Vulnerability-Lookup

CERTFR-2025-AVI-0825

Vulnerability from certfr_avis - Published: 2025-09-26 - Updated: 2025-09-26

De multiples vulnérabilités ont été découvertes dans le noyau Linux de Debian. Elles permettent à un attaquant de provoquer une élévation de privilèges, une atteinte à la confidentialité des données et un déni de service.

Solutions

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

None

Impacted products

	Vendor	Product	Description
	Debian	Debian	Debian trixie versions antérieures à 6.12.48-1
	Debian	Debian	Debian bookworm versions antérieures à 6.1.153-1

References

Title

Publication Time

CVE-2025-39681 (GCVE-0-2025-39681)

Vulnerability from cvelistv5 – Published: 2025-09-05 17:20 – Updated: 2026-05-12 12:06

Title

x86/cpu/hygon: Add missing resctrl_cpu_detect() in bsp_init helper

Summary

In the Linux kernel, the following vulnerability has been resolved: x86/cpu/hygon: Add missing resctrl_cpu_detect() in bsp_init helper Since 923f3a2b48bd ("x86/resctrl: Query LLC monitoring properties once during boot") resctrl_cpu_detect() has been moved from common CPU initialization code to the vendor-specific BSP init helper, while Hygon didn't put that call in their code. This triggers a division by zero fault during early booting stage on our machines with X86_FEATURE_CQM* supported, where get_rdt_mon_resources() tries to calculate mon_l3_config with uninitialized boot_cpu_data.x86_cache_occ_scale. Add the missing resctrl_cpu_detect() in the Hygon BSP init helper. [ bp: Massage commit message. ]

Severity

No CVSS data available.

Assigner

Linux

References

10 references

URL	Tags
https://git.kernel.org/stable/c/62f12cde101182533…
https://git.kernel.org/stable/c/873f32201df8876bd…
https://git.kernel.org/stable/c/fb81222c1559f89bf…
https://git.kernel.org/stable/c/7207923d8453ebfb3…
https://git.kernel.org/stable/c/a9e5924daa954c9f5…
https://git.kernel.org/stable/c/d23264c257a70dbe0…
https://git.kernel.org/stable/c/d8df126349dad855c…
https://lists.debian.org/debian-lts-announce/2025…
https://lists.debian.org/debian-lts-announce/2025…
https://cert-portal.siemens.com/productcert/html/…

Impacted products

3 products

Vendor	Product	Version
Linux	Linux	Affected: 923f3a2b48bdccb6a1d1f0dd48de03de7ad936d9 , < 62f12cde10118253348a7540e85606869bd69432 (git) Affected: 923f3a2b48bdccb6a1d1f0dd48de03de7ad936d9 , < 873f32201df8876bdb2563e3187e79149427cab4 (git) Affected: 923f3a2b48bdccb6a1d1f0dd48de03de7ad936d9 , < fb81222c1559f89bfe3aa1010f6d112531d55353 (git) Affected: 923f3a2b48bdccb6a1d1f0dd48de03de7ad936d9 , < 7207923d8453ebfb35667c1736169f2dd796772e (git) Affected: 923f3a2b48bdccb6a1d1f0dd48de03de7ad936d9 , < a9e5924daa954c9f585c1ca00358afe71d6781c4 (git) Affected: 923f3a2b48bdccb6a1d1f0dd48de03de7ad936d9 , < d23264c257a70dbe021b43b3bc2ee16134cd2c69 (git) Affected: 923f3a2b48bdccb6a1d1f0dd48de03de7ad936d9 , < d8df126349dad855cdfedd6bbf315bad2e901c2f (git)
Linux	Linux	Affected: 5.8 Unaffected: 0 , < 5.8 (semver) Unaffected: 5.10.242 , ≤ 5.10.* (semver) Unaffected: 5.15.190 , ≤ 5.15.* (semver) Unaffected: 6.1.149 , ≤ 6.1.* (semver) Unaffected: 6.6.103 , ≤ 6.6.* (semver) Unaffected: 6.12.44 , ≤ 6.12.* (semver) Unaffected: 6.16.4 , ≤ 6.16.* (semver) Unaffected: 6.17 , ≤ * (original_commit_for_fix)
Siemens	SIMATIC CN 4100	Affected: 0 , < V5.0 (custom)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:42:12.739Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "affected": [
          {
            "defaultStatus": "unknown",
            "product": "SIMATIC CN 4100",
            "vendor": "Siemens",
            "versions": [
              {
                "lessThan": "V5.0",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-12T12:06:07.711Z",
          "orgId": "0b142b55-0307-4c5a-b3c9-f314f3fb7c5e",
          "shortName": "siemens-SADP"
        },
        "references": [
          {
            "url": "https://cert-portal.siemens.com/productcert/html/ssa-032379.html"
          }
        ],
        "x_adpType": "supplier"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "arch/x86/kernel/cpu/hygon.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "62f12cde10118253348a7540e85606869bd69432",
              "status": "affected",
              "version": "923f3a2b48bdccb6a1d1f0dd48de03de7ad936d9",
              "versionType": "git"
            },
            {
              "lessThan": "873f32201df8876bdb2563e3187e79149427cab4",
              "status": "affected",
              "version": "923f3a2b48bdccb6a1d1f0dd48de03de7ad936d9",
              "versionType": "git"
            },
            {
              "lessThan": "fb81222c1559f89bfe3aa1010f6d112531d55353",
              "status": "affected",
              "version": "923f3a2b48bdccb6a1d1f0dd48de03de7ad936d9",
              "versionType": "git"
            },
            {
              "lessThan": "7207923d8453ebfb35667c1736169f2dd796772e",
              "status": "affected",
              "version": "923f3a2b48bdccb6a1d1f0dd48de03de7ad936d9",
              "versionType": "git"
            },
            {
              "lessThan": "a9e5924daa954c9f585c1ca00358afe71d6781c4",
              "status": "affected",
              "version": "923f3a2b48bdccb6a1d1f0dd48de03de7ad936d9",
              "versionType": "git"
            },
            {
              "lessThan": "d23264c257a70dbe021b43b3bc2ee16134cd2c69",
              "status": "affected",
              "version": "923f3a2b48bdccb6a1d1f0dd48de03de7ad936d9",
              "versionType": "git"
            },
            {
              "lessThan": "d8df126349dad855cdfedd6bbf315bad2e901c2f",
              "status": "affected",
              "version": "923f3a2b48bdccb6a1d1f0dd48de03de7ad936d9",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "arch/x86/kernel/cpu/hygon.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.8"
            },
            {
              "lessThan": "5.8",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.242",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.190",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.149",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.103",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.44",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.16.*",
              "status": "unaffected",
              "version": "6.16.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.17",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.242",
                  "versionStartIncluding": "5.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.190",
                  "versionStartIncluding": "5.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.149",
                  "versionStartIncluding": "5.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.103",
                  "versionStartIncluding": "5.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.44",
                  "versionStartIncluding": "5.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16.4",
                  "versionStartIncluding": "5.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17",
                  "versionStartIncluding": "5.8",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/cpu/hygon: Add missing resctrl_cpu_detect() in bsp_init helper\n\nSince\n\n  923f3a2b48bd (\"x86/resctrl: Query LLC monitoring properties once during boot\")\n\nresctrl_cpu_detect() has been moved from common CPU initialization code to\nthe vendor-specific BSP init helper, while Hygon didn\u0027t put that call in their\ncode.\n\nThis triggers a division by zero fault during early booting stage on our\nmachines with X86_FEATURE_CQM* supported, where get_rdt_mon_resources() tries\nto calculate mon_l3_config with uninitialized boot_cpu_data.x86_cache_occ_scale.\n\nAdd the missing resctrl_cpu_detect() in the Hygon BSP init helper.\n\n  [ bp: Massage commit message. ]"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T21:34:11.780Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/62f12cde10118253348a7540e85606869bd69432"
        },
        {
          "url": "https://git.kernel.org/stable/c/873f32201df8876bdb2563e3187e79149427cab4"
        },
        {
          "url": "https://git.kernel.org/stable/c/fb81222c1559f89bfe3aa1010f6d112531d55353"
        },
        {
          "url": "https://git.kernel.org/stable/c/7207923d8453ebfb35667c1736169f2dd796772e"
        },
        {
          "url": "https://git.kernel.org/stable/c/a9e5924daa954c9f585c1ca00358afe71d6781c4"
        },
        {
          "url": "https://git.kernel.org/stable/c/d23264c257a70dbe021b43b3bc2ee16134cd2c69"
        },
        {
          "url": "https://git.kernel.org/stable/c/d8df126349dad855cdfedd6bbf315bad2e901c2f"
        }
      ],
      "title": "x86/cpu/hygon: Add missing resctrl_cpu_detect() in bsp_init helper",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-39681",
    "datePublished": "2025-09-05T17:20:47.564Z",
    "dateReserved": "2025-04-16T07:20:57.113Z",
    "dateUpdated": "2026-05-12T12:06:07.711Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-39682 (GCVE-0-2025-39682)

Vulnerability from cvelistv5 – Published: 2025-09-05 17:20 – Updated: 2026-05-12 12:06

Title

tls: fix handling of zero-length records on the rx_list

Summary

In the Linux kernel, the following vulnerability has been resolved: tls: fix handling of zero-length records on the rx_list Each recvmsg() call must process either - only contiguous DATA records (any number of them) - one non-DATA record If the next record has different type than what has already been processed we break out of the main processing loop. If the record has already been decrypted (which may be the case for TLS 1.3 where we don't know type until decryption) we queue the pending record to the rx_list. Next recvmsg() will pick it up from there. Queuing the skb to rx_list after zero-copy decrypt is not possible, since in that case we decrypted directly to the user space buffer, and we don't have an skb to queue (darg.skb points to the ciphertext skb for access to metadata like length). Only data records are allowed zero-copy, and we break the processing loop after each non-data record. So we should never zero-copy and then find out that the record type has changed. The corner case we missed is when the initial record comes from rx_list, and it's zero length.

Severity

No CVSS data available.

Assigner

Linux

References

7 references

URL	Tags
https://git.kernel.org/stable/c/2902c3ebcca52ca84…
https://git.kernel.org/stable/c/c09dd3773b5950e9c…
https://git.kernel.org/stable/c/3439c15ae91a517cf…
https://git.kernel.org/stable/c/29c0ce3c8cdb6dc5d…
https://git.kernel.org/stable/c/62708b9452f8eb775…
https://lists.debian.org/debian-lts-announce/2025…
https://cert-portal.siemens.com/productcert/html/…

Impacted products

3 products

Vendor	Product	Version
Linux	Linux	Affected: 84c61fe1a75b4255df1e1e7c054c9e6d048da417 , < 2902c3ebcca52ca845c03182000e8d71d3a5196f (git) Affected: 84c61fe1a75b4255df1e1e7c054c9e6d048da417 , < c09dd3773b5950e9cfb6c9b9a5f6e36d06c62677 (git) Affected: 84c61fe1a75b4255df1e1e7c054c9e6d048da417 , < 3439c15ae91a517cf3c650ea15a8987699416ad9 (git) Affected: 84c61fe1a75b4255df1e1e7c054c9e6d048da417 , < 29c0ce3c8cdb6dc5d61139c937f34cb888a6f42e (git) Affected: 84c61fe1a75b4255df1e1e7c054c9e6d048da417 , < 62708b9452f8eb77513115b17c4f8d1a22ebf843 (git)
Linux	Linux	Affected: 6.0 Unaffected: 0 , < 6.0 (semver) Unaffected: 6.1.149 , ≤ 6.1.* (semver) Unaffected: 6.6.103 , ≤ 6.6.* (semver) Unaffected: 6.12.44 , ≤ 6.12.* (semver) Unaffected: 6.16.4 , ≤ 6.16.* (semver) Unaffected: 6.17 , ≤ * (original_commit_for_fix)
Siemens	SIMATIC CN 4100	Affected: 0 , < V5.0 (custom)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:42:13.673Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "affected": [
          {
            "defaultStatus": "unknown",
            "product": "SIMATIC CN 4100",
            "vendor": "Siemens",
            "versions": [
              {
                "lessThan": "V5.0",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-12T12:06:08.852Z",
          "orgId": "0b142b55-0307-4c5a-b3c9-f314f3fb7c5e",
          "shortName": "siemens-SADP"
        },
        "references": [
          {
            "url": "https://cert-portal.siemens.com/productcert/html/ssa-032379.html"
          }
        ],
        "x_adpType": "supplier"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/tls/tls_sw.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "2902c3ebcca52ca845c03182000e8d71d3a5196f",
              "status": "affected",
              "version": "84c61fe1a75b4255df1e1e7c054c9e6d048da417",
              "versionType": "git"
            },
            {
              "lessThan": "c09dd3773b5950e9cfb6c9b9a5f6e36d06c62677",
              "status": "affected",
              "version": "84c61fe1a75b4255df1e1e7c054c9e6d048da417",
              "versionType": "git"
            },
            {
              "lessThan": "3439c15ae91a517cf3c650ea15a8987699416ad9",
              "status": "affected",
              "version": "84c61fe1a75b4255df1e1e7c054c9e6d048da417",
              "versionType": "git"
            },
            {
              "lessThan": "29c0ce3c8cdb6dc5d61139c937f34cb888a6f42e",
              "status": "affected",
              "version": "84c61fe1a75b4255df1e1e7c054c9e6d048da417",
              "versionType": "git"
            },
            {
              "lessThan": "62708b9452f8eb77513115b17c4f8d1a22ebf843",
              "status": "affected",
              "version": "84c61fe1a75b4255df1e1e7c054c9e6d048da417",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/tls/tls_sw.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.0"
            },
            {
              "lessThan": "6.0",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.149",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.103",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.44",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.16.*",
              "status": "unaffected",
              "version": "6.16.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.17",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.149",
                  "versionStartIncluding": "6.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.103",
                  "versionStartIncluding": "6.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.44",
                  "versionStartIncluding": "6.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16.4",
                  "versionStartIncluding": "6.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17",
                  "versionStartIncluding": "6.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntls: fix handling of zero-length records on the rx_list\n\nEach recvmsg() call must process either\n - only contiguous DATA records (any number of them)\n - one non-DATA record\n\nIf the next record has different type than what has already been\nprocessed we break out of the main processing loop. If the record\nhas already been decrypted (which may be the case for TLS 1.3 where\nwe don\u0027t know type until decryption) we queue the pending record\nto the rx_list. Next recvmsg() will pick it up from there.\n\nQueuing the skb to rx_list after zero-copy decrypt is not possible,\nsince in that case we decrypted directly to the user space buffer,\nand we don\u0027t have an skb to queue (darg.skb points to the ciphertext\nskb for access to metadata like length).\n\nOnly data records are allowed zero-copy, and we break the processing\nloop after each non-data record. So we should never zero-copy and\nthen find out that the record type has changed. The corner case\nwe missed is when the initial record comes from rx_list, and it\u0027s\nzero length."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T21:34:12.968Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/2902c3ebcca52ca845c03182000e8d71d3a5196f"
        },
        {
          "url": "https://git.kernel.org/stable/c/c09dd3773b5950e9cfb6c9b9a5f6e36d06c62677"
        },
        {
          "url": "https://git.kernel.org/stable/c/3439c15ae91a517cf3c650ea15a8987699416ad9"
        },
        {
          "url": "https://git.kernel.org/stable/c/29c0ce3c8cdb6dc5d61139c937f34cb888a6f42e"
        },
        {
          "url": "https://git.kernel.org/stable/c/62708b9452f8eb77513115b17c4f8d1a22ebf843"
        }
      ],
      "title": "tls: fix handling of zero-length records on the rx_list",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-39682",
    "datePublished": "2025-09-05T17:20:48.657Z",
    "dateReserved": "2025-04-16T07:20:57.113Z",
    "dateUpdated": "2026-05-12T12:06:08.852Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-39683 (GCVE-0-2025-39683)

Vulnerability from cvelistv5 – Published: 2025-09-05 17:20 – Updated: 2026-05-23 16:00

Title

tracing: Limit access to parser->buffer when trace_get_user failed

Summary

In the Linux kernel, the following vulnerability has been resolved: tracing: Limit access to parser->buffer when trace_get_user failed When the length of the string written to set_ftrace_filter exceeds FTRACE_BUFF_MAX, the following KASAN alarm will be triggered: BUG: KASAN: slab-out-of-bounds in strsep+0x18c/0x1b0 Read of size 1 at addr ffff0000d00bd5ba by task ash/165 CPU: 1 UID: 0 PID: 165 Comm: ash Not tainted 6.16.0-g6bcdbd62bd56-dirty Hardware name: linux,dummy-virt (DT) Call trace: show_stack+0x34/0x50 (C) dump_stack_lvl+0xa0/0x158 print_address_description.constprop.0+0x88/0x398 print_report+0xb0/0x280 kasan_report+0xa4/0xf0 __asan_report_load1_noabort+0x20/0x30 strsep+0x18c/0x1b0 ftrace_process_regex.isra.0+0x100/0x2d8 ftrace_regex_release+0x484/0x618 __fput+0x364/0xa58 ____fput+0x28/0x40 task_work_run+0x154/0x278 do_notify_resume+0x1f0/0x220 el0_svc+0xec/0xf0 el0t_64_sync_handler+0xa0/0xe8 el0t_64_sync+0x1ac/0x1b0 The reason is that trace_get_user will fail when processing a string longer than FTRACE_BUFF_MAX, but not set the end of parser->buffer to 0. Then an OOB access will be triggered in ftrace_regex_release-> ftrace_process_regex->strsep->strpbrk. We can solve this problem by limiting access to parser->buffer when trace_get_user failed.

Severity

No CVSS data available.

Assigner

Linux

References

11 references

URL	Tags
https://git.kernel.org/stable/c/b842ef39c2ad6156c…
https://git.kernel.org/stable/c/41b838420457802f2…
https://git.kernel.org/stable/c/418b448e1d7470da9…
https://git.kernel.org/stable/c/58ff8064cb4c7edda…
https://git.kernel.org/stable/c/d0c68045b8b0f3737…
https://git.kernel.org/stable/c/3079517a5ba80901f…
https://git.kernel.org/stable/c/6a909ea83f226803e…
https://lists.debian.org/debian-lts-announce/2025…
https://lists.debian.org/debian-lts-announce/2025…
https://cert-portal.siemens.com/productcert/html/…
https://cert-portal.siemens.com/productcert/html/…

Impacted products

6 products

Vendor	Product	Version
Linux	Linux	Affected: 634684d79733124f7470b226b0f42aada4426b07 , < b842ef39c2ad6156c13afdec25ecc6792a9b67b9 (git) Affected: 8c9af478c06bb1ab1422f90d8ecbc53defd44bc3 , < 41b838420457802f21918df66764b6fbf829d330 (git) Affected: 8c9af478c06bb1ab1422f90d8ecbc53defd44bc3 , < 418b448e1d7470da9d4d4797f71782595ee69c49 (git) Affected: 8c9af478c06bb1ab1422f90d8ecbc53defd44bc3 , < 58ff8064cb4c7eddac4da1a59da039ead586950a (git) Affected: 8c9af478c06bb1ab1422f90d8ecbc53defd44bc3 , < d0c68045b8b0f3737ed7bd6b8c83b7887014adee (git) Affected: 8c9af478c06bb1ab1422f90d8ecbc53defd44bc3 , < 3079517a5ba80901fe828a06998da64b9b8749be (git) Affected: 8c9af478c06bb1ab1422f90d8ecbc53defd44bc3 , < 6a909ea83f226803ea0e718f6e88613df9234d58 (git) Affected: 24cd31752f47699b89b4b3471155c8e599a1a23a (git) Affected: e9cb474de7ff7a970c2a3951c12ec7e3113c0c35 (git) Affected: 6ab671191f64b0da7d547e2ad4dc199ca7e5b558 (git) Affected: 3d9281a4ac7171c808f9507f0937eb236b353905 (git) Affected: 0b641b25870f02e2423e494365fc5243cc1e2759 (git) Affected: ffd51dbfd2900e50c71b5c069fe407957e52d61f (git) Affected: cdd107d7f18158d966c2bc136204fe826dac445c (git) Affected: 5.10.36 , < 5.10.241 (semver) Affected: 4.4.269 , < 4.5 (semver) Affected: 4.9.269 , < 4.10 (semver) Affected: 4.14.233 , < 4.15 (semver) Affected: 4.19.191 , < 4.20 (semver) Affected: 5.4.118 , < 5.5 (semver) Affected: 5.11.20 , < 5.12 (semver) Affected: 5.12.3 , < 5.13 (semver)
Linux	Linux	Affected: 5.13 Unaffected: 0 , < 5.13 (semver) Unaffected: 5.10.241 , ≤ 5.10.* (semver) Unaffected: 5.15.190 , ≤ 5.15.* (semver) Unaffected: 6.1.149 , ≤ 6.1.* (semver) Unaffected: 6.6.103 , ≤ 6.6.* (semver) Unaffected: 6.12.44 , ≤ 6.12.* (semver) Unaffected: 6.16.4 , ≤ 6.16.* (semver) Unaffected: 6.17 , ≤ * (original_commit_for_fix)
Siemens	SIMATIC CN 4100	Affected: 0 , < V5.0 (custom)
Siemens	SIMATIC S7-1500 CPU 1518-4 PN/DP MFP	Affected: V3.1.5 , < * (custom)
Siemens	SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP	Affected: V3.1.5 , < * (custom)
Siemens	SIPLUS S7-1500 CPU 1518-4 PN/DP MFP	Affected: V3.1.5 , < * (custom)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:42:15.575Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "affected": [
          {
            "defaultStatus": "unknown",
            "product": "SIMATIC CN 4100",
            "vendor": "Siemens",
            "versions": [
              {
                "lessThan": "V5.0",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          },
          {
            "defaultStatus": "unknown",
            "product": "SIMATIC S7-1500 CPU 1518-4 PN/DP MFP",
            "vendor": "Siemens",
            "versions": [
              {
                "lessThan": "*",
                "status": "affected",
                "version": "V3.1.5",
                "versionType": "custom"
              }
            ]
          },
          {
            "defaultStatus": "unknown",
            "product": "SIMATIC S7-1500 CPU 1518-4 PN/DP MFP",
            "vendor": "Siemens",
            "versions": [
              {
                "lessThan": "*",
                "status": "affected",
                "version": "V3.1.5",
                "versionType": "custom"
              }
            ]
          },
          {
            "defaultStatus": "unknown",
            "product": "SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP",
            "vendor": "Siemens",
            "versions": [
              {
                "lessThan": "*",
                "status": "affected",
                "version": "V3.1.5",
                "versionType": "custom"
              }
            ]
          },
          {
            "defaultStatus": "unknown",
            "product": "SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP",
            "vendor": "Siemens",
            "versions": [
              {
                "lessThan": "*",
                "status": "affected",
                "version": "V3.1.5",
                "versionType": "custom"
              }
            ]
          },
          {
            "defaultStatus": "unknown",
            "product": "SIPLUS S7-1500 CPU 1518-4 PN/DP MFP",
            "vendor": "Siemens",
            "versions": [
              {
                "lessThan": "*",
                "status": "affected",
                "version": "V3.1.5",
                "versionType": "custom"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-12T12:06:10.108Z",
          "orgId": "0b142b55-0307-4c5a-b3c9-f314f3fb7c5e",
          "shortName": "siemens-SADP"
        },
        "references": [
          {
            "url": "https://cert-portal.siemens.com/productcert/html/ssa-082556.html"
          },
          {
            "url": "https://cert-portal.siemens.com/productcert/html/ssa-032379.html"
          }
        ],
        "x_adpType": "supplier"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "kernel/trace/trace.c",
            "kernel/trace/trace.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "b842ef39c2ad6156c13afdec25ecc6792a9b67b9",
              "status": "affected",
              "version": "634684d79733124f7470b226b0f42aada4426b07",
              "versionType": "git"
            },
            {
              "lessThan": "41b838420457802f21918df66764b6fbf829d330",
              "status": "affected",
              "version": "8c9af478c06bb1ab1422f90d8ecbc53defd44bc3",
              "versionType": "git"
            },
            {
              "lessThan": "418b448e1d7470da9d4d4797f71782595ee69c49",
              "status": "affected",
              "version": "8c9af478c06bb1ab1422f90d8ecbc53defd44bc3",
              "versionType": "git"
            },
            {
              "lessThan": "58ff8064cb4c7eddac4da1a59da039ead586950a",
              "status": "affected",
              "version": "8c9af478c06bb1ab1422f90d8ecbc53defd44bc3",
              "versionType": "git"
            },
            {
              "lessThan": "d0c68045b8b0f3737ed7bd6b8c83b7887014adee",
              "status": "affected",
              "version": "8c9af478c06bb1ab1422f90d8ecbc53defd44bc3",
              "versionType": "git"
            },
            {
              "lessThan": "3079517a5ba80901fe828a06998da64b9b8749be",
              "status": "affected",
              "version": "8c9af478c06bb1ab1422f90d8ecbc53defd44bc3",
              "versionType": "git"
            },
            {
              "lessThan": "6a909ea83f226803ea0e718f6e88613df9234d58",
              "status": "affected",
              "version": "8c9af478c06bb1ab1422f90d8ecbc53defd44bc3",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "24cd31752f47699b89b4b3471155c8e599a1a23a",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "e9cb474de7ff7a970c2a3951c12ec7e3113c0c35",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "6ab671191f64b0da7d547e2ad4dc199ca7e5b558",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "3d9281a4ac7171c808f9507f0937eb236b353905",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "0b641b25870f02e2423e494365fc5243cc1e2759",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "ffd51dbfd2900e50c71b5c069fe407957e52d61f",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "cdd107d7f18158d966c2bc136204fe826dac445c",
              "versionType": "git"
            },
            {
              "lessThan": "5.10.241",
              "status": "affected",
              "version": "5.10.36",
              "versionType": "semver"
            },
            {
              "lessThan": "4.5",
              "status": "affected",
              "version": "4.4.269",
              "versionType": "semver"
            },
            {
              "lessThan": "4.10",
              "status": "affected",
              "version": "4.9.269",
              "versionType": "semver"
            },
            {
              "lessThan": "4.15",
              "status": "affected",
              "version": "4.14.233",
              "versionType": "semver"
            },
            {
              "lessThan": "4.20",
              "status": "affected",
              "version": "4.19.191",
              "versionType": "semver"
            },
            {
              "lessThan": "5.5",
              "status": "affected",
              "version": "5.4.118",
              "versionType": "semver"
            },
            {
              "lessThan": "5.12",
              "status": "affected",
              "version": "5.11.20",
              "versionType": "semver"
            },
            {
              "lessThan": "5.13",
              "status": "affected",
              "version": "5.12.3",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "kernel/trace/trace.c",
            "kernel/trace/trace.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.13"
            },
            {
              "lessThan": "5.13",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.241",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.190",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.149",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.103",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.44",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.16.*",
              "status": "unaffected",
              "version": "6.16.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.17",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.241",
                  "versionStartIncluding": "5.10.36",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.190",
                  "versionStartIncluding": "5.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.149",
                  "versionStartIncluding": "5.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.103",
                  "versionStartIncluding": "5.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.44",
                  "versionStartIncluding": "5.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16.4",
                  "versionStartIncluding": "5.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17",
                  "versionStartIncluding": "5.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "4.4.269",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "4.9.269",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "4.14.233",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "4.19.191",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "5.4.118",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "5.11.20",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "5.12.3",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntracing: Limit access to parser-\u003ebuffer when trace_get_user failed\n\nWhen the length of the string written to set_ftrace_filter exceeds\nFTRACE_BUFF_MAX, the following KASAN alarm will be triggered:\n\nBUG: KASAN: slab-out-of-bounds in strsep+0x18c/0x1b0\nRead of size 1 at addr ffff0000d00bd5ba by task ash/165\n\nCPU: 1 UID: 0 PID: 165 Comm: ash Not tainted 6.16.0-g6bcdbd62bd56-dirty\nHardware name: linux,dummy-virt (DT)\nCall trace:\n show_stack+0x34/0x50 (C)\n dump_stack_lvl+0xa0/0x158\n print_address_description.constprop.0+0x88/0x398\n print_report+0xb0/0x280\n kasan_report+0xa4/0xf0\n __asan_report_load1_noabort+0x20/0x30\n strsep+0x18c/0x1b0\n ftrace_process_regex.isra.0+0x100/0x2d8\n ftrace_regex_release+0x484/0x618\n __fput+0x364/0xa58\n ____fput+0x28/0x40\n task_work_run+0x154/0x278\n do_notify_resume+0x1f0/0x220\n el0_svc+0xec/0xf0\n el0t_64_sync_handler+0xa0/0xe8\n el0t_64_sync+0x1ac/0x1b0\n\nThe reason is that trace_get_user will fail when processing a string\nlonger than FTRACE_BUFF_MAX, but not set the end of parser-\u003ebuffer to 0.\nThen an OOB access will be triggered in ftrace_regex_release-\u003e\nftrace_process_regex-\u003estrsep-\u003estrpbrk. We can solve this problem by\nlimiting access to parser-\u003ebuffer when trace_get_user failed."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-23T16:00:29.672Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/b842ef39c2ad6156c13afdec25ecc6792a9b67b9"
        },
        {
          "url": "https://git.kernel.org/stable/c/41b838420457802f21918df66764b6fbf829d330"
        },
        {
          "url": "https://git.kernel.org/stable/c/418b448e1d7470da9d4d4797f71782595ee69c49"
        },
        {
          "url": "https://git.kernel.org/stable/c/58ff8064cb4c7eddac4da1a59da039ead586950a"
        },
        {
          "url": "https://git.kernel.org/stable/c/d0c68045b8b0f3737ed7bd6b8c83b7887014adee"
        },
        {
          "url": "https://git.kernel.org/stable/c/3079517a5ba80901fe828a06998da64b9b8749be"
        },
        {
          "url": "https://git.kernel.org/stable/c/6a909ea83f226803ea0e718f6e88613df9234d58"
        }
      ],
      "title": "tracing: Limit access to parser-\u003ebuffer when trace_get_user failed",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-39683",
    "datePublished": "2025-09-05T17:20:49.821Z",
    "dateReserved": "2025-04-16T07:20:57.113Z",
    "dateUpdated": "2026-05-23T16:00:29.672Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-39684 (GCVE-0-2025-39684)

Vulnerability from cvelistv5 – Published: 2025-09-05 17:20 – Updated: 2026-05-12 12:06

Title

comedi: Fix use of uninitialized memory in do_insn_ioctl() and do_insnlist_ioctl()

Summary

In the Linux kernel, the following vulnerability has been resolved: comedi: Fix use of uninitialized memory in do_insn_ioctl() and do_insnlist_ioctl() syzbot reports a KMSAN kernel-infoleak in `do_insn_ioctl()`. A kernel buffer is allocated to hold `insn->n` samples (each of which is an `unsigned int`). For some instruction types, `insn->n` samples are copied back to user-space, unless an error code is being returned. The problem is that not all the instruction handlers that need to return data to userspace fill in the whole `insn->n` samples, so that there is an information leak. There is a similar syzbot report for `do_insnlist_ioctl()`, although it does not have a reproducer for it at the time of writing. One culprit is `insn_rw_emulate_bits()` which is used as the handler for `INSN_READ` or `INSN_WRITE` instructions for subdevices that do not have a specific handler for that instruction, but do have an `INSN_BITS` handler. For `INSN_READ` it only fills in at most 1 sample, so if `insn->n` is greater than 1, the remaining `insn->n - 1` samples copied to userspace will be uninitialized kernel data. Another culprit is `vm80xx_ai_insn_read()` in the "vm80xx" driver. It never returns an error, even if it fails to fill the buffer. Fix it in `do_insn_ioctl()` and `do_insnlist_ioctl()` by making sure that uninitialized parts of the allocated buffer are zeroed before handling each instruction. Thanks to Arnaud Lecomte for their fix to `do_insn_ioctl()`. That fix replaced the call to `kmalloc_array()` with `kcalloc()`, but it is not always necessary to clear the whole buffer.

Severity

No CVSS data available.

Assigner

Linux

References

8 references

URL	Tags
https://git.kernel.org/stable/c/868a1b68dcd9f2805…
https://git.kernel.org/stable/c/ff4a7c18799c7fe99…
https://git.kernel.org/stable/c/d84f6e77ebe335939…
https://git.kernel.org/stable/c/f3b0c9ec54736f3b8…
https://git.kernel.org/stable/c/aecf0d557ddd95ce6…
https://git.kernel.org/stable/c/3cd212e895ca2d589…
https://lists.debian.org/debian-lts-announce/2025…
https://cert-portal.siemens.com/productcert/html/…

Impacted products

3 products

Vendor	Product	Version
Linux	Linux	Affected: ed9eccbe8970f6eedc1b978c157caf1251a896d4 , < 868a1b68dcd9f2805bb86aa64862402f785d8c4a (git) Affected: ed9eccbe8970f6eedc1b978c157caf1251a896d4 , < ff4a7c18799c7fe999fa56c5cf276e13866b8c1a (git) Affected: ed9eccbe8970f6eedc1b978c157caf1251a896d4 , < d84f6e77ebe3359394df32ecd97e0d76a25283dc (git) Affected: ed9eccbe8970f6eedc1b978c157caf1251a896d4 , < f3b0c9ec54736f3b8118f93a473d22e11ee65743 (git) Affected: ed9eccbe8970f6eedc1b978c157caf1251a896d4 , < aecf0d557ddd95ce68193a5ee1dc4c87415ff08a (git) Affected: ed9eccbe8970f6eedc1b978c157caf1251a896d4 , < 3cd212e895ca2d58963fdc6422502b10dd3966bb (git)
Linux	Linux	Affected: 2.6.29 Unaffected: 0 , < 2.6.29 (semver) Unaffected: 5.15.190 , ≤ 5.15.* (semver) Unaffected: 6.1.149 , ≤ 6.1.* (semver) Unaffected: 6.6.103 , ≤ 6.6.* (semver) Unaffected: 6.12.44 , ≤ 6.12.* (semver) Unaffected: 6.16.4 , ≤ 6.16.* (semver) Unaffected: 6.17 , ≤ * (original_commit_for_fix)
Siemens	SIMATIC CN 4100	Affected: 0 , < V5.0 (custom)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:42:16.502Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "affected": [
          {
            "defaultStatus": "unknown",
            "product": "SIMATIC CN 4100",
            "vendor": "Siemens",
            "versions": [
              {
                "lessThan": "V5.0",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-12T12:06:11.333Z",
          "orgId": "0b142b55-0307-4c5a-b3c9-f314f3fb7c5e",
          "shortName": "siemens-SADP"
        },
        "references": [
          {
            "url": "https://cert-portal.siemens.com/productcert/html/ssa-032379.html"
          }
        ],
        "x_adpType": "supplier"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/comedi/comedi_fops.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "868a1b68dcd9f2805bb86aa64862402f785d8c4a",
              "status": "affected",
              "version": "ed9eccbe8970f6eedc1b978c157caf1251a896d4",
              "versionType": "git"
            },
            {
              "lessThan": "ff4a7c18799c7fe999fa56c5cf276e13866b8c1a",
              "status": "affected",
              "version": "ed9eccbe8970f6eedc1b978c157caf1251a896d4",
              "versionType": "git"
            },
            {
              "lessThan": "d84f6e77ebe3359394df32ecd97e0d76a25283dc",
              "status": "affected",
              "version": "ed9eccbe8970f6eedc1b978c157caf1251a896d4",
              "versionType": "git"
            },
            {
              "lessThan": "f3b0c9ec54736f3b8118f93a473d22e11ee65743",
              "status": "affected",
              "version": "ed9eccbe8970f6eedc1b978c157caf1251a896d4",
              "versionType": "git"
            },
            {
              "lessThan": "aecf0d557ddd95ce68193a5ee1dc4c87415ff08a",
              "status": "affected",
              "version": "ed9eccbe8970f6eedc1b978c157caf1251a896d4",
              "versionType": "git"
            },
            {
              "lessThan": "3cd212e895ca2d58963fdc6422502b10dd3966bb",
              "status": "affected",
              "version": "ed9eccbe8970f6eedc1b978c157caf1251a896d4",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/comedi/comedi_fops.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.29"
            },
            {
              "lessThan": "2.6.29",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.190",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.149",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.103",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.44",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.16.*",
              "status": "unaffected",
              "version": "6.16.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.17",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.190",
                  "versionStartIncluding": "2.6.29",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.149",
                  "versionStartIncluding": "2.6.29",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.103",
                  "versionStartIncluding": "2.6.29",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.44",
                  "versionStartIncluding": "2.6.29",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16.4",
                  "versionStartIncluding": "2.6.29",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17",
                  "versionStartIncluding": "2.6.29",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncomedi: Fix use of uninitialized memory in do_insn_ioctl() and do_insnlist_ioctl()\n\nsyzbot reports a KMSAN kernel-infoleak in `do_insn_ioctl()`.  A kernel\nbuffer is allocated to hold `insn-\u003en` samples (each of which is an\n`unsigned int`).  For some instruction types, `insn-\u003en` samples are\ncopied back to user-space, unless an error code is being returned.  The\nproblem is that not all the instruction handlers that need to return\ndata to userspace fill in the whole `insn-\u003en` samples, so that there is\nan information leak.  There is a similar syzbot report for\n`do_insnlist_ioctl()`, although it does not have a reproducer for it at\nthe time of writing.\n\nOne culprit is `insn_rw_emulate_bits()` which is used as the handler for\n`INSN_READ` or `INSN_WRITE` instructions for subdevices that do not have\na specific handler for that instruction, but do have an `INSN_BITS`\nhandler.  For `INSN_READ` it only fills in at most 1 sample, so if\n`insn-\u003en` is greater than 1, the remaining `insn-\u003en - 1` samples copied\nto userspace will be uninitialized kernel data.\n\nAnother culprit is `vm80xx_ai_insn_read()` in the \"vm80xx\" driver.  It\nnever returns an error, even if it fails to fill the buffer.\n\nFix it in `do_insn_ioctl()` and `do_insnlist_ioctl()` by making sure\nthat uninitialized parts of the allocated buffer are zeroed before\nhandling each instruction.\n\nThanks to Arnaud Lecomte for their fix to `do_insn_ioctl()`.  That fix\nreplaced the call to `kmalloc_array()` with `kcalloc()`, but it is not\nalways necessary to clear the whole buffer."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T21:34:15.439Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/868a1b68dcd9f2805bb86aa64862402f785d8c4a"
        },
        {
          "url": "https://git.kernel.org/stable/c/ff4a7c18799c7fe999fa56c5cf276e13866b8c1a"
        },
        {
          "url": "https://git.kernel.org/stable/c/d84f6e77ebe3359394df32ecd97e0d76a25283dc"
        },
        {
          "url": "https://git.kernel.org/stable/c/f3b0c9ec54736f3b8118f93a473d22e11ee65743"
        },
        {
          "url": "https://git.kernel.org/stable/c/aecf0d557ddd95ce68193a5ee1dc4c87415ff08a"
        },
        {
          "url": "https://git.kernel.org/stable/c/3cd212e895ca2d58963fdc6422502b10dd3966bb"
        }
      ],
      "title": "comedi: Fix use of uninitialized memory in do_insn_ioctl() and do_insnlist_ioctl()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-39684",
    "datePublished": "2025-09-05T17:20:50.827Z",
    "dateReserved": "2025-04-16T07:20:57.113Z",
    "dateUpdated": "2026-05-12T12:06:11.333Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-39685 (GCVE-0-2025-39685)

Vulnerability from cvelistv5 – Published: 2025-09-05 17:20 – Updated: 2026-05-12 12:06

Title

comedi: pcl726: Prevent invalid irq number

Summary

In the Linux kernel, the following vulnerability has been resolved: comedi: pcl726: Prevent invalid irq number The reproducer passed in an irq number(0x80008000) that was too large, which triggered the oob. Added an interrupt number check to prevent users from passing in an irq number that was too large. If `it->options[1]` is 31, then `1 << it->options[1]` is still invalid because it shifts a 1-bit into the sign bit (which is UB in C). Possible solutions include reducing the upper bound on the `it->options[1]` value to 30 or lower, or using `1U << it->options[1]`. The old code would just not attempt to request the IRQ if the `options[1]` value were invalid. And it would still configure the device without interrupts even if the call to `request_irq` returned an error. So it would be better to combine this test with the test below.

Severity

No CVSS data available.

Assigner

Linux

References

8 references

URL	Tags
https://git.kernel.org/stable/c/bab220b0bb5af6520…
https://git.kernel.org/stable/c/5a33d07c94ba91306…
https://git.kernel.org/stable/c/0eb4ed2aa261dee22…
https://git.kernel.org/stable/c/a3cfcd0c78c80ca7c…
https://git.kernel.org/stable/c/d8992c9a01f81128f…
https://git.kernel.org/stable/c/96cb948408b3adb69…
https://lists.debian.org/debian-lts-announce/2025…
https://cert-portal.siemens.com/productcert/html/…

Impacted products

3 products

Vendor	Product	Version
Linux	Linux	Affected: fff46207245cd9e39c05b638afaee2478e64914b , < bab220b0bb5af652007e278e8e8357f952b0e1ea (git) Affected: fff46207245cd9e39c05b638afaee2478e64914b , < 5a33d07c94ba91306093e823112a7aa9727549f6 (git) Affected: fff46207245cd9e39c05b638afaee2478e64914b , < 0eb4ed2aa261dee228f1668dbfa6d87353e8162d (git) Affected: fff46207245cd9e39c05b638afaee2478e64914b , < a3cfcd0c78c80ca7cd80372dc28f77d01be57bf6 (git) Affected: fff46207245cd9e39c05b638afaee2478e64914b , < d8992c9a01f81128f36acb7c5755530e21fcd059 (git) Affected: fff46207245cd9e39c05b638afaee2478e64914b , < 96cb948408b3adb69df7e451ba7da9d21f814d00 (git)
Linux	Linux	Affected: 3.13 Unaffected: 0 , < 3.13 (semver) Unaffected: 5.15.190 , ≤ 5.15.* (semver) Unaffected: 6.1.149 , ≤ 6.1.* (semver) Unaffected: 6.6.103 , ≤ 6.6.* (semver) Unaffected: 6.12.44 , ≤ 6.12.* (semver) Unaffected: 6.16.4 , ≤ 6.16.* (semver) Unaffected: 6.17 , ≤ * (original_commit_for_fix)
Siemens	SIMATIC CN 4100	Affected: 0 , < V5.0 (custom)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:42:17.438Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "affected": [
          {
            "defaultStatus": "unknown",
            "product": "SIMATIC CN 4100",
            "vendor": "Siemens",
            "versions": [
              {
                "lessThan": "V5.0",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-12T12:06:12.481Z",
          "orgId": "0b142b55-0307-4c5a-b3c9-f314f3fb7c5e",
          "shortName": "siemens-SADP"
        },
        "references": [
          {
            "url": "https://cert-portal.siemens.com/productcert/html/ssa-032379.html"
          }
        ],
        "x_adpType": "supplier"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/comedi/drivers/pcl726.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "bab220b0bb5af652007e278e8e8357f952b0e1ea",
              "status": "affected",
              "version": "fff46207245cd9e39c05b638afaee2478e64914b",
              "versionType": "git"
            },
            {
              "lessThan": "5a33d07c94ba91306093e823112a7aa9727549f6",
              "status": "affected",
              "version": "fff46207245cd9e39c05b638afaee2478e64914b",
              "versionType": "git"
            },
            {
              "lessThan": "0eb4ed2aa261dee228f1668dbfa6d87353e8162d",
              "status": "affected",
              "version": "fff46207245cd9e39c05b638afaee2478e64914b",
              "versionType": "git"
            },
            {
              "lessThan": "a3cfcd0c78c80ca7cd80372dc28f77d01be57bf6",
              "status": "affected",
              "version": "fff46207245cd9e39c05b638afaee2478e64914b",
              "versionType": "git"
            },
            {
              "lessThan": "d8992c9a01f81128f36acb7c5755530e21fcd059",
              "status": "affected",
              "version": "fff46207245cd9e39c05b638afaee2478e64914b",
              "versionType": "git"
            },
            {
              "lessThan": "96cb948408b3adb69df7e451ba7da9d21f814d00",
              "status": "affected",
              "version": "fff46207245cd9e39c05b638afaee2478e64914b",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/comedi/drivers/pcl726.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.13"
            },
            {
              "lessThan": "3.13",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.190",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.149",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.103",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.44",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.16.*",
              "status": "unaffected",
              "version": "6.16.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.17",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.190",
                  "versionStartIncluding": "3.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.149",
                  "versionStartIncluding": "3.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.103",
                  "versionStartIncluding": "3.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.44",
                  "versionStartIncluding": "3.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16.4",
                  "versionStartIncluding": "3.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17",
                  "versionStartIncluding": "3.13",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncomedi: pcl726: Prevent invalid irq number\n\nThe reproducer passed in an irq number(0x80008000) that was too large,\nwhich triggered the oob.\n\nAdded an interrupt number check to prevent users from passing in an irq\nnumber that was too large.\n\nIf `it-\u003eoptions[1]` is 31, then `1 \u003c\u003c it-\u003eoptions[1]` is still invalid\nbecause it shifts a 1-bit into the sign bit (which is UB in C).\nPossible solutions include reducing the upper bound on the\n`it-\u003eoptions[1]` value to 30 or lower, or using `1U \u003c\u003c it-\u003eoptions[1]`.\n\nThe old code would just not attempt to request the IRQ if the\n`options[1]` value were invalid.  And it would still configure the\ndevice without interrupts even if the call to `request_irq` returned an\nerror.  So it would be better to combine this test with the test below."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T21:34:16.653Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/bab220b0bb5af652007e278e8e8357f952b0e1ea"
        },
        {
          "url": "https://git.kernel.org/stable/c/5a33d07c94ba91306093e823112a7aa9727549f6"
        },
        {
          "url": "https://git.kernel.org/stable/c/0eb4ed2aa261dee228f1668dbfa6d87353e8162d"
        },
        {
          "url": "https://git.kernel.org/stable/c/a3cfcd0c78c80ca7cd80372dc28f77d01be57bf6"
        },
        {
          "url": "https://git.kernel.org/stable/c/d8992c9a01f81128f36acb7c5755530e21fcd059"
        },
        {
          "url": "https://git.kernel.org/stable/c/96cb948408b3adb69df7e451ba7da9d21f814d00"
        }
      ],
      "title": "comedi: pcl726: Prevent invalid irq number",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-39685",
    "datePublished": "2025-09-05T17:20:51.954Z",
    "dateReserved": "2025-04-16T07:20:57.113Z",
    "dateUpdated": "2026-05-12T12:06:12.481Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-39686 (GCVE-0-2025-39686)

Vulnerability from cvelistv5 – Published: 2025-09-05 17:20 – Updated: 2026-05-12 12:06

Title

comedi: Make insn_rw_emulate_bits() do insn->n samples

Summary

In the Linux kernel, the following vulnerability has been resolved: comedi: Make insn_rw_emulate_bits() do insn->n samples The `insn_rw_emulate_bits()` function is used as a default handler for `INSN_READ` instructions for subdevices that have a handler for `INSN_BITS` but not for `INSN_READ`. Similarly, it is used as a default handler for `INSN_WRITE` instructions for subdevices that have a handler for `INSN_BITS` but not for `INSN_WRITE`. It works by emulating the `INSN_READ` or `INSN_WRITE` instruction handling with a constructed `INSN_BITS` instruction. However, `INSN_READ` and `INSN_WRITE` instructions are supposed to be able read or write multiple samples, indicated by the `insn->n` value, but `insn_rw_emulate_bits()` currently only handles a single sample. For `INSN_READ`, the comedi core will copy `insn->n` samples back to user-space. (That triggered KASAN kernel-infoleak errors when `insn->n` was greater than 1, but that is being fixed more generally elsewhere in the comedi core.) Make `insn_rw_emulate_bits()` either handle `insn->n` samples, or return an error, to conform to the general expectation for `INSN_READ` and `INSN_WRITE` handlers.

Severity

No CVSS data available.

Assigner

Linux

References

8 references

URL	Tags
https://git.kernel.org/stable/c/ab77e85bd3bc006ef…
https://git.kernel.org/stable/c/ae8bc1f07bcb31b86…
https://git.kernel.org/stable/c/842f307a1d115b24f…
https://git.kernel.org/stable/c/92352ed2f9ac42218…
https://git.kernel.org/stable/c/dc0a2f142d655700d…
https://git.kernel.org/stable/c/7afba9221f70d4cbc…
https://lists.debian.org/debian-lts-announce/2025…
https://cert-portal.siemens.com/productcert/html/…

Impacted products

3 products

Vendor	Product	Version
Linux	Linux	Affected: ed9eccbe8970f6eedc1b978c157caf1251a896d4 , < ab77e85bd3bc006ef40738f26f446a660813da44 (git) Affected: ed9eccbe8970f6eedc1b978c157caf1251a896d4 , < ae8bc1f07bcb31b8636420e03d1f9c3df6219a2b (git) Affected: ed9eccbe8970f6eedc1b978c157caf1251a896d4 , < 842f307a1d115b24f2bcb2415c4e344f11f55930 (git) Affected: ed9eccbe8970f6eedc1b978c157caf1251a896d4 , < 92352ed2f9ac422181e381c2430c2d0dfb46faa0 (git) Affected: ed9eccbe8970f6eedc1b978c157caf1251a896d4 , < dc0a2f142d655700db43de90cb6abf141b73d908 (git) Affected: ed9eccbe8970f6eedc1b978c157caf1251a896d4 , < 7afba9221f70d4cbce0f417c558879cba0eb5e66 (git)
Linux	Linux	Affected: 2.6.29 Unaffected: 0 , < 2.6.29 (semver) Unaffected: 5.15.190 , ≤ 5.15.* (semver) Unaffected: 6.1.149 , ≤ 6.1.* (semver) Unaffected: 6.6.103 , ≤ 6.6.* (semver) Unaffected: 6.12.44 , ≤ 6.12.* (semver) Unaffected: 6.16.4 , ≤ 6.16.* (semver) Unaffected: 6.17 , ≤ * (original_commit_for_fix)
Siemens	SIMATIC CN 4100	Affected: 0 , < V5.0 (custom)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:42:18.407Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "affected": [
          {
            "defaultStatus": "unknown",
            "product": "SIMATIC CN 4100",
            "vendor": "Siemens",
            "versions": [
              {
                "lessThan": "V5.0",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-12T12:06:13.615Z",
          "orgId": "0b142b55-0307-4c5a-b3c9-f314f3fb7c5e",
          "shortName": "siemens-SADP"
        },
        "references": [
          {
            "url": "https://cert-portal.siemens.com/productcert/html/ssa-032379.html"
          }
        ],
        "x_adpType": "supplier"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/comedi/drivers.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "ab77e85bd3bc006ef40738f26f446a660813da44",
              "status": "affected",
              "version": "ed9eccbe8970f6eedc1b978c157caf1251a896d4",
              "versionType": "git"
            },
            {
              "lessThan": "ae8bc1f07bcb31b8636420e03d1f9c3df6219a2b",
              "status": "affected",
              "version": "ed9eccbe8970f6eedc1b978c157caf1251a896d4",
              "versionType": "git"
            },
            {
              "lessThan": "842f307a1d115b24f2bcb2415c4e344f11f55930",
              "status": "affected",
              "version": "ed9eccbe8970f6eedc1b978c157caf1251a896d4",
              "versionType": "git"
            },
            {
              "lessThan": "92352ed2f9ac422181e381c2430c2d0dfb46faa0",
              "status": "affected",
              "version": "ed9eccbe8970f6eedc1b978c157caf1251a896d4",
              "versionType": "git"
            },
            {
              "lessThan": "dc0a2f142d655700db43de90cb6abf141b73d908",
              "status": "affected",
              "version": "ed9eccbe8970f6eedc1b978c157caf1251a896d4",
              "versionType": "git"
            },
            {
              "lessThan": "7afba9221f70d4cbce0f417c558879cba0eb5e66",
              "status": "affected",
              "version": "ed9eccbe8970f6eedc1b978c157caf1251a896d4",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/comedi/drivers.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.29"
            },
            {
              "lessThan": "2.6.29",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.190",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.149",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.103",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.44",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.16.*",
              "status": "unaffected",
              "version": "6.16.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.17",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.190",
                  "versionStartIncluding": "2.6.29",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.149",
                  "versionStartIncluding": "2.6.29",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.103",
                  "versionStartIncluding": "2.6.29",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.44",
                  "versionStartIncluding": "2.6.29",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16.4",
                  "versionStartIncluding": "2.6.29",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17",
                  "versionStartIncluding": "2.6.29",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncomedi: Make insn_rw_emulate_bits() do insn-\u003en samples\n\nThe `insn_rw_emulate_bits()` function is used as a default handler for\n`INSN_READ` instructions for subdevices that have a handler for\n`INSN_BITS` but not for `INSN_READ`.  Similarly, it is used as a default\nhandler for `INSN_WRITE` instructions for subdevices that have a handler\nfor `INSN_BITS` but not for `INSN_WRITE`. It works by emulating the\n`INSN_READ` or `INSN_WRITE` instruction handling with a constructed\n`INSN_BITS` instruction.  However, `INSN_READ` and `INSN_WRITE`\ninstructions are supposed to be able read or write multiple samples,\nindicated by the `insn-\u003en` value, but `insn_rw_emulate_bits()` currently\nonly handles a single sample.  For `INSN_READ`, the comedi core will\ncopy `insn-\u003en` samples back to user-space.  (That triggered KASAN\nkernel-infoleak errors when `insn-\u003en` was greater than 1, but that is\nbeing fixed more generally elsewhere in the comedi core.)\n\nMake `insn_rw_emulate_bits()` either handle `insn-\u003en` samples, or return\nan error, to conform to the general expectation for `INSN_READ` and\n`INSN_WRITE` handlers."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T21:34:17.797Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/ab77e85bd3bc006ef40738f26f446a660813da44"
        },
        {
          "url": "https://git.kernel.org/stable/c/ae8bc1f07bcb31b8636420e03d1f9c3df6219a2b"
        },
        {
          "url": "https://git.kernel.org/stable/c/842f307a1d115b24f2bcb2415c4e344f11f55930"
        },
        {
          "url": "https://git.kernel.org/stable/c/92352ed2f9ac422181e381c2430c2d0dfb46faa0"
        },
        {
          "url": "https://git.kernel.org/stable/c/dc0a2f142d655700db43de90cb6abf141b73d908"
        },
        {
          "url": "https://git.kernel.org/stable/c/7afba9221f70d4cbce0f417c558879cba0eb5e66"
        }
      ],
      "title": "comedi: Make insn_rw_emulate_bits() do insn-\u003en samples",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-39686",
    "datePublished": "2025-09-05T17:20:53.071Z",
    "dateReserved": "2025-04-16T07:20:57.113Z",
    "dateUpdated": "2026-05-12T12:06:13.615Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-39687 (GCVE-0-2025-39687)

Vulnerability from cvelistv5 – Published: 2025-09-05 17:20 – Updated: 2026-05-12 12:06

Title

iio: light: as73211: Ensure buffer holes are zeroed

Summary

In the Linux kernel, the following vulnerability has been resolved: iio: light: as73211: Ensure buffer holes are zeroed Given that the buffer is copied to a kfifo that ultimately user space can read, ensure we zero it.

Severity

No CVSS data available.

Assigner

Linux

References

10 references

URL	Tags
https://git.kernel.org/stable/c/fd441fd972067f808…
https://git.kernel.org/stable/c/d8c5d87a431596e0e…
https://git.kernel.org/stable/c/83f14c4ca1ad78fcf…
https://git.kernel.org/stable/c/99b508340d0d1b9de…
https://git.kernel.org/stable/c/cce55ca4e7a221d5e…
https://git.kernel.org/stable/c/8acd9a0eaa8c9a28e…
https://git.kernel.org/stable/c/433b99e922943efdf…
https://lists.debian.org/debian-lts-announce/2025…
https://lists.debian.org/debian-lts-announce/2025…
https://cert-portal.siemens.com/productcert/html/…

Impacted products

3 products

Vendor	Product	Version
Linux	Linux	Affected: 403e5586b52e466893ce3a7b7f3a3ecdc4c82d3e , < fd441fd972067f80861a0b66605c0febb0d038dd (git) Affected: 403e5586b52e466893ce3a7b7f3a3ecdc4c82d3e , < d8c5d87a431596e0e02bd7fe3bff952b002a03bb (git) Affected: 403e5586b52e466893ce3a7b7f3a3ecdc4c82d3e , < 83f14c4ca1ad78fcfb3e0de07d6d8a0c59550fc2 (git) Affected: 403e5586b52e466893ce3a7b7f3a3ecdc4c82d3e , < 99b508340d0d1b9de0856c48c77898b14c0df7cf (git) Affected: 403e5586b52e466893ce3a7b7f3a3ecdc4c82d3e , < cce55ca4e7a221d5eb2c0b757a868eacd6344e4a (git) Affected: 403e5586b52e466893ce3a7b7f3a3ecdc4c82d3e , < 8acd9a0eaa8c9a28e385c0a6a56bb821cb549771 (git) Affected: 403e5586b52e466893ce3a7b7f3a3ecdc4c82d3e , < 433b99e922943efdfd62b9a8e3ad1604838181f2 (git)
Linux	Linux	Affected: 5.10 Unaffected: 0 , < 5.10 (semver) Unaffected: 5.10.241 , ≤ 5.10.* (semver) Unaffected: 5.15.190 , ≤ 5.15.* (semver) Unaffected: 6.1.149 , ≤ 6.1.* (semver) Unaffected: 6.6.103 , ≤ 6.6.* (semver) Unaffected: 6.12.44 , ≤ 6.12.* (semver) Unaffected: 6.16.4 , ≤ 6.16.* (semver) Unaffected: 6.17 , ≤ * (original_commit_for_fix)
Siemens	SIMATIC CN 4100	Affected: 0 , < V5.0 (custom)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:42:20.271Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "affected": [
          {
            "defaultStatus": "unknown",
            "product": "SIMATIC CN 4100",
            "vendor": "Siemens",
            "versions": [
              {
                "lessThan": "V5.0",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-12T12:06:14.761Z",
          "orgId": "0b142b55-0307-4c5a-b3c9-f314f3fb7c5e",
          "shortName": "siemens-SADP"
        },
        "references": [
          {
            "url": "https://cert-portal.siemens.com/productcert/html/ssa-032379.html"
          }
        ],
        "x_adpType": "supplier"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/iio/light/as73211.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "fd441fd972067f80861a0b66605c0febb0d038dd",
              "status": "affected",
              "version": "403e5586b52e466893ce3a7b7f3a3ecdc4c82d3e",
              "versionType": "git"
            },
            {
              "lessThan": "d8c5d87a431596e0e02bd7fe3bff952b002a03bb",
              "status": "affected",
              "version": "403e5586b52e466893ce3a7b7f3a3ecdc4c82d3e",
              "versionType": "git"
            },
            {
              "lessThan": "83f14c4ca1ad78fcfb3e0de07d6d8a0c59550fc2",
              "status": "affected",
              "version": "403e5586b52e466893ce3a7b7f3a3ecdc4c82d3e",
              "versionType": "git"
            },
            {
              "lessThan": "99b508340d0d1b9de0856c48c77898b14c0df7cf",
              "status": "affected",
              "version": "403e5586b52e466893ce3a7b7f3a3ecdc4c82d3e",
              "versionType": "git"
            },
            {
              "lessThan": "cce55ca4e7a221d5eb2c0b757a868eacd6344e4a",
              "status": "affected",
              "version": "403e5586b52e466893ce3a7b7f3a3ecdc4c82d3e",
              "versionType": "git"
            },
            {
              "lessThan": "8acd9a0eaa8c9a28e385c0a6a56bb821cb549771",
              "status": "affected",
              "version": "403e5586b52e466893ce3a7b7f3a3ecdc4c82d3e",
              "versionType": "git"
            },
            {
              "lessThan": "433b99e922943efdfd62b9a8e3ad1604838181f2",
              "status": "affected",
              "version": "403e5586b52e466893ce3a7b7f3a3ecdc4c82d3e",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/iio/light/as73211.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.10"
            },
            {
              "lessThan": "5.10",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.241",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.190",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.149",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.103",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.44",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.16.*",
              "status": "unaffected",
              "version": "6.16.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.17",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.241",
                  "versionStartIncluding": "5.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.190",
                  "versionStartIncluding": "5.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.149",
                  "versionStartIncluding": "5.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.103",
                  "versionStartIncluding": "5.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.44",
                  "versionStartIncluding": "5.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16.4",
                  "versionStartIncluding": "5.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17",
                  "versionStartIncluding": "5.10",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\niio: light: as73211: Ensure buffer holes are zeroed\n\nGiven that the buffer is copied to a kfifo that ultimately user space\ncan read, ensure we zero it."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T21:34:18.962Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/fd441fd972067f80861a0b66605c0febb0d038dd"
        },
        {
          "url": "https://git.kernel.org/stable/c/d8c5d87a431596e0e02bd7fe3bff952b002a03bb"
        },
        {
          "url": "https://git.kernel.org/stable/c/83f14c4ca1ad78fcfb3e0de07d6d8a0c59550fc2"
        },
        {
          "url": "https://git.kernel.org/stable/c/99b508340d0d1b9de0856c48c77898b14c0df7cf"
        },
        {
          "url": "https://git.kernel.org/stable/c/cce55ca4e7a221d5eb2c0b757a868eacd6344e4a"
        },
        {
          "url": "https://git.kernel.org/stable/c/8acd9a0eaa8c9a28e385c0a6a56bb821cb549771"
        },
        {
          "url": "https://git.kernel.org/stable/c/433b99e922943efdfd62b9a8e3ad1604838181f2"
        }
      ],
      "title": "iio: light: as73211: Ensure buffer holes are zeroed",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-39687",
    "datePublished": "2025-09-05T17:20:54.154Z",
    "dateReserved": "2025-04-16T07:20:57.113Z",
    "dateUpdated": "2026-05-12T12:06:14.761Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-39689 (GCVE-0-2025-39689)

Vulnerability from cvelistv5 – Published: 2025-09-05 17:20 – Updated: 2026-05-12 12:06

Title

ftrace: Also allocate and copy hash for reading of filter files

Summary

In the Linux kernel, the following vulnerability has been resolved: ftrace: Also allocate and copy hash for reading of filter files Currently the reader of set_ftrace_filter and set_ftrace_notrace just adds the pointer to the global tracer hash to its iterator. Unlike the writer that allocates a copy of the hash, the reader keeps the pointer to the filter hashes. This is problematic because this pointer is static across function calls that release the locks that can update the global tracer hashes. This can cause UAF and similar bugs. Allocate and copy the hash for reading the filter files like it is done for the writers. This not only fixes UAF bugs, but also makes the code a bit simpler as it doesn't have to differentiate when to free the iterator's hash between writers and readers.

Severity

No CVSS data available.

Assigner

Linux

References

12 references

URL	Tags
https://git.kernel.org/stable/c/12064e1880fc9202b…
https://git.kernel.org/stable/c/c4cd93811e038d19f…
https://git.kernel.org/stable/c/e0b6b223167e1edde…
https://git.kernel.org/stable/c/a40c69f4f1ed96acb…
https://git.kernel.org/stable/c/3b114a3282ab1a12c…
https://git.kernel.org/stable/c/c591ba1acd081d498…
https://git.kernel.org/stable/c/64db338140d2bad99…
https://git.kernel.org/stable/c/bfb336cf97df7b37b…
https://lists.debian.org/debian-lts-announce/2025…
https://lists.debian.org/debian-lts-announce/2025…
https://cert-portal.siemens.com/productcert/html/…
https://cert-portal.siemens.com/productcert/html/…

Impacted products

6 products

Vendor	Product	Version
Linux	Linux	Affected: c20489dad156dd9919ebd854bbace46dbd2576a3 , < 12064e1880fc9202be75ff668205b1703d92f74f (git) Affected: c20489dad156dd9919ebd854bbace46dbd2576a3 , < c4cd93811e038d19f961985735ef7bb128078dfb (git) Affected: c20489dad156dd9919ebd854bbace46dbd2576a3 , < e0b6b223167e1edde5c82edf38e393c06eda1f13 (git) Affected: c20489dad156dd9919ebd854bbace46dbd2576a3 , < a40c69f4f1ed96acbcd62e9b5ff3a596f0a91309 (git) Affected: c20489dad156dd9919ebd854bbace46dbd2576a3 , < 3b114a3282ab1a12cb4618a8f45db5d7185e784a (git) Affected: c20489dad156dd9919ebd854bbace46dbd2576a3 , < c591ba1acd081d4980713e47869dd1cc3d963d19 (git) Affected: c20489dad156dd9919ebd854bbace46dbd2576a3 , < 64db338140d2bad99a0a8c6a118dd60b3e1fb8cb (git) Affected: c20489dad156dd9919ebd854bbace46dbd2576a3 , < bfb336cf97df7b37b2b2edec0f69773e06d11955 (git)
Linux	Linux	Affected: 4.12 Unaffected: 0 , < 4.12 (semver) Unaffected: 5.4.297 , ≤ 5.4.* (semver) Unaffected: 5.10.241 , ≤ 5.10.* (semver) Unaffected: 5.15.190 , ≤ 5.15.* (semver) Unaffected: 6.1.149 , ≤ 6.1.* (semver) Unaffected: 6.6.103 , ≤ 6.6.* (semver) Unaffected: 6.12.44 , ≤ 6.12.* (semver) Unaffected: 6.16.4 , ≤ 6.16.* (semver) Unaffected: 6.17 , ≤ * (original_commit_for_fix)
Siemens	SIMATIC CN 4100	Affected: 0 , < V5.0 (custom)
Siemens	SIMATIC S7-1500 CPU 1518-4 PN/DP MFP	Affected: V3.1.5 , < * (custom)
Siemens	SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP	Affected: V3.1.5 , < * (custom)
Siemens	SIPLUS S7-1500 CPU 1518-4 PN/DP MFP	Affected: V3.1.5 , < * (custom)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:42:22.147Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "affected": [
          {
            "defaultStatus": "unknown",
            "product": "SIMATIC CN 4100",
            "vendor": "Siemens",
            "versions": [
              {
                "lessThan": "V5.0",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          },
          {
            "defaultStatus": "unknown",
            "product": "SIMATIC S7-1500 CPU 1518-4 PN/DP MFP",
            "vendor": "Siemens",
            "versions": [
              {
                "lessThan": "*",
                "status": "affected",
                "version": "V3.1.5",
                "versionType": "custom"
              }
            ]
          },
          {
            "defaultStatus": "unknown",
            "product": "SIMATIC S7-1500 CPU 1518-4 PN/DP MFP",
            "vendor": "Siemens",
            "versions": [
              {
                "lessThan": "*",
                "status": "affected",
                "version": "V3.1.5",
                "versionType": "custom"
              }
            ]
          },
          {
            "defaultStatus": "unknown",
            "product": "SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP",
            "vendor": "Siemens",
            "versions": [
              {
                "lessThan": "*",
                "status": "affected",
                "version": "V3.1.5",
                "versionType": "custom"
              }
            ]
          },
          {
            "defaultStatus": "unknown",
            "product": "SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP",
            "vendor": "Siemens",
            "versions": [
              {
                "lessThan": "*",
                "status": "affected",
                "version": "V3.1.5",
                "versionType": "custom"
              }
            ]
          },
          {
            "defaultStatus": "unknown",
            "product": "SIPLUS S7-1500 CPU 1518-4 PN/DP MFP",
            "vendor": "Siemens",
            "versions": [
              {
                "lessThan": "*",
                "status": "affected",
                "version": "V3.1.5",
                "versionType": "custom"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-12T12:06:16.080Z",
          "orgId": "0b142b55-0307-4c5a-b3c9-f314f3fb7c5e",
          "shortName": "siemens-SADP"
        },
        "references": [
          {
            "url": "https://cert-portal.siemens.com/productcert/html/ssa-082556.html"
          },
          {
            "url": "https://cert-portal.siemens.com/productcert/html/ssa-032379.html"
          }
        ],
        "x_adpType": "supplier"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "kernel/trace/ftrace.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "12064e1880fc9202be75ff668205b1703d92f74f",
              "status": "affected",
              "version": "c20489dad156dd9919ebd854bbace46dbd2576a3",
              "versionType": "git"
            },
            {
              "lessThan": "c4cd93811e038d19f961985735ef7bb128078dfb",
              "status": "affected",
              "version": "c20489dad156dd9919ebd854bbace46dbd2576a3",
              "versionType": "git"
            },
            {
              "lessThan": "e0b6b223167e1edde5c82edf38e393c06eda1f13",
              "status": "affected",
              "version": "c20489dad156dd9919ebd854bbace46dbd2576a3",
              "versionType": "git"
            },
            {
              "lessThan": "a40c69f4f1ed96acbcd62e9b5ff3a596f0a91309",
              "status": "affected",
              "version": "c20489dad156dd9919ebd854bbace46dbd2576a3",
              "versionType": "git"
            },
            {
              "lessThan": "3b114a3282ab1a12cb4618a8f45db5d7185e784a",
              "status": "affected",
              "version": "c20489dad156dd9919ebd854bbace46dbd2576a3",
              "versionType": "git"
            },
            {
              "lessThan": "c591ba1acd081d4980713e47869dd1cc3d963d19",
              "status": "affected",
              "version": "c20489dad156dd9919ebd854bbace46dbd2576a3",
              "versionType": "git"
            },
            {
              "lessThan": "64db338140d2bad99a0a8c6a118dd60b3e1fb8cb",
              "status": "affected",
              "version": "c20489dad156dd9919ebd854bbace46dbd2576a3",
              "versionType": "git"
            },
            {
              "lessThan": "bfb336cf97df7b37b2b2edec0f69773e06d11955",
              "status": "affected",
              "version": "c20489dad156dd9919ebd854bbace46dbd2576a3",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "kernel/trace/ftrace.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.12"
            },
            {
              "lessThan": "4.12",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.297",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.241",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.190",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.149",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.103",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.44",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.16.*",
              "status": "unaffected",
              "version": "6.16.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.17",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.297",
                  "versionStartIncluding": "4.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.241",
                  "versionStartIncluding": "4.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.190",
                  "versionStartIncluding": "4.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.149",
                  "versionStartIncluding": "4.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.103",
                  "versionStartIncluding": "4.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.44",
                  "versionStartIncluding": "4.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16.4",
                  "versionStartIncluding": "4.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17",
                  "versionStartIncluding": "4.12",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nftrace: Also allocate and copy hash for reading of filter files\n\nCurrently the reader of set_ftrace_filter and set_ftrace_notrace just adds\nthe pointer to the global tracer hash to its iterator. Unlike the writer\nthat allocates a copy of the hash, the reader keeps the pointer to the\nfilter hashes. This is problematic because this pointer is static across\nfunction calls that release the locks that can update the global tracer\nhashes. This can cause UAF and similar bugs.\n\nAllocate and copy the hash for reading the filter files like it is done\nfor the writers. This not only fixes UAF bugs, but also makes the code a\nbit simpler as it doesn\u0027t have to differentiate when to free the\niterator\u0027s hash between writers and readers."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T21:34:21.230Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/12064e1880fc9202be75ff668205b1703d92f74f"
        },
        {
          "url": "https://git.kernel.org/stable/c/c4cd93811e038d19f961985735ef7bb128078dfb"
        },
        {
          "url": "https://git.kernel.org/stable/c/e0b6b223167e1edde5c82edf38e393c06eda1f13"
        },
        {
          "url": "https://git.kernel.org/stable/c/a40c69f4f1ed96acbcd62e9b5ff3a596f0a91309"
        },
        {
          "url": "https://git.kernel.org/stable/c/3b114a3282ab1a12cb4618a8f45db5d7185e784a"
        },
        {
          "url": "https://git.kernel.org/stable/c/c591ba1acd081d4980713e47869dd1cc3d963d19"
        },
        {
          "url": "https://git.kernel.org/stable/c/64db338140d2bad99a0a8c6a118dd60b3e1fb8cb"
        },
        {
          "url": "https://git.kernel.org/stable/c/bfb336cf97df7b37b2b2edec0f69773e06d11955"
        }
      ],
      "title": "ftrace: Also allocate and copy hash for reading of filter files",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-39689",
    "datePublished": "2025-09-05T17:20:55.270Z",
    "dateReserved": "2025-04-16T07:20:57.113Z",
    "dateUpdated": "2026-05-12T12:06:16.080Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-39691 (GCVE-0-2025-39691)

Vulnerability from cvelistv5 – Published: 2025-09-05 17:20 – Updated: 2026-05-12 12:06

Title

fs/buffer: fix use-after-free when call bh_read() helper

Summary

In the Linux kernel, the following vulnerability has been resolved: fs/buffer: fix use-after-free when call bh_read() helper There's issue as follows: BUG: KASAN: stack-out-of-bounds in end_buffer_read_sync+0xe3/0x110 Read of size 8 at addr ffffc9000168f7f8 by task swapper/3/0 CPU: 3 UID: 0 PID: 0 Comm: swapper/3 Not tainted 6.16.0-862.14.0.6.x86_64 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996) Call Trace: <IRQ> dump_stack_lvl+0x55/0x70 print_address_description.constprop.0+0x2c/0x390 print_report+0xb4/0x270 kasan_report+0xb8/0xf0 end_buffer_read_sync+0xe3/0x110 end_bio_bh_io_sync+0x56/0x80 blk_update_request+0x30a/0x720 scsi_end_request+0x51/0x2b0 scsi_io_completion+0xe3/0x480 ? scsi_device_unbusy+0x11e/0x160 blk_complete_reqs+0x7b/0x90 handle_softirqs+0xef/0x370 irq_exit_rcu+0xa5/0xd0 sysvec_apic_timer_interrupt+0x6e/0x90 </IRQ> Above issue happens when do ntfs3 filesystem mount, issue may happens as follows: mount IRQ ntfs_fill_super read_cache_page do_read_cache_folio filemap_read_folio mpage_read_folio do_mpage_readpage ntfs_get_block_vbo bh_read submit_bh wait_on_buffer(bh); blk_complete_reqs scsi_io_completion scsi_end_request blk_update_request end_bio_bh_io_sync end_buffer_read_sync __end_buffer_read_notouch unlock_buffer wait_on_buffer(bh);--> return will return to caller put_bh --> trigger stack-out-of-bounds In the mpage_read_folio() function, the stack variable 'map_bh' is passed to ntfs_get_block_vbo(). Once unlock_buffer() unlocks and wait_on_buffer() returns to continue processing, the stack variable is likely to be reclaimed. Consequently, during the end_buffer_read_sync() process, calling put_bh() may result in stack overrun. If the bh is not allocated on the stack, it belongs to a folio. Freeing a buffer head which belongs to a folio is done by drop_buffers() which will fail to free buffers which are still locked. So it is safe to call put_bh() before __end_buffer_read_notouch().

Severity

No CVSS data available.

Assigner

Linux

References

11 references

URL	Tags
https://git.kernel.org/stable/c/70a09115da586bf66…
https://git.kernel.org/stable/c/3169edb8945c295cf…
https://git.kernel.org/stable/c/03b40bf5d0389ca23…
https://git.kernel.org/stable/c/c58c6b532b7b69537…
https://git.kernel.org/stable/c/c5aa6ba1127307ab5…
https://git.kernel.org/stable/c/042cf48ecf67f72c8…
https://git.kernel.org/stable/c/90b5193edb323fefb…
https://git.kernel.org/stable/c/7375f22495e7cd1c5…
https://lists.debian.org/debian-lts-announce/2025…
https://lists.debian.org/debian-lts-announce/2025…
https://cert-portal.siemens.com/productcert/html/…

Impacted products

3 products

Vendor	Product	Version
Linux	Linux	Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 70a09115da586bf662c3bae9c0c4a1b99251fad9 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 3169edb8945c295cf89120fc6b2c35cfe3ad4c9e (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 03b40bf5d0389ca23ae6857ee25789f0e0b47ce8 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < c58c6b532b7b69537cfd9ef701c7e37cdcf79dc4 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < c5aa6ba1127307ab5dc3773eaf40d73a3423841f (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 042cf48ecf67f72c8b3846c7fac678f472712ff3 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 90b5193edb323fefbee0e4e5bc39ed89dcc37719 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 7375f22495e7cd1c5b3b5af9dcc4f6dffe34ce49 (git)
Linux	Linux	Affected: 2.6.12 Unaffected: 0 , < 2.6.12 (semver) Unaffected: 5.4.297 , ≤ 5.4.* (semver) Unaffected: 5.10.241 , ≤ 5.10.* (semver) Unaffected: 5.15.190 , ≤ 5.15.* (semver) Unaffected: 6.1.149 , ≤ 6.1.* (semver) Unaffected: 6.6.103 , ≤ 6.6.* (semver) Unaffected: 6.12.44 , ≤ 6.12.* (semver) Unaffected: 6.16.4 , ≤ 6.16.* (semver) Unaffected: 6.17 , ≤ * (original_commit_for_fix)
Siemens	SIMATIC CN 4100	Affected: 0 , < V5.0 (custom)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:42:24.033Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "affected": [
          {
            "defaultStatus": "unknown",
            "product": "SIMATIC CN 4100",
            "vendor": "Siemens",
            "versions": [
              {
                "lessThan": "V5.0",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-12T12:06:17.245Z",
          "orgId": "0b142b55-0307-4c5a-b3c9-f314f3fb7c5e",
          "shortName": "siemens-SADP"
        },
        "references": [
          {
            "url": "https://cert-portal.siemens.com/productcert/html/ssa-032379.html"
          }
        ],
        "x_adpType": "supplier"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/buffer.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "70a09115da586bf662c3bae9c0c4a1b99251fad9",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "3169edb8945c295cf89120fc6b2c35cfe3ad4c9e",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "03b40bf5d0389ca23ae6857ee25789f0e0b47ce8",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "c58c6b532b7b69537cfd9ef701c7e37cdcf79dc4",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "c5aa6ba1127307ab5dc3773eaf40d73a3423841f",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "042cf48ecf67f72c8b3846c7fac678f472712ff3",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "90b5193edb323fefbee0e4e5bc39ed89dcc37719",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "7375f22495e7cd1c5b3b5af9dcc4f6dffe34ce49",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/buffer.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.12"
            },
            {
              "lessThan": "2.6.12",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.297",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.241",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.190",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.149",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.103",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.44",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.16.*",
              "status": "unaffected",
              "version": "6.16.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.17",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.297",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.241",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.190",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.149",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.103",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.44",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16.4",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/buffer: fix use-after-free when call bh_read() helper\n\nThere\u0027s issue as follows:\nBUG: KASAN: stack-out-of-bounds in end_buffer_read_sync+0xe3/0x110\nRead of size 8 at addr ffffc9000168f7f8 by task swapper/3/0\nCPU: 3 UID: 0 PID: 0 Comm: swapper/3 Not tainted 6.16.0-862.14.0.6.x86_64\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996)\nCall Trace:\n \u003cIRQ\u003e\n dump_stack_lvl+0x55/0x70\n print_address_description.constprop.0+0x2c/0x390\n print_report+0xb4/0x270\n kasan_report+0xb8/0xf0\n end_buffer_read_sync+0xe3/0x110\n end_bio_bh_io_sync+0x56/0x80\n blk_update_request+0x30a/0x720\n scsi_end_request+0x51/0x2b0\n scsi_io_completion+0xe3/0x480\n ? scsi_device_unbusy+0x11e/0x160\n blk_complete_reqs+0x7b/0x90\n handle_softirqs+0xef/0x370\n irq_exit_rcu+0xa5/0xd0\n sysvec_apic_timer_interrupt+0x6e/0x90\n \u003c/IRQ\u003e\n\n Above issue happens when do ntfs3 filesystem mount, issue may happens\n as follows:\n           mount                            IRQ\nntfs_fill_super\n  read_cache_page\n    do_read_cache_folio\n      filemap_read_folio\n        mpage_read_folio\n\t do_mpage_readpage\n\t  ntfs_get_block_vbo\n\t   bh_read\n\t     submit_bh\n\t     wait_on_buffer(bh);\n\t                            blk_complete_reqs\n\t\t\t\t     scsi_io_completion\n\t\t\t\t      scsi_end_request\n\t\t\t\t       blk_update_request\n\t\t\t\t        end_bio_bh_io_sync\n\t\t\t\t\t end_buffer_read_sync\n\t\t\t\t\t  __end_buffer_read_notouch\n\t\t\t\t\t   unlock_buffer\n\n            wait_on_buffer(bh);--\u003e return will return to caller\n\n\t\t\t\t\t  put_bh\n\t\t\t\t\t    --\u003e trigger stack-out-of-bounds\nIn the mpage_read_folio() function, the stack variable \u0027map_bh\u0027 is\npassed to ntfs_get_block_vbo(). Once unlock_buffer() unlocks and\nwait_on_buffer() returns to continue processing, the stack variable\nis likely to be reclaimed. Consequently, during the end_buffer_read_sync()\nprocess, calling put_bh() may result in stack overrun.\n\nIf the bh is not allocated on the stack, it belongs to a folio.  Freeing\na buffer head which belongs to a folio is done by drop_buffers() which\nwill fail to free buffers which are still locked.  So it is safe to call\nput_bh() before __end_buffer_read_notouch()."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T21:34:23.624Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/70a09115da586bf662c3bae9c0c4a1b99251fad9"
        },
        {
          "url": "https://git.kernel.org/stable/c/3169edb8945c295cf89120fc6b2c35cfe3ad4c9e"
        },
        {
          "url": "https://git.kernel.org/stable/c/03b40bf5d0389ca23ae6857ee25789f0e0b47ce8"
        },
        {
          "url": "https://git.kernel.org/stable/c/c58c6b532b7b69537cfd9ef701c7e37cdcf79dc4"
        },
        {
          "url": "https://git.kernel.org/stable/c/c5aa6ba1127307ab5dc3773eaf40d73a3423841f"
        },
        {
          "url": "https://git.kernel.org/stable/c/042cf48ecf67f72c8b3846c7fac678f472712ff3"
        },
        {
          "url": "https://git.kernel.org/stable/c/90b5193edb323fefbee0e4e5bc39ed89dcc37719"
        },
        {
          "url": "https://git.kernel.org/stable/c/7375f22495e7cd1c5b3b5af9dcc4f6dffe34ce49"
        }
      ],
      "title": "fs/buffer: fix use-after-free when call bh_read() helper",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-39691",
    "datePublished": "2025-09-05T17:20:57.247Z",
    "dateReserved": "2025-04-16T07:20:57.113Z",
    "dateUpdated": "2026-05-12T12:06:17.245Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-39692 (GCVE-0-2025-39692)

Vulnerability from cvelistv5 – Published: 2025-09-05 17:20 – Updated: 2026-05-12 12:06

Title

smb: server: split ksmbd_rdma_stop_listening() out of ksmbd_rdma_destroy()

Summary

In the Linux kernel, the following vulnerability has been resolved: smb: server: split ksmbd_rdma_stop_listening() out of ksmbd_rdma_destroy() We can't call destroy_workqueue(smb_direct_wq); before stop_sessions()! Otherwise already existing connections try to use smb_direct_wq as a NULL pointer.

Severity

No CVSS data available.

Assigner

Linux

References

7 references

URL	Tags
https://git.kernel.org/stable/c/524e90e58a267dad1…
https://git.kernel.org/stable/c/212eb86f75b4d7b82…
https://git.kernel.org/stable/c/003e6a3150299f681…
https://git.kernel.org/stable/c/e41e3340051670242…
https://git.kernel.org/stable/c/bac7b996d42e458a9…
https://lists.debian.org/debian-lts-announce/2025…
https://cert-portal.siemens.com/productcert/html/…

Impacted products

3 products

Vendor	Product	Version
Linux	Linux	Affected: 0626e6641f6b467447c81dd7678a69c66f7746cf , < 524e90e58a267dad11e23351d9e4b1f941490976 (git) Affected: 0626e6641f6b467447c81dd7678a69c66f7746cf , < 212eb86f75b4d7b82f3d94aed95ba61103bccb93 (git) Affected: 0626e6641f6b467447c81dd7678a69c66f7746cf , < 003e6a3150299f681f34cb189aa068018cef6a45 (git) Affected: 0626e6641f6b467447c81dd7678a69c66f7746cf , < e41e33400516702427603f8fbbec43c91ede09c0 (git) Affected: 0626e6641f6b467447c81dd7678a69c66f7746cf , < bac7b996d42e458a94578f4227795a0d4deef6fa (git)
Linux	Linux	Affected: 5.15 Unaffected: 0 , < 5.15 (semver) Unaffected: 6.1.149 , ≤ 6.1.* (semver) Unaffected: 6.6.103 , ≤ 6.6.* (semver) Unaffected: 6.12.44 , ≤ 6.12.* (semver) Unaffected: 6.16.4 , ≤ 6.16.* (semver) Unaffected: 6.17 , ≤ * (original_commit_for_fix)
Siemens	SIMATIC CN 4100	Affected: 0 , < V5.0 (custom)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:42:24.966Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "affected": [
          {
            "defaultStatus": "unknown",
            "product": "SIMATIC CN 4100",
            "vendor": "Siemens",
            "versions": [
              {
                "lessThan": "V5.0",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-12T12:06:18.465Z",
          "orgId": "0b142b55-0307-4c5a-b3c9-f314f3fb7c5e",
          "shortName": "siemens-SADP"
        },
        "references": [
          {
            "url": "https://cert-portal.siemens.com/productcert/html/ssa-032379.html"
          }
        ],
        "x_adpType": "supplier"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/smb/server/connection.c",
            "fs/smb/server/transport_rdma.c",
            "fs/smb/server/transport_rdma.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "524e90e58a267dad11e23351d9e4b1f941490976",
              "status": "affected",
              "version": "0626e6641f6b467447c81dd7678a69c66f7746cf",
              "versionType": "git"
            },
            {
              "lessThan": "212eb86f75b4d7b82f3d94aed95ba61103bccb93",
              "status": "affected",
              "version": "0626e6641f6b467447c81dd7678a69c66f7746cf",
              "versionType": "git"
            },
            {
              "lessThan": "003e6a3150299f681f34cb189aa068018cef6a45",
              "status": "affected",
              "version": "0626e6641f6b467447c81dd7678a69c66f7746cf",
              "versionType": "git"
            },
            {
              "lessThan": "e41e33400516702427603f8fbbec43c91ede09c0",
              "status": "affected",
              "version": "0626e6641f6b467447c81dd7678a69c66f7746cf",
              "versionType": "git"
            },
            {
              "lessThan": "bac7b996d42e458a94578f4227795a0d4deef6fa",
              "status": "affected",
              "version": "0626e6641f6b467447c81dd7678a69c66f7746cf",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/smb/server/connection.c",
            "fs/smb/server/transport_rdma.c",
            "fs/smb/server/transport_rdma.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.15"
            },
            {
              "lessThan": "5.15",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.149",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.103",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.44",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.16.*",
              "status": "unaffected",
              "version": "6.16.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.17",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.149",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.103",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.44",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16.4",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: server: split ksmbd_rdma_stop_listening() out of ksmbd_rdma_destroy()\n\nWe can\u0027t call destroy_workqueue(smb_direct_wq); before stop_sessions()!\n\nOtherwise already existing connections try to use smb_direct_wq as\na NULL pointer."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T21:34:24.815Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/524e90e58a267dad11e23351d9e4b1f941490976"
        },
        {
          "url": "https://git.kernel.org/stable/c/212eb86f75b4d7b82f3d94aed95ba61103bccb93"
        },
        {
          "url": "https://git.kernel.org/stable/c/003e6a3150299f681f34cb189aa068018cef6a45"
        },
        {
          "url": "https://git.kernel.org/stable/c/e41e33400516702427603f8fbbec43c91ede09c0"
        },
        {
          "url": "https://git.kernel.org/stable/c/bac7b996d42e458a94578f4227795a0d4deef6fa"
        }
      ],
      "title": "smb: server: split ksmbd_rdma_stop_listening() out of ksmbd_rdma_destroy()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-39692",
    "datePublished": "2025-09-05T17:20:58.349Z",
    "dateReserved": "2025-04-16T07:20:57.114Z",
    "dateUpdated": "2026-05-12T12:06:18.465Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CERTFR-2025-AVI-0825

Solutions

CVE-2025-39681 (GCVE-0-2025-39681)

CVE-2025-39682 (GCVE-0-2025-39682)

CVE-2025-39683 (GCVE-0-2025-39683)

CVE-2025-39684 (GCVE-0-2025-39684)

CVE-2025-39685 (GCVE-0-2025-39685)

CVE-2025-39686 (GCVE-0-2025-39686)

CVE-2025-39687 (GCVE-0-2025-39687)

CVE-2025-39689 (GCVE-0-2025-39689)

CVE-2025-39691 (GCVE-0-2025-39691)

CVE-2025-39692 (GCVE-0-2025-39692)

Tags

Sightings

Nomenclature