988b66e40e45ca0529c23b46",
              "versionType": "git"
            },
            {
              "lessThan": "347867cb424edae5fec1622712c8dd0a2c42918f",
              "status": "affected",
              "version": "b05972f01e7d30419987a1f221b5593668fd6448",
              "versionType": "git"
            },
            {
              "lessThan": "0383b25488a545be168744336847549d4a2d3d6c",
              "status": "affected",
              "version": "b05972f01e7d30419987a1f221b5593668fd6448",
              "versionType": "git"
            },
            {
              "lessThan": "073f64c03516bcfaf790f8edc772e0cfb8a84ec3",
              "status": "affected",
              "version": "b05972f01e7d30419987a1f221b5593668fd6448",
              "versionType": "git"
            },
            {
              "lessThan": "fed94bd51d62d2e0e006aa61480e94e5cd0582b0",
              "status": "affected",
              "version": "b05972f01e7d30419987a1f221b5593668fd6448",
              "versionType": "git"
            },
            {
              "lessThan": "d92adacdd8c2960be856e0b82acc5b7c5395fddb",
              "status": "affected",
              "version": "b05972f01e7d30419987a1f221b5593668fd6448",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "fffa19b5e58c34004a0d6f642d9c24b11d213994",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "fb155f6597cd7bc3aeed668c3bb15fc3b7cb257d",
              "versionType": "git"
            },
            {
              "lessThan": "5.10.239",
              "status": "affected",
              "version": "5.10.142",
              "versionType": "semver"
            },
            {
              "lessThan": "5.15.186",
              "status": "affected",
              "version": "5.15.66",
              "versionType": "semver"
            },
            {
              "lessThan": "5.5",
              "status": "affected",
              "version": "5.4.213",
              "versionType": "semver"
            },
            {
              "lessThan": "5.20",
              "status": "affected",
              "version": "5.19.8",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/sched/sch_ets.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.0"
            },
            {
              "lessThan": "6.0",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.239",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.186",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.142",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.94",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.34",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.239",
                  "versionStartIncluding": "5.10.142",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.186",
                  "versionStartIncluding": "5.15.66",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.142",
                  "versionStartIncluding": "6.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.94",
                  "versionStartIncluding": "6.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.34",
                  "versionStartIncluding": "6.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.3",
                  "versionStartIncluding": "6.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "6.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "5.4.213",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "5.19.8",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet_sched: ets: fix a race in ets_qdisc_change()\n\nGerrard Tai reported a race condition in ETS, whenever SFQ perturb timer\nfires at the wrong time.\n\nThe race is as follows:\n\nCPU 0                                 CPU 1\n[1]: lock root\n[2]: qdisc_tree_flush_backlog()\n[3]: unlock root\n |\n |                                    [5]: lock root\n |                                    [6]: rehash\n |                                    [7]: qdisc_tree_reduce_backlog()\n |\n[4]: qdisc_put()\n\nThis can be abused to underflow a parent\u0027s qlen.\n\nCalling qdisc_purge_queue() instead of qdisc_tree_flush_backlog()\nshould fix the race, because all packets will be purged from the qdisc\nbefore releasing the lock."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-23T15:59:01.435Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/eb7b74e9754e1ba2088f914ad1f57a778b11894b"
        },
        {
          "url": "https://git.kernel.org/stable/c/0b479d0aa488cb478eb2e1d8868be946ac8afb4f"
        },
        {
          "url": "https://git.kernel.org/stable/c/347867cb424edae5fec1622712c8dd0a2c42918f"
        },
        {
          "url": "https://git.kernel.org/stable/c/0383b25488a545be168744336847549d4a2d3d6c"
        },
        {
          "url": "https://git.kernel.org/stable/c/073f64c03516bcfaf790f8edc772e0cfb8a84ec3"
        },
        {
          "url": "https://git.kernel.org/stable/c/fed94bd51d62d2e0e006aa61480e94e5cd0582b0"
        },
        {
          "url": "https://git.kernel.org/stable/c/d92adacdd8c2960be856e0b82acc5b7c5395fddb"
        }
      ],
      "title": "net_sched: ets: fix a race in ets_qdisc_change()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38107",
    "datePublished": "2025-07-03T08:35:17.487Z",
    "dateReserved": "2025-04-16T04:51:23.985Z",
    "dateUpdated": "2026-05-23T15:59:01.435Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38108 (GCVE-0-2025-38108)

Vulnerability from cvelistv5 – Published: 2025-07-03 08:35 – Updated: 2026-05-11 21:21

Title

net_sched: red: fix a race in __red_change()

Summary

In the Linux kernel, the following vulnerability has been resolved: net_sched: red: fix a race in __red_change() Gerrard Tai reported a race condition in RED, whenever SFQ perturb timer fires at the wrong time. The race is as follows: CPU 0 CPU 1 [1]: lock root [2]: qdisc_tree_flush_backlog() [3]: unlock root | | [5]: lock root | [6]: rehash | [7]: qdisc_tree_reduce_backlog() | [4]: qdisc_put() This can be abused to underflow a parent's qlen. Calling qdisc_purge_queue() instead of qdisc_tree_flush_backlog() should fix the race, because all packets will be purged from the qdisc before releasing the lock.

Severity

No CVSS data available.

Assigner

Linux

References

10 references

URL	Tags
https://git.kernel.org/stable/c/2790c4ec481be45a8…
https://git.kernel.org/stable/c/a1bf6a4e9264a685b…
https://git.kernel.org/stable/c/110a47efcf23438ff…
https://git.kernel.org/stable/c/f569984417a4e12c6…
https://git.kernel.org/stable/c/2a71924ca4af59ffc…
https://git.kernel.org/stable/c/4b755305b2b0618e8…
https://git.kernel.org/stable/c/444ad445df5496a78…
https://git.kernel.org/stable/c/85a3e0ede38450ea3…
https://lists.debian.org/debian-lts-announce/2025…
https://lists.debian.org/debian-lts-announce/2025…

Impacted products

2 products

Vendor	Product	Version
Linux	Linux	Affected: 0c8d13ac96070000da33f394f45e9c19638483c5 , < 2790c4ec481be45a80948d059cd7c9a06bc37493 (git) Affected: 0c8d13ac96070000da33f394f45e9c19638483c5 , < a1bf6a4e9264a685b0e642994031f9c5aad72414 (git) Affected: 0c8d13ac96070000da33f394f45e9c19638483c5 , < 110a47efcf23438ff8d31dbd9c854fae2a48bf98 (git) Affected: 0c8d13ac96070000da33f394f45e9c19638483c5 , < f569984417a4e12c67366e69bdcb752970de921d (git) Affected: 0c8d13ac96070000da33f394f45e9c19638483c5 , < 2a71924ca4af59ffc00f0444732b6cd54b153d0e (git) Affected: 0c8d13ac96070000da33f394f45e9c19638483c5 , < 4b755305b2b0618e857fdadb499365b5f2e478d1 (git) Affected: 0c8d13ac96070000da33f394f45e9c19638483c5 , < 444ad445df5496a785705019268a8a84b84484bb (git) Affected: 0c8d13ac96070000da33f394f45e9c19638483c5 , < 85a3e0ede38450ea3053b8c45d28cf55208409b8 (git)
Linux	Linux	Affected: 5.0 Unaffected: 0 , < 5.0 (semver) Unaffected: 5.4.295 , ≤ 5.4.* (semver) Unaffected: 5.10.239 , ≤ 5.10.* (semver) Unaffected: 5.15.186 , ≤ 5.15.* (semver) Unaffected: 6.1.142 , ≤ 6.1.* (semver) Unaffected: 6.6.94 , ≤ 6.6.* (semver) Unaffected: 6.12.34 , ≤ 6.12.* (semver) Unaffected: 6.15.3 , ≤ 6.15.* (semver) Unaffected: 6.16 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:34:11.552Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/sched/sch_red.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "2790c4ec481be45a80948d059cd7c9a06bc37493",
              "status": "affected",
              "version": "0c8d13ac96070000da33f394f45e9c19638483c5",
              "versionType": "git"
            },
            {
              "lessThan": "a1bf6a4e9264a685b0e642994031f9c5aad72414",
              "status": "affected",
              "version": "0c8d13ac96070000da33f394f45e9c19638483c5",
              "versionType": "git"
            },
            {
              "lessThan": "110a47efcf23438ff8d31dbd9c854fae2a48bf98",
              "status": "affected",
              "version": "0c8d13ac96070000da33f394f45e9c19638483c5",
              "versionType": "git"
            },
            {
              "lessThan": "f569984417a4e12c67366e69bdcb752970de921d",
              "status": "affected",
              "version": "0c8d13ac96070000da33f394f45e9c19638483c5",
              "versionType": "git"
            },
            {
              "lessThan": "2a71924ca4af59ffc00f0444732b6cd54b153d0e",
              "status": "affected",
              "version": "0c8d13ac96070000da33f394f45e9c19638483c5",
              "versionType": "git"
            },
            {
              "lessThan": "4b755305b2b0618e857fdadb499365b5f2e478d1",
              "status": "affected",
              "version": "0c8d13ac96070000da33f394f45e9c19638483c5",
              "versionType": "git"
            },
            {
              "lessThan": "444ad445df5496a785705019268a8a84b84484bb",
              "status": "affected",
              "version": "0c8d13ac96070000da33f394f45e9c19638483c5",
              "versionType": "git"
            },
            {
              "lessThan": "85a3e0ede38450ea3053b8c45d28cf55208409b8",
              "status": "affected",
              "version": "0c8d13ac96070000da33f394f45e9c19638483c5",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/sched/sch_red.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.0"
            },
            {
              "lessThan": "5.0",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.295",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.239",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.186",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.142",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.94",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.34",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.295",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.239",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.186",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.142",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.94",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.34",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.3",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet_sched: red: fix a race in __red_change()\n\nGerrard Tai reported a race condition in RED, whenever SFQ perturb timer\nfires at the wrong time.\n\nThe race is as follows:\n\nCPU 0                                 CPU 1\n[1]: lock root\n[2]: qdisc_tree_flush_backlog()\n[3]: unlock root\n |\n |                                    [5]: lock root\n |                                    [6]: rehash\n |                                    [7]: qdisc_tree_reduce_backlog()\n |\n[4]: qdisc_put()\n\nThis can be abused to underflow a parent\u0027s qlen.\n\nCalling qdisc_purge_queue() instead of qdisc_tree_flush_backlog()\nshould fix the race, because all packets will be purged from the qdisc\nbefore releasing the lock."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T21:21:24.901Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/2790c4ec481be45a80948d059cd7c9a06bc37493"
        },
        {
          "url": "https://git.kernel.org/stable/c/a1bf6a4e9264a685b0e642994031f9c5aad72414"
        },
        {
          "url": "https://git.kernel.org/stable/c/110a47efcf23438ff8d31dbd9c854fae2a48bf98"
        },
        {
          "url": "https://git.kernel.org/stable/c/f569984417a4e12c67366e69bdcb752970de921d"
        },
        {
          "url": "https://git.kernel.org/stable/c/2a71924ca4af59ffc00f0444732b6cd54b153d0e"
        },
        {
          "url": "https://git.kernel.org/stable/c/4b755305b2b0618e857fdadb499365b5f2e478d1"
        },
        {
          "url": "https://git.kernel.org/stable/c/444ad445df5496a785705019268a8a84b84484bb"
        },
        {
          "url": "https://git.kernel.org/stable/c/85a3e0ede38450ea3053b8c45d28cf55208409b8"
        }
      ],
      "title": "net_sched: red: fix a race in __red_change()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38108",
    "datePublished": "2025-07-03T08:35:18.523Z",
    "dateReserved": "2025-04-16T04:51:23.985Z",
    "dateUpdated": "2026-05-11T21:21:24.901Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38111 (GCVE-0-2025-38111)

Vulnerability from cvelistv5 – Published: 2025-07-03 08:35 – Updated: 2026-05-12 12:04

Title

net/mdiobus: Fix potential out-of-bounds read/write access

Summary

In the Linux kernel, the following vulnerability has been resolved: net/mdiobus: Fix potential out-of-bounds read/write access When using publicly available tools like 'mdio-tools' to read/write data from/to network interface and its PHY via mdiobus, there is no verification of parameters passed to the ioctl and it accepts any mdio address. Currently there is support for 32 addresses in kernel via PHY_MAX_ADDR define, but it is possible to pass higher value than that via ioctl. While read/write operation should generally fail in this case, mdiobus provides stats array, where wrong address may allow out-of-bounds read/write. Fix that by adding address verification before read/write operation. While this excludes this access from any statistics, it improves security of read/write operation.

Severity

No CVSS data available.

Assigner

Linux

References

10 references

URL	Tags
https://git.kernel.org/stable/c/19c5875e26c4ed568…
https://git.kernel.org/stable/c/014ad9210373d2104…
https://git.kernel.org/stable/c/73d478234a619f347…
https://git.kernel.org/stable/c/bab6bca0834cbb5be…
https://git.kernel.org/stable/c/b02d9d2732483e670…
https://git.kernel.org/stable/c/049af7ac45a6b4077…
https://git.kernel.org/stable/c/0e629694126ca3889…
https://lists.debian.org/debian-lts-announce/2025…
https://lists.debian.org/debian-lts-announce/2025…
https://cert-portal.siemens.com/productcert/html/…

Impacted products

5 products

Vendor	Product	Version
Linux	Linux	Affected: 080bb352fad00d04995102f681b134e3754bfb6e , < 19c5875e26c4ed5686d82a7d8f7051385461b9eb (git) Affected: 080bb352fad00d04995102f681b134e3754bfb6e , < 014ad9210373d2104f6ef10e6bb999a7a0a4c50e (git) Affected: 080bb352fad00d04995102f681b134e3754bfb6e , < 73d478234a619f3476028cb02dee699c30ae8262 (git) Affected: 080bb352fad00d04995102f681b134e3754bfb6e , < bab6bca0834cbb5be2a7cfe59ec6ad016ec72608 (git) Affected: 080bb352fad00d04995102f681b134e3754bfb6e , < b02d9d2732483e670bc34cb233d28e1d43b15da4 (git) Affected: 080bb352fad00d04995102f681b134e3754bfb6e , < 049af7ac45a6b407748ee0995278fd861e36df8f (git) Affected: 080bb352fad00d04995102f681b134e3754bfb6e , < 0e629694126ca388916f059453a1c36adde219c4 (git)
Linux	Linux	Affected: 5.6 Unaffected: 0 , < 5.6 (semver) Unaffected: 5.10.239 , ≤ 5.10.* (semver) Unaffected: 5.15.186 , ≤ 5.15.* (semver) Unaffected: 6.1.142 , ≤ 6.1.* (semver) Unaffected: 6.6.94 , ≤ 6.6.* (semver) Unaffected: 6.12.34 , ≤ 6.12.* (semver) Unaffected: 6.15.3 , ≤ 6.15.* (semver) Unaffected: 6.16 , ≤ * (original_commit_for_fix)
Siemens	SIMATIC S7-1500 CPU 1518-4 PN/DP MFP	Affected: V3.1.5 , < * (custom)
Siemens	SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP	Affected: V3.1.5 , < * (custom)
Siemens	SIPLUS S7-1500 CPU 1518-4 PN/DP MFP	Affected: V3.1.5 , < * (custom)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:34:13.486Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "affected": [
          {
            "defaultStatus": "unknown",
            "product": "SIMATIC S7-1500 CPU 1518-4 PN/DP MFP",
            "vendor": "Siemens",
            "versions": [
              {
                "lessThan": "*",
                "status": "affected",
                "version": "V3.1.5",
                "versionType": "custom"
              }
            ]
          },
          {
            "defaultStatus": "unknown",
            "product": "SIMATIC S7-1500 CPU 1518-4 PN/DP MFP",
            "vendor": "Siemens",
            "versions": [
              {
                "lessThan": "*",
                "status": "affected",
                "version": "V3.1.5",
                "versionType": "custom"
              }
            ]
          },
          {
            "defaultStatus": "unknown",
            "product": "SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP",
            "vendor": "Siemens",
            "versions": [
              {
                "lessThan": "*",
                "status": "affected",
                "version": "V3.1.5",
                "versionType": "custom"
              }
            ]
          },
          {
            "defaultStatus": "unknown",
            "product": "SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP",
            "vendor": "Siemens",
            "versions": [
              {
                "lessThan": "*",
                "status": "affected",
                "version": "V3.1.5",
                "versionType": "custom"
              }
            ]
          },
          {
            "defaultStatus": "unknown",
            "product": "SIPLUS S7-1500 CPU 1518-4 PN/DP MFP",
            "vendor": "Siemens",
            "versions": [
              {
                "lessThan": "*",
                "status": "affected",
                "version": "V3.1.5",
                "versionType": "custom"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-12T12:04:31.808Z",
          "orgId": "0b142b55-0307-4c5a-b3c9-f314f3fb7c5e",
          "shortName": "siemens-SADP"
        },
        "references": [
          {
            "url": "https://cert-portal.siemens.com/productcert/html/ssa-082556.html"
          }
        ],
        "x_adpType": "supplier"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/phy/mdio_bus.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "19c5875e26c4ed5686d82a7d8f7051385461b9eb",
              "status": "affected",
              "version": "080bb352fad00d04995102f681b134e3754bfb6e",
              "versionType": "git"
            },
            {
              "lessThan": "014ad9210373d2104f6ef10e6bb999a7a0a4c50e",
              "status": "affected",
              "version": "080bb352fad00d04995102f681b134e3754bfb6e",
              "versionType": "git"
            },
            {
              "lessThan": "73d478234a619f3476028cb02dee699c30ae8262",
              "status": "affected",
              "version": "080bb352fad00d04995102f681b134e3754bfb6e",
              "versionType": "git"
            },
            {
              "lessThan": "bab6bca0834cbb5be2a7cfe59ec6ad016ec72608",
              "status": "affected",
              "version": "080bb352fad00d04995102f681b134e3754bfb6e",
              "versionType": "git"
            },
            {
              "lessThan": "b02d9d2732483e670bc34cb233d28e1d43b15da4",
              "status": "affected",
              "version": "080bb352fad00d04995102f681b134e3754bfb6e",
              "versionType": "git"
            },
            {
              "lessThan": "049af7ac45a6b407748ee0995278fd861e36df8f",
              "status": "affected",
              "version": "080bb352fad00d04995102f681b134e3754bfb6e",
              "versionType": "git"
            },
            {
              "lessThan": "0e629694126ca388916f059453a1c36adde219c4",
              "status": "affected",
              "version": "080bb352fad00d04995102f681b134e3754bfb6e",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/phy/mdio_bus.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.6"
            },
            {
              "lessThan": "5.6",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.239",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.186",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.142",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.94",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.34",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.239",
                  "versionStartIncluding": "5.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.186",
                  "versionStartIncluding": "5.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.142",
                  "versionStartIncluding": "5.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.94",
                  "versionStartIncluding": "5.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.34",
                  "versionStartIncluding": "5.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.3",
                  "versionStartIncluding": "5.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "5.6",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mdiobus: Fix potential out-of-bounds read/write access\n\nWhen using publicly available tools like \u0027mdio-tools\u0027 to read/write data\nfrom/to network interface and its PHY via mdiobus, there is no verification of\nparameters passed to the ioctl and it accepts any mdio address.\nCurrently there is support for 32 addresses in kernel via PHY_MAX_ADDR define,\nbut it is possible to pass higher value than that via ioctl.\nWhile read/write operation should generally fail in this case,\nmdiobus provides stats array, where wrong address may allow out-of-bounds\nread/write.\n\nFix that by adding address verification before read/write operation.\nWhile this excludes this access from any statistics, it improves security of\nread/write operation."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T21:21:28.355Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/19c5875e26c4ed5686d82a7d8f7051385461b9eb"
        },
        {
          "url": "https://git.kernel.org/stable/c/014ad9210373d2104f6ef10e6bb999a7a0a4c50e"
        },
        {
          "url": "https://git.kernel.org/stable/c/73d478234a619f3476028cb02dee699c30ae8262"
        },
        {
          "url": "https://git.kernel.org/stable/c/bab6bca0834cbb5be2a7cfe59ec6ad016ec72608"
        },
        {
          "url": "https://git.kernel.org/stable/c/b02d9d2732483e670bc34cb233d28e1d43b15da4"
        },
        {
          "url": "https://git.kernel.org/stable/c/049af7ac45a6b407748ee0995278fd861e36df8f"
        },
        {
          "url": "https://git.kernel.org/stable/c/0e629694126ca388916f059453a1c36adde219c4"
        }
      ],
      "title": "net/mdiobus: Fix potential out-of-bounds read/write access",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38111",
    "datePublished": "2025-07-03T08:35:20.643Z",
    "dateReserved": "2025-04-16T04:51:23.985Z",
    "dateUpdated": "2026-05-12T12:04:31.808Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38112 (GCVE-0-2025-38112)

Vulnerability from cvelistv5 – Published: 2025-07-03 08:35 – Updated: 2026-05-11 21:21

Title

net: Fix TOCTOU issue in sk_is_readable()

Summary

In the Linux kernel, the following vulnerability has been resolved: net: Fix TOCTOU issue in sk_is_readable() sk->sk_prot->sock_is_readable is a valid function pointer when sk resides in a sockmap. After the last sk_psock_put() (which usually happens when socket is removed from sockmap), sk->sk_prot gets restored and sk->sk_prot->sock_is_readable becomes NULL. This makes sk_is_readable() racy, if the value of sk->sk_prot is reloaded after the initial check. Which in turn may lead to a null pointer dereference. Ensure the function pointer does not turn NULL after the check.

Severity

No CVSS data available.

Assigner

Linux

References

9 references

URL	Tags
https://git.kernel.org/stable/c/c2b26638476baee15…
https://git.kernel.org/stable/c/6fa68d7eab34d448a…
https://git.kernel.org/stable/c/8926a7ef1977a832d…
https://git.kernel.org/stable/c/ff55c85a923e043d5…
https://git.kernel.org/stable/c/1e0de7582ceccbdbb…
https://git.kernel.org/stable/c/1b367ba2f94251822…
https://git.kernel.org/stable/c/2660a544fdc0940bb…
https://lists.debian.org/debian-lts-announce/2025…
https://lists.debian.org/debian-lts-announce/2025…

Impacted products

2 products

Vendor	Product	Version
Linux	Linux	Affected: 8934ce2fd08171e8605f7fada91ee7619fe17ab8 , < c2b26638476baee154920bb587fc94ff1bf04336 (git) Affected: 8934ce2fd08171e8605f7fada91ee7619fe17ab8 , < 6fa68d7eab34d448a61aa24ea31e68b3231ed20d (git) Affected: 8934ce2fd08171e8605f7fada91ee7619fe17ab8 , < 8926a7ef1977a832dd6bf702f1a99303dbf15b15 (git) Affected: 8934ce2fd08171e8605f7fada91ee7619fe17ab8 , < ff55c85a923e043d59d26b20a673a1b4a219c310 (git) Affected: 8934ce2fd08171e8605f7fada91ee7619fe17ab8 , < 1e0de7582ceccbdbb227d4e0ddf65732f92526da (git) Affected: 8934ce2fd08171e8605f7fada91ee7619fe17ab8 , < 1b367ba2f94251822577daed031d6b9a9e11ba91 (git) Affected: 8934ce2fd08171e8605f7fada91ee7619fe17ab8 , < 2660a544fdc0940bba15f70508a46cf9a6491230 (git)
Linux	Linux	Affected: 4.17 Unaffected: 0 , < 4.17 (semver) Unaffected: 5.10.239 , ≤ 5.10.* (semver) Unaffected: 5.15.186 , ≤ 5.15.* (semver) Unaffected: 6.1.142 , ≤ 6.1.* (semver) Unaffected: 6.6.94 , ≤ 6.6.* (semver) Unaffected: 6.12.34 , ≤ 6.12.* (semver) Unaffected: 6.15.3 , ≤ 6.15.* (semver) Unaffected: 6.16 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:34:15.443Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "include/net/sock.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "c2b26638476baee154920bb587fc94ff1bf04336",
              "status": "affected",
              "version": "8934ce2fd08171e8605f7fada91ee7619fe17ab8",
              "versionType": "git"
            },
            {
              "lessThan": "6fa68d7eab34d448a61aa24ea31e68b3231ed20d",
              "status": "affected",
              "version": "8934ce2fd08171e8605f7fada91ee7619fe17ab8",
              "versionType": "git"
            },
            {
              "lessThan": "8926a7ef1977a832dd6bf702f1a99303dbf15b15",
              "status": "affected",
              "version": "8934ce2fd08171e8605f7fada91ee7619fe17ab8",
              "versionType": "git"
            },
            {
              "lessThan": "ff55c85a923e043d59d26b20a673a1b4a219c310",
              "status": "affected",
              "version": "8934ce2fd08171e8605f7fada91ee7619fe17ab8",
              "versionType": "git"
            },
            {
              "lessThan": "1e0de7582ceccbdbb227d4e0ddf65732f92526da",
              "status": "affected",
              "version": "8934ce2fd08171e8605f7fada91ee7619fe17ab8",
              "versionType": "git"
            },
            {
              "lessThan": "1b367ba2f94251822577daed031d6b9a9e11ba91",
              "status": "affected",
              "version": "8934ce2fd08171e8605f7fada91ee7619fe17ab8",
              "versionType": "git"
            },
            {
              "lessThan": "2660a544fdc0940bba15f70508a46cf9a6491230",
              "status": "affected",
              "version": "8934ce2fd08171e8605f7fada91ee7619fe17ab8",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "include/net/sock.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.17"
            },
            {
              "lessThan": "4.17",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.239",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.186",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.142",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.94",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.34",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.239",
                  "versionStartIncluding": "4.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.186",
                  "versionStartIncluding": "4.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.142",
                  "versionStartIncluding": "4.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.94",
                  "versionStartIncluding": "4.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.34",
                  "versionStartIncluding": "4.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.3",
                  "versionStartIncluding": "4.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "4.17",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: Fix TOCTOU issue in sk_is_readable()\n\nsk-\u003esk_prot-\u003esock_is_readable is a valid function pointer when sk resides\nin a sockmap. After the last sk_psock_put() (which usually happens when\nsocket is removed from sockmap), sk-\u003esk_prot gets restored and\nsk-\u003esk_prot-\u003esock_is_readable becomes NULL.\n\nThis makes sk_is_readable() racy, if the value of sk-\u003esk_prot is reloaded\nafter the initial check. Which in turn may lead to a null pointer\ndereference.\n\nEnsure the function pointer does not turn NULL after the check."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T21:21:29.520Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/c2b26638476baee154920bb587fc94ff1bf04336"
        },
        {
          "url": "https://git.kernel.org/stable/c/6fa68d7eab34d448a61aa24ea31e68b3231ed20d"
        },
        {
          "url": "https://git.kernel.org/stable/c/8926a7ef1977a832dd6bf702f1a99303dbf15b15"
        },
        {
          "url": "https://git.kernel.org/stable/c/ff55c85a923e043d59d26b20a673a1b4a219c310"
        },
        {
          "url": "https://git.kernel.org/stable/c/1e0de7582ceccbdbb227d4e0ddf65732f92526da"
        },
        {
          "url": "https://git.kernel.org/stable/c/1b367ba2f94251822577daed031d6b9a9e11ba91"
        },
        {
          "url": "https://git.kernel.org/stable/c/2660a544fdc0940bba15f70508a46cf9a6491230"
        }
      ],
      "title": "net: Fix TOCTOU issue in sk_is_readable()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38112",
    "datePublished": "2025-07-03T08:35:21.276Z",
    "dateReserved": "2025-04-16T04:51:23.985Z",
    "dateUpdated": "2026-05-11T21:21:29.520Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38113 (GCVE-0-2025-38113)

Vulnerability from cvelistv5 – Published: 2025-07-03 08:35 – Updated: 2026-05-11 21:21

Title

ACPI: CPPC: Fix NULL pointer dereference when nosmp is used

Summary

In the Linux kernel, the following vulnerability has been resolved: ACPI: CPPC: Fix NULL pointer dereference when nosmp is used With nosmp in cmdline, other CPUs are not brought up, leaving their cpc_desc_ptr NULL. CPU0's iteration via for_each_possible_cpu() dereferences these NULL pointers, causing panic. Panic backtrace: [ 0.401123] Unable to handle kernel NULL pointer dereference at virtual address 00000000000000b8 ... [ 0.403255] [<ffffffff809a5818>] cppc_allow_fast_switch+0x6a/0xd4 ... Kernel panic - not syncing: Attempted to kill init! [ rjw: New subject ]

Severity

No CVSS data available.

Assigner

Linux

References

6 references

URL	Tags
https://git.kernel.org/stable/c/356d09c7f5bf52508…
https://git.kernel.org/stable/c/c6dad167aade4bf0b…
https://git.kernel.org/stable/c/32a48db4cf28ea087…
https://git.kernel.org/stable/c/1a677d0ceb4a5d621…
https://git.kernel.org/stable/c/15eece6c5b05e5f9d…
https://lists.debian.org/debian-lts-announce/2025…

Impacted products

2 products

Vendor	Product	Version
Linux	Linux	Affected: 3cc30dd00a580ca0c9c0b01639841cfd72d10129 , < 356d09c7f5bf525086002a34f8bae40b134d1611 (git) Affected: 3cc30dd00a580ca0c9c0b01639841cfd72d10129 , < c6dad167aade4bf0bef9130f2f149f4249fc4ad0 (git) Affected: 3cc30dd00a580ca0c9c0b01639841cfd72d10129 , < 32a48db4cf28ea087214c261da8476db218d08bd (git) Affected: 3cc30dd00a580ca0c9c0b01639841cfd72d10129 , < 1a677d0ceb4a5d62117b711a8b2e0aee80d33015 (git) Affected: 3cc30dd00a580ca0c9c0b01639841cfd72d10129 , < 15eece6c5b05e5f9db0711978c3e3b7f1a2cfe12 (git)
Linux	Linux	Affected: 5.19 Unaffected: 0 , < 5.19 (semver) Unaffected: 6.1.142 , ≤ 6.1.* (semver) Unaffected: 6.6.94 , ≤ 6.6.* (semver) Unaffected: 6.12.34 , ≤ 6.12.* (semver) Unaffected: 6.15.3 , ≤ 6.15.* (semver) Unaffected: 6.16 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:34:16.439Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/acpi/cppc_acpi.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "356d09c7f5bf525086002a34f8bae40b134d1611",
              "status": "affected",
              "version": "3cc30dd00a580ca0c9c0b01639841cfd72d10129",
              "versionType": "git"
            },
            {
              "lessThan": "c6dad167aade4bf0bef9130f2f149f4249fc4ad0",
              "status": "affected",
              "version": "3cc30dd00a580ca0c9c0b01639841cfd72d10129",
              "versionType": "git"
            },
            {
              "lessThan": "32a48db4cf28ea087214c261da8476db218d08bd",
              "status": "affected",
              "version": "3cc30dd00a580ca0c9c0b01639841cfd72d10129",
              "versionType": "git"
            },
            {
              "lessThan": "1a677d0ceb4a5d62117b711a8b2e0aee80d33015",
              "status": "affected",
              "version": "3cc30dd00a580ca0c9c0b01639841cfd72d10129",
              "versionType": "git"
            },
            {
              "lessThan": "15eece6c5b05e5f9db0711978c3e3b7f1a2cfe12",
              "status": "affected",
              "version": "3cc30dd00a580ca0c9c0b01639841cfd72d10129",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/acpi/cppc_acpi.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.19"
            },
            {
              "lessThan": "5.19",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.142",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.94",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.34",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.142",
                  "versionStartIncluding": "5.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.94",
                  "versionStartIncluding": "5.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.34",
                  "versionStartIncluding": "5.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.3",
                  "versionStartIncluding": "5.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "5.19",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nACPI: CPPC: Fix NULL pointer dereference when nosmp is used\n\nWith nosmp in cmdline, other CPUs are not brought up, leaving\ntheir cpc_desc_ptr NULL. CPU0\u0027s iteration via for_each_possible_cpu()\ndereferences these NULL pointers, causing panic.\n\nPanic backtrace:\n\n[    0.401123] Unable to handle kernel NULL pointer dereference at virtual address 00000000000000b8\n...\n[    0.403255] [\u003cffffffff809a5818\u003e] cppc_allow_fast_switch+0x6a/0xd4\n...\nKernel panic - not syncing: Attempted to kill init!\n\n[ rjw: New subject ]"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T21:21:30.642Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/356d09c7f5bf525086002a34f8bae40b134d1611"
        },
        {
          "url": "https://git.kernel.org/stable/c/c6dad167aade4bf0bef9130f2f149f4249fc4ad0"
        },
        {
          "url": "https://git.kernel.org/stable/c/32a48db4cf28ea087214c261da8476db218d08bd"
        },
        {
          "url": "https://git.kernel.org/stable/c/1a677d0ceb4a5d62117b711a8b2e0aee80d33015"
        },
        {
          "url": "https://git.kernel.org/stable/c/15eece6c5b05e5f9db0711978c3e3b7f1a2cfe12"
        }
      ],
      "title": "ACPI: CPPC: Fix NULL pointer dereference when nosmp is used",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38113",
    "datePublished": "2025-07-03T08:35:22.207Z",
    "dateReserved": "2025-04-16T04:51:23.986Z",
    "dateUpdated": "2026-05-11T21:21:30.642Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38115 (GCVE-0-2025-38115)

Vulnerability from cvelistv5 – Published: 2025-07-03 08:35 – Updated: 2026-05-11 21:21

Title

net_sched: sch_sfq: fix a potential crash on gso_skb handling

Summary

In the Linux kernel, the following vulnerability has been resolved: net_sched: sch_sfq: fix a potential crash on gso_skb handling SFQ has an assumption of always being able to queue at least one packet. However, after the blamed commit, sch->q.len can be inflated by packets in sch->gso_skb, and an enqueue() on an empty SFQ qdisc can be followed by an immediate drop. Fix sfq_drop() to properly clear q->tail in this situation. ip netns add lb ip link add dev to-lb type veth peer name in-lb netns lb ethtool -K to-lb tso off # force qdisc to requeue gso_skb ip netns exec lb ethtool -K in-lb gro on # enable NAPI ip link set dev to-lb up ip -netns lb link set dev in-lb up ip addr add dev to-lb 192.168.20.1/24 ip -netns lb addr add dev in-lb 192.168.20.2/24 tc qdisc replace dev to-lb root sfq limit 100 ip netns exec lb netserver netperf -H 192.168.20.2 -l 100 & netperf -H 192.168.20.2 -l 100 & netperf -H 192.168.20.2 -l 100 & netperf -H 192.168.20.2 -l 100 &

Severity

No CVSS data available.

Assigner

Linux

References

10 references

URL	Tags
https://git.kernel.org/stable/c/c337efb20d6d9f9bb…
https://git.kernel.org/stable/c/b44f791f27b14c9eb…
https://git.kernel.org/stable/c/5814a7fc3abb41f63…
https://git.kernel.org/stable/c/9c19498bdd7cb9d85…
https://git.kernel.org/stable/c/b4e9bab6011b9559b…
https://git.kernel.org/stable/c/d1bc80da75c789f2f…
https://git.kernel.org/stable/c/82448d4dcd8406dec…
https://git.kernel.org/stable/c/82ffbe7776d0ac084…
https://lists.debian.org/debian-lts-announce/2025…
https://lists.debian.org/debian-lts-announce/2025…

Impacted products

2 products

Vendor	Product	Version
Linux	Linux	Affected: a53851e2c3218aa30b77abd6e68cf1c371f15afe , < c337efb20d6d9f9bbb4746f6b119917af5c886dc (git) Affected: a53851e2c3218aa30b77abd6e68cf1c371f15afe , < b44f791f27b14c9eb6b907fbe51f2ba8bec32085 (git) Affected: a53851e2c3218aa30b77abd6e68cf1c371f15afe , < 5814a7fc3abb41f63f2d44c9d3ff9d4e62965b72 (git) Affected: a53851e2c3218aa30b77abd6e68cf1c371f15afe , < 9c19498bdd7cb9d854bd3c54260f71cf7408495e (git) Affected: a53851e2c3218aa30b77abd6e68cf1c371f15afe , < b4e9bab6011b9559b7c157b16b91ae46d4d8c533 (git) Affected: a53851e2c3218aa30b77abd6e68cf1c371f15afe , < d1bc80da75c789f2f6830df89d91fb2f7a509943 (git) Affected: a53851e2c3218aa30b77abd6e68cf1c371f15afe , < 82448d4dcd8406dec688632a405fdcf7f170ec69 (git) Affected: a53851e2c3218aa30b77abd6e68cf1c371f15afe , < 82ffbe7776d0ac084031f114167712269bf3d832 (git)
Linux	Linux	Affected: 4.16 Unaffected: 0 , < 4.16 (semver) Unaffected: 5.4.295 , ≤ 5.4.* (semver) Unaffected: 5.10.239 , ≤ 5.10.* (semver) Unaffected: 5.15.186 , ≤ 5.15.* (semver) Unaffected: 6.1.142 , ≤ 6.1.* (semver) Unaffected: 6.6.94 , ≤ 6.6.* (semver) Unaffected: 6.12.34 , ≤ 6.12.* (semver) Unaffected: 6.15.3 , ≤ 6.15.* (semver) Unaffected: 6.16 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:34:18.395Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/sched/sch_sfq.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "c337efb20d6d9f9bbb4746f6b119917af5c886dc",
              "status": "affected",
              "version": "a53851e2c3218aa30b77abd6e68cf1c371f15afe",
              "versionType": "git"
            },
            {
              "lessThan": "b44f791f27b14c9eb6b907fbe51f2ba8bec32085",
              "status": "affected",
              "version": "a53851e2c3218aa30b77abd6e68cf1c371f15afe",
              "versionType": "git"
            },
            {
              "lessThan": "5814a7fc3abb41f63f2d44c9d3ff9d4e62965b72",
              "status": "affected",
              "version": "a53851e2c3218aa30b77abd6e68cf1c371f15afe",
              "versionType": "git"
            },
            {
              "lessThan": "9c19498bdd7cb9d854bd3c54260f71cf7408495e",
              "status": "affected",
              "version": "a53851e2c3218aa30b77abd6e68cf1c371f15afe",
              "versionType": "git"
            },
            {
              "lessThan": "b4e9bab6011b9559b7c157b16b91ae46d4d8c533",
              "status": "affected",
              "version": "a53851e2c3218aa30b77abd6e68cf1c371f15afe",
              "versionType": "git"
            },
            {
              "lessThan": "d1bc80da75c789f2f6830df89d91fb2f7a509943",
              "status": "affected",
              "version": "a53851e2c3218aa30b77abd6e68cf1c371f15afe",
              "versionType": "git"
            },
            {
              "lessThan": "82448d4dcd8406dec688632a405fdcf7f170ec69",
              "status": "affected",
              "version": "a53851e2c3218aa30b77abd6e68cf1c371f15afe",
              "versionType": "git"
            },
            {
              "lessThan": "82ffbe7776d0ac084031f114167712269bf3d832",
              "status": "affected",
              "version": "a53851e2c3218aa30b77abd6e68cf1c371f15afe",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/sched/sch_sfq.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.16"
            },
            {
              "lessThan": "4.16",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.295",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.239",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.186",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.142",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.94",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.34",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.295",
                  "versionStartIncluding": "4.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.239",
                  "versionStartIncluding": "4.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.186",
                  "versionStartIncluding": "4.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.142",
                  "versionStartIncluding": "4.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.94",
                  "versionStartIncluding": "4.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.34",
                  "versionStartIncluding": "4.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.3",
                  "versionStartIncluding": "4.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "4.16",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet_sched: sch_sfq: fix a potential crash on gso_skb handling\n\nSFQ has an assumption of always being able to queue at least one packet.\n\nHowever, after the blamed commit, sch-\u003eq.len can be inflated by packets\nin sch-\u003egso_skb, and an enqueue() on an empty SFQ qdisc can be followed\nby an immediate drop.\n\nFix sfq_drop() to properly clear q-\u003etail in this situation.\n\n\nip netns add lb\nip link add dev to-lb type veth peer name in-lb netns lb\nethtool -K to-lb tso off                 # force qdisc to requeue gso_skb\nip netns exec lb ethtool -K in-lb gro on # enable NAPI\nip link set dev to-lb up\nip -netns lb link set dev in-lb up\nip addr add dev to-lb 192.168.20.1/24\nip -netns lb addr add dev in-lb 192.168.20.2/24\ntc qdisc replace dev to-lb root sfq limit 100\n\nip netns exec lb netserver\n\nnetperf -H 192.168.20.2 -l 100 \u0026\nnetperf -H 192.168.20.2 -l 100 \u0026\nnetperf -H 192.168.20.2 -l 100 \u0026\nnetperf -H 192.168.20.2 -l 100 \u0026"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T21:21:32.881Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/c337efb20d6d9f9bbb4746f6b119917af5c886dc"
        },
        {
          "url": "https://git.kernel.org/stable/c/b44f791f27b14c9eb6b907fbe51f2ba8bec32085"
        },
        {
          "url": "https://git.kernel.org/stable/c/5814a7fc3abb41f63f2d44c9d3ff9d4e62965b72"
        },
        {
          "url": "https://git.kernel.org/stable/c/9c19498bdd7cb9d854bd3c54260f71cf7408495e"
        },
        {
          "url": "https://git.kernel.org/stable/c/b4e9bab6011b9559b7c157b16b91ae46d4d8c533"
        },
        {
          "url": "https://git.kernel.org/stable/c/d1bc80da75c789f2f6830df89d91fb2f7a509943"
        },
        {
          "url": "https://git.kernel.org/stable/c/82448d4dcd8406dec688632a405fdcf7f170ec69"
        },
        {
          "url": "https://git.kernel.org/stable/c/82ffbe7776d0ac084031f114167712269bf3d832"
        }
      ],
      "title": "net_sched: sch_sfq: fix a potential crash on gso_skb handling",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38115",
    "datePublished": "2025-07-03T08:35:23.750Z",
    "dateReserved": "2025-04-16T04:51:23.986Z",
    "dateUpdated": "2026-05-11T21:21:32.881Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38118 (GCVE-0-2025-38118)

Vulnerability from cvelistv5 – Published: 2025-07-03 08:35 – Updated: 2026-05-11 21:21

Title

Bluetooth: MGMT: Fix UAF on mgmt_remove_adv_monitor_complete

Summary

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: MGMT: Fix UAF on mgmt_remove_adv_monitor_complete This reworks MGMT_OP_REMOVE_ADV_MONITOR to not use mgmt_pending_add to avoid crashes like bellow: ================================================================== BUG: KASAN: slab-use-after-free in mgmt_remove_adv_monitor_complete+0xe5/0x540 net/bluetooth/mgmt.c:5406 Read of size 8 at addr ffff88801c53f318 by task kworker/u5:5/5341 CPU: 0 UID: 0 PID: 5341 Comm: kworker/u5:5 Not tainted 6.15.0-syzkaller-10402-g4cb6c8af8591 #0 PREEMPT(full) Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Workqueue: hci0 hci_cmd_sync_work Call Trace: <TASK> dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:408 [inline] print_report+0xd2/0x2b0 mm/kasan/report.c:521 kasan_report+0x118/0x150 mm/kasan/report.c:634 mgmt_remove_adv_monitor_complete+0xe5/0x540 net/bluetooth/mgmt.c:5406 hci_cmd_sync_work+0x261/0x3a0 net/bluetooth/hci_sync.c:334 process_one_work kernel/workqueue.c:3238 [inline] process_scheduled_works+0xade/0x17b0 kernel/workqueue.c:3321 worker_thread+0x8a0/0xda0 kernel/workqueue.c:3402 kthread+0x711/0x8a0 kernel/kthread.c:464 ret_from_fork+0x3fc/0x770 arch/x86/kernel/process.c:148 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245 </TASK> Allocated by task 5987: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x3e/0x80 mm/kasan/common.c:68 poison_kmalloc_redzone mm/kasan/common.c:377 [inline] __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:394 kasan_kmalloc include/linux/kasan.h:260 [inline] __kmalloc_cache_noprof+0x230/0x3d0 mm/slub.c:4358 kmalloc_noprof include/linux/slab.h:905 [inline] kzalloc_noprof include/linux/slab.h:1039 [inline] mgmt_pending_new+0x65/0x240 net/bluetooth/mgmt_util.c:252 mgmt_pending_add+0x34/0x120 net/bluetooth/mgmt_util.c:279 remove_adv_monitor+0x103/0x1b0 net/bluetooth/mgmt.c:5454 hci_mgmt_cmd+0x9c9/0xef0 net/bluetooth/hci_sock.c:1719 hci_sock_sendmsg+0x6ca/0xef0 net/bluetooth/hci_sock.c:1839 sock_sendmsg_nosec net/socket.c:712 [inline] __sock_sendmsg+0x219/0x270 net/socket.c:727 sock_write_iter+0x258/0x330 net/socket.c:1131 new_sync_write fs/read_write.c:593 [inline] vfs_write+0x548/0xa90 fs/read_write.c:686 ksys_write+0x145/0x250 fs/read_write.c:738 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f Freed by task 5989: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x3e/0x80 mm/kasan/common.c:68 kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:576 poison_slab_object mm/kasan/common.c:247 [inline] __kasan_slab_free+0x62/0x70 mm/kasan/common.c:264 kasan_slab_free include/linux/kasan.h:233 [inline] slab_free_hook mm/slub.c:2380 [inline] slab_free mm/slub.c:4642 [inline] kfree+0x18e/0x440 mm/slub.c:4841 mgmt_pending_foreach+0xc9/0x120 net/bluetooth/mgmt_util.c:242 mgmt_index_removed+0x10d/0x2f0 net/bluetooth/mgmt.c:9366 hci_sock_bind+0xbe9/0x1000 net/bluetooth/hci_sock.c:1314 __sys_bind_socket net/socket.c:1810 [inline] __sys_bind+0x2c3/0x3e0 net/socket.c:1841 __do_sys_bind net/socket.c:1846 [inline] __se_sys_bind net/socket.c:1844 [inline] __x64_sys_bind+0x7a/0x90 net/socket.c:1844 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Severity

No CVSS data available.

Assigner

Linux

References

6 references

URL	Tags
https://git.kernel.org/stable/c/3c9aba9cbdf163e26…
https://git.kernel.org/stable/c/9f66b6531c2b4e996…
https://git.kernel.org/stable/c/9df3e5e7f7e4653fd…
https://git.kernel.org/stable/c/32aa2fbe319f33b03…
https://git.kernel.org/stable/c/e6ed54e86aae9e4f7…
https://lists.debian.org/debian-lts-announce/2025…

Impacted products

2 products

Vendor	Product	Version
Linux	Linux	Affected: 66bd095ab5d408af106808cce302406542f70f65 , < 3c9aba9cbdf163e2654be9f82d43ff8a04273962 (git) Affected: 66bd095ab5d408af106808cce302406542f70f65 , < 9f66b6531c2b4e996bb61720ee94adb4b2e8d1be (git) Affected: 66bd095ab5d408af106808cce302406542f70f65 , < 9df3e5e7f7e4653fd9802878cedc36defc5ef42d (git) Affected: 66bd095ab5d408af106808cce302406542f70f65 , < 32aa2fbe319f33b0318ec6f4fceb63879771a286 (git) Affected: 66bd095ab5d408af106808cce302406542f70f65 , < e6ed54e86aae9e4f7286ce8d5c73780f91b48d1c (git)
Linux	Linux	Affected: 5.12 Unaffected: 0 , < 5.12 (semver) Unaffected: 6.1.142 , ≤ 6.1.* (semver) Unaffected: 6.6.94 , ≤ 6.6.* (semver) Unaffected: 6.12.34 , ≤ 6.12.* (semver) Unaffected: 6.15.3 , ≤ 6.15.* (semver) Unaffected: 6.16 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:34:19.342Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "include/net/bluetooth/hci_core.h",
            "net/bluetooth/hci_core.c",
            "net/bluetooth/mgmt.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "3c9aba9cbdf163e2654be9f82d43ff8a04273962",
              "status": "affected",
              "version": "66bd095ab5d408af106808cce302406542f70f65",
              "versionType": "git"
            },
            {
              "lessThan": "9f66b6531c2b4e996bb61720ee94adb4b2e8d1be",
              "status": "affected",
              "version": "66bd095ab5d408af106808cce302406542f70f65",
              "versionType": "git"
            },
            {
              "lessThan": "9df3e5e7f7e4653fd9802878cedc36defc5ef42d",
              "status": "affected",
              "version": "66bd095ab5d408af106808cce302406542f70f65",
              "versionType": "git"
            },
            {
              "lessThan": "32aa2fbe319f33b0318ec6f4fceb63879771a286",
              "status": "affected",
              "version": "66bd095ab5d408af106808cce302406542f70f65",
              "versionType": "git"
            },
            {
              "lessThan": "e6ed54e86aae9e4f7286ce8d5c73780f91b48d1c",
              "status": "affected",
              "version": "66bd095ab5d408af106808cce302406542f70f65",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "include/net/bluetooth/hci_core.h",
            "net/bluetooth/hci_core.c",
            "net/bluetooth/mgmt.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.12"
            },
            {
              "lessThan": "5.12",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.142",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.94",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.34",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.142",
                  "versionStartIncluding": "5.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.94",
                  "versionStartIncluding": "5.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.34",
                  "versionStartIncluding": "5.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.3",
                  "versionStartIncluding": "5.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "5.12",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: MGMT: Fix UAF on mgmt_remove_adv_monitor_complete\n\nThis reworks MGMT_OP_REMOVE_ADV_MONITOR to not use mgmt_pending_add to\navoid crashes like bellow:\n\n==================================================================\nBUG: KASAN: slab-use-after-free in mgmt_remove_adv_monitor_complete+0xe5/0x540 net/bluetooth/mgmt.c:5406\nRead of size 8 at addr ffff88801c53f318 by task kworker/u5:5/5341\n\nCPU: 0 UID: 0 PID: 5341 Comm: kworker/u5:5 Not tainted 6.15.0-syzkaller-10402-g4cb6c8af8591 #0 PREEMPT(full)\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014\nWorkqueue: hci0 hci_cmd_sync_work\nCall Trace:\n \u003cTASK\u003e\n dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120\n print_address_description mm/kasan/report.c:408 [inline]\n print_report+0xd2/0x2b0 mm/kasan/report.c:521\n kasan_report+0x118/0x150 mm/kasan/report.c:634\n mgmt_remove_adv_monitor_complete+0xe5/0x540 net/bluetooth/mgmt.c:5406\n hci_cmd_sync_work+0x261/0x3a0 net/bluetooth/hci_sync.c:334\n process_one_work kernel/workqueue.c:3238 [inline]\n process_scheduled_works+0xade/0x17b0 kernel/workqueue.c:3321\n worker_thread+0x8a0/0xda0 kernel/workqueue.c:3402\n kthread+0x711/0x8a0 kernel/kthread.c:464\n ret_from_fork+0x3fc/0x770 arch/x86/kernel/process.c:148\n ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245\n \u003c/TASK\u003e\n\nAllocated by task 5987:\n kasan_save_stack mm/kasan/common.c:47 [inline]\n kasan_save_track+0x3e/0x80 mm/kasan/common.c:68\n poison_kmalloc_redzone mm/kasan/common.c:377 [inline]\n __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:394\n kasan_kmalloc include/linux/kasan.h:260 [inline]\n __kmalloc_cache_noprof+0x230/0x3d0 mm/slub.c:4358\n kmalloc_noprof include/linux/slab.h:905 [inline]\n kzalloc_noprof include/linux/slab.h:1039 [inline]\n mgmt_pending_new+0x65/0x240 net/bluetooth/mgmt_util.c:252\n mgmt_pending_add+0x34/0x120 net/bluetooth/mgmt_util.c:279\n remove_adv_monitor+0x103/0x1b0 net/bluetooth/mgmt.c:5454\n hci_mgmt_cmd+0x9c9/0xef0 net/bluetooth/hci_sock.c:1719\n hci_sock_sendmsg+0x6ca/0xef0 net/bluetooth/hci_sock.c:1839\n sock_sendmsg_nosec net/socket.c:712 [inline]\n __sock_sendmsg+0x219/0x270 net/socket.c:727\n sock_write_iter+0x258/0x330 net/socket.c:1131\n new_sync_write fs/read_write.c:593 [inline]\n vfs_write+0x548/0xa90 fs/read_write.c:686\n ksys_write+0x145/0x250 fs/read_write.c:738\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nFreed by task 5989:\n kasan_save_stack mm/kasan/common.c:47 [inline]\n kasan_save_track+0x3e/0x80 mm/kasan/common.c:68\n kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:576\n poison_slab_object mm/kasan/common.c:247 [inline]\n __kasan_slab_free+0x62/0x70 mm/kasan/common.c:264\n kasan_slab_free include/linux/kasan.h:233 [inline]\n slab_free_hook mm/slub.c:2380 [inline]\n slab_free mm/slub.c:4642 [inline]\n kfree+0x18e/0x440 mm/slub.c:4841\n mgmt_pending_foreach+0xc9/0x120 net/bluetooth/mgmt_util.c:242\n mgmt_index_removed+0x10d/0x2f0 net/bluetooth/mgmt.c:9366\n hci_sock_bind+0xbe9/0x1000 net/bluetooth/hci_sock.c:1314\n __sys_bind_socket net/socket.c:1810 [inline]\n __sys_bind+0x2c3/0x3e0 net/socket.c:1841\n __do_sys_bind net/socket.c:1846 [inline]\n __se_sys_bind net/socket.c:1844 [inline]\n __x64_sys_bind+0x7a/0x90 net/socket.c:1844\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T21:21:36.285Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/3c9aba9cbdf163e2654be9f82d43ff8a04273962"
        },
        {
          "url": "https://git.kernel.org/stable/c/9f66b6531c2b4e996bb61720ee94adb4b2e8d1be"
        },
        {
          "url": "https://git.kernel.org/stable/c/9df3e5e7f7e4653fd9802878cedc36defc5ef42d"
        },
        {
          "url": "https://git.kernel.org/stable/c/32aa2fbe319f33b0318ec6f4fceb63879771a286"
        },
        {
          "url": "https://git.kernel.org/stable/c/e6ed54e86aae9e4f7286ce8d5c73780f91b48d1c"
        }
      ],
      "title": "Bluetooth: MGMT: Fix UAF on mgmt_remove_adv_monitor_complete",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38118",
    "datePublished": "2025-07-03T08:35:25.992Z",
    "dateReserved": "2025-04-16T04:51:23.986Z",
    "dateUpdated": "2026-05-11T21:21:36.285Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CERTFR-2025-AVI-0698

Solutions

CVE-2025-38102 (GCVE-0-2025-38102)

CVE-2025-38103 (GCVE-0-2025-38103)

CVE-2025-38104 (GCVE-0-2025-38104)

CVE-2025-38107 (GCVE-0-2025-38107)

CVE-2025-38108 (GCVE-0-2025-38108)

CVE-2025-38111 (GCVE-0-2025-38111)

CVE-2025-38112 (GCVE-0-2025-38112)

CVE-2025-38113 (GCVE-0-2025-38113)

CVE-2025-38115 (GCVE-0-2025-38115)

CVE-2025-38118 (GCVE-0-2025-38118)

Tags

Sightings

Nomenclature