Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CERTFR-2025-AVI-0721
Vulnerability from certfr_avis - Published: 2025-08-22 - Updated: 2025-08-22
De multiples vulnérabilités ont été découvertes dans le noyau Linux d'Ubuntu. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire, une atteinte à la confidentialité des données et une atteinte à l'intégrité des données.
Solutions
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
Impacted products
References
| Title | Publication Time | Tags | ||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||||||||||||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Ubuntu 20.04 ESM",
"product": {
"name": "Ubuntu",
"vendor": {
"name": "Ubuntu",
"scada": false
}
}
},
{
"description": "Ubuntu 24.04 LTS",
"product": {
"name": "Ubuntu",
"vendor": {
"name": "Ubuntu",
"scada": false
}
}
},
{
"description": "Ubuntu 18.04 ESM",
"product": {
"name": "Ubuntu",
"vendor": {
"name": "Ubuntu",
"scada": false
}
}
},
{
"description": "Ubuntu 22.04 LTS",
"product": {
"name": "Ubuntu",
"vendor": {
"name": "Ubuntu",
"scada": false
}
}
}
],
"affected_systems_content": "",
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [
{
"name": "CVE-2025-21861",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21861"
},
{
"name": "CVE-2024-58088",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-58088"
},
{
"name": "CVE-2025-38043",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38043"
},
{
"name": "CVE-2025-21783",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21783"
},
{
"name": "CVE-2025-21786",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21786"
},
{
"name": "CVE-2025-38002",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38002"
},
{
"name": "CVE-2025-21847",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21847"
},
{
"name": "CVE-2025-21853",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21853"
},
{
"name": "CVE-2025-21871",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21871"
},
{
"name": "CVE-2025-21823",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21823"
},
{
"name": "CVE-2025-21763",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21763"
},
{
"name": "CVE-2025-37965",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-37965"
},
{
"name": "CVE-2025-21796",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21796"
},
{
"name": "CVE-2024-49950",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-49950"
},
{
"name": "CVE-2025-21768",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21768"
},
{
"name": "CVE-2025-21864",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21864"
},
{
"name": "CVE-2025-37961",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-37961"
},
{
"name": "CVE-2025-38061",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38061"
},
{
"name": "CVE-2025-21839",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21839"
},
{
"name": "CVE-2025-38023",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38023"
},
{
"name": "CVE-2025-21779",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21779"
},
{
"name": "CVE-2025-38004",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38004"
},
{
"name": "CVE-2025-38016",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38016"
},
{
"name": "CVE-2025-21712",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21712"
},
{
"name": "CVE-2025-21746",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21746"
},
{
"name": "CVE-2025-38066",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38066"
},
{
"name": "CVE-2025-21836",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21836"
},
{
"name": "CVE-2025-21781",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21781"
},
{
"name": "CVE-2025-38022",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38022"
},
{
"name": "CVE-2025-38068",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38068"
},
{
"name": "CVE-2025-21772",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21772"
},
{
"name": "CVE-2025-37971",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-37971"
},
{
"name": "CVE-2025-21868",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21868"
},
{
"name": "CVE-2025-38056",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38056"
},
{
"name": "CVE-2025-38027",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38027"
},
{
"name": "CVE-2025-21792",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21792"
},
{
"name": "CVE-2025-37993",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-37993"
},
{
"name": "CVE-2025-37955",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-37955"
},
{
"name": "CVE-2025-38015",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38015"
},
{
"name": "CVE-2025-37958",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-37958"
},
{
"name": "CVE-2025-21855",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21855"
},
{
"name": "CVE-2025-38065",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38065"
},
{
"name": "CVE-2025-38031",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38031"
},
{
"name": "CVE-2025-37950",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-37950"
},
{
"name": "CVE-2025-21767",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21767"
},
{
"name": "CVE-2025-38008",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38008"
},
{
"name": "CVE-2025-38011",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38011"
},
{
"name": "CVE-2025-21764",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21764"
},
{
"name": "CVE-2024-58093",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-58093"
},
{
"name": "CVE-2025-38025",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38025"
},
{
"name": "CVE-2025-38034",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38034"
},
{
"name": "CVE-2025-38095",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38095"
},
{
"name": "CVE-2025-21838",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21838"
},
{
"name": "CVE-2025-21867",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21867"
},
{
"name": "CVE-2025-21704",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21704"
},
{
"name": "CVE-2025-21766",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21766"
},
{
"name": "CVE-2025-38024",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38024"
},
{
"name": "CVE-2024-57834",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-57834"
},
{
"name": "CVE-2025-38078",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38078"
},
{
"name": "CVE-2025-21791",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21791"
},
{
"name": "CVE-2024-52559",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-52559"
},
{
"name": "CVE-2025-38077",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38077"
},
{
"name": "CVE-2025-38005",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38005"
},
{
"name": "CVE-2025-21795",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21795"
},
{
"name": "CVE-2025-21758",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21758"
},
{
"name": "CVE-2025-21780",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21780"
},
{
"name": "CVE-2025-37969",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-37969"
},
{
"name": "CVE-2025-21787",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21787"
},
{
"name": "CVE-2025-21776",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21776"
},
{
"name": "CVE-2025-21706",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21706"
},
{
"name": "CVE-2025-38014",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38014"
},
{
"name": "CVE-2025-38003",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38003"
},
{
"name": "CVE-2025-38007",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38007"
},
{
"name": "CVE-2025-21760",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21760"
},
{
"name": "CVE-2025-38079",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38079"
},
{
"name": "CVE-2025-37964",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-37964"
},
{
"name": "CVE-2025-21785",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21785"
},
{
"name": "CVE-2024-58086",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-58086"
},
{
"name": "CVE-2025-37999",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-37999"
},
{
"name": "CVE-2025-38018",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38018"
},
{
"name": "CVE-2025-21857",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21857"
},
{
"name": "CVE-2025-37797",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-37797"
},
{
"name": "CVE-2025-21848",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21848"
},
{
"name": "CVE-2025-37952",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-37952"
},
{
"name": "CVE-2025-38012",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38012"
},
{
"name": "CVE-2025-38019",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38019"
},
{
"name": "CVE-2025-21866",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21866"
},
{
"name": "CVE-2025-38037",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38037"
},
{
"name": "CVE-2025-37962",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-37962"
},
{
"name": "CVE-2025-21862",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21862"
},
{
"name": "CVE-2025-37972",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-37972"
},
{
"name": "CVE-2025-38010",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38010"
},
{
"name": "CVE-2024-57977",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-57977"
},
{
"name": "CVE-2025-37970",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-37970"
},
{
"name": "CVE-2025-38013",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38013"
},
{
"name": "CVE-2025-37956",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-37956"
},
{
"name": "CVE-2025-38094",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38094"
},
{
"name": "CVE-2025-38072",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38072"
},
{
"name": "CVE-2025-37967",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-37967"
},
{
"name": "CVE-2025-38075",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38075"
},
{
"name": "CVE-2025-37949",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-37949"
},
{
"name": "CVE-2025-37957",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-37957"
},
{
"name": "CVE-2025-38058",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38058"
},
{
"name": "CVE-2025-21762",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21762"
},
{
"name": "CVE-2025-38083",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38083"
},
{
"name": "CVE-2025-21869",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21869"
},
{
"name": "CVE-2024-54458",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-54458"
},
{
"name": "CVE-2025-37951",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-37951"
},
{
"name": "CVE-2025-37947",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-37947"
},
{
"name": "CVE-2025-21859",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21859"
},
{
"name": "CVE-2025-21761",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21761"
},
{
"name": "CVE-2025-37992",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-37992"
},
{
"name": "CVE-2025-21844",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21844"
},
{
"name": "CVE-2025-21784",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21784"
},
{
"name": "CVE-2024-58020",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-58020"
},
{
"name": "CVE-2025-37973",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-37973"
},
{
"name": "CVE-2025-37996",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-37996"
},
{
"name": "CVE-2025-21775",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21775"
},
{
"name": "CVE-2025-21846",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21846"
},
{
"name": "CVE-2025-37998",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-37998"
},
{
"name": "CVE-2025-37968",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-37968"
},
{
"name": "CVE-2025-38006",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38006"
},
{
"name": "CVE-2025-38048",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38048"
},
{
"name": "CVE-2025-21765",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21765"
},
{
"name": "CVE-2025-21782",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21782"
},
{
"name": "CVE-2025-38009",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38009"
},
{
"name": "CVE-2025-21870",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21870"
},
{
"name": "CVE-2024-54456",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-54456"
},
{
"name": "CVE-2024-38541",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-38541"
},
{
"name": "CVE-2025-37994",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-37994"
},
{
"name": "CVE-2025-21773",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21773"
},
{
"name": "CVE-2025-21858",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21858"
},
{
"name": "CVE-2025-37995",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-37995"
},
{
"name": "CVE-2025-21821",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21821"
},
{
"name": "CVE-2025-38052",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38052"
},
{
"name": "CVE-2025-38035",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38035"
},
{
"name": "CVE-2025-37963",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-37963"
},
{
"name": "CVE-2024-50073",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-50073"
},
{
"name": "CVE-2025-37948",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-37948"
},
{
"name": "CVE-2025-21863",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21863"
},
{
"name": "CVE-2025-21856",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21856"
},
{
"name": "CVE-2025-37960",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-37960"
},
{
"name": "CVE-2025-38051",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38051"
},
{
"name": "CVE-2025-37954",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-37954"
},
{
"name": "CVE-2025-38044",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38044"
},
{
"name": "CVE-2025-37959",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-37959"
},
{
"name": "CVE-2025-21793",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21793"
},
{
"name": "CVE-2025-21854",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21854"
},
{
"name": "CVE-2023-52757",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-52757"
},
{
"name": "CVE-2025-21759",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21759"
},
{
"name": "CVE-2023-52975",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-52975"
},
{
"name": "CVE-2025-37966",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-37966"
},
{
"name": "CVE-2025-38028",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38028"
},
{
"name": "CVE-2025-21790",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21790"
},
{
"name": "CVE-2025-38020",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38020"
},
{
"name": "CVE-2025-21835",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21835"
},
{
"name": "CVE-2025-38021",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38021"
}
],
"initial_release_date": "2025-08-22T00:00:00",
"last_revision_date": "2025-08-22T00:00:00",
"links": [],
"reference": "CERTFR-2025-AVI-0721",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2025-08-22T00:00:00.000000"
}
],
"risks": [
{
"description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
},
{
"description": "Ex\u00e9cution de code arbitraire"
},
{
"description": "Non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur"
},
{
"description": "D\u00e9ni de service"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans le noyau Linux d\u0027Ubuntu. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer une ex\u00e9cution de code arbitraire, une atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es et une atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es.",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans le noyau Linux d\u0027Ubuntu",
"vendor_advisories": [
{
"published_at": "2025-08-20",
"title": "Bulletin de s\u00e9curit\u00e9 Ubuntu USN-7704-1",
"url": "https://ubuntu.com/security/notices/USN-7704-1"
},
{
"published_at": "2025-08-19",
"title": "Bulletin de s\u00e9curit\u00e9 Ubuntu USN-7703-1",
"url": "https://ubuntu.com/security/notices/USN-7703-1"
},
{
"published_at": "2025-08-21",
"title": "Bulletin de s\u00e9curit\u00e9 Ubuntu USN-7704-4",
"url": "https://ubuntu.com/security/notices/USN-7704-4"
},
{
"published_at": "2025-08-20",
"title": "Bulletin de s\u00e9curit\u00e9 Ubuntu USN-7704-3",
"url": "https://ubuntu.com/security/notices/USN-7704-3"
},
{
"published_at": "2025-08-21",
"title": "Bulletin de s\u00e9curit\u00e9 Ubuntu USN-7701-3",
"url": "https://ubuntu.com/security/notices/USN-7701-3"
},
{
"published_at": "2025-08-20",
"title": "Bulletin de s\u00e9curit\u00e9 Ubuntu USN-7682-6",
"url": "https://ubuntu.com/security/notices/USN-7682-6"
},
{
"published_at": "2025-08-20",
"title": "Bulletin de s\u00e9curit\u00e9 Ubuntu USN-7703-2",
"url": "https://ubuntu.com/security/notices/USN-7703-2"
},
{
"published_at": "2025-08-21",
"title": "Bulletin de s\u00e9curit\u00e9 Ubuntu USN-7703-3",
"url": "https://ubuntu.com/security/notices/USN-7703-3"
},
{
"published_at": "2025-08-19",
"title": "Bulletin de s\u00e9curit\u00e9 Ubuntu USN-7701-1",
"url": "https://ubuntu.com/security/notices/USN-7701-1"
},
{
"published_at": "2025-08-19",
"title": "Bulletin de s\u00e9curit\u00e9 Ubuntu USN-7704-2",
"url": "https://ubuntu.com/security/notices/USN-7704-2"
},
{
"published_at": "2025-08-20",
"title": "Bulletin de s\u00e9curit\u00e9 Ubuntu USN-7699-2",
"url": "https://ubuntu.com/security/notices/USN-7699-2"
},
{
"published_at": "2025-08-20",
"title": "Bulletin de s\u00e9curit\u00e9 Ubuntu USN-7701-2",
"url": "https://ubuntu.com/security/notices/USN-7701-2"
}
]
}
CVE-2025-38048 (GCVE-0-2025-38048)
Vulnerability from cvelistv5 – Published: 2025-06-18 09:33 – Updated: 2026-05-11 21:20
VLAI
EPSS
Title
virtio_ring: Fix data race by tagging event_triggered as racy for KCSAN
Summary
In the Linux kernel, the following vulnerability has been resolved:
virtio_ring: Fix data race by tagging event_triggered as racy for KCSAN
syzbot reports a data-race when accessing the event_triggered, here is the
simplified stack when the issue occurred:
==================================================================
BUG: KCSAN: data-race in virtqueue_disable_cb / virtqueue_enable_cb_delayed
write to 0xffff8881025bc452 of 1 bytes by task 3288 on cpu 0:
virtqueue_enable_cb_delayed+0x42/0x3c0 drivers/virtio/virtio_ring.c:2653
start_xmit+0x230/0x1310 drivers/net/virtio_net.c:3264
__netdev_start_xmit include/linux/netdevice.h:5151 [inline]
netdev_start_xmit include/linux/netdevice.h:5160 [inline]
xmit_one net/core/dev.c:3800 [inline]
read to 0xffff8881025bc452 of 1 bytes by interrupt on cpu 1:
virtqueue_disable_cb_split drivers/virtio/virtio_ring.c:880 [inline]
virtqueue_disable_cb+0x92/0x180 drivers/virtio/virtio_ring.c:2566
skb_xmit_done+0x5f/0x140 drivers/net/virtio_net.c:777
vring_interrupt+0x161/0x190 drivers/virtio/virtio_ring.c:2715
__handle_irq_event_percpu+0x95/0x490 kernel/irq/handle.c:158
handle_irq_event_percpu kernel/irq/handle.c:193 [inline]
value changed: 0x01 -> 0x00
==================================================================
When the data race occurs, the function virtqueue_enable_cb_delayed() sets
event_triggered to false, and virtqueue_disable_cb_split/packed() reads it
as false due to the race condition. Since event_triggered is an unreliable
hint used for optimization, this should only cause the driver temporarily
suggest that the device not send an interrupt notification when the event
index is used.
Fix this KCSAN reported data-race issue by explicitly tagging the access as
data_racy.
Severity
No CVSS data available.
Assigner
References
7 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
8d622d21d24803408b256d96463eac4574dcf067 , < 02d2d6caee3abc9335cfca35f8eb4492173ae6f2
(git)
Affected: 8d622d21d24803408b256d96463eac4574dcf067 , < b6d6419548286b2b9d2b90df824d3cab797f6ae8 (git) Affected: 8d622d21d24803408b256d96463eac4574dcf067 , < b49b5132e4c7307599492aee1cdc6d89f7f2a7da (git) Affected: 8d622d21d24803408b256d96463eac4574dcf067 , < b730cb109633c455ce8a7cd6934986c6a16d88d8 (git) Affected: 8d622d21d24803408b256d96463eac4574dcf067 , < 4ed8f0e808b3fcc71c5b8be7902d8738ed595b17 (git) Affected: 8d622d21d24803408b256d96463eac4574dcf067 , < 2e2f925fe737576df2373931c95e1a2b66efdfef (git) |
|
| Linux | Linux |
Affected:
5.14
Unaffected: 0 , < 5.14 (semver) Unaffected: 5.15.185 , ≤ 5.15.* (semver) Unaffected: 6.1.141 , ≤ 6.1.* (semver) Unaffected: 6.6.93 , ≤ 6.6.* (semver) Unaffected: 6.12.31 , ≤ 6.12.* (semver) Unaffected: 6.14.9 , ≤ 6.14.* (semver) Unaffected: 6.15 , ≤ * (original_commit_for_fix) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:33:21.278Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/virtio/virtio_ring.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "02d2d6caee3abc9335cfca35f8eb4492173ae6f2",
"status": "affected",
"version": "8d622d21d24803408b256d96463eac4574dcf067",
"versionType": "git"
},
{
"lessThan": "b6d6419548286b2b9d2b90df824d3cab797f6ae8",
"status": "affected",
"version": "8d622d21d24803408b256d96463eac4574dcf067",
"versionType": "git"
},
{
"lessThan": "b49b5132e4c7307599492aee1cdc6d89f7f2a7da",
"status": "affected",
"version": "8d622d21d24803408b256d96463eac4574dcf067",
"versionType": "git"
},
{
"lessThan": "b730cb109633c455ce8a7cd6934986c6a16d88d8",
"status": "affected",
"version": "8d622d21d24803408b256d96463eac4574dcf067",
"versionType": "git"
},
{
"lessThan": "4ed8f0e808b3fcc71c5b8be7902d8738ed595b17",
"status": "affected",
"version": "8d622d21d24803408b256d96463eac4574dcf067",
"versionType": "git"
},
{
"lessThan": "2e2f925fe737576df2373931c95e1a2b66efdfef",
"status": "affected",
"version": "8d622d21d24803408b256d96463eac4574dcf067",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/virtio/virtio_ring.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.14"
},
{
"lessThan": "5.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.185",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.141",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.93",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.31",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.14.*",
"status": "unaffected",
"version": "6.14.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.15",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.185",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.141",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.93",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.31",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14.9",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15",
"versionStartIncluding": "5.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nvirtio_ring: Fix data race by tagging event_triggered as racy for KCSAN\n\nsyzbot reports a data-race when accessing the event_triggered, here is the\nsimplified stack when the issue occurred:\n\n==================================================================\nBUG: KCSAN: data-race in virtqueue_disable_cb / virtqueue_enable_cb_delayed\n\nwrite to 0xffff8881025bc452 of 1 bytes by task 3288 on cpu 0:\n virtqueue_enable_cb_delayed+0x42/0x3c0 drivers/virtio/virtio_ring.c:2653\n start_xmit+0x230/0x1310 drivers/net/virtio_net.c:3264\n __netdev_start_xmit include/linux/netdevice.h:5151 [inline]\n netdev_start_xmit include/linux/netdevice.h:5160 [inline]\n xmit_one net/core/dev.c:3800 [inline]\n\nread to 0xffff8881025bc452 of 1 bytes by interrupt on cpu 1:\n virtqueue_disable_cb_split drivers/virtio/virtio_ring.c:880 [inline]\n virtqueue_disable_cb+0x92/0x180 drivers/virtio/virtio_ring.c:2566\n skb_xmit_done+0x5f/0x140 drivers/net/virtio_net.c:777\n vring_interrupt+0x161/0x190 drivers/virtio/virtio_ring.c:2715\n __handle_irq_event_percpu+0x95/0x490 kernel/irq/handle.c:158\n handle_irq_event_percpu kernel/irq/handle.c:193 [inline]\n\nvalue changed: 0x01 -\u003e 0x00\n==================================================================\n\nWhen the data race occurs, the function virtqueue_enable_cb_delayed() sets\nevent_triggered to false, and virtqueue_disable_cb_split/packed() reads it\nas false due to the race condition. Since event_triggered is an unreliable\nhint used for optimization, this should only cause the driver temporarily\nsuggest that the device not send an interrupt notification when the event\nindex is used.\n\nFix this KCSAN reported data-race issue by explicitly tagging the access as\ndata_racy."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:20:15.757Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/02d2d6caee3abc9335cfca35f8eb4492173ae6f2"
},
{
"url": "https://git.kernel.org/stable/c/b6d6419548286b2b9d2b90df824d3cab797f6ae8"
},
{
"url": "https://git.kernel.org/stable/c/b49b5132e4c7307599492aee1cdc6d89f7f2a7da"
},
{
"url": "https://git.kernel.org/stable/c/b730cb109633c455ce8a7cd6934986c6a16d88d8"
},
{
"url": "https://git.kernel.org/stable/c/4ed8f0e808b3fcc71c5b8be7902d8738ed595b17"
},
{
"url": "https://git.kernel.org/stable/c/2e2f925fe737576df2373931c95e1a2b66efdfef"
}
],
"title": "virtio_ring: Fix data race by tagging event_triggered as racy for KCSAN",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38048",
"datePublished": "2025-06-18T09:33:31.413Z",
"dateReserved": "2025-04-16T04:51:23.979Z",
"dateUpdated": "2026-05-11T21:20:15.757Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-38051 (GCVE-0-2025-38051)
Vulnerability from cvelistv5 – Published: 2025-06-18 09:33 – Updated: 2026-06-11 18:44
VLAI
EPSS
Title
smb: client: Fix use-after-free in cifs_fill_dirent
Summary
In the Linux kernel, the following vulnerability has been resolved:
smb: client: Fix use-after-free in cifs_fill_dirent
There is a race condition in the readdir concurrency process, which may
access the rsp buffer after it has been released, triggering the
following KASAN warning.
==================================================================
BUG: KASAN: slab-use-after-free in cifs_fill_dirent+0xb03/0xb60 [cifs]
Read of size 4 at addr ffff8880099b819c by task a.out/342975
CPU: 2 UID: 0 PID: 342975 Comm: a.out Not tainted 6.15.0-rc6+ #240 PREEMPT(full)
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.1-2.fc37 04/01/2014
Call Trace:
<TASK>
dump_stack_lvl+0x53/0x70
print_report+0xce/0x640
kasan_report+0xb8/0xf0
cifs_fill_dirent+0xb03/0xb60 [cifs]
cifs_readdir+0x12cb/0x3190 [cifs]
iterate_dir+0x1a1/0x520
__x64_sys_getdents+0x134/0x220
do_syscall_64+0x4b/0x110
entry_SYSCALL_64_after_hwframe+0x76/0x7e
RIP: 0033:0x7f996f64b9f9
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89
f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01
f0 ff ff 0d f7 c3 0c 00 f7 d8 64 89 8
RSP: 002b:00007f996f53de78 EFLAGS: 00000207 ORIG_RAX: 000000000000004e
RAX: ffffffffffffffda RBX: 00007f996f53ecdc RCX: 00007f996f64b9f9
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003
RBP: 00007f996f53dea0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000207 R12: ffffffffffffff88
R13: 0000000000000000 R14: 00007ffc8cd9a500 R15: 00007f996f51e000
</TASK>
Allocated by task 408:
kasan_save_stack+0x20/0x40
kasan_save_track+0x14/0x30
__kasan_slab_alloc+0x6e/0x70
kmem_cache_alloc_noprof+0x117/0x3d0
mempool_alloc_noprof+0xf2/0x2c0
cifs_buf_get+0x36/0x80 [cifs]
allocate_buffers+0x1d2/0x330 [cifs]
cifs_demultiplex_thread+0x22b/0x2690 [cifs]
kthread+0x394/0x720
ret_from_fork+0x34/0x70
ret_from_fork_asm+0x1a/0x30
Freed by task 342979:
kasan_save_stack+0x20/0x40
kasan_save_track+0x14/0x30
kasan_save_free_info+0x3b/0x60
__kasan_slab_free+0x37/0x50
kmem_cache_free+0x2b8/0x500
cifs_buf_release+0x3c/0x70 [cifs]
cifs_readdir+0x1c97/0x3190 [cifs]
iterate_dir+0x1a1/0x520
__x64_sys_getdents64+0x134/0x220
do_syscall_64+0x4b/0x110
entry_SYSCALL_64_after_hwframe+0x76/0x7e
The buggy address belongs to the object at ffff8880099b8000
which belongs to the cache cifs_request of size 16588
The buggy address is located 412 bytes inside of
freed 16588-byte region [ffff8880099b8000, ffff8880099bc0cc)
The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x99b8
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
anon flags: 0x80000000000040(head|node=0|zone=1)
page_type: f5(slab)
raw: 0080000000000040 ffff888001e03400 0000000000000000 dead000000000001
raw: 0000000000000000 0000000000010001 00000000f5000000 0000000000000000
head: 0080000000000040 ffff888001e03400 0000000000000000 dead000000000001
head: 0000000000000000 0000000000010001 00000000f5000000 0000000000000000
head: 0080000000000003 ffffea0000266e01 00000000ffffffff 00000000ffffffff
head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff8880099b8080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8880099b8100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8880099b8180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff8880099b8200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8880099b8280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
POC is available in the link [1].
The problem triggering process is as follows:
Process 1 Process 2
-----------------------------------
---truncated---
Severity
No CVSS data available.
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
Assigner
References
10 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
a364bc0b37f14ffd66c1f982af42990a9d77fa43 , < aee067e88d61eb72e966f094e4749c6b14e7008f
(git)
Affected: a364bc0b37f14ffd66c1f982af42990a9d77fa43 , < a24c2f05ac3c5b0aaa539d9d913826d2643dfd0e (git) Affected: a364bc0b37f14ffd66c1f982af42990a9d77fa43 , < 1b197931fbc821bc7e9e91bf619400db563e3338 (git) Affected: a364bc0b37f14ffd66c1f982af42990a9d77fa43 , < c8623231e0edfcccb7cc6add0288fa0f0594282f (git) Affected: a364bc0b37f14ffd66c1f982af42990a9d77fa43 , < 73cadde98f67f76c5eba00ac0b72c453383cec8b (git) Affected: a364bc0b37f14ffd66c1f982af42990a9d77fa43 , < 9bea368648ac46f8593a780760362e40291d22a9 (git) Affected: a364bc0b37f14ffd66c1f982af42990a9d77fa43 , < 9c9aafbacc183598f064902365e107b5e856531f (git) Affected: a364bc0b37f14ffd66c1f982af42990a9d77fa43 , < a7a8fe56e932a36f43e031b398aef92341bf5ea0 (git) Affected: 0f3da51e7046e2eb28992ba65c22d058f571356c (git) Affected: 2.6.27.4 , < 2.6.28 (semver) |
|
| Linux | Linux |
Affected:
2.6.28
Unaffected: 0 , < 2.6.28 (semver) Unaffected: 5.4.294 , ≤ 5.4.* (semver) Unaffected: 5.10.238 , ≤ 5.10.* (semver) Unaffected: 5.15.185 , ≤ 5.15.* (semver) Unaffected: 6.1.141 , ≤ 6.1.* (semver) Unaffected: 6.6.93 , ≤ 6.6.* (semver) Unaffected: 6.12.31 , ≤ 6.12.* (semver) Unaffected: 6.14.9 , ≤ 6.14.* (semver) Unaffected: 6.15 , ≤ * (original_commit_for_fix) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:33:23.156Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-38051",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-10T20:41:50.583980Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-11T18:44:16.726Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/smb/client/readdir.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "aee067e88d61eb72e966f094e4749c6b14e7008f",
"status": "affected",
"version": "a364bc0b37f14ffd66c1f982af42990a9d77fa43",
"versionType": "git"
},
{
"lessThan": "a24c2f05ac3c5b0aaa539d9d913826d2643dfd0e",
"status": "affected",
"version": "a364bc0b37f14ffd66c1f982af42990a9d77fa43",
"versionType": "git"
},
{
"lessThan": "1b197931fbc821bc7e9e91bf619400db563e3338",
"status": "affected",
"version": "a364bc0b37f14ffd66c1f982af42990a9d77fa43",
"versionType": "git"
},
{
"lessThan": "c8623231e0edfcccb7cc6add0288fa0f0594282f",
"status": "affected",
"version": "a364bc0b37f14ffd66c1f982af42990a9d77fa43",
"versionType": "git"
},
{
"lessThan": "73cadde98f67f76c5eba00ac0b72c453383cec8b",
"status": "affected",
"version": "a364bc0b37f14ffd66c1f982af42990a9d77fa43",
"versionType": "git"
},
{
"lessThan": "9bea368648ac46f8593a780760362e40291d22a9",
"status": "affected",
"version": "a364bc0b37f14ffd66c1f982af42990a9d77fa43",
"versionType": "git"
},
{
"lessThan": "9c9aafbacc183598f064902365e107b5e856531f",
"status": "affected",
"version": "a364bc0b37f14ffd66c1f982af42990a9d77fa43",
"versionType": "git"
},
{
"lessThan": "a7a8fe56e932a36f43e031b398aef92341bf5ea0",
"status": "affected",
"version": "a364bc0b37f14ffd66c1f982af42990a9d77fa43",
"versionType": "git"
},
{
"status": "affected",
"version": "0f3da51e7046e2eb28992ba65c22d058f571356c",
"versionType": "git"
},
{
"lessThan": "2.6.28",
"status": "affected",
"version": "2.6.27.4",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/smb/client/readdir.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.28"
},
{
"lessThan": "2.6.28",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.294",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.238",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.185",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.141",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.93",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.31",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.14.*",
"status": "unaffected",
"version": "6.14.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.15",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.294",
"versionStartIncluding": "2.6.28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.238",
"versionStartIncluding": "2.6.28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.185",
"versionStartIncluding": "2.6.28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.141",
"versionStartIncluding": "2.6.28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.93",
"versionStartIncluding": "2.6.28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.31",
"versionStartIncluding": "2.6.28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14.9",
"versionStartIncluding": "2.6.28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15",
"versionStartIncluding": "2.6.28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "2.6.27.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: Fix use-after-free in cifs_fill_dirent\n\nThere is a race condition in the readdir concurrency process, which may\naccess the rsp buffer after it has been released, triggering the\nfollowing KASAN warning.\n\n ==================================================================\n BUG: KASAN: slab-use-after-free in cifs_fill_dirent+0xb03/0xb60 [cifs]\n Read of size 4 at addr ffff8880099b819c by task a.out/342975\n\n CPU: 2 UID: 0 PID: 342975 Comm: a.out Not tainted 6.15.0-rc6+ #240 PREEMPT(full)\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.1-2.fc37 04/01/2014\n Call Trace:\n \u003cTASK\u003e\n dump_stack_lvl+0x53/0x70\n print_report+0xce/0x640\n kasan_report+0xb8/0xf0\n cifs_fill_dirent+0xb03/0xb60 [cifs]\n cifs_readdir+0x12cb/0x3190 [cifs]\n iterate_dir+0x1a1/0x520\n __x64_sys_getdents+0x134/0x220\n do_syscall_64+0x4b/0x110\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n RIP: 0033:0x7f996f64b9f9\n Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89\n f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 \u003c48\u003e 3d 01\n f0 ff ff 0d f7 c3 0c 00 f7 d8 64 89 8\n RSP: 002b:00007f996f53de78 EFLAGS: 00000207 ORIG_RAX: 000000000000004e\n RAX: ffffffffffffffda RBX: 00007f996f53ecdc RCX: 00007f996f64b9f9\n RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003\n RBP: 00007f996f53dea0 R08: 0000000000000000 R09: 0000000000000000\n R10: 0000000000000000 R11: 0000000000000207 R12: ffffffffffffff88\n R13: 0000000000000000 R14: 00007ffc8cd9a500 R15: 00007f996f51e000\n \u003c/TASK\u003e\n\n Allocated by task 408:\n kasan_save_stack+0x20/0x40\n kasan_save_track+0x14/0x30\n __kasan_slab_alloc+0x6e/0x70\n kmem_cache_alloc_noprof+0x117/0x3d0\n mempool_alloc_noprof+0xf2/0x2c0\n cifs_buf_get+0x36/0x80 [cifs]\n allocate_buffers+0x1d2/0x330 [cifs]\n cifs_demultiplex_thread+0x22b/0x2690 [cifs]\n kthread+0x394/0x720\n ret_from_fork+0x34/0x70\n ret_from_fork_asm+0x1a/0x30\n\n Freed by task 342979:\n kasan_save_stack+0x20/0x40\n kasan_save_track+0x14/0x30\n kasan_save_free_info+0x3b/0x60\n __kasan_slab_free+0x37/0x50\n kmem_cache_free+0x2b8/0x500\n cifs_buf_release+0x3c/0x70 [cifs]\n cifs_readdir+0x1c97/0x3190 [cifs]\n iterate_dir+0x1a1/0x520\n __x64_sys_getdents64+0x134/0x220\n do_syscall_64+0x4b/0x110\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\n The buggy address belongs to the object at ffff8880099b8000\n which belongs to the cache cifs_request of size 16588\n The buggy address is located 412 bytes inside of\n freed 16588-byte region [ffff8880099b8000, ffff8880099bc0cc)\n\n The buggy address belongs to the physical page:\n page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x99b8\n head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0\n anon flags: 0x80000000000040(head|node=0|zone=1)\n page_type: f5(slab)\n raw: 0080000000000040 ffff888001e03400 0000000000000000 dead000000000001\n raw: 0000000000000000 0000000000010001 00000000f5000000 0000000000000000\n head: 0080000000000040 ffff888001e03400 0000000000000000 dead000000000001\n head: 0000000000000000 0000000000010001 00000000f5000000 0000000000000000\n head: 0080000000000003 ffffea0000266e01 00000000ffffffff 00000000ffffffff\n head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008\n page dumped because: kasan: bad access detected\n\n Memory state around the buggy address:\n ffff8880099b8080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n ffff8880099b8100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n \u003effff8880099b8180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n ^\n ffff8880099b8200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n ffff8880099b8280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n ==================================================================\n\nPOC is available in the link [1].\n\nThe problem triggering process is as follows:\n\nProcess 1 Process 2\n-----------------------------------\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-23T15:58:52.888Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/aee067e88d61eb72e966f094e4749c6b14e7008f"
},
{
"url": "https://git.kernel.org/stable/c/a24c2f05ac3c5b0aaa539d9d913826d2643dfd0e"
},
{
"url": "https://git.kernel.org/stable/c/1b197931fbc821bc7e9e91bf619400db563e3338"
},
{
"url": "https://git.kernel.org/stable/c/c8623231e0edfcccb7cc6add0288fa0f0594282f"
},
{
"url": "https://git.kernel.org/stable/c/73cadde98f67f76c5eba00ac0b72c453383cec8b"
},
{
"url": "https://git.kernel.org/stable/c/9bea368648ac46f8593a780760362e40291d22a9"
},
{
"url": "https://git.kernel.org/stable/c/9c9aafbacc183598f064902365e107b5e856531f"
},
{
"url": "https://git.kernel.org/stable/c/a7a8fe56e932a36f43e031b398aef92341bf5ea0"
}
],
"title": "smb: client: Fix use-after-free in cifs_fill_dirent",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38051",
"datePublished": "2025-06-18T09:33:32.805Z",
"dateReserved": "2025-04-16T04:51:23.979Z",
"dateUpdated": "2026-06-11T18:44:16.726Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-38052 (GCVE-0-2025-38052)
Vulnerability from cvelistv5 – Published: 2025-06-18 09:33 – Updated: 2026-05-11 21:20
VLAI
EPSS
Title
net/tipc: fix slab-use-after-free Read in tipc_aead_encrypt_done
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/tipc: fix slab-use-after-free Read in tipc_aead_encrypt_done
Syzbot reported a slab-use-after-free with the following call trace:
==================================================================
BUG: KASAN: slab-use-after-free in tipc_aead_encrypt_done+0x4bd/0x510 net/tipc/crypto.c:840
Read of size 8 at addr ffff88807a733000 by task kworker/1:0/25
Call Trace:
kasan_report+0xd9/0x110 mm/kasan/report.c:601
tipc_aead_encrypt_done+0x4bd/0x510 net/tipc/crypto.c:840
crypto_request_complete include/crypto/algapi.h:266
aead_request_complete include/crypto/internal/aead.h:85
cryptd_aead_crypt+0x3b8/0x750 crypto/cryptd.c:772
crypto_request_complete include/crypto/algapi.h:266
cryptd_queue_worker+0x131/0x200 crypto/cryptd.c:181
process_one_work+0x9fb/0x1b60 kernel/workqueue.c:3231
Allocated by task 8355:
kzalloc_noprof include/linux/slab.h:778
tipc_crypto_start+0xcc/0x9e0 net/tipc/crypto.c:1466
tipc_init_net+0x2dd/0x430 net/tipc/core.c:72
ops_init+0xb9/0x650 net/core/net_namespace.c:139
setup_net+0x435/0xb40 net/core/net_namespace.c:343
copy_net_ns+0x2f0/0x670 net/core/net_namespace.c:508
create_new_namespaces+0x3ea/0xb10 kernel/nsproxy.c:110
unshare_nsproxy_namespaces+0xc0/0x1f0 kernel/nsproxy.c:228
ksys_unshare+0x419/0x970 kernel/fork.c:3323
__do_sys_unshare kernel/fork.c:3394
Freed by task 63:
kfree+0x12a/0x3b0 mm/slub.c:4557
tipc_crypto_stop+0x23c/0x500 net/tipc/crypto.c:1539
tipc_exit_net+0x8c/0x110 net/tipc/core.c:119
ops_exit_list+0xb0/0x180 net/core/net_namespace.c:173
cleanup_net+0x5b7/0xbf0 net/core/net_namespace.c:640
process_one_work+0x9fb/0x1b60 kernel/workqueue.c:3231
After freed the tipc_crypto tx by delete namespace, tipc_aead_encrypt_done
may still visit it in cryptd_queue_worker workqueue.
I reproduce this issue by:
ip netns add ns1
ip link add veth1 type veth peer name veth2
ip link set veth1 netns ns1
ip netns exec ns1 tipc bearer enable media eth dev veth1
ip netns exec ns1 tipc node set key this_is_a_master_key master
ip netns exec ns1 tipc bearer disable media eth dev veth1
ip netns del ns1
The key of reproduction is that, simd_aead_encrypt is interrupted, leading
to crypto_simd_usable() return false. Thus, the cryptd_queue_worker is
triggered, and the tipc_crypto tx will be visited.
tipc_disc_timeout
tipc_bearer_xmit_skb
tipc_crypto_xmit
tipc_aead_encrypt
crypto_aead_encrypt
// encrypt()
simd_aead_encrypt
// crypto_simd_usable() is false
child = &ctx->cryptd_tfm->base;
simd_aead_encrypt
crypto_aead_encrypt
// encrypt()
cryptd_aead_encrypt_enqueue
cryptd_aead_enqueue
cryptd_enqueue_request
// trigger cryptd_queue_worker
queue_work_on(smp_processor_id(), cryptd_wq, &cpu_queue->work)
Fix this by holding net reference count before encrypt.
Severity
No CVSS data available.
Assigner
References
9 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
fc1b6d6de2208774efd2a20bf0daddb02d18b1e0 , < d42ed4de6aba232d946d20653a70f79158a6535b
(git)
Affected: fc1b6d6de2208774efd2a20bf0daddb02d18b1e0 , < f5c2c4eaaa5a8e7e0685ec031d480e588e263e59 (git) Affected: fc1b6d6de2208774efd2a20bf0daddb02d18b1e0 , < b8fcae6d2e93c54cacb8f579a77d827c1c643eb5 (git) Affected: fc1b6d6de2208774efd2a20bf0daddb02d18b1e0 , < b19fc1d0be3c3397e5968fe2627f22e7f84673b1 (git) Affected: fc1b6d6de2208774efd2a20bf0daddb02d18b1e0 , < 689a205cd968a1572ab561b0c4c2d50a10e9d3b0 (git) Affected: fc1b6d6de2208774efd2a20bf0daddb02d18b1e0 , < 4a0fddc2c0d5c28aec8c262ad4603be0bef1938c (git) Affected: fc1b6d6de2208774efd2a20bf0daddb02d18b1e0 , < e279024617134c94fd3e37470156534d5f2b3472 (git) |
|
| Linux | Linux |
Affected:
5.5
Unaffected: 0 , < 5.5 (semver) Unaffected: 5.10.238 , ≤ 5.10.* (semver) Unaffected: 5.15.185 , ≤ 5.15.* (semver) Unaffected: 6.1.141 , ≤ 6.1.* (semver) Unaffected: 6.6.93 , ≤ 6.6.* (semver) Unaffected: 6.12.31 , ≤ 6.12.* (semver) Unaffected: 6.14.9 , ≤ 6.14.* (semver) Unaffected: 6.15 , ≤ * (original_commit_for_fix) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:33:25.090Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/tipc/crypto.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d42ed4de6aba232d946d20653a70f79158a6535b",
"status": "affected",
"version": "fc1b6d6de2208774efd2a20bf0daddb02d18b1e0",
"versionType": "git"
},
{
"lessThan": "f5c2c4eaaa5a8e7e0685ec031d480e588e263e59",
"status": "affected",
"version": "fc1b6d6de2208774efd2a20bf0daddb02d18b1e0",
"versionType": "git"
},
{
"lessThan": "b8fcae6d2e93c54cacb8f579a77d827c1c643eb5",
"status": "affected",
"version": "fc1b6d6de2208774efd2a20bf0daddb02d18b1e0",
"versionType": "git"
},
{
"lessThan": "b19fc1d0be3c3397e5968fe2627f22e7f84673b1",
"status": "affected",
"version": "fc1b6d6de2208774efd2a20bf0daddb02d18b1e0",
"versionType": "git"
},
{
"lessThan": "689a205cd968a1572ab561b0c4c2d50a10e9d3b0",
"status": "affected",
"version": "fc1b6d6de2208774efd2a20bf0daddb02d18b1e0",
"versionType": "git"
},
{
"lessThan": "4a0fddc2c0d5c28aec8c262ad4603be0bef1938c",
"status": "affected",
"version": "fc1b6d6de2208774efd2a20bf0daddb02d18b1e0",
"versionType": "git"
},
{
"lessThan": "e279024617134c94fd3e37470156534d5f2b3472",
"status": "affected",
"version": "fc1b6d6de2208774efd2a20bf0daddb02d18b1e0",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/tipc/crypto.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.5"
},
{
"lessThan": "5.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.238",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.185",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.141",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.93",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.31",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.14.*",
"status": "unaffected",
"version": "6.14.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.15",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.238",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.185",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.141",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.93",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.31",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14.9",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15",
"versionStartIncluding": "5.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/tipc: fix slab-use-after-free Read in tipc_aead_encrypt_done\n\nSyzbot reported a slab-use-after-free with the following call trace:\n\n ==================================================================\n BUG: KASAN: slab-use-after-free in tipc_aead_encrypt_done+0x4bd/0x510 net/tipc/crypto.c:840\n Read of size 8 at addr ffff88807a733000 by task kworker/1:0/25\n\n Call Trace:\n kasan_report+0xd9/0x110 mm/kasan/report.c:601\n tipc_aead_encrypt_done+0x4bd/0x510 net/tipc/crypto.c:840\n crypto_request_complete include/crypto/algapi.h:266\n aead_request_complete include/crypto/internal/aead.h:85\n cryptd_aead_crypt+0x3b8/0x750 crypto/cryptd.c:772\n crypto_request_complete include/crypto/algapi.h:266\n cryptd_queue_worker+0x131/0x200 crypto/cryptd.c:181\n process_one_work+0x9fb/0x1b60 kernel/workqueue.c:3231\n\n Allocated by task 8355:\n kzalloc_noprof include/linux/slab.h:778\n tipc_crypto_start+0xcc/0x9e0 net/tipc/crypto.c:1466\n tipc_init_net+0x2dd/0x430 net/tipc/core.c:72\n ops_init+0xb9/0x650 net/core/net_namespace.c:139\n setup_net+0x435/0xb40 net/core/net_namespace.c:343\n copy_net_ns+0x2f0/0x670 net/core/net_namespace.c:508\n create_new_namespaces+0x3ea/0xb10 kernel/nsproxy.c:110\n unshare_nsproxy_namespaces+0xc0/0x1f0 kernel/nsproxy.c:228\n ksys_unshare+0x419/0x970 kernel/fork.c:3323\n __do_sys_unshare kernel/fork.c:3394\n\n Freed by task 63:\n kfree+0x12a/0x3b0 mm/slub.c:4557\n tipc_crypto_stop+0x23c/0x500 net/tipc/crypto.c:1539\n tipc_exit_net+0x8c/0x110 net/tipc/core.c:119\n ops_exit_list+0xb0/0x180 net/core/net_namespace.c:173\n cleanup_net+0x5b7/0xbf0 net/core/net_namespace.c:640\n process_one_work+0x9fb/0x1b60 kernel/workqueue.c:3231\n\nAfter freed the tipc_crypto tx by delete namespace, tipc_aead_encrypt_done\nmay still visit it in cryptd_queue_worker workqueue.\n\nI reproduce this issue by:\n ip netns add ns1\n ip link add veth1 type veth peer name veth2\n ip link set veth1 netns ns1\n ip netns exec ns1 tipc bearer enable media eth dev veth1\n ip netns exec ns1 tipc node set key this_is_a_master_key master\n ip netns exec ns1 tipc bearer disable media eth dev veth1\n ip netns del ns1\n\nThe key of reproduction is that, simd_aead_encrypt is interrupted, leading\nto crypto_simd_usable() return false. Thus, the cryptd_queue_worker is\ntriggered, and the tipc_crypto tx will be visited.\n\n tipc_disc_timeout\n tipc_bearer_xmit_skb\n tipc_crypto_xmit\n tipc_aead_encrypt\n crypto_aead_encrypt\n // encrypt()\n simd_aead_encrypt\n // crypto_simd_usable() is false\n child = \u0026ctx-\u003ecryptd_tfm-\u003ebase;\n\n simd_aead_encrypt\n crypto_aead_encrypt\n // encrypt()\n cryptd_aead_encrypt_enqueue\n cryptd_aead_enqueue\n cryptd_enqueue_request\n // trigger cryptd_queue_worker\n queue_work_on(smp_processor_id(), cryptd_wq, \u0026cpu_queue-\u003ework)\n\nFix this by holding net reference count before encrypt."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:20:20.422Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d42ed4de6aba232d946d20653a70f79158a6535b"
},
{
"url": "https://git.kernel.org/stable/c/f5c2c4eaaa5a8e7e0685ec031d480e588e263e59"
},
{
"url": "https://git.kernel.org/stable/c/b8fcae6d2e93c54cacb8f579a77d827c1c643eb5"
},
{
"url": "https://git.kernel.org/stable/c/b19fc1d0be3c3397e5968fe2627f22e7f84673b1"
},
{
"url": "https://git.kernel.org/stable/c/689a205cd968a1572ab561b0c4c2d50a10e9d3b0"
},
{
"url": "https://git.kernel.org/stable/c/4a0fddc2c0d5c28aec8c262ad4603be0bef1938c"
},
{
"url": "https://git.kernel.org/stable/c/e279024617134c94fd3e37470156534d5f2b3472"
}
],
"title": "net/tipc: fix slab-use-after-free Read in tipc_aead_encrypt_done",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38052",
"datePublished": "2025-06-18T09:33:33.427Z",
"dateReserved": "2025-04-16T04:51:23.979Z",
"dateUpdated": "2026-05-11T21:20:20.422Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-38056 (GCVE-0-2025-38056)
Vulnerability from cvelistv5 – Published: 2025-06-18 09:33 – Updated: 2026-05-11 21:20
VLAI
EPSS
Title
ASoC: SOF: Intel: hda: Fix UAF when reloading module
Summary
In the Linux kernel, the following vulnerability has been resolved:
ASoC: SOF: Intel: hda: Fix UAF when reloading module
hda_generic_machine_select() appends -idisp to the tplg filename by
allocating a new string with devm_kasprintf(), then stores the string
right back into the global variable snd_soc_acpi_intel_hda_machines.
When the module is unloaded, this memory is freed, resulting in a global
variable pointing to freed memory. Reloading the module then triggers
a use-after-free:
BUG: KFENCE: use-after-free read in string+0x48/0xe0
Use-after-free read at 0x00000000967e0109 (in kfence-#99):
string+0x48/0xe0
vsnprintf+0x329/0x6e0
devm_kvasprintf+0x54/0xb0
devm_kasprintf+0x58/0x80
hda_machine_select.cold+0x198/0x17a2 [snd_sof_intel_hda_generic]
sof_probe_work+0x7f/0x600 [snd_sof]
process_one_work+0x17b/0x330
worker_thread+0x2ce/0x3f0
kthread+0xcf/0x100
ret_from_fork+0x31/0x50
ret_from_fork_asm+0x1a/0x30
kfence-#99: 0x00000000198a940f-0x00000000ace47d9d, size=64, cache=kmalloc-64
allocated by task 333 on cpu 8 at 17.798069s (130.453553s ago):
devm_kmalloc+0x52/0x120
devm_kvasprintf+0x66/0xb0
devm_kasprintf+0x58/0x80
hda_machine_select.cold+0x198/0x17a2 [snd_sof_intel_hda_generic]
sof_probe_work+0x7f/0x600 [snd_sof]
process_one_work+0x17b/0x330
worker_thread+0x2ce/0x3f0
kthread+0xcf/0x100
ret_from_fork+0x31/0x50
ret_from_fork_asm+0x1a/0x30
freed by task 1543 on cpu 4 at 141.586686s (6.665010s ago):
release_nodes+0x43/0xb0
devres_release_all+0x90/0xf0
device_unbind_cleanup+0xe/0x70
device_release_driver_internal+0x1c1/0x200
driver_detach+0x48/0x90
bus_remove_driver+0x6d/0xf0
pci_unregister_driver+0x42/0xb0
__do_sys_delete_module+0x1d1/0x310
do_syscall_64+0x82/0x190
entry_SYSCALL_64_after_hwframe+0x76/0x7e
Fix it by copying the match array with devm_kmemdup_array() before we
modify it.
Severity
No CVSS data available.
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
5458411d75947a4212e50a401ec0a98d4c6c931b , < 2b49e68360eb6a1c03dc1642a51f7d9f6784c034
(git)
Affected: 5458411d75947a4212e50a401ec0a98d4c6c931b , < f9670b2e81e8a3cbf2e1e757190dd0b920a9d43f (git) Affected: 5458411d75947a4212e50a401ec0a98d4c6c931b , < 7dd7f39fce0022b386ef1ea5ffef92ecc7dfc6af (git) |
|
| Linux | Linux |
Affected:
6.12
Unaffected: 0 , < 6.12 (semver) Unaffected: 6.12.31 , ≤ 6.12.* (semver) Unaffected: 6.14.9 , ≤ 6.14.* (semver) Unaffected: 6.15 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"sound/soc/sof/intel/hda.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "2b49e68360eb6a1c03dc1642a51f7d9f6784c034",
"status": "affected",
"version": "5458411d75947a4212e50a401ec0a98d4c6c931b",
"versionType": "git"
},
{
"lessThan": "f9670b2e81e8a3cbf2e1e757190dd0b920a9d43f",
"status": "affected",
"version": "5458411d75947a4212e50a401ec0a98d4c6c931b",
"versionType": "git"
},
{
"lessThan": "7dd7f39fce0022b386ef1ea5ffef92ecc7dfc6af",
"status": "affected",
"version": "5458411d75947a4212e50a401ec0a98d4c6c931b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"sound/soc/sof/intel/hda.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.12"
},
{
"lessThan": "6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.31",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.14.*",
"status": "unaffected",
"version": "6.14.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.15",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.31",
"versionStartIncluding": "6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14.9",
"versionStartIncluding": "6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15",
"versionStartIncluding": "6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: SOF: Intel: hda: Fix UAF when reloading module\n\nhda_generic_machine_select() appends -idisp to the tplg filename by\nallocating a new string with devm_kasprintf(), then stores the string\nright back into the global variable snd_soc_acpi_intel_hda_machines.\nWhen the module is unloaded, this memory is freed, resulting in a global\nvariable pointing to freed memory. Reloading the module then triggers\na use-after-free:\n\nBUG: KFENCE: use-after-free read in string+0x48/0xe0\n\nUse-after-free read at 0x00000000967e0109 (in kfence-#99):\n string+0x48/0xe0\n vsnprintf+0x329/0x6e0\n devm_kvasprintf+0x54/0xb0\n devm_kasprintf+0x58/0x80\n hda_machine_select.cold+0x198/0x17a2 [snd_sof_intel_hda_generic]\n sof_probe_work+0x7f/0x600 [snd_sof]\n process_one_work+0x17b/0x330\n worker_thread+0x2ce/0x3f0\n kthread+0xcf/0x100\n ret_from_fork+0x31/0x50\n ret_from_fork_asm+0x1a/0x30\n\nkfence-#99: 0x00000000198a940f-0x00000000ace47d9d, size=64, cache=kmalloc-64\n\nallocated by task 333 on cpu 8 at 17.798069s (130.453553s ago):\n devm_kmalloc+0x52/0x120\n devm_kvasprintf+0x66/0xb0\n devm_kasprintf+0x58/0x80\n hda_machine_select.cold+0x198/0x17a2 [snd_sof_intel_hda_generic]\n sof_probe_work+0x7f/0x600 [snd_sof]\n process_one_work+0x17b/0x330\n worker_thread+0x2ce/0x3f0\n kthread+0xcf/0x100\n ret_from_fork+0x31/0x50\n ret_from_fork_asm+0x1a/0x30\n\nfreed by task 1543 on cpu 4 at 141.586686s (6.665010s ago):\n release_nodes+0x43/0xb0\n devres_release_all+0x90/0xf0\n device_unbind_cleanup+0xe/0x70\n device_release_driver_internal+0x1c1/0x200\n driver_detach+0x48/0x90\n bus_remove_driver+0x6d/0xf0\n pci_unregister_driver+0x42/0xb0\n __do_sys_delete_module+0x1d1/0x310\n do_syscall_64+0x82/0x190\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\nFix it by copying the match array with devm_kmemdup_array() before we\nmodify it."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:20:25.079Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/2b49e68360eb6a1c03dc1642a51f7d9f6784c034"
},
{
"url": "https://git.kernel.org/stable/c/f9670b2e81e8a3cbf2e1e757190dd0b920a9d43f"
},
{
"url": "https://git.kernel.org/stable/c/7dd7f39fce0022b386ef1ea5ffef92ecc7dfc6af"
}
],
"title": "ASoC: SOF: Intel: hda: Fix UAF when reloading module",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38056",
"datePublished": "2025-06-18T09:33:36.482Z",
"dateReserved": "2025-04-16T04:51:23.979Z",
"dateUpdated": "2026-05-11T21:20:25.079Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-38058 (GCVE-0-2025-38058)
Vulnerability from cvelistv5 – Published: 2025-06-18 09:33 – Updated: 2026-05-12 12:04
VLAI
EPSS
Title
__legitimize_mnt(): check for MNT_SYNC_UMOUNT should be under mount_lock
Summary
In the Linux kernel, the following vulnerability has been resolved:
__legitimize_mnt(): check for MNT_SYNC_UMOUNT should be under mount_lock
... or we risk stealing final mntput from sync umount - raising mnt_count
after umount(2) has verified that victim is not busy, but before it
has set MNT_SYNC_UMOUNT; in that case __legitimize_mnt() doesn't see
that it's safe to quietly undo mnt_count increment and leaves dropping
the reference to caller, where it'll be a full-blown mntput().
Check under mount_lock is needed; leaving the current one done before
taking that makes no sense - it's nowhere near common enough to bother
with.
Severity
No CVSS data available.
Assigner
References
11 references
Impacted products
5 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
48a066e72d970a3e225a9c18690d570c736fc455 , < 628fb00195ce21a90cf9e4e3d105cd9e58f77b40
(git)
Affected: 48a066e72d970a3e225a9c18690d570c736fc455 , < b89eb56a378b7b2c1176787fc228d0a57172bdd5 (git) Affected: 48a066e72d970a3e225a9c18690d570c736fc455 , < f6d45fd92f62845cbd1eb5128fd8f0ed7d0c5a42 (git) Affected: 48a066e72d970a3e225a9c18690d570c736fc455 , < 9b0915e72b3cf52474dcee0b24a2f99d93e604a3 (git) Affected: 48a066e72d970a3e225a9c18690d570c736fc455 , < d8ece4ced3b051e656c77180df2e69e19e24edc1 (git) Affected: 48a066e72d970a3e225a9c18690d570c736fc455 , < 8cafd7266fa02e0863bacbf872fe635c0b9725eb (git) Affected: 48a066e72d970a3e225a9c18690d570c736fc455 , < b55996939c71a3e1a38f3cdc6a8859797efc9083 (git) Affected: 48a066e72d970a3e225a9c18690d570c736fc455 , < 250cf3693060a5f803c5f1ddc082bb06b16112a9 (git) |
|
| Linux | Linux |
Affected:
3.13
Unaffected: 0 , < 3.13 (semver) Unaffected: 5.4.294 , ≤ 5.4.* (semver) Unaffected: 5.10.238 , ≤ 5.10.* (semver) Unaffected: 5.15.185 , ≤ 5.15.* (semver) Unaffected: 6.1.141 , ≤ 6.1.* (semver) Unaffected: 6.6.93 , ≤ 6.6.* (semver) Unaffected: 6.12.31 , ≤ 6.12.* (semver) Unaffected: 6.14.9 , ≤ 6.14.* (semver) Unaffected: 6.15 , ≤ * (original_commit_for_fix) |
|
| Siemens | SIMATIC S7-1500 CPU 1518-4 PN/DP MFP |
Affected:
V3.1.5 , < *
(custom)
|
|
| Siemens | SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP |
Affected:
V3.1.5 , < *
(custom)
|
|
| Siemens | SIPLUS S7-1500 CPU 1518-4 PN/DP MFP |
Affected:
V3.1.5 , < *
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:33:27.007Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"defaultStatus": "unknown",
"product": "SIMATIC S7-1500 CPU 1518-4 PN/DP MFP",
"vendor": "Siemens",
"versions": [
{
"lessThan": "*",
"status": "affected",
"version": "V3.1.5",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"product": "SIMATIC S7-1500 CPU 1518-4 PN/DP MFP",
"vendor": "Siemens",
"versions": [
{
"lessThan": "*",
"status": "affected",
"version": "V3.1.5",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"product": "SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP",
"vendor": "Siemens",
"versions": [
{
"lessThan": "*",
"status": "affected",
"version": "V3.1.5",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"product": "SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP",
"vendor": "Siemens",
"versions": [
{
"lessThan": "*",
"status": "affected",
"version": "V3.1.5",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"product": "SIPLUS S7-1500 CPU 1518-4 PN/DP MFP",
"vendor": "Siemens",
"versions": [
{
"lessThan": "*",
"status": "affected",
"version": "V3.1.5",
"versionType": "custom"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-12T12:04:23.226Z",
"orgId": "0b142b55-0307-4c5a-b3c9-f314f3fb7c5e",
"shortName": "siemens-SADP"
},
"references": [
{
"url": "https://cert-portal.siemens.com/productcert/html/ssa-082556.html"
}
],
"x_adpType": "supplier"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/namespace.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "628fb00195ce21a90cf9e4e3d105cd9e58f77b40",
"status": "affected",
"version": "48a066e72d970a3e225a9c18690d570c736fc455",
"versionType": "git"
},
{
"lessThan": "b89eb56a378b7b2c1176787fc228d0a57172bdd5",
"status": "affected",
"version": "48a066e72d970a3e225a9c18690d570c736fc455",
"versionType": "git"
},
{
"lessThan": "f6d45fd92f62845cbd1eb5128fd8f0ed7d0c5a42",
"status": "affected",
"version": "48a066e72d970a3e225a9c18690d570c736fc455",
"versionType": "git"
},
{
"lessThan": "9b0915e72b3cf52474dcee0b24a2f99d93e604a3",
"status": "affected",
"version": "48a066e72d970a3e225a9c18690d570c736fc455",
"versionType": "git"
},
{
"lessThan": "d8ece4ced3b051e656c77180df2e69e19e24edc1",
"status": "affected",
"version": "48a066e72d970a3e225a9c18690d570c736fc455",
"versionType": "git"
},
{
"lessThan": "8cafd7266fa02e0863bacbf872fe635c0b9725eb",
"status": "affected",
"version": "48a066e72d970a3e225a9c18690d570c736fc455",
"versionType": "git"
},
{
"lessThan": "b55996939c71a3e1a38f3cdc6a8859797efc9083",
"status": "affected",
"version": "48a066e72d970a3e225a9c18690d570c736fc455",
"versionType": "git"
},
{
"lessThan": "250cf3693060a5f803c5f1ddc082bb06b16112a9",
"status": "affected",
"version": "48a066e72d970a3e225a9c18690d570c736fc455",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/namespace.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.13"
},
{
"lessThan": "3.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.294",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.238",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.185",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.141",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.93",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.31",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.14.*",
"status": "unaffected",
"version": "6.14.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.15",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.294",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.238",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.185",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.141",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.93",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.31",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14.9",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15",
"versionStartIncluding": "3.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\n__legitimize_mnt(): check for MNT_SYNC_UMOUNT should be under mount_lock\n\n... or we risk stealing final mntput from sync umount - raising mnt_count\nafter umount(2) has verified that victim is not busy, but before it\nhas set MNT_SYNC_UMOUNT; in that case __legitimize_mnt() doesn\u0027t see\nthat it\u0027s safe to quietly undo mnt_count increment and leaves dropping\nthe reference to caller, where it\u0027ll be a full-blown mntput().\n\nCheck under mount_lock is needed; leaving the current one done before\ntaking that makes no sense - it\u0027s nowhere near common enough to bother\nwith."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:20:27.464Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/628fb00195ce21a90cf9e4e3d105cd9e58f77b40"
},
{
"url": "https://git.kernel.org/stable/c/b89eb56a378b7b2c1176787fc228d0a57172bdd5"
},
{
"url": "https://git.kernel.org/stable/c/f6d45fd92f62845cbd1eb5128fd8f0ed7d0c5a42"
},
{
"url": "https://git.kernel.org/stable/c/9b0915e72b3cf52474dcee0b24a2f99d93e604a3"
},
{
"url": "https://git.kernel.org/stable/c/d8ece4ced3b051e656c77180df2e69e19e24edc1"
},
{
"url": "https://git.kernel.org/stable/c/8cafd7266fa02e0863bacbf872fe635c0b9725eb"
},
{
"url": "https://git.kernel.org/stable/c/b55996939c71a3e1a38f3cdc6a8859797efc9083"
},
{
"url": "https://git.kernel.org/stable/c/250cf3693060a5f803c5f1ddc082bb06b16112a9"
}
],
"title": "__legitimize_mnt(): check for MNT_SYNC_UMOUNT should be under mount_lock",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38058",
"datePublished": "2025-06-18T09:33:38.022Z",
"dateReserved": "2025-04-16T04:51:23.979Z",
"dateUpdated": "2026-05-12T12:04:23.226Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-38061 (GCVE-0-2025-38061)
Vulnerability from cvelistv5 – Published: 2025-06-18 09:33 – Updated: 2026-05-11 21:20
VLAI
EPSS
Title
net: pktgen: fix access outside of user given buffer in pktgen_thread_write()
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: pktgen: fix access outside of user given buffer in pktgen_thread_write()
Honour the user given buffer size for the strn_len() calls (otherwise
strn_len() will access memory outside of the user given buffer).
Severity
No CVSS data available.
Assigner
References
10 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < a3d89f1cfe1e6d4bb164db2595511fd33db21900
(git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 5bfa81539e22af4c40ae5d43d7212253462383a6 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 128cdb617a87767c29be43e4431129942fce41df (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < ef1158a6a650ecee72ab40851b1d52e04d3f9cb5 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < c81c2ee1c3b050ed5c4e92876590cc7a259183f6 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 6b1d3e9db82d01a88de1795b879df67c2116b4f4 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 8fef258b555c75a467a6b4b7e3a3cbc46d5f4102 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 425e64440ad0a2f03bdaf04be0ae53dededbaa77 (git) |
|
| Linux | Linux |
Affected:
2.6.12
Unaffected: 0 , < 2.6.12 (semver) Unaffected: 5.4.294 , ≤ 5.4.* (semver) Unaffected: 5.10.238 , ≤ 5.10.* (semver) Unaffected: 5.15.185 , ≤ 5.15.* (semver) Unaffected: 6.1.141 , ≤ 6.1.* (semver) Unaffected: 6.6.93 , ≤ 6.6.* (semver) Unaffected: 6.12.31 , ≤ 6.12.* (semver) Unaffected: 6.14.9 , ≤ 6.14.* (semver) Unaffected: 6.15 , ≤ * (original_commit_for_fix) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:33:28.877Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/core/pktgen.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a3d89f1cfe1e6d4bb164db2595511fd33db21900",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "5bfa81539e22af4c40ae5d43d7212253462383a6",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "128cdb617a87767c29be43e4431129942fce41df",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "ef1158a6a650ecee72ab40851b1d52e04d3f9cb5",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "c81c2ee1c3b050ed5c4e92876590cc7a259183f6",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "6b1d3e9db82d01a88de1795b879df67c2116b4f4",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "8fef258b555c75a467a6b4b7e3a3cbc46d5f4102",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "425e64440ad0a2f03bdaf04be0ae53dededbaa77",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/core/pktgen.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.294",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.238",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.185",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.141",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.93",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.31",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.14.*",
"status": "unaffected",
"version": "6.14.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.15",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.294",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.238",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.185",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.141",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.93",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.31",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14.9",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: pktgen: fix access outside of user given buffer in pktgen_thread_write()\n\nHonour the user given buffer size for the strn_len() calls (otherwise\nstrn_len() will access memory outside of the user given buffer)."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:20:30.915Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a3d89f1cfe1e6d4bb164db2595511fd33db21900"
},
{
"url": "https://git.kernel.org/stable/c/5bfa81539e22af4c40ae5d43d7212253462383a6"
},
{
"url": "https://git.kernel.org/stable/c/128cdb617a87767c29be43e4431129942fce41df"
},
{
"url": "https://git.kernel.org/stable/c/ef1158a6a650ecee72ab40851b1d52e04d3f9cb5"
},
{
"url": "https://git.kernel.org/stable/c/c81c2ee1c3b050ed5c4e92876590cc7a259183f6"
},
{
"url": "https://git.kernel.org/stable/c/6b1d3e9db82d01a88de1795b879df67c2116b4f4"
},
{
"url": "https://git.kernel.org/stable/c/8fef258b555c75a467a6b4b7e3a3cbc46d5f4102"
},
{
"url": "https://git.kernel.org/stable/c/425e64440ad0a2f03bdaf04be0ae53dededbaa77"
}
],
"title": "net: pktgen: fix access outside of user given buffer in pktgen_thread_write()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38061",
"datePublished": "2025-06-18T09:33:40.241Z",
"dateReserved": "2025-04-16T04:51:23.979Z",
"dateUpdated": "2026-05-11T21:20:30.915Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-38065 (GCVE-0-2025-38065)
Vulnerability from cvelistv5 – Published: 2025-06-18 09:33 – Updated: 2026-05-11 21:20
VLAI
EPSS
Title
orangefs: Do not truncate file size
Summary
In the Linux kernel, the following vulnerability has been resolved:
orangefs: Do not truncate file size
'len' is used to store the result of i_size_read(), so making 'len'
a size_t results in truncation to 4GiB on 32-bit systems.
Severity
No CVSS data available.
Assigner
References
10 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
f7ab093f74bf638ed98fd1115f3efa17e308bb7f , < ceaf195ed285b77791e29016ee6344b3ded609b3
(git)
Affected: f7ab093f74bf638ed98fd1115f3efa17e308bb7f , < 341e3a5984cf5761f3dab16029d7e9fb1641d5ff (git) Affected: f7ab093f74bf638ed98fd1115f3efa17e308bb7f , < 5111227d7f1f57f6804666b3abf780a23f44fc1d (git) Affected: f7ab093f74bf638ed98fd1115f3efa17e308bb7f , < 15602508ad2f923e228b9521960b4addcd27d9c4 (git) Affected: f7ab093f74bf638ed98fd1115f3efa17e308bb7f , < 121f0335d91e46369bf55b5da4167d82b099a166 (git) Affected: f7ab093f74bf638ed98fd1115f3efa17e308bb7f , < cd918ec24168fe08c6aafc077dd3b6d88364c5cf (git) Affected: f7ab093f74bf638ed98fd1115f3efa17e308bb7f , < 2323b806221e6268a4e17711bc72e2fc87c191a3 (git) Affected: f7ab093f74bf638ed98fd1115f3efa17e308bb7f , < 062e8093592fb866b8e016641a8b27feb6ac509d (git) |
|
| Linux | Linux |
Affected:
4.6
Unaffected: 0 , < 4.6 (semver) Unaffected: 5.4.294 , ≤ 5.4.* (semver) Unaffected: 5.10.238 , ≤ 5.10.* (semver) Unaffected: 5.15.185 , ≤ 5.15.* (semver) Unaffected: 6.1.141 , ≤ 6.1.* (semver) Unaffected: 6.6.93 , ≤ 6.6.* (semver) Unaffected: 6.12.31 , ≤ 6.12.* (semver) Unaffected: 6.14.9 , ≤ 6.14.* (semver) Unaffected: 6.15 , ≤ * (original_commit_for_fix) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:33:32.733Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/orangefs/inode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ceaf195ed285b77791e29016ee6344b3ded609b3",
"status": "affected",
"version": "f7ab093f74bf638ed98fd1115f3efa17e308bb7f",
"versionType": "git"
},
{
"lessThan": "341e3a5984cf5761f3dab16029d7e9fb1641d5ff",
"status": "affected",
"version": "f7ab093f74bf638ed98fd1115f3efa17e308bb7f",
"versionType": "git"
},
{
"lessThan": "5111227d7f1f57f6804666b3abf780a23f44fc1d",
"status": "affected",
"version": "f7ab093f74bf638ed98fd1115f3efa17e308bb7f",
"versionType": "git"
},
{
"lessThan": "15602508ad2f923e228b9521960b4addcd27d9c4",
"status": "affected",
"version": "f7ab093f74bf638ed98fd1115f3efa17e308bb7f",
"versionType": "git"
},
{
"lessThan": "121f0335d91e46369bf55b5da4167d82b099a166",
"status": "affected",
"version": "f7ab093f74bf638ed98fd1115f3efa17e308bb7f",
"versionType": "git"
},
{
"lessThan": "cd918ec24168fe08c6aafc077dd3b6d88364c5cf",
"status": "affected",
"version": "f7ab093f74bf638ed98fd1115f3efa17e308bb7f",
"versionType": "git"
},
{
"lessThan": "2323b806221e6268a4e17711bc72e2fc87c191a3",
"status": "affected",
"version": "f7ab093f74bf638ed98fd1115f3efa17e308bb7f",
"versionType": "git"
},
{
"lessThan": "062e8093592fb866b8e016641a8b27feb6ac509d",
"status": "affected",
"version": "f7ab093f74bf638ed98fd1115f3efa17e308bb7f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/orangefs/inode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.6"
},
{
"lessThan": "4.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.294",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.238",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.185",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.141",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.93",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.31",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.14.*",
"status": "unaffected",
"version": "6.14.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.15",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.294",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.238",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.185",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.141",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.93",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.31",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14.9",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15",
"versionStartIncluding": "4.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\norangefs: Do not truncate file size\n\n\u0027len\u0027 is used to store the result of i_size_read(), so making \u0027len\u0027\na size_t results in truncation to 4GiB on 32-bit systems."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:20:35.439Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ceaf195ed285b77791e29016ee6344b3ded609b3"
},
{
"url": "https://git.kernel.org/stable/c/341e3a5984cf5761f3dab16029d7e9fb1641d5ff"
},
{
"url": "https://git.kernel.org/stable/c/5111227d7f1f57f6804666b3abf780a23f44fc1d"
},
{
"url": "https://git.kernel.org/stable/c/15602508ad2f923e228b9521960b4addcd27d9c4"
},
{
"url": "https://git.kernel.org/stable/c/121f0335d91e46369bf55b5da4167d82b099a166"
},
{
"url": "https://git.kernel.org/stable/c/cd918ec24168fe08c6aafc077dd3b6d88364c5cf"
},
{
"url": "https://git.kernel.org/stable/c/2323b806221e6268a4e17711bc72e2fc87c191a3"
},
{
"url": "https://git.kernel.org/stable/c/062e8093592fb866b8e016641a8b27feb6ac509d"
}
],
"title": "orangefs: Do not truncate file size",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38065",
"datePublished": "2025-06-18T09:33:44.048Z",
"dateReserved": "2025-04-16T04:51:23.980Z",
"dateUpdated": "2026-05-11T21:20:35.439Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-38066 (GCVE-0-2025-38066)
Vulnerability from cvelistv5 – Published: 2025-06-18 09:33 – Updated: 2026-05-11 21:20
VLAI
EPSS
Title
dm cache: prevent BUG_ON by blocking retries on failed device resumes
Summary
In the Linux kernel, the following vulnerability has been resolved:
dm cache: prevent BUG_ON by blocking retries on failed device resumes
A cache device failing to resume due to mapping errors should not be
retried, as the failure leaves a partially initialized policy object.
Repeating the resume operation risks triggering BUG_ON when reloading
cache mappings into the incomplete policy object.
Reproduce steps:
1. create a cache metadata consisting of 512 or more cache blocks,
with some mappings stored in the first array block of the mapping
array. Here we use cache_restore v1.0 to build the metadata.
cat <<EOF >> cmeta.xml
<superblock uuid="" block_size="128" nr_cache_blocks="512" \
policy="smq" hint_width="4">
<mappings>
<mapping cache_block="0" origin_block="0" dirty="false"/>
</mappings>
</superblock>
EOF
dmsetup create cmeta --table "0 8192 linear /dev/sdc 0"
cache_restore -i cmeta.xml -o /dev/mapper/cmeta --metadata-version=2
dmsetup remove cmeta
2. wipe the second array block of the mapping array to simulate
data degradations.
mapping_root=$(dd if=/dev/sdc bs=1c count=8 skip=192 \
2>/dev/null | hexdump -e '1/8 "%u\n"')
ablock=$(dd if=/dev/sdc bs=1c count=8 skip=$((4096*mapping_root+2056)) \
2>/dev/null | hexdump -e '1/8 "%u\n"')
dd if=/dev/zero of=/dev/sdc bs=4k count=1 seek=$ablock
3. try bringing up the cache device. The resume is expected to fail
due to the broken array block.
dmsetup create cmeta --table "0 8192 linear /dev/sdc 0"
dmsetup create cdata --table "0 65536 linear /dev/sdc 8192"
dmsetup create corig --table "0 524288 linear /dev/sdc 262144"
dmsetup create cache --notable
dmsetup load cache --table "0 524288 cache /dev/mapper/cmeta \
/dev/mapper/cdata /dev/mapper/corig 128 2 metadata2 writethrough smq 0"
dmsetup resume cache
4. try resuming the cache again. An unexpected BUG_ON is triggered
while loading cache mappings.
dmsetup resume cache
Kernel logs:
(snip)
------------[ cut here ]------------
kernel BUG at drivers/md/dm-cache-policy-smq.c:752!
Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN NOPTI
CPU: 0 UID: 0 PID: 332 Comm: dmsetup Not tainted 6.13.4 #3
RIP: 0010:smq_load_mapping+0x3e5/0x570
Fix by disallowing resume operations for devices that failed the
initial attempt.
Severity
No CVSS data available.
Assigner
References
10 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
66a636356647a9be8885c2ce2948de126577698a , < c614584c2a66b538f469089ac089457a34590c14
(git)
Affected: 66a636356647a9be8885c2ce2948de126577698a , < c5356a5e80442131e2714d0d26bb110590e4e568 (git) Affected: 66a636356647a9be8885c2ce2948de126577698a , < 025c8f477625eb39006ded650e7d027bcfb20e79 (git) Affected: 66a636356647a9be8885c2ce2948de126577698a , < 00586b78eeb7c626a14ca13453a1631f88a7cf36 (git) Affected: 66a636356647a9be8885c2ce2948de126577698a , < 3986ef4a9b6a0d9c28bc325d8713beba5e67586f (git) Affected: 66a636356647a9be8885c2ce2948de126577698a , < cc80a5cc520939d0a7d071cc4ae4b3c55ef171d0 (git) Affected: 66a636356647a9be8885c2ce2948de126577698a , < f3128e3074e8af565cc6a66fe3384a56df87f803 (git) Affected: 66a636356647a9be8885c2ce2948de126577698a , < 5da692e2262b8f81993baa9592f57d12c2703dea (git) |
|
| Linux | Linux |
Affected:
4.2
Unaffected: 0 , < 4.2 (semver) Unaffected: 5.4.294 , ≤ 5.4.* (semver) Unaffected: 5.10.238 , ≤ 5.10.* (semver) Unaffected: 5.15.185 , ≤ 5.15.* (semver) Unaffected: 6.1.141 , ≤ 6.1.* (semver) Unaffected: 6.6.93 , ≤ 6.6.* (semver) Unaffected: 6.12.31 , ≤ 6.12.* (semver) Unaffected: 6.14.9 , ≤ 6.14.* (semver) Unaffected: 6.15 , ≤ * (original_commit_for_fix) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:33:34.607Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/md/dm-cache-target.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c614584c2a66b538f469089ac089457a34590c14",
"status": "affected",
"version": "66a636356647a9be8885c2ce2948de126577698a",
"versionType": "git"
},
{
"lessThan": "c5356a5e80442131e2714d0d26bb110590e4e568",
"status": "affected",
"version": "66a636356647a9be8885c2ce2948de126577698a",
"versionType": "git"
},
{
"lessThan": "025c8f477625eb39006ded650e7d027bcfb20e79",
"status": "affected",
"version": "66a636356647a9be8885c2ce2948de126577698a",
"versionType": "git"
},
{
"lessThan": "00586b78eeb7c626a14ca13453a1631f88a7cf36",
"status": "affected",
"version": "66a636356647a9be8885c2ce2948de126577698a",
"versionType": "git"
},
{
"lessThan": "3986ef4a9b6a0d9c28bc325d8713beba5e67586f",
"status": "affected",
"version": "66a636356647a9be8885c2ce2948de126577698a",
"versionType": "git"
},
{
"lessThan": "cc80a5cc520939d0a7d071cc4ae4b3c55ef171d0",
"status": "affected",
"version": "66a636356647a9be8885c2ce2948de126577698a",
"versionType": "git"
},
{
"lessThan": "f3128e3074e8af565cc6a66fe3384a56df87f803",
"status": "affected",
"version": "66a636356647a9be8885c2ce2948de126577698a",
"versionType": "git"
},
{
"lessThan": "5da692e2262b8f81993baa9592f57d12c2703dea",
"status": "affected",
"version": "66a636356647a9be8885c2ce2948de126577698a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/md/dm-cache-target.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.2"
},
{
"lessThan": "4.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.294",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.238",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.185",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.141",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.93",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.31",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.14.*",
"status": "unaffected",
"version": "6.14.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.15",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.294",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.238",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.185",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.141",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.93",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.31",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14.9",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15",
"versionStartIncluding": "4.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndm cache: prevent BUG_ON by blocking retries on failed device resumes\n\nA cache device failing to resume due to mapping errors should not be\nretried, as the failure leaves a partially initialized policy object.\nRepeating the resume operation risks triggering BUG_ON when reloading\ncache mappings into the incomplete policy object.\n\nReproduce steps:\n\n1. create a cache metadata consisting of 512 or more cache blocks,\n with some mappings stored in the first array block of the mapping\n array. Here we use cache_restore v1.0 to build the metadata.\n\ncat \u003c\u003cEOF \u003e\u003e cmeta.xml\n\u003csuperblock uuid=\"\" block_size=\"128\" nr_cache_blocks=\"512\" \\\npolicy=\"smq\" hint_width=\"4\"\u003e\n \u003cmappings\u003e\n \u003cmapping cache_block=\"0\" origin_block=\"0\" dirty=\"false\"/\u003e\n \u003c/mappings\u003e\n\u003c/superblock\u003e\nEOF\ndmsetup create cmeta --table \"0 8192 linear /dev/sdc 0\"\ncache_restore -i cmeta.xml -o /dev/mapper/cmeta --metadata-version=2\ndmsetup remove cmeta\n\n2. wipe the second array block of the mapping array to simulate\n data degradations.\n\nmapping_root=$(dd if=/dev/sdc bs=1c count=8 skip=192 \\\n2\u003e/dev/null | hexdump -e \u00271/8 \"%u\\n\"\u0027)\nablock=$(dd if=/dev/sdc bs=1c count=8 skip=$((4096*mapping_root+2056)) \\\n2\u003e/dev/null | hexdump -e \u00271/8 \"%u\\n\"\u0027)\ndd if=/dev/zero of=/dev/sdc bs=4k count=1 seek=$ablock\n\n3. try bringing up the cache device. The resume is expected to fail\n due to the broken array block.\n\ndmsetup create cmeta --table \"0 8192 linear /dev/sdc 0\"\ndmsetup create cdata --table \"0 65536 linear /dev/sdc 8192\"\ndmsetup create corig --table \"0 524288 linear /dev/sdc 262144\"\ndmsetup create cache --notable\ndmsetup load cache --table \"0 524288 cache /dev/mapper/cmeta \\\n/dev/mapper/cdata /dev/mapper/corig 128 2 metadata2 writethrough smq 0\"\ndmsetup resume cache\n\n4. try resuming the cache again. An unexpected BUG_ON is triggered\n while loading cache mappings.\n\ndmsetup resume cache\n\nKernel logs:\n\n(snip)\n------------[ cut here ]------------\nkernel BUG at drivers/md/dm-cache-policy-smq.c:752!\nOops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN NOPTI\nCPU: 0 UID: 0 PID: 332 Comm: dmsetup Not tainted 6.13.4 #3\nRIP: 0010:smq_load_mapping+0x3e5/0x570\n\nFix by disallowing resume operations for devices that failed the\ninitial attempt."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:20:36.681Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c614584c2a66b538f469089ac089457a34590c14"
},
{
"url": "https://git.kernel.org/stable/c/c5356a5e80442131e2714d0d26bb110590e4e568"
},
{
"url": "https://git.kernel.org/stable/c/025c8f477625eb39006ded650e7d027bcfb20e79"
},
{
"url": "https://git.kernel.org/stable/c/00586b78eeb7c626a14ca13453a1631f88a7cf36"
},
{
"url": "https://git.kernel.org/stable/c/3986ef4a9b6a0d9c28bc325d8713beba5e67586f"
},
{
"url": "https://git.kernel.org/stable/c/cc80a5cc520939d0a7d071cc4ae4b3c55ef171d0"
},
{
"url": "https://git.kernel.org/stable/c/f3128e3074e8af565cc6a66fe3384a56df87f803"
},
{
"url": "https://git.kernel.org/stable/c/5da692e2262b8f81993baa9592f57d12c2703dea"
}
],
"title": "dm cache: prevent BUG_ON by blocking retries on failed device resumes",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38066",
"datePublished": "2025-06-18T09:33:44.877Z",
"dateReserved": "2025-04-16T04:51:23.980Z",
"dateUpdated": "2026-05-11T21:20:36.681Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-38068 (GCVE-0-2025-38068)
Vulnerability from cvelistv5 – Published: 2025-06-18 09:33 – Updated: 2026-05-11 21:20
VLAI
EPSS
Title
crypto: lzo - Fix compression buffer overrun
Summary
In the Linux kernel, the following vulnerability has been resolved:
crypto: lzo - Fix compression buffer overrun
Unlike the decompression code, the compression code in LZO never
checked for output overruns. It instead assumes that the caller
always provides enough buffer space, disregarding the buffer length
provided by the caller.
Add a safe compression interface that checks for the end of buffer
before each write. Use the safe interface in crypto/lzo.
Severity
No CVSS data available.
Assigner
References
7 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
64c70b1cf43de158282bc1675918d503e5b15cc1 , < 4b173bb2c4665c23f8fcf5241c7b06dfa6b5b111
(git)
Affected: 64c70b1cf43de158282bc1675918d503e5b15cc1 , < a98bd864e16f91c70b2469adf013d713d04d1d13 (git) Affected: 64c70b1cf43de158282bc1675918d503e5b15cc1 , < 0acdc4d6e679ba31d01e3e7e2e4124b76d6d8e2a (git) Affected: 64c70b1cf43de158282bc1675918d503e5b15cc1 , < 7caad075acb634a74911830d6386c50ea12566cd (git) Affected: 64c70b1cf43de158282bc1675918d503e5b15cc1 , < 167373d77c70c2b558aae3e327b115249bb2652c (git) Affected: 64c70b1cf43de158282bc1675918d503e5b15cc1 , < cc47f07234f72cbd8e2c973cdbf2a6730660a463 (git) |
|
| Linux | Linux |
Affected:
2.6.23
Unaffected: 0 , < 2.6.23 (semver) Unaffected: 5.15.185 , ≤ 5.15.* (semver) Unaffected: 6.1.141 , ≤ 6.1.* (semver) Unaffected: 6.6.93 , ≤ 6.6.* (semver) Unaffected: 6.12.31 , ≤ 6.12.* (semver) Unaffected: 6.14.9 , ≤ 6.14.* (semver) Unaffected: 6.15 , ≤ * (original_commit_for_fix) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:33:37.495Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"crypto/lzo-rle.c",
"crypto/lzo.c",
"include/linux/lzo.h",
"lib/lzo/Makefile",
"lib/lzo/lzo1x_compress.c",
"lib/lzo/lzo1x_compress_safe.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "4b173bb2c4665c23f8fcf5241c7b06dfa6b5b111",
"status": "affected",
"version": "64c70b1cf43de158282bc1675918d503e5b15cc1",
"versionType": "git"
},
{
"lessThan": "a98bd864e16f91c70b2469adf013d713d04d1d13",
"status": "affected",
"version": "64c70b1cf43de158282bc1675918d503e5b15cc1",
"versionType": "git"
},
{
"lessThan": "0acdc4d6e679ba31d01e3e7e2e4124b76d6d8e2a",
"status": "affected",
"version": "64c70b1cf43de158282bc1675918d503e5b15cc1",
"versionType": "git"
},
{
"lessThan": "7caad075acb634a74911830d6386c50ea12566cd",
"status": "affected",
"version": "64c70b1cf43de158282bc1675918d503e5b15cc1",
"versionType": "git"
},
{
"lessThan": "167373d77c70c2b558aae3e327b115249bb2652c",
"status": "affected",
"version": "64c70b1cf43de158282bc1675918d503e5b15cc1",
"versionType": "git"
},
{
"lessThan": "cc47f07234f72cbd8e2c973cdbf2a6730660a463",
"status": "affected",
"version": "64c70b1cf43de158282bc1675918d503e5b15cc1",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"crypto/lzo-rle.c",
"crypto/lzo.c",
"include/linux/lzo.h",
"lib/lzo/Makefile",
"lib/lzo/lzo1x_compress.c",
"lib/lzo/lzo1x_compress_safe.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.23"
},
{
"lessThan": "2.6.23",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.185",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.141",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.93",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.31",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.14.*",
"status": "unaffected",
"version": "6.14.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.15",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.185",
"versionStartIncluding": "2.6.23",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.141",
"versionStartIncluding": "2.6.23",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.93",
"versionStartIncluding": "2.6.23",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.31",
"versionStartIncluding": "2.6.23",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14.9",
"versionStartIncluding": "2.6.23",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15",
"versionStartIncluding": "2.6.23",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: lzo - Fix compression buffer overrun\n\nUnlike the decompression code, the compression code in LZO never\nchecked for output overruns. It instead assumes that the caller\nalways provides enough buffer space, disregarding the buffer length\nprovided by the caller.\n\nAdd a safe compression interface that checks for the end of buffer\nbefore each write. Use the safe interface in crypto/lzo."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:20:39.070Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/4b173bb2c4665c23f8fcf5241c7b06dfa6b5b111"
},
{
"url": "https://git.kernel.org/stable/c/a98bd864e16f91c70b2469adf013d713d04d1d13"
},
{
"url": "https://git.kernel.org/stable/c/0acdc4d6e679ba31d01e3e7e2e4124b76d6d8e2a"
},
{
"url": "https://git.kernel.org/stable/c/7caad075acb634a74911830d6386c50ea12566cd"
},
{
"url": "https://git.kernel.org/stable/c/167373d77c70c2b558aae3e327b115249bb2652c"
},
{
"url": "https://git.kernel.org/stable/c/cc47f07234f72cbd8e2c973cdbf2a6730660a463"
}
],
"title": "crypto: lzo - Fix compression buffer overrun",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38068",
"datePublished": "2025-06-18T09:33:46.125Z",
"dateReserved": "2025-04-16T04:51:23.980Z",
"dateUpdated": "2026-05-11T21:20:39.070Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-38072 (GCVE-0-2025-38072)
Vulnerability from cvelistv5 – Published: 2025-06-18 09:33 – Updated: 2026-05-11 21:20
VLAI
EPSS
Title
libnvdimm/labels: Fix divide error in nd_label_data_init()
Summary
In the Linux kernel, the following vulnerability has been resolved:
libnvdimm/labels: Fix divide error in nd_label_data_init()
If a faulty CXL memory device returns a broken zero LSA size in its
memory device information (Identify Memory Device (Opcode 4000h), CXL
spec. 3.1, 8.2.9.9.1.1), a divide error occurs in the libnvdimm
driver:
Oops: divide error: 0000 [#1] PREEMPT SMP NOPTI
RIP: 0010:nd_label_data_init+0x10e/0x800 [libnvdimm]
Code and flow:
1) CXL Command 4000h returns LSA size = 0
2) config_size is assigned to zero LSA size (CXL pmem driver):
drivers/cxl/pmem.c: .config_size = mds->lsa_size,
3) max_xfer is set to zero (nvdimm driver):
drivers/nvdimm/label.c: max_xfer = min_t(size_t, ndd->nsarea.max_xfer, config_size);
4) A subsequent DIV_ROUND_UP() causes a division by zero:
drivers/nvdimm/label.c: /* Make our initial read size a multiple of max_xfer size */
drivers/nvdimm/label.c: read_size = min(DIV_ROUND_UP(read_size, max_xfer) * max_xfer,
drivers/nvdimm/label.c- config_size);
Fix this by checking the config size parameter by extending an
existing check.
Severity
No CVSS data available.
Assigner
References
10 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
7d47aad4570e5e6e9a8162bb417ca9b74132f27c , < 2bd4a938d2eda96ab7288b8fa5aae84a1de8c4ca
(git)
Affected: 7d47aad4570e5e6e9a8162bb417ca9b74132f27c , < 396c46d3f59a18ebcc500640e749f16e197d472b (git) Affected: 7d47aad4570e5e6e9a8162bb417ca9b74132f27c , < f49c337037df029440a8390380dd35d2cf5924d3 (git) Affected: 7d47aad4570e5e6e9a8162bb417ca9b74132f27c , < db1aef51b8e66a77f76b1250b914589c31a0a0ed (git) Affected: 7d47aad4570e5e6e9a8162bb417ca9b74132f27c , < ea3d95e05e97ea20fd6513f647393add16fce3b2 (git) Affected: 7d47aad4570e5e6e9a8162bb417ca9b74132f27c , < 1d1e1efad1cf049e888bf175a5c6be85d792620c (git) Affected: 7d47aad4570e5e6e9a8162bb417ca9b74132f27c , < e14347f647ca6d76fe1509b6703e340f2d5e2716 (git) Affected: 7d47aad4570e5e6e9a8162bb417ca9b74132f27c , < ef1d3455bbc1922f94a91ed58d3d7db440652959 (git) |
|
| Linux | Linux |
Affected:
4.20
Unaffected: 0 , < 4.20 (semver) Unaffected: 5.4.294 , ≤ 5.4.* (semver) Unaffected: 5.10.238 , ≤ 5.10.* (semver) Unaffected: 5.15.185 , ≤ 5.15.* (semver) Unaffected: 6.1.141 , ≤ 6.1.* (semver) Unaffected: 6.6.93 , ≤ 6.6.* (semver) Unaffected: 6.12.31 , ≤ 6.12.* (semver) Unaffected: 6.14.9 , ≤ 6.14.* (semver) Unaffected: 6.15 , ≤ * (original_commit_for_fix) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:33:40.308Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/nvdimm/label.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "2bd4a938d2eda96ab7288b8fa5aae84a1de8c4ca",
"status": "affected",
"version": "7d47aad4570e5e6e9a8162bb417ca9b74132f27c",
"versionType": "git"
},
{
"lessThan": "396c46d3f59a18ebcc500640e749f16e197d472b",
"status": "affected",
"version": "7d47aad4570e5e6e9a8162bb417ca9b74132f27c",
"versionType": "git"
},
{
"lessThan": "f49c337037df029440a8390380dd35d2cf5924d3",
"status": "affected",
"version": "7d47aad4570e5e6e9a8162bb417ca9b74132f27c",
"versionType": "git"
},
{
"lessThan": "db1aef51b8e66a77f76b1250b914589c31a0a0ed",
"status": "affected",
"version": "7d47aad4570e5e6e9a8162bb417ca9b74132f27c",
"versionType": "git"
},
{
"lessThan": "ea3d95e05e97ea20fd6513f647393add16fce3b2",
"status": "affected",
"version": "7d47aad4570e5e6e9a8162bb417ca9b74132f27c",
"versionType": "git"
},
{
"lessThan": "1d1e1efad1cf049e888bf175a5c6be85d792620c",
"status": "affected",
"version": "7d47aad4570e5e6e9a8162bb417ca9b74132f27c",
"versionType": "git"
},
{
"lessThan": "e14347f647ca6d76fe1509b6703e340f2d5e2716",
"status": "affected",
"version": "7d47aad4570e5e6e9a8162bb417ca9b74132f27c",
"versionType": "git"
},
{
"lessThan": "ef1d3455bbc1922f94a91ed58d3d7db440652959",
"status": "affected",
"version": "7d47aad4570e5e6e9a8162bb417ca9b74132f27c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/nvdimm/label.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.20"
},
{
"lessThan": "4.20",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.294",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.238",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.185",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.141",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.93",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.31",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.14.*",
"status": "unaffected",
"version": "6.14.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.15",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.294",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.238",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.185",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.141",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.93",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.31",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14.9",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15",
"versionStartIncluding": "4.20",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nlibnvdimm/labels: Fix divide error in nd_label_data_init()\n\nIf a faulty CXL memory device returns a broken zero LSA size in its\nmemory device information (Identify Memory Device (Opcode 4000h), CXL\nspec. 3.1, 8.2.9.9.1.1), a divide error occurs in the libnvdimm\ndriver:\n\n Oops: divide error: 0000 [#1] PREEMPT SMP NOPTI\n RIP: 0010:nd_label_data_init+0x10e/0x800 [libnvdimm]\n\nCode and flow:\n\n1) CXL Command 4000h returns LSA size = 0\n2) config_size is assigned to zero LSA size (CXL pmem driver):\n\ndrivers/cxl/pmem.c: .config_size = mds-\u003elsa_size,\n\n3) max_xfer is set to zero (nvdimm driver):\n\ndrivers/nvdimm/label.c: max_xfer = min_t(size_t, ndd-\u003ensarea.max_xfer, config_size);\n\n4) A subsequent DIV_ROUND_UP() causes a division by zero:\n\ndrivers/nvdimm/label.c: /* Make our initial read size a multiple of max_xfer size */\ndrivers/nvdimm/label.c: read_size = min(DIV_ROUND_UP(read_size, max_xfer) * max_xfer,\ndrivers/nvdimm/label.c- config_size);\n\nFix this by checking the config size parameter by extending an\nexisting check."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:20:43.703Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/2bd4a938d2eda96ab7288b8fa5aae84a1de8c4ca"
},
{
"url": "https://git.kernel.org/stable/c/396c46d3f59a18ebcc500640e749f16e197d472b"
},
{
"url": "https://git.kernel.org/stable/c/f49c337037df029440a8390380dd35d2cf5924d3"
},
{
"url": "https://git.kernel.org/stable/c/db1aef51b8e66a77f76b1250b914589c31a0a0ed"
},
{
"url": "https://git.kernel.org/stable/c/ea3d95e05e97ea20fd6513f647393add16fce3b2"
},
{
"url": "https://git.kernel.org/stable/c/1d1e1efad1cf049e888bf175a5c6be85d792620c"
},
{
"url": "https://git.kernel.org/stable/c/e14347f647ca6d76fe1509b6703e340f2d5e2716"
},
{
"url": "https://git.kernel.org/stable/c/ef1d3455bbc1922f94a91ed58d3d7db440652959"
}
],
"title": "libnvdimm/labels: Fix divide error in nd_label_data_init()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38072",
"datePublished": "2025-06-18T09:33:48.666Z",
"dateReserved": "2025-04-16T04:51:23.980Z",
"dateUpdated": "2026-05-11T21:20:43.703Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Loading…
Trend slope:
-
(linear fit over daily sighting counts)
Show additional events:
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…