Vulnerability-Lookup

CERTFR-2025-AVI-0698

Vulnerability from certfr_avis - Published: 2025-08-14 - Updated: 2025-08-14

De multiples vulnérabilités ont été découvertes dans le noyau Linux de Debian. Certaines d'entre elles permettent à un attaquant de provoquer une élévation de privilèges, une atteinte à la confidentialité des données et un déni de service.

Solutions

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

Impacted products

	Vendor	Product	Description
	Debian	Debian	Debian bookworm versions antérieures à 6.1.147-1
	Debian	Debian	Debian trixie versions antérieures à 6.12.41-1

References

Title

Publication Time

CVE-2025-38159 (GCVE-0-2025-38159)

Vulnerability from cvelistv5 – Published: 2025-07-03 08:36 – Updated: 2026-05-11 21:22

Title

wifi: rtw88: fix the 'para' buffer size to avoid reading out of bounds

Summary

In the Linux kernel, the following vulnerability has been resolved: wifi: rtw88: fix the 'para' buffer size to avoid reading out of bounds Set the size to 6 instead of 2, since 'para' array is passed to 'rtw_fw_bt_wifi_control(rtwdev, para[0], &para[1])', which reads 5 bytes: void rtw_fw_bt_wifi_control(struct rtw_dev *rtwdev, u8 op_code, u8 *data) { ... SET_BT_WIFI_CONTROL_DATA1(h2c_pkt, *data); SET_BT_WIFI_CONTROL_DATA2(h2c_pkt, *(data + 1)); ... SET_BT_WIFI_CONTROL_DATA5(h2c_pkt, *(data + 4)); Detected using the static analysis tool - Svace.

Severity

No CVSS data available.

Assigner

Linux

References

7 references

URL	Tags
https://git.kernel.org/stable/c/1ee8ea6937d13b20f…
https://git.kernel.org/stable/c/68a1037f0bac4de9a…
https://git.kernel.org/stable/c/74e18211c2c89ab66…
https://git.kernel.org/stable/c/c13255389499275bc…
https://git.kernel.org/stable/c/9febcc8bded8be0d7…
https://git.kernel.org/stable/c/4c2c372de2e108319…
https://lists.debian.org/debian-lts-announce/2025…

Impacted products

2 products

Vendor	Product	Version
Linux	Linux	Affected: 4136214f7c46839c15f0f177fe1d5052302c0205 , < 1ee8ea6937d13b20f90ff35d71ccc03ba448182d (git) Affected: 4136214f7c46839c15f0f177fe1d5052302c0205 , < 68a1037f0bac4de9a585aa9c879ef886109f3647 (git) Affected: 4136214f7c46839c15f0f177fe1d5052302c0205 , < 74e18211c2c89ab66c9546baa7408288db61aa0d (git) Affected: 4136214f7c46839c15f0f177fe1d5052302c0205 , < c13255389499275bc5489a0b5b7940ccea3aef04 (git) Affected: 4136214f7c46839c15f0f177fe1d5052302c0205 , < 9febcc8bded8be0d7efd8237fcef599b6d93b788 (git) Affected: 4136214f7c46839c15f0f177fe1d5052302c0205 , < 4c2c372de2e108319236203cce6de44d70ae15cd (git)
Linux	Linux	Affected: 5.4 Unaffected: 0 , < 5.4 (semver) Unaffected: 5.15.186 , ≤ 5.15.* (semver) Unaffected: 6.1.142 , ≤ 6.1.* (semver) Unaffected: 6.6.94 , ≤ 6.6.* (semver) Unaffected: 6.12.34 , ≤ 6.12.* (semver) Unaffected: 6.15.3 , ≤ 6.15.* (semver) Unaffected: 6.16 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:34:48.215Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/wireless/realtek/rtw88/coex.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "1ee8ea6937d13b20f90ff35d71ccc03ba448182d",
              "status": "affected",
              "version": "4136214f7c46839c15f0f177fe1d5052302c0205",
              "versionType": "git"
            },
            {
              "lessThan": "68a1037f0bac4de9a585aa9c879ef886109f3647",
              "status": "affected",
              "version": "4136214f7c46839c15f0f177fe1d5052302c0205",
              "versionType": "git"
            },
            {
              "lessThan": "74e18211c2c89ab66c9546baa7408288db61aa0d",
              "status": "affected",
              "version": "4136214f7c46839c15f0f177fe1d5052302c0205",
              "versionType": "git"
            },
            {
              "lessThan": "c13255389499275bc5489a0b5b7940ccea3aef04",
              "status": "affected",
              "version": "4136214f7c46839c15f0f177fe1d5052302c0205",
              "versionType": "git"
            },
            {
              "lessThan": "9febcc8bded8be0d7efd8237fcef599b6d93b788",
              "status": "affected",
              "version": "4136214f7c46839c15f0f177fe1d5052302c0205",
              "versionType": "git"
            },
            {
              "lessThan": "4c2c372de2e108319236203cce6de44d70ae15cd",
              "status": "affected",
              "version": "4136214f7c46839c15f0f177fe1d5052302c0205",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/wireless/realtek/rtw88/coex.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.4"
            },
            {
              "lessThan": "5.4",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.186",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.142",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.94",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.34",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.186",
                  "versionStartIncluding": "5.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.142",
                  "versionStartIncluding": "5.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.94",
                  "versionStartIncluding": "5.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.34",
                  "versionStartIncluding": "5.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.3",
                  "versionStartIncluding": "5.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "5.4",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: rtw88: fix the \u0027para\u0027 buffer size to avoid reading out of bounds\n\nSet the size to 6 instead of 2, since \u0027para\u0027 array is passed to\n\u0027rtw_fw_bt_wifi_control(rtwdev, para[0], \u0026para[1])\u0027, which reads\n5 bytes:\n\nvoid rtw_fw_bt_wifi_control(struct rtw_dev *rtwdev, u8 op_code, u8 *data)\n{\n    ...\n    SET_BT_WIFI_CONTROL_DATA1(h2c_pkt, *data);\n    SET_BT_WIFI_CONTROL_DATA2(h2c_pkt, *(data + 1));\n    ...\n    SET_BT_WIFI_CONTROL_DATA5(h2c_pkt, *(data + 4));\n\nDetected using the static analysis tool - Svace."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T21:22:24.170Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/1ee8ea6937d13b20f90ff35d71ccc03ba448182d"
        },
        {
          "url": "https://git.kernel.org/stable/c/68a1037f0bac4de9a585aa9c879ef886109f3647"
        },
        {
          "url": "https://git.kernel.org/stable/c/74e18211c2c89ab66c9546baa7408288db61aa0d"
        },
        {
          "url": "https://git.kernel.org/stable/c/c13255389499275bc5489a0b5b7940ccea3aef04"
        },
        {
          "url": "https://git.kernel.org/stable/c/9febcc8bded8be0d7efd8237fcef599b6d93b788"
        },
        {
          "url": "https://git.kernel.org/stable/c/4c2c372de2e108319236203cce6de44d70ae15cd"
        }
      ],
      "title": "wifi: rtw88: fix the \u0027para\u0027 buffer size to avoid reading out of bounds",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38159",
    "datePublished": "2025-07-03T08:36:01.490Z",
    "dateReserved": "2025-04-16T04:51:23.990Z",
    "dateUpdated": "2026-05-11T21:22:24.170Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38160 (GCVE-0-2025-38160)

Vulnerability from cvelistv5 – Published: 2025-07-03 08:36 – Updated: 2026-05-11 21:22

Title

clk: bcm: rpi: Add NULL check in raspberrypi_clk_register()

Summary

In the Linux kernel, the following vulnerability has been resolved: clk: bcm: rpi: Add NULL check in raspberrypi_clk_register() devm_kasprintf() returns NULL when memory allocation fails. Currently, raspberrypi_clk_register() does not check for this case, which results in a NULL pointer dereference. Add NULL check after devm_kasprintf() to prevent this issue.

Severity

No CVSS data available.

Assigner

Linux

References

9 references

URL	Tags
https://git.kernel.org/stable/c/938f625bd3364cfdc…
https://git.kernel.org/stable/c/54ce9bcdaee59d4ef…
https://git.kernel.org/stable/c/52562161df3567cda…
https://git.kernel.org/stable/c/3c1adc2f8c732ea09…
https://git.kernel.org/stable/c/0a2712cd24ecfeb52…
https://git.kernel.org/stable/c/1b69a5299f28ce8e6…
https://git.kernel.org/stable/c/73c46d9a93d071ca6…
https://lists.debian.org/debian-lts-announce/2025…
https://lists.debian.org/debian-lts-announce/2025…

Impacted products

2 products

Vendor	Product	Version
Linux	Linux	Affected: 93d2725affd65686792f4b57e49ef660f3c8c0f9 , < 938f625bd3364cfdc93916739add3b637ff90368 (git) Affected: 93d2725affd65686792f4b57e49ef660f3c8c0f9 , < 54ce9bcdaee59d4ef0703f390d55708557818f9e (git) Affected: 93d2725affd65686792f4b57e49ef660f3c8c0f9 , < 52562161df3567cdaedada46834a7a8d8c4ab737 (git) Affected: 93d2725affd65686792f4b57e49ef660f3c8c0f9 , < 3c1adc2f8c732ea09e8c4bce5941fec019c6205d (git) Affected: 93d2725affd65686792f4b57e49ef660f3c8c0f9 , < 0a2712cd24ecfeb520af60f6f859b442c7ab01ff (git) Affected: 93d2725affd65686792f4b57e49ef660f3c8c0f9 , < 1b69a5299f28ce8e6afa37c3690dbc14c3a1f53f (git) Affected: 93d2725affd65686792f4b57e49ef660f3c8c0f9 , < 73c46d9a93d071ca69858dea3f569111b03e549e (git)
Linux	Linux	Affected: 5.9 Unaffected: 0 , < 5.9 (semver) Unaffected: 5.10.239 , ≤ 5.10.* (semver) Unaffected: 5.15.186 , ≤ 5.15.* (semver) Unaffected: 6.1.142 , ≤ 6.1.* (semver) Unaffected: 6.6.94 , ≤ 6.6.* (semver) Unaffected: 6.12.34 , ≤ 6.12.* (semver) Unaffected: 6.15.3 , ≤ 6.15.* (semver) Unaffected: 6.16 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:34:50.105Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/clk/bcm/clk-raspberrypi.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "938f625bd3364cfdc93916739add3b637ff90368",
              "status": "affected",
              "version": "93d2725affd65686792f4b57e49ef660f3c8c0f9",
              "versionType": "git"
            },
            {
              "lessThan": "54ce9bcdaee59d4ef0703f390d55708557818f9e",
              "status": "affected",
              "version": "93d2725affd65686792f4b57e49ef660f3c8c0f9",
              "versionType": "git"
            },
            {
              "lessThan": "52562161df3567cdaedada46834a7a8d8c4ab737",
              "status": "affected",
              "version": "93d2725affd65686792f4b57e49ef660f3c8c0f9",
              "versionType": "git"
            },
            {
              "lessThan": "3c1adc2f8c732ea09e8c4bce5941fec019c6205d",
              "status": "affected",
              "version": "93d2725affd65686792f4b57e49ef660f3c8c0f9",
              "versionType": "git"
            },
            {
              "lessThan": "0a2712cd24ecfeb520af60f6f859b442c7ab01ff",
              "status": "affected",
              "version": "93d2725affd65686792f4b57e49ef660f3c8c0f9",
              "versionType": "git"
            },
            {
              "lessThan": "1b69a5299f28ce8e6afa37c3690dbc14c3a1f53f",
              "status": "affected",
              "version": "93d2725affd65686792f4b57e49ef660f3c8c0f9",
              "versionType": "git"
            },
            {
              "lessThan": "73c46d9a93d071ca69858dea3f569111b03e549e",
              "status": "affected",
              "version": "93d2725affd65686792f4b57e49ef660f3c8c0f9",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/clk/bcm/clk-raspberrypi.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.9"
            },
            {
              "lessThan": "5.9",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.239",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.186",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.142",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.94",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.34",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.239",
                  "versionStartIncluding": "5.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.186",
                  "versionStartIncluding": "5.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.142",
                  "versionStartIncluding": "5.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.94",
                  "versionStartIncluding": "5.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.34",
                  "versionStartIncluding": "5.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.3",
                  "versionStartIncluding": "5.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "5.9",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: bcm: rpi: Add NULL check in raspberrypi_clk_register()\n\ndevm_kasprintf() returns NULL when memory allocation fails. Currently,\nraspberrypi_clk_register() does not check for this case, which results\nin a NULL pointer dereference.\n\nAdd NULL check after devm_kasprintf() to prevent this issue."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T21:22:25.302Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/938f625bd3364cfdc93916739add3b637ff90368"
        },
        {
          "url": "https://git.kernel.org/stable/c/54ce9bcdaee59d4ef0703f390d55708557818f9e"
        },
        {
          "url": "https://git.kernel.org/stable/c/52562161df3567cdaedada46834a7a8d8c4ab737"
        },
        {
          "url": "https://git.kernel.org/stable/c/3c1adc2f8c732ea09e8c4bce5941fec019c6205d"
        },
        {
          "url": "https://git.kernel.org/stable/c/0a2712cd24ecfeb520af60f6f859b442c7ab01ff"
        },
        {
          "url": "https://git.kernel.org/stable/c/1b69a5299f28ce8e6afa37c3690dbc14c3a1f53f"
        },
        {
          "url": "https://git.kernel.org/stable/c/73c46d9a93d071ca69858dea3f569111b03e549e"
        }
      ],
      "title": "clk: bcm: rpi: Add NULL check in raspberrypi_clk_register()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38160",
    "datePublished": "2025-07-03T08:36:02.357Z",
    "dateReserved": "2025-04-16T04:51:23.990Z",
    "dateUpdated": "2026-05-11T21:22:25.302Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38161 (GCVE-0-2025-38161)

Vulnerability from cvelistv5 – Published: 2025-07-03 08:36 – Updated: 2026-05-11 21:22

Title

RDMA/mlx5: Fix error flow upon firmware failure for RQ destruction

Summary

In the Linux kernel, the following vulnerability has been resolved: RDMA/mlx5: Fix error flow upon firmware failure for RQ destruction Upon RQ destruction if the firmware command fails which is the last resource to be destroyed some SW resources were already cleaned regardless of the failure. Now properly rollback the object to its original state upon such failure. In order to avoid a use-after free in case someone tries to destroy the object again, which results in the following kernel trace: refcount_t: underflow; use-after-free. WARNING: CPU: 0 PID: 37589 at lib/refcount.c:28 refcount_warn_saturate+0xf4/0x148 Modules linked in: rdma_ucm(OE) rdma_cm(OE) iw_cm(OE) ib_ipoib(OE) ib_cm(OE) ib_umad(OE) mlx5_ib(OE) rfkill mlx5_core(OE) mlxdevm(OE) ib_uverbs(OE) ib_core(OE) psample mlxfw(OE) mlx_compat(OE) macsec tls pci_hyperv_intf sunrpc vfat fat virtio_net net_failover failover fuse loop nfnetlink vsock_loopback vmw_vsock_virtio_transport_common vmw_vsock_vmci_transport vmw_vmci vsock xfs crct10dif_ce ghash_ce sha2_ce sha256_arm64 sha1_ce virtio_console virtio_gpu virtio_blk virtio_dma_buf virtio_mmio dm_mirror dm_region_hash dm_log dm_mod xpmem(OE) CPU: 0 UID: 0 PID: 37589 Comm: python3 Kdump: loaded Tainted: G OE ------- --- 6.12.0-54.el10.aarch64 #1 Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE Hardware name: QEMU KVM Virtual Machine, BIOS 0.0.0 02/06/2015 pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : refcount_warn_saturate+0xf4/0x148 lr : refcount_warn_saturate+0xf4/0x148 sp : ffff80008b81b7e0 x29: ffff80008b81b7e0 x28: ffff000133d51600 x27: 0000000000000001 x26: 0000000000000000 x25: 00000000ffffffea x24: ffff00010ae80f00 x23: ffff00010ae80f80 x22: ffff0000c66e5d08 x21: 0000000000000000 x20: ffff0000c66e0000 x19: ffff00010ae80340 x18: 0000000000000006 x17: 0000000000000000 x16: 0000000000000020 x15: ffff80008b81b37f x14: 0000000000000000 x13: 2e656572662d7265 x12: ffff80008283ef78 x11: ffff80008257efd0 x10: ffff80008283efd0 x9 : ffff80008021ed90 x8 : 0000000000000001 x7 : 00000000000bffe8 x6 : c0000000ffff7fff x5 : ffff0001fb8e3408 x4 : 0000000000000000 x3 : ffff800179993000 x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff000133d51600 Call trace: refcount_warn_saturate+0xf4/0x148 mlx5_core_put_rsc+0x88/0xa0 [mlx5_ib] mlx5_core_destroy_rq_tracked+0x64/0x98 [mlx5_ib] mlx5_ib_destroy_wq+0x34/0x80 [mlx5_ib] ib_destroy_wq_user+0x30/0xc0 [ib_core] uverbs_free_wq+0x28/0x58 [ib_uverbs] destroy_hw_idr_uobject+0x34/0x78 [ib_uverbs] uverbs_destroy_uobject+0x48/0x240 [ib_uverbs] __uverbs_cleanup_ufile+0xd4/0x1a8 [ib_uverbs] uverbs_destroy_ufile_hw+0x48/0x120 [ib_uverbs] ib_uverbs_close+0x2c/0x100 [ib_uverbs] __fput+0xd8/0x2f0 __fput_sync+0x50/0x70 __arm64_sys_close+0x40/0x90 invoke_syscall.constprop.0+0x74/0xd0 do_el0_svc+0x48/0xe8 el0_svc+0x44/0x1d0 el0t_64_sync_handler+0x120/0x130 el0t_64_sync+0x1a4/0x1a8

Severity

No CVSS data available.

Assigner

Linux

References

9 references

URL	Tags
https://git.kernel.org/stable/c/26d2f662d3a6655a8…
https://git.kernel.org/stable/c/f9784da76ad7be662…
https://git.kernel.org/stable/c/cf32affe6f3801cfb…
https://git.kernel.org/stable/c/7c4c84cdcc19e89d4…
https://git.kernel.org/stable/c/50ac361ff8914133e…
https://git.kernel.org/stable/c/0a7790cbba654e925…
https://git.kernel.org/stable/c/5d2ea5aebbb2f3ebd…
https://lists.debian.org/debian-lts-announce/2025…
https://lists.debian.org/debian-lts-announce/2025…

Impacted products

2 products

Vendor	Product	Version
Linux	Linux	Affected: e2013b212f9f201c71fc5826ce41f39ebece0852 , < 26d2f662d3a6655a82fd8a287e8b1ce471567f36 (git) Affected: e2013b212f9f201c71fc5826ce41f39ebece0852 , < f9784da76ad7be66230e829e743bdf68a2c49e56 (git) Affected: e2013b212f9f201c71fc5826ce41f39ebece0852 , < cf32affe6f3801cfb72a65e69c4bc7a8ee9be100 (git) Affected: e2013b212f9f201c71fc5826ce41f39ebece0852 , < 7c4c84cdcc19e89d42f6bf117238e5471173423e (git) Affected: e2013b212f9f201c71fc5826ce41f39ebece0852 , < 50ac361ff8914133e3cf6ef184bac90c22cb8d79 (git) Affected: e2013b212f9f201c71fc5826ce41f39ebece0852 , < 0a7790cbba654e925243571cf2f24d61603d3ed3 (git) Affected: e2013b212f9f201c71fc5826ce41f39ebece0852 , < 5d2ea5aebbb2f3ebde4403f9c55b2b057e5dd2d6 (git)
Linux	Linux	Affected: 4.5 Unaffected: 0 , < 4.5 (semver) Unaffected: 5.10.239 , ≤ 5.10.* (semver) Unaffected: 5.15.186 , ≤ 5.15.* (semver) Unaffected: 6.1.142 , ≤ 6.1.* (semver) Unaffected: 6.6.94 , ≤ 6.6.* (semver) Unaffected: 6.12.34 , ≤ 6.12.* (semver) Unaffected: 6.15.3 , ≤ 6.15.* (semver) Unaffected: 6.16 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:34:52.048Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/infiniband/hw/mlx5/qpc.c",
            "include/linux/mlx5/driver.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "26d2f662d3a6655a82fd8a287e8b1ce471567f36",
              "status": "affected",
              "version": "e2013b212f9f201c71fc5826ce41f39ebece0852",
              "versionType": "git"
            },
            {
              "lessThan": "f9784da76ad7be66230e829e743bdf68a2c49e56",
              "status": "affected",
              "version": "e2013b212f9f201c71fc5826ce41f39ebece0852",
              "versionType": "git"
            },
            {
              "lessThan": "cf32affe6f3801cfb72a65e69c4bc7a8ee9be100",
              "status": "affected",
              "version": "e2013b212f9f201c71fc5826ce41f39ebece0852",
              "versionType": "git"
            },
            {
              "lessThan": "7c4c84cdcc19e89d42f6bf117238e5471173423e",
              "status": "affected",
              "version": "e2013b212f9f201c71fc5826ce41f39ebece0852",
              "versionType": "git"
            },
            {
              "lessThan": "50ac361ff8914133e3cf6ef184bac90c22cb8d79",
              "status": "affected",
              "version": "e2013b212f9f201c71fc5826ce41f39ebece0852",
              "versionType": "git"
            },
            {
              "lessThan": "0a7790cbba654e925243571cf2f24d61603d3ed3",
              "status": "affected",
              "version": "e2013b212f9f201c71fc5826ce41f39ebece0852",
              "versionType": "git"
            },
            {
              "lessThan": "5d2ea5aebbb2f3ebde4403f9c55b2b057e5dd2d6",
              "status": "affected",
              "version": "e2013b212f9f201c71fc5826ce41f39ebece0852",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/infiniband/hw/mlx5/qpc.c",
            "include/linux/mlx5/driver.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.5"
            },
            {
              "lessThan": "4.5",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.239",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.186",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.142",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.94",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.34",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.239",
                  "versionStartIncluding": "4.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.186",
                  "versionStartIncluding": "4.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.142",
                  "versionStartIncluding": "4.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.94",
                  "versionStartIncluding": "4.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.34",
                  "versionStartIncluding": "4.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.3",
                  "versionStartIncluding": "4.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "4.5",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/mlx5: Fix error flow upon firmware failure for RQ destruction\n\nUpon RQ destruction if the firmware command fails which is the\nlast resource to be destroyed some SW resources were already cleaned\nregardless of the failure.\n\nNow properly rollback the object to its original state upon such failure.\n\nIn order to avoid a use-after free in case someone tries to destroy the\nobject again, which results in the following kernel trace:\nrefcount_t: underflow; use-after-free.\nWARNING: CPU: 0 PID: 37589 at lib/refcount.c:28 refcount_warn_saturate+0xf4/0x148\nModules linked in: rdma_ucm(OE) rdma_cm(OE) iw_cm(OE) ib_ipoib(OE) ib_cm(OE) ib_umad(OE) mlx5_ib(OE) rfkill mlx5_core(OE) mlxdevm(OE) ib_uverbs(OE) ib_core(OE) psample mlxfw(OE) mlx_compat(OE) macsec tls pci_hyperv_intf sunrpc vfat fat virtio_net net_failover failover fuse loop nfnetlink vsock_loopback vmw_vsock_virtio_transport_common vmw_vsock_vmci_transport vmw_vmci vsock xfs crct10dif_ce ghash_ce sha2_ce sha256_arm64 sha1_ce virtio_console virtio_gpu virtio_blk virtio_dma_buf virtio_mmio dm_mirror dm_region_hash dm_log dm_mod xpmem(OE)\nCPU: 0 UID: 0 PID: 37589 Comm: python3 Kdump: loaded Tainted: G           OE     -------  ---  6.12.0-54.el10.aarch64 #1\nTainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE\nHardware name: QEMU KVM Virtual Machine, BIOS 0.0.0 02/06/2015\npstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\npc : refcount_warn_saturate+0xf4/0x148\nlr : refcount_warn_saturate+0xf4/0x148\nsp : ffff80008b81b7e0\nx29: ffff80008b81b7e0 x28: ffff000133d51600 x27: 0000000000000001\nx26: 0000000000000000 x25: 00000000ffffffea x24: ffff00010ae80f00\nx23: ffff00010ae80f80 x22: ffff0000c66e5d08 x21: 0000000000000000\nx20: ffff0000c66e0000 x19: ffff00010ae80340 x18: 0000000000000006\nx17: 0000000000000000 x16: 0000000000000020 x15: ffff80008b81b37f\nx14: 0000000000000000 x13: 2e656572662d7265 x12: ffff80008283ef78\nx11: ffff80008257efd0 x10: ffff80008283efd0 x9 : ffff80008021ed90\nx8 : 0000000000000001 x7 : 00000000000bffe8 x6 : c0000000ffff7fff\nx5 : ffff0001fb8e3408 x4 : 0000000000000000 x3 : ffff800179993000\nx2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff000133d51600\nCall trace:\n refcount_warn_saturate+0xf4/0x148\n mlx5_core_put_rsc+0x88/0xa0 [mlx5_ib]\n mlx5_core_destroy_rq_tracked+0x64/0x98 [mlx5_ib]\n mlx5_ib_destroy_wq+0x34/0x80 [mlx5_ib]\n ib_destroy_wq_user+0x30/0xc0 [ib_core]\n uverbs_free_wq+0x28/0x58 [ib_uverbs]\n destroy_hw_idr_uobject+0x34/0x78 [ib_uverbs]\n uverbs_destroy_uobject+0x48/0x240 [ib_uverbs]\n __uverbs_cleanup_ufile+0xd4/0x1a8 [ib_uverbs]\n uverbs_destroy_ufile_hw+0x48/0x120 [ib_uverbs]\n ib_uverbs_close+0x2c/0x100 [ib_uverbs]\n __fput+0xd8/0x2f0\n __fput_sync+0x50/0x70\n __arm64_sys_close+0x40/0x90\n invoke_syscall.constprop.0+0x74/0xd0\n do_el0_svc+0x48/0xe8\n el0_svc+0x44/0x1d0\n el0t_64_sync_handler+0x120/0x130\n el0t_64_sync+0x1a4/0x1a8"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T21:22:26.528Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/26d2f662d3a6655a82fd8a287e8b1ce471567f36"
        },
        {
          "url": "https://git.kernel.org/stable/c/f9784da76ad7be66230e829e743bdf68a2c49e56"
        },
        {
          "url": "https://git.kernel.org/stable/c/cf32affe6f3801cfb72a65e69c4bc7a8ee9be100"
        },
        {
          "url": "https://git.kernel.org/stable/c/7c4c84cdcc19e89d42f6bf117238e5471173423e"
        },
        {
          "url": "https://git.kernel.org/stable/c/50ac361ff8914133e3cf6ef184bac90c22cb8d79"
        },
        {
          "url": "https://git.kernel.org/stable/c/0a7790cbba654e925243571cf2f24d61603d3ed3"
        },
        {
          "url": "https://git.kernel.org/stable/c/5d2ea5aebbb2f3ebde4403f9c55b2b057e5dd2d6"
        }
      ],
      "title": "RDMA/mlx5: Fix error flow upon firmware failure for RQ destruction",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38161",
    "datePublished": "2025-07-03T08:36:03.087Z",
    "dateReserved": "2025-04-16T04:51:23.990Z",
    "dateUpdated": "2026-05-11T21:22:26.528Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38163 (GCVE-0-2025-38163)

Vulnerability from cvelistv5 – Published: 2025-07-03 08:36 – Updated: 2026-05-11 21:22

Title

f2fs: fix to do sanity check on sbi->total_valid_block_count

Summary

In the Linux kernel, the following vulnerability has been resolved: f2fs: fix to do sanity check on sbi->total_valid_block_count syzbot reported a f2fs bug as below: ------------[ cut here ]------------ kernel BUG at fs/f2fs/f2fs.h:2521! RIP: 0010:dec_valid_block_count+0x3b2/0x3c0 fs/f2fs/f2fs.h:2521 Call Trace: f2fs_truncate_data_blocks_range+0xc8c/0x11a0 fs/f2fs/file.c:695 truncate_dnode+0x417/0x740 fs/f2fs/node.c:973 truncate_nodes+0x3ec/0xf50 fs/f2fs/node.c:1014 f2fs_truncate_inode_blocks+0x8e3/0x1370 fs/f2fs/node.c:1197 f2fs_do_truncate_blocks+0x840/0x12b0 fs/f2fs/file.c:810 f2fs_truncate_blocks+0x10d/0x300 fs/f2fs/file.c:838 f2fs_truncate+0x417/0x720 fs/f2fs/file.c:888 f2fs_setattr+0xc4f/0x12f0 fs/f2fs/file.c:1112 notify_change+0xbca/0xe90 fs/attr.c:552 do_truncate+0x222/0x310 fs/open.c:65 handle_truncate fs/namei.c:3466 [inline] do_open fs/namei.c:3849 [inline] path_openat+0x2e4f/0x35d0 fs/namei.c:4004 do_filp_open+0x284/0x4e0 fs/namei.c:4031 do_sys_openat2+0x12b/0x1d0 fs/open.c:1429 do_sys_open fs/open.c:1444 [inline] __do_sys_creat fs/open.c:1522 [inline] __se_sys_creat fs/open.c:1516 [inline] __x64_sys_creat+0x124/0x170 fs/open.c:1516 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/syscall_64.c:94 The reason is: in fuzzed image, sbi->total_valid_block_count is inconsistent w/ mapped blocks indexed by inode, so, we should not trigger panic for such case, instead, let's print log and set fsck flag.

Severity

No CVSS data available.

Assigner

Linux

References

10 references

URL	Tags
https://git.kernel.org/stable/c/49bc7bf38e42cfa64…
https://git.kernel.org/stable/c/f1b743c1955151bd3…
https://git.kernel.org/stable/c/6a324d77f7ea1a91d…
https://git.kernel.org/stable/c/25f3776b58c1c45ad…
https://git.kernel.org/stable/c/a39cc43efc1bca74e…
https://git.kernel.org/stable/c/65b3f76592aed5a43…
https://git.kernel.org/stable/c/ccc28c0397f75a3ec…
https://git.kernel.org/stable/c/05872a167c2cab80e…
https://lists.debian.org/debian-lts-announce/2025…
https://lists.debian.org/debian-lts-announce/2025…

Impacted products

2 products

Vendor	Product	Version
Linux	Linux	Affected: 39a53e0ce0df01b3cf4bb898c7ae2fd2189647d5 , < 49bc7bf38e42cfa642787e947f5721696ea73ac3 (git) Affected: 39a53e0ce0df01b3cf4bb898c7ae2fd2189647d5 , < f1b743c1955151bd392539b739a3ad155296be13 (git) Affected: 39a53e0ce0df01b3cf4bb898c7ae2fd2189647d5 , < 6a324d77f7ea1a91d55c4b6ad970e3ac9ab6a20d (git) Affected: 39a53e0ce0df01b3cf4bb898c7ae2fd2189647d5 , < 25f3776b58c1c45ad2e50ab4b263505b4d2378ca (git) Affected: 39a53e0ce0df01b3cf4bb898c7ae2fd2189647d5 , < a39cc43efc1bca74ed9d6cf9e60b995071f7d178 (git) Affected: 39a53e0ce0df01b3cf4bb898c7ae2fd2189647d5 , < 65b3f76592aed5a43c4d79375ac097acf975972b (git) Affected: 39a53e0ce0df01b3cf4bb898c7ae2fd2189647d5 , < ccc28c0397f75a3ec9539cceed9db014d7b73869 (git) Affected: 39a53e0ce0df01b3cf4bb898c7ae2fd2189647d5 , < 05872a167c2cab80ef186ef23cc34a6776a1a30c (git)
Linux	Linux	Affected: 3.8 Unaffected: 0 , < 3.8 (semver) Unaffected: 5.4.295 , ≤ 5.4.* (semver) Unaffected: 5.10.239 , ≤ 5.10.* (semver) Unaffected: 5.15.186 , ≤ 5.15.* (semver) Unaffected: 6.1.142 , ≤ 6.1.* (semver) Unaffected: 6.6.94 , ≤ 6.6.* (semver) Unaffected: 6.12.34 , ≤ 6.12.* (semver) Unaffected: 6.15.3 , ≤ 6.15.* (semver) Unaffected: 6.16 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:34:53.978Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/f2fs/f2fs.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "49bc7bf38e42cfa642787e947f5721696ea73ac3",
              "status": "affected",
              "version": "39a53e0ce0df01b3cf4bb898c7ae2fd2189647d5",
              "versionType": "git"
            },
            {
              "lessThan": "f1b743c1955151bd392539b739a3ad155296be13",
              "status": "affected",
              "version": "39a53e0ce0df01b3cf4bb898c7ae2fd2189647d5",
              "versionType": "git"
            },
            {
              "lessThan": "6a324d77f7ea1a91d55c4b6ad970e3ac9ab6a20d",
              "status": "affected",
              "version": "39a53e0ce0df01b3cf4bb898c7ae2fd2189647d5",
              "versionType": "git"
            },
            {
              "lessThan": "25f3776b58c1c45ad2e50ab4b263505b4d2378ca",
              "status": "affected",
              "version": "39a53e0ce0df01b3cf4bb898c7ae2fd2189647d5",
              "versionType": "git"
            },
            {
              "lessThan": "a39cc43efc1bca74ed9d6cf9e60b995071f7d178",
              "status": "affected",
              "version": "39a53e0ce0df01b3cf4bb898c7ae2fd2189647d5",
              "versionType": "git"
            },
            {
              "lessThan": "65b3f76592aed5a43c4d79375ac097acf975972b",
              "status": "affected",
              "version": "39a53e0ce0df01b3cf4bb898c7ae2fd2189647d5",
              "versionType": "git"
            },
            {
              "lessThan": "ccc28c0397f75a3ec9539cceed9db014d7b73869",
              "status": "affected",
              "version": "39a53e0ce0df01b3cf4bb898c7ae2fd2189647d5",
              "versionType": "git"
            },
            {
              "lessThan": "05872a167c2cab80ef186ef23cc34a6776a1a30c",
              "status": "affected",
              "version": "39a53e0ce0df01b3cf4bb898c7ae2fd2189647d5",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/f2fs/f2fs.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.8"
            },
            {
              "lessThan": "3.8",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.295",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.239",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.186",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.142",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.94",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.34",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.295",
                  "versionStartIncluding": "3.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.239",
                  "versionStartIncluding": "3.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.186",
                  "versionStartIncluding": "3.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.142",
                  "versionStartIncluding": "3.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.94",
                  "versionStartIncluding": "3.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.34",
                  "versionStartIncluding": "3.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.3",
                  "versionStartIncluding": "3.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "3.8",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix to do sanity check on sbi-\u003etotal_valid_block_count\n\nsyzbot reported a f2fs bug as below:\n\n------------[ cut here ]------------\nkernel BUG at fs/f2fs/f2fs.h:2521!\nRIP: 0010:dec_valid_block_count+0x3b2/0x3c0 fs/f2fs/f2fs.h:2521\nCall Trace:\n f2fs_truncate_data_blocks_range+0xc8c/0x11a0 fs/f2fs/file.c:695\n truncate_dnode+0x417/0x740 fs/f2fs/node.c:973\n truncate_nodes+0x3ec/0xf50 fs/f2fs/node.c:1014\n f2fs_truncate_inode_blocks+0x8e3/0x1370 fs/f2fs/node.c:1197\n f2fs_do_truncate_blocks+0x840/0x12b0 fs/f2fs/file.c:810\n f2fs_truncate_blocks+0x10d/0x300 fs/f2fs/file.c:838\n f2fs_truncate+0x417/0x720 fs/f2fs/file.c:888\n f2fs_setattr+0xc4f/0x12f0 fs/f2fs/file.c:1112\n notify_change+0xbca/0xe90 fs/attr.c:552\n do_truncate+0x222/0x310 fs/open.c:65\n handle_truncate fs/namei.c:3466 [inline]\n do_open fs/namei.c:3849 [inline]\n path_openat+0x2e4f/0x35d0 fs/namei.c:4004\n do_filp_open+0x284/0x4e0 fs/namei.c:4031\n do_sys_openat2+0x12b/0x1d0 fs/open.c:1429\n do_sys_open fs/open.c:1444 [inline]\n __do_sys_creat fs/open.c:1522 [inline]\n __se_sys_creat fs/open.c:1516 [inline]\n __x64_sys_creat+0x124/0x170 fs/open.c:1516\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xf3/0x230 arch/x86/entry/syscall_64.c:94\n\nThe reason is: in fuzzed image, sbi-\u003etotal_valid_block_count is\ninconsistent w/ mapped blocks indexed by inode, so, we should\nnot trigger panic for such case, instead, let\u0027s print log and\nset fsck flag."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T21:22:28.872Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/49bc7bf38e42cfa642787e947f5721696ea73ac3"
        },
        {
          "url": "https://git.kernel.org/stable/c/f1b743c1955151bd392539b739a3ad155296be13"
        },
        {
          "url": "https://git.kernel.org/stable/c/6a324d77f7ea1a91d55c4b6ad970e3ac9ab6a20d"
        },
        {
          "url": "https://git.kernel.org/stable/c/25f3776b58c1c45ad2e50ab4b263505b4d2378ca"
        },
        {
          "url": "https://git.kernel.org/stable/c/a39cc43efc1bca74ed9d6cf9e60b995071f7d178"
        },
        {
          "url": "https://git.kernel.org/stable/c/65b3f76592aed5a43c4d79375ac097acf975972b"
        },
        {
          "url": "https://git.kernel.org/stable/c/ccc28c0397f75a3ec9539cceed9db014d7b73869"
        },
        {
          "url": "https://git.kernel.org/stable/c/05872a167c2cab80ef186ef23cc34a6776a1a30c"
        }
      ],
      "title": "f2fs: fix to do sanity check on sbi-\u003etotal_valid_block_count",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38163",
    "datePublished": "2025-07-03T08:36:04.397Z",
    "dateReserved": "2025-04-16T04:51:23.991Z",
    "dateUpdated": "2026-05-11T21:22:28.872Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38165 (GCVE-0-2025-38165)

Vulnerability from cvelistv5 – Published: 2025-07-03 08:36 – Updated: 2026-05-23 15:59

Title

bpf, sockmap: Fix panic when calling skb_linearize

Summary

In the Linux kernel, the following vulnerability has been resolved: bpf, sockmap: Fix panic when calling skb_linearize The panic can be reproduced by executing the command: ./bench sockmap -c 2 -p 1 -a --rx-verdict-ingress --rx-strp 100000 Then a kernel panic was captured: ''' [ 657.460555] kernel BUG at net/core/skbuff.c:2178! [ 657.462680] Tainted: [W]=WARN [ 657.463287] Workqueue: events sk_psock_backlog ... [ 657.469610] <TASK> [ 657.469738] ? die+0x36/0x90 [ 657.469916] ? do_trap+0x1d0/0x270 [ 657.470118] ? pskb_expand_head+0x612/0xf40 [ 657.470376] ? pskb_expand_head+0x612/0xf40 [ 657.470620] ? do_error_trap+0xa3/0x170 [ 657.470846] ? pskb_expand_head+0x612/0xf40 [ 657.471092] ? handle_invalid_op+0x2c/0x40 [ 657.471335] ? pskb_expand_head+0x612/0xf40 [ 657.471579] ? exc_invalid_op+0x2d/0x40 [ 657.471805] ? asm_exc_invalid_op+0x1a/0x20 [ 657.472052] ? pskb_expand_head+0xd1/0xf40 [ 657.472292] ? pskb_expand_head+0x612/0xf40 [ 657.472540] ? lock_acquire+0x18f/0x4e0 [ 657.472766] ? find_held_lock+0x2d/0x110 [ 657.472999] ? __pfx_pskb_expand_head+0x10/0x10 [ 657.473263] ? __kmalloc_cache_noprof+0x5b/0x470 [ 657.473537] ? __pfx___lock_release.isra.0+0x10/0x10 [ 657.473826] __pskb_pull_tail+0xfd/0x1d20 [ 657.474062] ? __kasan_slab_alloc+0x4e/0x90 [ 657.474707] sk_psock_skb_ingress_enqueue+0x3bf/0x510 [ 657.475392] ? __kasan_kmalloc+0xaa/0xb0 [ 657.476010] sk_psock_backlog+0x5cf/0xd70 [ 657.476637] process_one_work+0x858/0x1a20 ''' The panic originates from the assertion BUG_ON(skb_shared(skb)) in skb_linearize(). A previous commit(see Fixes tag) introduced skb_get() to avoid race conditions between skb operations in the backlog and skb release in the recvmsg path. However, this caused the panic to always occur when skb_linearize is executed. The "--rx-strp 100000" parameter forces the RX path to use the strparser module which aggregates data until it reaches 100KB before calling sockmap logic. The 100KB payload exceeds MAX_MSG_FRAGS, triggering skb_linearize. To fix this issue, just move skb_get into sk_psock_skb_ingress_enqueue. ''' sk_psock_backlog: sk_psock_handle_skb skb_get(skb) <== we move it into 'sk_psock_skb_ingress_enqueue' sk_psock_skb_ingress____________ ↓ | | → sk_psock_skb_ingress_self | sk_psock_skb_ingress_enqueue sk_psock_verdict_apply_________________↑ skb_linearize ''' Note that for verdict_apply path, the skb_get operation is unnecessary so we add 'take_ref' param to control it's behavior.

Severity

No CVSS data available.

Assigner

Linux

References

7 references

URL	Tags
https://git.kernel.org/stable/c/4dba44333a11522df…
https://git.kernel.org/stable/c/9718ba6490732dbe7…
https://git.kernel.org/stable/c/db1d15a26f21f9745…
https://git.kernel.org/stable/c/3d25fa2d7f127348c…
https://git.kernel.org/stable/c/e9c1299d813fc0466…
https://git.kernel.org/stable/c/5ca2e29f6834c64c0…
https://lists.debian.org/debian-lts-announce/2025…

Impacted products

2 products

Vendor	Product	Version
Linux	Linux	Affected: 65ad600b9bde68d2d28709943ab00b51ca8f0a1d , < 4dba44333a11522df54b49aa1f2edfaf6ce35fc7 (git) Affected: 923877254f002ae87d441382bb1096d9e773d56d , < 9718ba6490732dbe70190d42c21deb1440834402 (git) Affected: a454d84ee20baf7bd7be90721b9821f73c7d23d9 , < db1d15a26f21f97459508c42ae87cabe8d3afc3b (git) Affected: a454d84ee20baf7bd7be90721b9821f73c7d23d9 , < 3d25fa2d7f127348c818e1dab9e58534f7ac56cc (git) Affected: a454d84ee20baf7bd7be90721b9821f73c7d23d9 , < e9c1299d813fc04668042690f2c3cc76d013959a (git) Affected: a454d84ee20baf7bd7be90721b9821f73c7d23d9 , < 5ca2e29f6834c64c0e5a9ccf1278c21fb49b827e (git) Affected: e6b5e47adb9166e732cdf7e6e034946e3f89f36d (git) Affected: 5.15.189 , < 5.15.190 (semver) Affected: 6.1.54 , < 6.1.142 (semver) Affected: 6.5.4 , < 6.6 (semver)
Linux	Linux	Affected: 6.6 Unaffected: 0 , < 6.6 (semver) Unaffected: 5.15.190 , ≤ 5.15.* (semver) Unaffected: 6.1.142 , ≤ 6.1.* (semver) Unaffected: 6.6.94 , ≤ 6.6.* (semver) Unaffected: 6.12.34 , ≤ 6.12.* (semver) Unaffected: 6.15.3 , ≤ 6.15.* (semver) Unaffected: 6.16 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:34:54.924Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/core/skmsg.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "4dba44333a11522df54b49aa1f2edfaf6ce35fc7",
              "status": "affected",
              "version": "65ad600b9bde68d2d28709943ab00b51ca8f0a1d",
              "versionType": "git"
            },
            {
              "lessThan": "9718ba6490732dbe70190d42c21deb1440834402",
              "status": "affected",
              "version": "923877254f002ae87d441382bb1096d9e773d56d",
              "versionType": "git"
            },
            {
              "lessThan": "db1d15a26f21f97459508c42ae87cabe8d3afc3b",
              "status": "affected",
              "version": "a454d84ee20baf7bd7be90721b9821f73c7d23d9",
              "versionType": "git"
            },
            {
              "lessThan": "3d25fa2d7f127348c818e1dab9e58534f7ac56cc",
              "status": "affected",
              "version": "a454d84ee20baf7bd7be90721b9821f73c7d23d9",
              "versionType": "git"
            },
            {
              "lessThan": "e9c1299d813fc04668042690f2c3cc76d013959a",
              "status": "affected",
              "version": "a454d84ee20baf7bd7be90721b9821f73c7d23d9",
              "versionType": "git"
            },
            {
              "lessThan": "5ca2e29f6834c64c0e5a9ccf1278c21fb49b827e",
              "status": "affected",
              "version": "a454d84ee20baf7bd7be90721b9821f73c7d23d9",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "e6b5e47adb9166e732cdf7e6e034946e3f89f36d",
              "versionType": "git"
            },
            {
              "lessThan": "5.15.190",
              "status": "affected",
              "version": "5.15.189",
              "versionType": "semver"
            },
            {
              "lessThan": "6.1.142",
              "status": "affected",
              "version": "6.1.54",
              "versionType": "semver"
            },
            {
              "lessThan": "6.6",
              "status": "affected",
              "version": "6.5.4",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/core/skmsg.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.6"
            },
            {
              "lessThan": "6.6",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.190",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.142",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.94",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.34",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.190",
                  "versionStartIncluding": "5.15.189",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.142",
                  "versionStartIncluding": "6.1.54",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.94",
                  "versionStartIncluding": "6.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.34",
                  "versionStartIncluding": "6.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.3",
                  "versionStartIncluding": "6.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "6.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "6.5.4",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf, sockmap: Fix panic when calling skb_linearize\n\nThe panic can be reproduced by executing the command:\n./bench sockmap -c 2 -p 1 -a --rx-verdict-ingress --rx-strp 100000\n\nThen a kernel panic was captured:\n\u0027\u0027\u0027\n[  657.460555] kernel BUG at net/core/skbuff.c:2178!\n[  657.462680] Tainted: [W]=WARN\n[  657.463287] Workqueue: events sk_psock_backlog\n...\n[  657.469610]  \u003cTASK\u003e\n[  657.469738]  ? die+0x36/0x90\n[  657.469916]  ? do_trap+0x1d0/0x270\n[  657.470118]  ? pskb_expand_head+0x612/0xf40\n[  657.470376]  ? pskb_expand_head+0x612/0xf40\n[  657.470620]  ? do_error_trap+0xa3/0x170\n[  657.470846]  ? pskb_expand_head+0x612/0xf40\n[  657.471092]  ? handle_invalid_op+0x2c/0x40\n[  657.471335]  ? pskb_expand_head+0x612/0xf40\n[  657.471579]  ? exc_invalid_op+0x2d/0x40\n[  657.471805]  ? asm_exc_invalid_op+0x1a/0x20\n[  657.472052]  ? pskb_expand_head+0xd1/0xf40\n[  657.472292]  ? pskb_expand_head+0x612/0xf40\n[  657.472540]  ? lock_acquire+0x18f/0x4e0\n[  657.472766]  ? find_held_lock+0x2d/0x110\n[  657.472999]  ? __pfx_pskb_expand_head+0x10/0x10\n[  657.473263]  ? __kmalloc_cache_noprof+0x5b/0x470\n[  657.473537]  ? __pfx___lock_release.isra.0+0x10/0x10\n[  657.473826]  __pskb_pull_tail+0xfd/0x1d20\n[  657.474062]  ? __kasan_slab_alloc+0x4e/0x90\n[  657.474707]  sk_psock_skb_ingress_enqueue+0x3bf/0x510\n[  657.475392]  ? __kasan_kmalloc+0xaa/0xb0\n[  657.476010]  sk_psock_backlog+0x5cf/0xd70\n[  657.476637]  process_one_work+0x858/0x1a20\n\u0027\u0027\u0027\n\nThe panic originates from the assertion BUG_ON(skb_shared(skb)) in\nskb_linearize(). A previous commit(see Fixes tag) introduced skb_get()\nto avoid race conditions between skb operations in the backlog and skb\nrelease in the recvmsg path. However, this caused the panic to always\noccur when skb_linearize is executed.\n\nThe \"--rx-strp 100000\" parameter forces the RX path to use the strparser\nmodule which aggregates data until it reaches 100KB before calling sockmap\nlogic. The 100KB payload exceeds MAX_MSG_FRAGS, triggering skb_linearize.\n\nTo fix this issue, just move skb_get into sk_psock_skb_ingress_enqueue.\n\n\u0027\u0027\u0027\nsk_psock_backlog:\n    sk_psock_handle_skb\n       skb_get(skb) \u003c== we move it into \u0027sk_psock_skb_ingress_enqueue\u0027\n       sk_psock_skb_ingress____________\n                                       \u2193\n                                       |\n                                       | \u2192 sk_psock_skb_ingress_self\n                                       |      sk_psock_skb_ingress_enqueue\nsk_psock_verdict_apply_________________\u2191          skb_linearize\n\u0027\u0027\u0027\n\nNote that for verdict_apply path, the skb_get operation is unnecessary so\nwe add \u0027take_ref\u0027 param to control it\u0027s behavior."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-23T15:59:09.438Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/4dba44333a11522df54b49aa1f2edfaf6ce35fc7"
        },
        {
          "url": "https://git.kernel.org/stable/c/9718ba6490732dbe70190d42c21deb1440834402"
        },
        {
          "url": "https://git.kernel.org/stable/c/db1d15a26f21f97459508c42ae87cabe8d3afc3b"
        },
        {
          "url": "https://git.kernel.org/stable/c/3d25fa2d7f127348c818e1dab9e58534f7ac56cc"
        },
        {
          "url": "https://git.kernel.org/stable/c/e9c1299d813fc04668042690f2c3cc76d013959a"
        },
        {
          "url": "https://git.kernel.org/stable/c/5ca2e29f6834c64c0e5a9ccf1278c21fb49b827e"
        }
      ],
      "title": "bpf, sockmap: Fix panic when calling skb_linearize",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38165",
    "datePublished": "2025-07-03T08:36:05.738Z",
    "dateReserved": "2025-04-16T04:51:23.991Z",
    "dateUpdated": "2026-05-23T15:59:09.438Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38166 (GCVE-0-2025-38166)

Vulnerability from cvelistv5 – Published: 2025-07-03 08:36 – Updated: 2026-05-11 21:22

Title

bpf: fix ktls panic with sockmap

Summary

In the Linux kernel, the following vulnerability has been resolved: bpf: fix ktls panic with sockmap [ 2172.936997] ------------[ cut here ]------------ [ 2172.936999] kernel BUG at lib/iov_iter.c:629! ...... [ 2172.944996] PKRU: 55555554 [ 2172.945155] Call Trace: [ 2172.945299] <TASK> [ 2172.945428] ? die+0x36/0x90 [ 2172.945601] ? do_trap+0xdd/0x100 [ 2172.945795] ? iov_iter_revert+0x178/0x180 [ 2172.946031] ? iov_iter_revert+0x178/0x180 [ 2172.946267] ? do_error_trap+0x7d/0x110 [ 2172.946499] ? iov_iter_revert+0x178/0x180 [ 2172.946736] ? exc_invalid_op+0x50/0x70 [ 2172.946961] ? iov_iter_revert+0x178/0x180 [ 2172.947197] ? asm_exc_invalid_op+0x1a/0x20 [ 2172.947446] ? iov_iter_revert+0x178/0x180 [ 2172.947683] ? iov_iter_revert+0x5c/0x180 [ 2172.947913] tls_sw_sendmsg_locked.isra.0+0x794/0x840 [ 2172.948206] tls_sw_sendmsg+0x52/0x80 [ 2172.948420] ? inet_sendmsg+0x1f/0x70 [ 2172.948634] __sys_sendto+0x1cd/0x200 [ 2172.948848] ? find_held_lock+0x2b/0x80 [ 2172.949072] ? syscall_trace_enter+0x140/0x270 [ 2172.949330] ? __lock_release.isra.0+0x5e/0x170 [ 2172.949595] ? find_held_lock+0x2b/0x80 [ 2172.949817] ? syscall_trace_enter+0x140/0x270 [ 2172.950211] ? lockdep_hardirqs_on_prepare+0xda/0x190 [ 2172.950632] ? ktime_get_coarse_real_ts64+0xc2/0xd0 [ 2172.951036] __x64_sys_sendto+0x24/0x30 [ 2172.951382] do_syscall_64+0x90/0x170 ...... After calling bpf_exec_tx_verdict(), the size of msg_pl->sg may increase, e.g., when the BPF program executes bpf_msg_push_data(). If the BPF program sets cork_bytes and sg.size is smaller than cork_bytes, it will return -ENOSPC and attempt to roll back to the non-zero copy logic. However, during rollback, msg->msg_iter is reset, but since msg_pl->sg.size has been increased, subsequent executions will exceed the actual size of msg_iter. ''' iov_iter_revert(&msg->msg_iter, msg_pl->sg.size - orig_size); ''' The changes in this commit are based on the following considerations: 1. When cork_bytes is set, rolling back to non-zero copy logic is pointless and can directly go to zero-copy logic. 2. We can not calculate the correct number of bytes to revert msg_iter. Assume the original data is "abcdefgh" (8 bytes), and after 3 pushes by the BPF program, it becomes 11-byte data: "abc?de?fgh?". Then, we set cork_bytes to 6, which means the first 6 bytes have been processed, and the remaining 5 bytes "?fgh?" will be cached until the length meets the cork_bytes requirement. However, some data in "?fgh?" is not within 'sg->msg_iter' (but in msg_pl instead), especially the data "?" we pushed. So it doesn't seem as simple as just reverting through an offset of msg_iter. 3. For non-TLS sockets in tcp_bpf_sendmsg, when a "cork" situation occurs, the user-space send() doesn't return an error, and the returned length is the same as the input length parameter, even if some data is cached. Additionally, I saw that the current non-zero-copy logic for handling corking is written as: ''' line 1177 else if (ret != -EAGAIN) { if (ret == -ENOSPC) ret = 0; goto send_end; ''' So it's ok to just return 'copied' without error when a "cork" situation occurs.

Severity

No CVSS data available.

Assigner

Linux

References

6 references

URL	Tags
https://git.kernel.org/stable/c/328cac3f9f8ae3947…
https://git.kernel.org/stable/c/2e36a81d388ec9c3f…
https://git.kernel.org/stable/c/57fbbe29e86042bba…
https://git.kernel.org/stable/c/603943f022a7fe5cc…
https://git.kernel.org/stable/c/54a3ecaeeeae8176d…
https://lists.debian.org/debian-lts-announce/2025…

Impacted products

2 products

Vendor	Product	Version
Linux	Linux	Affected: d3b18ad31f93d0b6bae105c679018a1ba7daa9ca , < 328cac3f9f8ae394748485e769a527518a9137c8 (git) Affected: d3b18ad31f93d0b6bae105c679018a1ba7daa9ca , < 2e36a81d388ec9c3f78b6223f7eda2088cd40adb (git) Affected: d3b18ad31f93d0b6bae105c679018a1ba7daa9ca , < 57fbbe29e86042bbaa31c1a30d2afa16c427e3f7 (git) Affected: d3b18ad31f93d0b6bae105c679018a1ba7daa9ca , < 603943f022a7fe5cc83ca7005faf34798fb7853f (git) Affected: d3b18ad31f93d0b6bae105c679018a1ba7daa9ca , < 54a3ecaeeeae8176da8badbd7d72af1017032c39 (git)
Linux	Linux	Affected: 4.20 Unaffected: 0 , < 4.20 (semver) Unaffected: 6.1.142 , ≤ 6.1.* (semver) Unaffected: 6.6.94 , ≤ 6.6.* (semver) Unaffected: 6.12.34 , ≤ 6.12.* (semver) Unaffected: 6.15.3 , ≤ 6.15.* (semver) Unaffected: 6.16 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:34:55.864Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/tls/tls_sw.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "328cac3f9f8ae394748485e769a527518a9137c8",
              "status": "affected",
              "version": "d3b18ad31f93d0b6bae105c679018a1ba7daa9ca",
              "versionType": "git"
            },
            {
              "lessThan": "2e36a81d388ec9c3f78b6223f7eda2088cd40adb",
              "status": "affected",
              "version": "d3b18ad31f93d0b6bae105c679018a1ba7daa9ca",
              "versionType": "git"
            },
            {
              "lessThan": "57fbbe29e86042bbaa31c1a30d2afa16c427e3f7",
              "status": "affected",
              "version": "d3b18ad31f93d0b6bae105c679018a1ba7daa9ca",
              "versionType": "git"
            },
            {
              "lessThan": "603943f022a7fe5cc83ca7005faf34798fb7853f",
              "status": "affected",
              "version": "d3b18ad31f93d0b6bae105c679018a1ba7daa9ca",
              "versionType": "git"
            },
            {
              "lessThan": "54a3ecaeeeae8176da8badbd7d72af1017032c39",
              "status": "affected",
              "version": "d3b18ad31f93d0b6bae105c679018a1ba7daa9ca",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/tls/tls_sw.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.20"
            },
            {
              "lessThan": "4.20",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.142",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.94",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.34",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.142",
                  "versionStartIncluding": "4.20",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.94",
                  "versionStartIncluding": "4.20",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.34",
                  "versionStartIncluding": "4.20",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.3",
                  "versionStartIncluding": "4.20",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "4.20",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: fix ktls panic with sockmap\n\n[ 2172.936997] ------------[ cut here ]------------\n[ 2172.936999] kernel BUG at lib/iov_iter.c:629!\n......\n[ 2172.944996] PKRU: 55555554\n[ 2172.945155] Call Trace:\n[ 2172.945299]  \u003cTASK\u003e\n[ 2172.945428]  ? die+0x36/0x90\n[ 2172.945601]  ? do_trap+0xdd/0x100\n[ 2172.945795]  ? iov_iter_revert+0x178/0x180\n[ 2172.946031]  ? iov_iter_revert+0x178/0x180\n[ 2172.946267]  ? do_error_trap+0x7d/0x110\n[ 2172.946499]  ? iov_iter_revert+0x178/0x180\n[ 2172.946736]  ? exc_invalid_op+0x50/0x70\n[ 2172.946961]  ? iov_iter_revert+0x178/0x180\n[ 2172.947197]  ? asm_exc_invalid_op+0x1a/0x20\n[ 2172.947446]  ? iov_iter_revert+0x178/0x180\n[ 2172.947683]  ? iov_iter_revert+0x5c/0x180\n[ 2172.947913]  tls_sw_sendmsg_locked.isra.0+0x794/0x840\n[ 2172.948206]  tls_sw_sendmsg+0x52/0x80\n[ 2172.948420]  ? inet_sendmsg+0x1f/0x70\n[ 2172.948634]  __sys_sendto+0x1cd/0x200\n[ 2172.948848]  ? find_held_lock+0x2b/0x80\n[ 2172.949072]  ? syscall_trace_enter+0x140/0x270\n[ 2172.949330]  ? __lock_release.isra.0+0x5e/0x170\n[ 2172.949595]  ? find_held_lock+0x2b/0x80\n[ 2172.949817]  ? syscall_trace_enter+0x140/0x270\n[ 2172.950211]  ? lockdep_hardirqs_on_prepare+0xda/0x190\n[ 2172.950632]  ? ktime_get_coarse_real_ts64+0xc2/0xd0\n[ 2172.951036]  __x64_sys_sendto+0x24/0x30\n[ 2172.951382]  do_syscall_64+0x90/0x170\n......\n\nAfter calling bpf_exec_tx_verdict(), the size of msg_pl-\u003esg may increase,\ne.g., when the BPF program executes bpf_msg_push_data().\n\nIf the BPF program sets cork_bytes and sg.size is smaller than cork_bytes,\nit will return -ENOSPC and attempt to roll back to the non-zero copy\nlogic. However, during rollback, msg-\u003emsg_iter is reset, but since\nmsg_pl-\u003esg.size has been increased, subsequent executions will exceed the\nactual size of msg_iter.\n\u0027\u0027\u0027\niov_iter_revert(\u0026msg-\u003emsg_iter, msg_pl-\u003esg.size - orig_size);\n\u0027\u0027\u0027\n\nThe changes in this commit are based on the following considerations:\n\n1. When cork_bytes is set, rolling back to non-zero copy logic is\npointless and can directly go to zero-copy logic.\n\n2. We can not calculate the correct number of bytes to revert msg_iter.\n\nAssume the original data is \"abcdefgh\" (8 bytes), and after 3 pushes\nby the BPF program, it becomes 11-byte data: \"abc?de?fgh?\".\nThen, we set cork_bytes to 6, which means the first 6 bytes have been\nprocessed, and the remaining 5 bytes \"?fgh?\" will be cached until the\nlength meets the cork_bytes requirement.\n\nHowever, some data in \"?fgh?\" is not within \u0027sg-\u003emsg_iter\u0027\n(but in msg_pl instead), especially the data \"?\" we pushed.\n\nSo it doesn\u0027t seem as simple as just reverting through an offset of\nmsg_iter.\n\n3. For non-TLS sockets in tcp_bpf_sendmsg, when a \"cork\" situation occurs,\nthe user-space send() doesn\u0027t return an error, and the returned length is\nthe same as the input length parameter, even if some data is cached.\n\nAdditionally, I saw that the current non-zero-copy logic for handling\ncorking is written as:\n\u0027\u0027\u0027\nline 1177\nelse if (ret != -EAGAIN) {\n\tif (ret == -ENOSPC)\n\t\tret = 0;\n\tgoto send_end;\n\u0027\u0027\u0027\n\nSo it\u0027s ok to just return \u0027copied\u0027 without error when a \"cork\" situation\noccurs."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T21:22:32.294Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/328cac3f9f8ae394748485e769a527518a9137c8"
        },
        {
          "url": "https://git.kernel.org/stable/c/2e36a81d388ec9c3f78b6223f7eda2088cd40adb"
        },
        {
          "url": "https://git.kernel.org/stable/c/57fbbe29e86042bbaa31c1a30d2afa16c427e3f7"
        },
        {
          "url": "https://git.kernel.org/stable/c/603943f022a7fe5cc83ca7005faf34798fb7853f"
        },
        {
          "url": "https://git.kernel.org/stable/c/54a3ecaeeeae8176da8badbd7d72af1017032c39"
        }
      ],
      "title": "bpf: fix ktls panic with sockmap",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38166",
    "datePublished": "2025-07-03T08:36:06.372Z",
    "dateReserved": "2025-04-16T04:51:23.991Z",
    "dateUpdated": "2026-05-11T21:22:32.294Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38167 (GCVE-0-2025-38167)

Vulnerability from cvelistv5 – Published: 2025-07-03 08:36 – Updated: 2026-05-12 12:04

Title

fs/ntfs3: handle hdr_first_de() return value

Summary

In the Linux kernel, the following vulnerability has been resolved: fs/ntfs3: handle hdr_first_de() return value The hdr_first_de() function returns a pointer to a struct NTFS_DE. This pointer may be NULL. To handle the NULL error effectively, it is important to implement an error handler. This will help manage potential errors consistently. Additionally, error handling for the return value already exists at other points where this function is called. Found by Linux Verification Center (linuxtesting.org) with SVACE.

Severity

No CVSS data available.

Assigner

Linux

References

8 references

URL	Tags
https://git.kernel.org/stable/c/5390b3d4c6d41d05b…
https://git.kernel.org/stable/c/83cd0aa74793384db…
https://git.kernel.org/stable/c/701340a25b1ad210e…
https://git.kernel.org/stable/c/2d5879f64554181b8…
https://git.kernel.org/stable/c/4ecd0cde89feee265…
https://git.kernel.org/stable/c/af5cab0e5b6f8edb0…
https://lists.debian.org/debian-lts-announce/2025…
https://cert-portal.siemens.com/productcert/html/…

Impacted products

5 products

Vendor	Product	Version
Linux	Linux	Affected: 82cae269cfa953032fbb8980a7d554d60fb00b17 , < 5390b3d4c6d41d05bb9149d094d504cbc9ea85bf (git) Affected: 82cae269cfa953032fbb8980a7d554d60fb00b17 , < 83cd0aa74793384dbdffc140500b200e9776a302 (git) Affected: 82cae269cfa953032fbb8980a7d554d60fb00b17 , < 701340a25b1ad210e6b8192195be21fd3fcc22c7 (git) Affected: 82cae269cfa953032fbb8980a7d554d60fb00b17 , < 2d5879f64554181b89f44d4817b9ea86e8e913e1 (git) Affected: 82cae269cfa953032fbb8980a7d554d60fb00b17 , < 4ecd0cde89feee26525ccdf1af0c1ae156ca010b (git) Affected: 82cae269cfa953032fbb8980a7d554d60fb00b17 , < af5cab0e5b6f8edb0be51a9f47f3f620e0b4fd70 (git)
Linux	Linux	Affected: 5.15 Unaffected: 0 , < 5.15 (semver) Unaffected: 5.15.186 , ≤ 5.15.* (semver) Unaffected: 6.1.142 , ≤ 6.1.* (semver) Unaffected: 6.6.94 , ≤ 6.6.* (semver) Unaffected: 6.12.34 , ≤ 6.12.* (semver) Unaffected: 6.15.3 , ≤ 6.15.* (semver) Unaffected: 6.16 , ≤ * (original_commit_for_fix)
Siemens	SIMATIC S7-1500 CPU 1518-4 PN/DP MFP	Affected: V3.1.5 , < * (custom)
Siemens	SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP	Affected: V3.1.5 , < * (custom)
Siemens	SIPLUS S7-1500 CPU 1518-4 PN/DP MFP	Affected: V3.1.5 , < * (custom)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:34:56.803Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "affected": [
          {
            "defaultStatus": "unknown",
            "product": "SIMATIC S7-1500 CPU 1518-4 PN/DP MFP",
            "vendor": "Siemens",
            "versions": [
              {
                "lessThan": "*",
                "status": "affected",
                "version": "V3.1.5",
                "versionType": "custom"
              }
            ]
          },
          {
            "defaultStatus": "unknown",
            "product": "SIMATIC S7-1500 CPU 1518-4 PN/DP MFP",
            "vendor": "Siemens",
            "versions": [
              {
                "lessThan": "*",
                "status": "affected",
                "version": "V3.1.5",
                "versionType": "custom"
              }
            ]
          },
          {
            "defaultStatus": "unknown",
            "product": "SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP",
            "vendor": "Siemens",
            "versions": [
              {
                "lessThan": "*",
                "status": "affected",
                "version": "V3.1.5",
                "versionType": "custom"
              }
            ]
          },
          {
            "defaultStatus": "unknown",
            "product": "SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP",
            "vendor": "Siemens",
            "versions": [
              {
                "lessThan": "*",
                "status": "affected",
                "version": "V3.1.5",
                "versionType": "custom"
              }
            ]
          },
          {
            "defaultStatus": "unknown",
            "product": "SIPLUS S7-1500 CPU 1518-4 PN/DP MFP",
            "vendor": "Siemens",
            "versions": [
              {
                "lessThan": "*",
                "status": "affected",
                "version": "V3.1.5",
                "versionType": "custom"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-12T12:04:34.494Z",
          "orgId": "0b142b55-0307-4c5a-b3c9-f314f3fb7c5e",
          "shortName": "siemens-SADP"
        },
        "references": [
          {
            "url": "https://cert-portal.siemens.com/productcert/html/ssa-082556.html"
          }
        ],
        "x_adpType": "supplier"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/ntfs3/index.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "5390b3d4c6d41d05bb9149d094d504cbc9ea85bf",
              "status": "affected",
              "version": "82cae269cfa953032fbb8980a7d554d60fb00b17",
              "versionType": "git"
            },
            {
              "lessThan": "83cd0aa74793384dbdffc140500b200e9776a302",
              "status": "affected",
              "version": "82cae269cfa953032fbb8980a7d554d60fb00b17",
              "versionType": "git"
            },
            {
              "lessThan": "701340a25b1ad210e6b8192195be21fd3fcc22c7",
              "status": "affected",
              "version": "82cae269cfa953032fbb8980a7d554d60fb00b17",
              "versionType": "git"
            },
            {
              "lessThan": "2d5879f64554181b89f44d4817b9ea86e8e913e1",
              "status": "affected",
              "version": "82cae269cfa953032fbb8980a7d554d60fb00b17",
              "versionType": "git"
            },
            {
              "lessThan": "4ecd0cde89feee26525ccdf1af0c1ae156ca010b",
              "status": "affected",
              "version": "82cae269cfa953032fbb8980a7d554d60fb00b17",
              "versionType": "git"
            },
            {
              "lessThan": "af5cab0e5b6f8edb0be51a9f47f3f620e0b4fd70",
              "status": "affected",
              "version": "82cae269cfa953032fbb8980a7d554d60fb00b17",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/ntfs3/index.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.15"
            },
            {
              "lessThan": "5.15",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.186",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.142",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.94",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.34",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.186",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.142",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.94",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.34",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.3",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/ntfs3: handle hdr_first_de() return value\n\nThe hdr_first_de() function returns a pointer to a struct NTFS_DE. This\npointer may be NULL. To handle the NULL error effectively, it is important\nto implement an error handler. This will help manage potential errors\nconsistently.\n\nAdditionally, error handling for the return value already exists at other\npoints where this function is called.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T21:22:33.410Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/5390b3d4c6d41d05bb9149d094d504cbc9ea85bf"
        },
        {
          "url": "https://git.kernel.org/stable/c/83cd0aa74793384dbdffc140500b200e9776a302"
        },
        {
          "url": "https://git.kernel.org/stable/c/701340a25b1ad210e6b8192195be21fd3fcc22c7"
        },
        {
          "url": "https://git.kernel.org/stable/c/2d5879f64554181b89f44d4817b9ea86e8e913e1"
        },
        {
          "url": "https://git.kernel.org/stable/c/4ecd0cde89feee26525ccdf1af0c1ae156ca010b"
        },
        {
          "url": "https://git.kernel.org/stable/c/af5cab0e5b6f8edb0be51a9f47f3f620e0b4fd70"
        }
      ],
      "title": "fs/ntfs3: handle hdr_first_de() return value",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38167",
    "datePublished": "2025-07-03T08:36:06.987Z",
    "dateReserved": "2025-04-16T04:51:23.991Z",
    "dateUpdated": "2026-05-12T12:04:34.494Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38170 (GCVE-0-2025-38170)

Vulnerability from cvelistv5 – Published: 2025-07-03 08:36 – Updated: 2026-05-11 21:22

Title

arm64/fpsimd: Discard stale CPU state when handling SME traps

Summary

In the Linux kernel, the following vulnerability has been resolved: arm64/fpsimd: Discard stale CPU state when handling SME traps The logic for handling SME traps manipulates saved FPSIMD/SVE/SME state incorrectly, and a race with preemption can result in a task having TIF_SME set and TIF_FOREIGN_FPSTATE clear even though the live CPU state is stale (e.g. with SME traps enabled). This can result in warnings from do_sme_acc() where SME traps are not expected while TIF_SME is set: | /* With TIF_SME userspace shouldn't generate any traps */ | if (test_and_set_thread_flag(TIF_SME)) | WARN_ON(1); This is very similar to the SVE issue we fixed in commit: 751ecf6afd6568ad ("arm64/sve: Discard stale CPU state when handling SVE traps") The race can occur when the SME trap handler is preempted before and after manipulating the saved FPSIMD/SVE/SME state, starting and ending on the same CPU, e.g. | void do_sme_acc(unsigned long esr, struct pt_regs *regs) | { | // Trap on CPU 0 with TIF_SME clear, SME traps enabled | // task->fpsimd_cpu is 0. | // per_cpu_ptr(&fpsimd_last_state, 0) is task. | | ... | | // Preempted; migrated from CPU 0 to CPU 1. | // TIF_FOREIGN_FPSTATE is set. | | get_cpu_fpsimd_context(); | | /* With TIF_SME userspace shouldn't generate any traps */ | if (test_and_set_thread_flag(TIF_SME)) | WARN_ON(1); | | if (!test_thread_flag(TIF_FOREIGN_FPSTATE)) { | unsigned long vq_minus_one = | sve_vq_from_vl(task_get_sme_vl(current)) - 1; | sme_set_vq(vq_minus_one); | | fpsimd_bind_task_to_cpu(); | } | | put_cpu_fpsimd_context(); | | // Preempted; migrated from CPU 1 to CPU 0. | // task->fpsimd_cpu is still 0 | // If per_cpu_ptr(&fpsimd_last_state, 0) is still task then: | // - Stale HW state is reused (with SME traps enabled) | // - TIF_FOREIGN_FPSTATE is cleared | // - A return to userspace skips HW state restore | } Fix the case where the state is not live and TIF_FOREIGN_FPSTATE is set by calling fpsimd_flush_task_state() to detach from the saved CPU state. This ensures that a subsequent context switch will not reuse the stale CPU state, and will instead set TIF_FOREIGN_FPSTATE, forcing the new state to be reloaded from memory prior to a return to userspace. Note: this was originallly posted as [1]. [ Rutland: rewrite commit message ]

Severity

No CVSS data available.

Assigner

Linux

References

6 references

URL	Tags
https://git.kernel.org/stable/c/de89368de3894a8db…
https://git.kernel.org/stable/c/43be952e885476daf…
https://git.kernel.org/stable/c/6103f9ba51a59afb5…
https://git.kernel.org/stable/c/c4a4786d93e99517d…
https://git.kernel.org/stable/c/d3eaab3c70905c546…
https://lists.debian.org/debian-lts-announce/2025…

Impacted products

2 products

Vendor	Product	Version
Linux	Linux	Affected: 8bd7f91c03d886f41d35f6108078d20be5a4a1bd , < de89368de3894a8db27caeb8fd902ba1c49f696a (git) Affected: 8bd7f91c03d886f41d35f6108078d20be5a4a1bd , < 43be952e885476dafb74aa832c0847b2f4f650c6 (git) Affected: 8bd7f91c03d886f41d35f6108078d20be5a4a1bd , < 6103f9ba51a59afb5a0f32299c837377c5a5a693 (git) Affected: 8bd7f91c03d886f41d35f6108078d20be5a4a1bd , < c4a4786d93e99517d6f10ed56b9ffba4ce88d3b3 (git) Affected: 8bd7f91c03d886f41d35f6108078d20be5a4a1bd , < d3eaab3c70905c5467e5c4ea403053d67505adeb (git)
Linux	Linux	Affected: 5.19 Unaffected: 0 , < 5.19 (semver) Unaffected: 6.1.142 , ≤ 6.1.* (semver) Unaffected: 6.6.94 , ≤ 6.6.* (semver) Unaffected: 6.12.34 , ≤ 6.12.* (semver) Unaffected: 6.15.3 , ≤ 6.15.* (semver) Unaffected: 6.16 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:34:57.733Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "arch/arm64/kernel/fpsimd.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "de89368de3894a8db27caeb8fd902ba1c49f696a",
              "status": "affected",
              "version": "8bd7f91c03d886f41d35f6108078d20be5a4a1bd",
              "versionType": "git"
            },
            {
              "lessThan": "43be952e885476dafb74aa832c0847b2f4f650c6",
              "status": "affected",
              "version": "8bd7f91c03d886f41d35f6108078d20be5a4a1bd",
              "versionType": "git"
            },
            {
              "lessThan": "6103f9ba51a59afb5a0f32299c837377c5a5a693",
              "status": "affected",
              "version": "8bd7f91c03d886f41d35f6108078d20be5a4a1bd",
              "versionType": "git"
            },
            {
              "lessThan": "c4a4786d93e99517d6f10ed56b9ffba4ce88d3b3",
              "status": "affected",
              "version": "8bd7f91c03d886f41d35f6108078d20be5a4a1bd",
              "versionType": "git"
            },
            {
              "lessThan": "d3eaab3c70905c5467e5c4ea403053d67505adeb",
              "status": "affected",
              "version": "8bd7f91c03d886f41d35f6108078d20be5a4a1bd",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "arch/arm64/kernel/fpsimd.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.19"
            },
            {
              "lessThan": "5.19",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.142",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.94",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.34",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.142",
                  "versionStartIncluding": "5.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.94",
                  "versionStartIncluding": "5.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.34",
                  "versionStartIncluding": "5.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.3",
                  "versionStartIncluding": "5.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "5.19",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\narm64/fpsimd: Discard stale CPU state when handling SME traps\n\nThe logic for handling SME traps manipulates saved FPSIMD/SVE/SME state\nincorrectly, and a race with preemption can result in a task having\nTIF_SME set and TIF_FOREIGN_FPSTATE clear even though the live CPU state\nis stale (e.g. with SME traps enabled). This can result in warnings from\ndo_sme_acc() where SME traps are not expected while TIF_SME is set:\n\n|        /* With TIF_SME userspace shouldn\u0027t generate any traps */\n|        if (test_and_set_thread_flag(TIF_SME))\n|                WARN_ON(1);\n\nThis is very similar to the SVE issue we fixed in commit:\n\n  751ecf6afd6568ad (\"arm64/sve: Discard stale CPU state when handling SVE traps\")\n\nThe race can occur when the SME trap handler is preempted before and\nafter manipulating the saved FPSIMD/SVE/SME state, starting and ending on\nthe same CPU, e.g.\n\n| void do_sme_acc(unsigned long esr, struct pt_regs *regs)\n| {\n|         // Trap on CPU 0 with TIF_SME clear, SME traps enabled\n|         // task-\u003efpsimd_cpu is 0.\n|         // per_cpu_ptr(\u0026fpsimd_last_state, 0) is task.\n|\n|         ...\n|\n|         // Preempted; migrated from CPU 0 to CPU 1.\n|         // TIF_FOREIGN_FPSTATE is set.\n|\n|         get_cpu_fpsimd_context();\n|\n|         /* With TIF_SME userspace shouldn\u0027t generate any traps */\n|         if (test_and_set_thread_flag(TIF_SME))\n|                 WARN_ON(1);\n|\n|         if (!test_thread_flag(TIF_FOREIGN_FPSTATE)) {\n|                 unsigned long vq_minus_one =\n|                         sve_vq_from_vl(task_get_sme_vl(current)) - 1;\n|                 sme_set_vq(vq_minus_one);\n|\n|                 fpsimd_bind_task_to_cpu();\n|         }\n|\n|         put_cpu_fpsimd_context();\n|\n|         // Preempted; migrated from CPU 1 to CPU 0.\n|         // task-\u003efpsimd_cpu is still 0\n|         // If per_cpu_ptr(\u0026fpsimd_last_state, 0) is still task then:\n|         // - Stale HW state is reused (with SME traps enabled)\n|         // - TIF_FOREIGN_FPSTATE is cleared\n|         // - A return to userspace skips HW state restore\n| }\n\nFix the case where the state is not live and TIF_FOREIGN_FPSTATE is set\nby calling fpsimd_flush_task_state() to detach from the saved CPU\nstate. This ensures that a subsequent context switch will not reuse the\nstale CPU state, and will instead set TIF_FOREIGN_FPSTATE, forcing the\nnew state to be reloaded from memory prior to a return to userspace.\n\nNote: this was originallly posted as [1].\n\n[ Rutland: rewrite commit message ]"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T21:22:36.924Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/de89368de3894a8db27caeb8fd902ba1c49f696a"
        },
        {
          "url": "https://git.kernel.org/stable/c/43be952e885476dafb74aa832c0847b2f4f650c6"
        },
        {
          "url": "https://git.kernel.org/stable/c/6103f9ba51a59afb5a0f32299c837377c5a5a693"
        },
        {
          "url": "https://git.kernel.org/stable/c/c4a4786d93e99517d6f10ed56b9ffba4ce88d3b3"
        },
        {
          "url": "https://git.kernel.org/stable/c/d3eaab3c70905c5467e5c4ea403053d67505adeb"
        }
      ],
      "title": "arm64/fpsimd: Discard stale CPU state when handling SME traps",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38170",
    "datePublished": "2025-07-03T08:36:09.012Z",
    "dateReserved": "2025-04-16T04:51:23.991Z",
    "dateUpdated": "2026-05-11T21:22:36.924Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38173 (GCVE-0-2025-38173)

Vulnerability from cvelistv5 – Published: 2025-07-03 08:36 – Updated: 2026-05-11 21:22

Title

crypto: marvell/cesa - Handle zero-length skcipher requests

Summary

In the Linux kernel, the following vulnerability has been resolved: crypto: marvell/cesa - Handle zero-length skcipher requests Do not access random memory for zero-length skcipher requests. Just return 0.

Severity

No CVSS data available.

Assigner

Linux

References

10 references

URL	Tags
https://git.kernel.org/stable/c/32d3e8049a8b60f18…
https://git.kernel.org/stable/c/c064ae2881d839709…
https://git.kernel.org/stable/c/e1cc69da619588b14…
https://git.kernel.org/stable/c/78ea1ff6cb413a03f…
https://git.kernel.org/stable/c/5e9666ac8b94c9786…
https://git.kernel.org/stable/c/7894694b5d5b2ecfd…
https://git.kernel.org/stable/c/c9610dda42bd382a9…
https://git.kernel.org/stable/c/8a4e047c6cc07676f…
https://lists.debian.org/debian-lts-announce/2025…
https://lists.debian.org/debian-lts-announce/2025…

Impacted products

2 products

Vendor	Product	Version
Linux	Linux	Affected: f63601fd616ab370774fa00ea10bcaaa9e48e84c , < 32d3e8049a8b60f18c5c39f5931bfb1130ac11c9 (git) Affected: f63601fd616ab370774fa00ea10bcaaa9e48e84c , < c064ae2881d839709bd72d484d5f2af157f46024 (git) Affected: f63601fd616ab370774fa00ea10bcaaa9e48e84c , < e1cc69da619588b1488689fe3535a0ba75a2b0e7 (git) Affected: f63601fd616ab370774fa00ea10bcaaa9e48e84c , < 78ea1ff6cb413a03ff6f7af4e28e24b4461a0965 (git) Affected: f63601fd616ab370774fa00ea10bcaaa9e48e84c , < 5e9666ac8b94c978690f937d59170c5237bd2c45 (git) Affected: f63601fd616ab370774fa00ea10bcaaa9e48e84c , < 7894694b5d5b2ecfd7fb081d6f60b9e169ab4d13 (git) Affected: f63601fd616ab370774fa00ea10bcaaa9e48e84c , < c9610dda42bd382a96f97e68825cb5f66cd9e1dc (git) Affected: f63601fd616ab370774fa00ea10bcaaa9e48e84c , < 8a4e047c6cc07676f637608a9dd675349b5de0a7 (git)
Linux	Linux	Affected: 4.2 Unaffected: 0 , < 4.2 (semver) Unaffected: 5.4.295 , ≤ 5.4.* (semver) Unaffected: 5.10.239 , ≤ 5.10.* (semver) Unaffected: 5.15.186 , ≤ 5.15.* (semver) Unaffected: 6.1.142 , ≤ 6.1.* (semver) Unaffected: 6.6.94 , ≤ 6.6.* (semver) Unaffected: 6.12.34 , ≤ 6.12.* (semver) Unaffected: 6.15.3 , ≤ 6.15.* (semver) Unaffected: 6.16 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:34:59.620Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/crypto/marvell/cesa/cipher.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "32d3e8049a8b60f18c5c39f5931bfb1130ac11c9",
              "status": "affected",
              "version": "f63601fd616ab370774fa00ea10bcaaa9e48e84c",
              "versionType": "git"
            },
            {
              "lessThan": "c064ae2881d839709bd72d484d5f2af157f46024",
              "status": "affected",
              "version": "f63601fd616ab370774fa00ea10bcaaa9e48e84c",
              "versionType": "git"
            },
            {
              "lessThan": "e1cc69da619588b1488689fe3535a0ba75a2b0e7",
              "status": "affected",
              "version": "f63601fd616ab370774fa00ea10bcaaa9e48e84c",
              "versionType": "git"
            },
            {
              "lessThan": "78ea1ff6cb413a03ff6f7af4e28e24b4461a0965",
              "status": "affected",
              "version": "f63601fd616ab370774fa00ea10bcaaa9e48e84c",
              "versionType": "git"
            },
            {
              "lessThan": "5e9666ac8b94c978690f937d59170c5237bd2c45",
              "status": "affected",
              "version": "f63601fd616ab370774fa00ea10bcaaa9e48e84c",
              "versionType": "git"
            },
            {
              "lessThan": "7894694b5d5b2ecfd7fb081d6f60b9e169ab4d13",
              "status": "affected",
              "version": "f63601fd616ab370774fa00ea10bcaaa9e48e84c",
              "versionType": "git"
            },
            {
              "lessThan": "c9610dda42bd382a96f97e68825cb5f66cd9e1dc",
              "status": "affected",
              "version": "f63601fd616ab370774fa00ea10bcaaa9e48e84c",
              "versionType": "git"
            },
            {
              "lessThan": "8a4e047c6cc07676f637608a9dd675349b5de0a7",
              "status": "affected",
              "version": "f63601fd616ab370774fa00ea10bcaaa9e48e84c",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/crypto/marvell/cesa/cipher.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.2"
            },
            {
              "lessThan": "4.2",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.295",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.239",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.186",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.142",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.94",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.34",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.295",
                  "versionStartIncluding": "4.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.239",
                  "versionStartIncluding": "4.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.186",
                  "versionStartIncluding": "4.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.142",
                  "versionStartIncluding": "4.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.94",
                  "versionStartIncluding": "4.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.34",
                  "versionStartIncluding": "4.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.3",
                  "versionStartIncluding": "4.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "4.2",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: marvell/cesa - Handle zero-length skcipher requests\n\nDo not access random memory for zero-length skcipher requests.\nJust return 0."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T21:22:40.387Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/32d3e8049a8b60f18c5c39f5931bfb1130ac11c9"
        },
        {
          "url": "https://git.kernel.org/stable/c/c064ae2881d839709bd72d484d5f2af157f46024"
        },
        {
          "url": "https://git.kernel.org/stable/c/e1cc69da619588b1488689fe3535a0ba75a2b0e7"
        },
        {
          "url": "https://git.kernel.org/stable/c/78ea1ff6cb413a03ff6f7af4e28e24b4461a0965"
        },
        {
          "url": "https://git.kernel.org/stable/c/5e9666ac8b94c978690f937d59170c5237bd2c45"
        },
        {
          "url": "https://git.kernel.org/stable/c/7894694b5d5b2ecfd7fb081d6f60b9e169ab4d13"
        },
        {
          "url": "https://git.kernel.org/stable/c/c9610dda42bd382a96f97e68825cb5f66cd9e1dc"
        },
        {
          "url": "https://git.kernel.org/stable/c/8a4e047c6cc07676f637608a9dd675349b5de0a7"
        }
      ],
      "title": "crypto: marvell/cesa - Handle zero-length skcipher requests",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38173",
    "datePublished": "2025-07-03T08:36:10.969Z",
    "dateReserved": "2025-04-16T04:51:23.991Z",
    "dateUpdated": "2026-05-11T21:22:40.387Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38174 (GCVE-0-2025-38174)

Vulnerability from cvelistv5 – Published: 2025-07-04 10:39 – Updated: 2026-05-11 21:22

Title

thunderbolt: Do not double dequeue a configuration request

Summary

In the Linux kernel, the following vulnerability has been resolved: thunderbolt: Do not double dequeue a configuration request Some of our devices crash in tb_cfg_request_dequeue(): general protection fault, probably for non-canonical address 0xdead000000000122 CPU: 6 PID: 91007 Comm: kworker/6:2 Tainted: G U W 6.6.65 RIP: 0010:tb_cfg_request_dequeue+0x2d/0xa0 Call Trace: <TASK> ? tb_cfg_request_dequeue+0x2d/0xa0 tb_cfg_request_work+0x33/0x80 worker_thread+0x386/0x8f0 kthread+0xed/0x110 ret_from_fork+0x38/0x50 ret_from_fork_asm+0x1b/0x30 The circumstances are unclear, however, the theory is that tb_cfg_request_work() can be scheduled twice for a request: first time via frame.callback from ring_work() and second time from tb_cfg_request(). Both times kworkers will execute tb_cfg_request_dequeue(), which results in double list_del() from the ctl->request_queue (the list poison deference hints at it: 0xdead000000000122). Do not dequeue requests that don't have TB_CFG_REQUEST_ACTIVE bit set.

Severity

No CVSS data available.

Assigner

Linux

References

11 references

URL	Tags
https://git.kernel.org/stable/c/e49e994cd83705f7c…
https://git.kernel.org/stable/c/0a3011d47dbc92a33…
https://git.kernel.org/stable/c/2f62eda4d974c26bc…
https://git.kernel.org/stable/c/85286e634ebbaf9c0…
https://git.kernel.org/stable/c/5a057f26153972016…
https://git.kernel.org/stable/c/eb2d5e794fb966b3e…
https://git.kernel.org/stable/c/0771bcbe2f6e5d5f2…
https://git.kernel.org/stable/c/cdb4feab2f39e75a6…
https://git.kernel.org/stable/c/0f73628e9da1ee39d…
https://lists.debian.org/debian-lts-announce/2025…
https://lists.debian.org/debian-lts-announce/2025…

Impacted products

2 products

Vendor	Product	Version
Linux	Linux	Affected: 16603153666d22df544ae9f9b3764fd18da28eeb , < e49e994cd83705f7ca30eda1e304abddfd96a37a (git) Affected: 16603153666d22df544ae9f9b3764fd18da28eeb , < 0a3011d47dbc92a33621861c423cb64833d7fe57 (git) Affected: 16603153666d22df544ae9f9b3764fd18da28eeb , < 2f62eda4d974c26bc595425eafd429067541f2c9 (git) Affected: 16603153666d22df544ae9f9b3764fd18da28eeb , < 85286e634ebbaf9c0fb1cdf580add2f33fc7628c (git) Affected: 16603153666d22df544ae9f9b3764fd18da28eeb , < 5a057f261539720165d03d85024da2b52e67f63d (git) Affected: 16603153666d22df544ae9f9b3764fd18da28eeb , < eb2d5e794fb966b3ef8bde99eb8561446a53509f (git) Affected: 16603153666d22df544ae9f9b3764fd18da28eeb , < 0771bcbe2f6e5d5f263cf466efe571d2754a46da (git) Affected: 16603153666d22df544ae9f9b3764fd18da28eeb , < cdb4feab2f39e75a66239e3a112beced279612a8 (git) Affected: 16603153666d22df544ae9f9b3764fd18da28eeb , < 0f73628e9da1ee39daf5f188190cdbaee5e0c98c (git)
Linux	Linux	Affected: 3.17 Unaffected: 0 , < 3.17 (semver) Unaffected: 5.4.295 , ≤ 5.4.* (semver) Unaffected: 5.10.239 , ≤ 5.10.* (semver) Unaffected: 5.15.186 , ≤ 5.15.* (semver) Unaffected: 6.1.142 , ≤ 6.1.* (semver) Unaffected: 6.6.94 , ≤ 6.6.* (semver) Unaffected: 6.12.33 , ≤ 6.12.* (semver) Unaffected: 6.14.11 , ≤ 6.14.* (semver) Unaffected: 6.15.2 , ≤ 6.15.* (semver) Unaffected: 6.16 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:35:01.586Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/thunderbolt/ctl.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "e49e994cd83705f7ca30eda1e304abddfd96a37a",
              "status": "affected",
              "version": "16603153666d22df544ae9f9b3764fd18da28eeb",
              "versionType": "git"
            },
            {
              "lessThan": "0a3011d47dbc92a33621861c423cb64833d7fe57",
              "status": "affected",
              "version": "16603153666d22df544ae9f9b3764fd18da28eeb",
              "versionType": "git"
            },
            {
              "lessThan": "2f62eda4d974c26bc595425eafd429067541f2c9",
              "status": "affected",
              "version": "16603153666d22df544ae9f9b3764fd18da28eeb",
              "versionType": "git"
            },
            {
              "lessThan": "85286e634ebbaf9c0fb1cdf580add2f33fc7628c",
              "status": "affected",
              "version": "16603153666d22df544ae9f9b3764fd18da28eeb",
              "versionType": "git"
            },
            {
              "lessThan": "5a057f261539720165d03d85024da2b52e67f63d",
              "status": "affected",
              "version": "16603153666d22df544ae9f9b3764fd18da28eeb",
              "versionType": "git"
            },
            {
              "lessThan": "eb2d5e794fb966b3ef8bde99eb8561446a53509f",
              "status": "affected",
              "version": "16603153666d22df544ae9f9b3764fd18da28eeb",
              "versionType": "git"
            },
            {
              "lessThan": "0771bcbe2f6e5d5f263cf466efe571d2754a46da",
              "status": "affected",
              "version": "16603153666d22df544ae9f9b3764fd18da28eeb",
              "versionType": "git"
            },
            {
              "lessThan": "cdb4feab2f39e75a66239e3a112beced279612a8",
              "status": "affected",
              "version": "16603153666d22df544ae9f9b3764fd18da28eeb",
              "versionType": "git"
            },
            {
              "lessThan": "0f73628e9da1ee39daf5f188190cdbaee5e0c98c",
              "status": "affected",
              "version": "16603153666d22df544ae9f9b3764fd18da28eeb",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/thunderbolt/ctl.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.17"
            },
            {
              "lessThan": "3.17",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.295",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.239",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.186",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.142",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.94",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.33",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.11",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.295",
                  "versionStartIncluding": "3.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.239",
                  "versionStartIncluding": "3.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.186",
                  "versionStartIncluding": "3.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.142",
                  "versionStartIncluding": "3.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.94",
                  "versionStartIncluding": "3.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.33",
                  "versionStartIncluding": "3.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.11",
                  "versionStartIncluding": "3.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.2",
                  "versionStartIncluding": "3.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "3.17",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nthunderbolt: Do not double dequeue a configuration request\n\nSome of our devices crash in tb_cfg_request_dequeue():\n\n general protection fault, probably for non-canonical address 0xdead000000000122\n\n CPU: 6 PID: 91007 Comm: kworker/6:2 Tainted: G U W 6.6.65\n RIP: 0010:tb_cfg_request_dequeue+0x2d/0xa0\n Call Trace:\n \u003cTASK\u003e\n ? tb_cfg_request_dequeue+0x2d/0xa0\n tb_cfg_request_work+0x33/0x80\n worker_thread+0x386/0x8f0\n kthread+0xed/0x110\n ret_from_fork+0x38/0x50\n ret_from_fork_asm+0x1b/0x30\n\nThe circumstances are unclear, however, the theory is that\ntb_cfg_request_work() can be scheduled twice for a request:\nfirst time via frame.callback from ring_work() and second\ntime from tb_cfg_request().  Both times kworkers will execute\ntb_cfg_request_dequeue(), which results in double list_del()\nfrom the ctl-\u003erequest_queue (the list poison deference hints\nat it: 0xdead000000000122).\n\nDo not dequeue requests that don\u0027t have TB_CFG_REQUEST_ACTIVE\nbit set."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T21:22:41.615Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/e49e994cd83705f7ca30eda1e304abddfd96a37a"
        },
        {
          "url": "https://git.kernel.org/stable/c/0a3011d47dbc92a33621861c423cb64833d7fe57"
        },
        {
          "url": "https://git.kernel.org/stable/c/2f62eda4d974c26bc595425eafd429067541f2c9"
        },
        {
          "url": "https://git.kernel.org/stable/c/85286e634ebbaf9c0fb1cdf580add2f33fc7628c"
        },
        {
          "url": "https://git.kernel.org/stable/c/5a057f261539720165d03d85024da2b52e67f63d"
        },
        {
          "url": "https://git.kernel.org/stable/c/eb2d5e794fb966b3ef8bde99eb8561446a53509f"
        },
        {
          "url": "https://git.kernel.org/stable/c/0771bcbe2f6e5d5f263cf466efe571d2754a46da"
        },
        {
          "url": "https://git.kernel.org/stable/c/cdb4feab2f39e75a66239e3a112beced279612a8"
        },
        {
          "url": "https://git.kernel.org/stable/c/0f73628e9da1ee39daf5f188190cdbaee5e0c98c"
        }
      ],
      "title": "thunderbolt: Do not double dequeue a configuration request",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38174",
    "datePublished": "2025-07-04T10:39:55.732Z",
    "dateReserved": "2025-04-16T04:51:23.991Z",
    "dateUpdated": "2026-05-11T21:22:41.615Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CERTFR-2025-AVI-0698

Solutions

CVE-2025-38159 (GCVE-0-2025-38159)

CVE-2025-38160 (GCVE-0-2025-38160)

CVE-2025-38161 (GCVE-0-2025-38161)

CVE-2025-38163 (GCVE-0-2025-38163)

CVE-2025-38165 (GCVE-0-2025-38165)

CVE-2025-38166 (GCVE-0-2025-38166)

CVE-2025-38167 (GCVE-0-2025-38167)

CVE-2025-38170 (GCVE-0-2025-38170)

CVE-2025-38173 (GCVE-0-2025-38173)

CVE-2025-38174 (GCVE-0-2025-38174)

Tags

Sightings

Nomenclature