Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CERTFR-2025-AVI-0892
Vulnerability from certfr_avis - Published: 2025-10-17 - Updated: 2025-10-17
De multiples vulnérabilités ont été découvertes dans le noyau Linux d'Ubuntu. Certaines d'entre elles permettent à un attaquant de provoquer une atteinte à la confidentialité des données, une atteinte à l'intégrité des données et un contournement de la politique de sécurité.
Solutions
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
Impacted products
References
| Title | Publication Time | Tags | |||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Ubuntu 20.04 ESM",
"product": {
"name": "Ubuntu",
"vendor": {
"name": "Ubuntu",
"scada": false
}
}
},
{
"description": "Ubuntu 24.04 LTS",
"product": {
"name": "Ubuntu",
"vendor": {
"name": "Ubuntu",
"scada": false
}
}
},
{
"description": "Ubuntu 25.04",
"product": {
"name": "Ubuntu",
"vendor": {
"name": "Ubuntu",
"scada": false
}
}
},
{
"description": "Ubuntu 18.04 ESM",
"product": {
"name": "Ubuntu",
"vendor": {
"name": "Ubuntu",
"scada": false
}
}
},
{
"description": "Ubuntu 22.04 LTS",
"product": {
"name": "Ubuntu",
"vendor": {
"name": "Ubuntu",
"scada": false
}
}
}
],
"affected_systems_content": "",
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [
{
"name": "CVE-2025-22003",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22003"
},
{
"name": "CVE-2025-21975",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21975"
},
{
"name": "CVE-2025-21980",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21980"
},
{
"name": "CVE-2025-21889",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21889"
},
{
"name": "CVE-2025-21937",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21937"
},
{
"name": "CVE-2025-22017",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22017"
},
{
"name": "CVE-2025-21881",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21881"
},
{
"name": "CVE-2025-21951",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21951"
},
{
"name": "CVE-2025-21941",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21941"
},
{
"name": "CVE-2025-21872",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21872"
},
{
"name": "CVE-2025-21922",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21922"
},
{
"name": "CVE-2025-21796",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21796"
},
{
"name": "CVE-2024-49950",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-49950"
},
{
"name": "CVE-2024-35849",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-35849"
},
{
"name": "CVE-2025-22009",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22009"
},
{
"name": "CVE-2025-21904",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21904"
},
{
"name": "CVE-2025-22004",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22004"
},
{
"name": "CVE-2025-21929",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21929"
},
{
"name": "CVE-2025-38500",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38500"
},
{
"name": "CVE-2025-21977",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21977"
},
{
"name": "CVE-2025-21918",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21918"
},
{
"name": "CVE-2025-21948",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21948"
},
{
"name": "CVE-2025-21914",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21914"
},
{
"name": "CVE-2025-21995",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21995"
},
{
"name": "CVE-2025-21915",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21915"
},
{
"name": "CVE-2024-58090",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-58090"
},
{
"name": "CVE-2025-21972",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21972"
},
{
"name": "CVE-2025-21986",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21986"
},
{
"name": "CVE-2025-21961",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21961"
},
{
"name": "CVE-2024-57996",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-57996"
},
{
"name": "CVE-2025-21946",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21946"
},
{
"name": "CVE-2025-21982",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21982"
},
{
"name": "CVE-2025-21936",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21936"
},
{
"name": "CVE-2025-21909",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21909"
},
{
"name": "CVE-2025-21880",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21880"
},
{
"name": "CVE-2025-21959",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21959"
},
{
"name": "CVE-2025-37889",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-37889"
},
{
"name": "CVE-2025-21981",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21981"
},
{
"name": "CVE-2025-21910",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21910"
},
{
"name": "CVE-2025-22014",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22014"
},
{
"name": "CVE-2025-21911",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21911"
},
{
"name": "CVE-2025-21996",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21996"
},
{
"name": "CVE-2025-37785",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-37785"
},
{
"name": "CVE-2025-21917",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21917"
},
{
"name": "CVE-2025-21957",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21957"
},
{
"name": "CVE-2025-21999",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21999"
},
{
"name": "CVE-2025-21997",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21997"
},
{
"name": "CVE-2025-21992",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21992"
},
{
"name": "CVE-2025-21978",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21978"
},
{
"name": "CVE-2025-21947",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21947"
},
{
"name": "CVE-2025-21913",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21913"
},
{
"name": "CVE-2025-21966",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21966"
},
{
"name": "CVE-2025-21970",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21970"
},
{
"name": "CVE-2025-21890",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21890"
},
{
"name": "CVE-2025-21916",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21916"
},
{
"name": "CVE-2025-21925",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21925"
},
{
"name": "CVE-2025-21927",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21927"
},
{
"name": "CVE-2025-21883",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21883"
},
{
"name": "CVE-2025-21898",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21898"
},
{
"name": "CVE-2025-37797",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-37797"
},
{
"name": "CVE-2025-21908",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21908"
},
{
"name": "CVE-2024-49924",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-49924"
},
{
"name": "CVE-2025-21895",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21895"
},
{
"name": "CVE-2025-22005",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22005"
},
{
"name": "CVE-2025-21935",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21935"
},
{
"name": "CVE-2025-21888",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21888"
},
{
"name": "CVE-2025-22010",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22010"
},
{
"name": "CVE-2025-21976",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21976"
},
{
"name": "CVE-2025-21950",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21950"
},
{
"name": "CVE-2025-22001",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22001"
},
{
"name": "CVE-2025-21899",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21899"
},
{
"name": "CVE-2025-21994",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21994"
},
{
"name": "CVE-2025-21928",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21928"
},
{
"name": "CVE-2025-22007",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22007"
},
{
"name": "CVE-2025-21934",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21934"
},
{
"name": "CVE-2025-22011",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22011"
},
{
"name": "CVE-2025-38617",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38617"
},
{
"name": "CVE-2025-38083",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38083"
},
{
"name": "CVE-2025-21912",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21912"
},
{
"name": "CVE-2025-21903",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21903"
},
{
"name": "CVE-2025-21956",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21956"
},
{
"name": "CVE-2025-21885",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21885"
},
{
"name": "CVE-2025-21877",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21877"
},
{
"name": "CVE-2025-38244",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38244"
},
{
"name": "CVE-2025-21878",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21878"
},
{
"name": "CVE-2025-37752",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-37752"
},
{
"name": "CVE-2025-21873",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21873"
},
{
"name": "CVE-2025-38477",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38477"
},
{
"name": "CVE-2025-38683",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38683"
},
{
"name": "CVE-2025-21926",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21926"
},
{
"name": "CVE-2025-21930",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21930"
},
{
"name": "CVE-2025-21892",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21892"
},
{
"name": "CVE-2025-21944",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21944"
},
{
"name": "CVE-2025-21905",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21905"
},
{
"name": "CVE-2024-38541",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-38541"
},
{
"name": "CVE-2025-21920",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21920"
},
{
"name": "CVE-2025-22016",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22016"
},
{
"name": "CVE-2025-37756",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-37756"
},
{
"name": "CVE-2025-21955",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21955"
},
{
"name": "CVE-2025-38618",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38618"
},
{
"name": "CVE-2025-21891",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21891"
},
{
"name": "CVE-2025-22013",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22013"
},
{
"name": "CVE-2025-21979",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21979"
},
{
"name": "CVE-2025-21963",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21963"
},
{
"name": "CVE-2025-38350",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38350"
},
{
"name": "CVE-2025-21960",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21960"
},
{
"name": "CVE-2025-21967",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21967"
},
{
"name": "CVE-2024-50073",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-50073"
},
{
"name": "CVE-2025-21945",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21945"
},
{
"name": "CVE-2025-22008",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22008"
},
{
"name": "CVE-2025-21969",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21969"
},
{
"name": "CVE-2025-21894",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21894"
},
{
"name": "CVE-2025-21919",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21919"
},
{
"name": "CVE-2023-52757",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-52757"
},
{
"name": "CVE-2023-52975",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-52975"
},
{
"name": "CVE-2025-21968",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21968"
},
{
"name": "CVE-2025-21991",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21991"
},
{
"name": "CVE-2025-21875",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21875"
},
{
"name": "CVE-2025-22015",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22015"
},
{
"name": "CVE-2025-21962",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21962"
},
{
"name": "CVE-2025-21924",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21924"
},
{
"name": "CVE-2025-21964",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21964"
}
],
"initial_release_date": "2025-10-17T00:00:00",
"last_revision_date": "2025-10-17T00:00:00",
"links": [],
"reference": "CERTFR-2025-AVI-0892",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2025-10-17T00:00:00.000000"
}
],
"risks": [
{
"description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
},
{
"description": "Non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur"
},
{
"description": "D\u00e9ni de service"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans le noyau Linux d\u0027Ubuntu. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer une atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es, une atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es et un contournement de la politique de s\u00e9curit\u00e9.",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans le noyau Linux d\u0027Ubuntu",
"vendor_advisories": [
{
"published_at": "2025-10-13",
"title": "Bulletin de s\u00e9curit\u00e9 Ubuntu USN-7820-1",
"url": "https://ubuntu.com/security/notices/USN-7820-1"
},
{
"published_at": "2025-10-13",
"title": "Bulletin de s\u00e9curit\u00e9 Ubuntu USN-7819-1",
"url": "https://ubuntu.com/security/notices/USN-7819-1"
},
{
"published_at": "2025-10-14",
"title": "Bulletin de s\u00e9curit\u00e9 Ubuntu USN-7821-1",
"url": "https://ubuntu.com/security/notices/USN-7821-1"
},
{
"published_at": "2025-10-15",
"title": "Bulletin de s\u00e9curit\u00e9 Ubuntu USN-7801-3",
"url": "https://ubuntu.com/security/notices/USN-7801-3"
},
{
"published_at": "2025-10-14",
"title": "Bulletin de s\u00e9curit\u00e9 Ubuntu USN-7810-2",
"url": "https://ubuntu.com/security/notices/USN-7810-2"
},
{
"published_at": "2025-10-14",
"title": "Bulletin de s\u00e9curit\u00e9 Ubuntu USN-7810-3",
"url": "https://ubuntu.com/security/notices/USN-7810-3"
},
{
"published_at": "2025-10-13",
"title": "Bulletin de s\u00e9curit\u00e9 Ubuntu USN-7796-4",
"url": "https://ubuntu.com/security/notices/USN-7796-4"
},
{
"published_at": "2025-10-14",
"title": "Bulletin de s\u00e9curit\u00e9 Ubuntu USN-7808-2",
"url": "https://ubuntu.com/security/notices/USN-7808-2"
},
{
"published_at": "2025-10-14",
"title": "Bulletin de s\u00e9curit\u00e9 Ubuntu USN-7791-4",
"url": "https://ubuntu.com/security/notices/USN-7791-4"
}
]
}
CVE-2025-21947 (GCVE-0-2025-21947)
Vulnerability from cvelistv5 – Published: 2025-04-01 15:41 – Updated: 2026-05-11 21:09
VLAI
EPSS
Title
ksmbd: fix type confusion via race condition when using ipc_msg_send_request
Summary
In the Linux kernel, the following vulnerability has been resolved:
ksmbd: fix type confusion via race condition when using ipc_msg_send_request
req->handle is allocated using ksmbd_acquire_id(&ipc_ida), based on
ida_alloc. req->handle from ksmbd_ipc_login_request and
FSCTL_PIPE_TRANSCEIVE ioctl can be same and it could lead to type confusion
between messages, resulting in access to unexpected parts of memory after
an incorrect delivery. ksmbd check type of ipc response but missing add
continue to check next ipc reponse.
Severity
8.1 (High)
4.7 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
Assigner
References
6 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
0626e6641f6b467447c81dd7678a69c66f7746cf , < 6321bbda4244b93802d61cfe0887883aae322f4b
(git)
Affected: 0626e6641f6b467447c81dd7678a69c66f7746cf , < 76861630b29e51373e73e7b00ad0d467b6941162 (git) Affected: 0626e6641f6b467447c81dd7678a69c66f7746cf , < 3cb2b2e41541fe6f9cc55ca22d4c0bd260498aea (git) Affected: 0626e6641f6b467447c81dd7678a69c66f7746cf , < 1e8833c03a38e1d5d5df6484e3f670a2fd38fb76 (git) Affected: 0626e6641f6b467447c81dd7678a69c66f7746cf , < e2ff19f0b7a30e03516e6eb73b948e27a55bc9d2 (git) |
|
| Linux | Linux |
Affected:
5.15
Unaffected: 0 , < 5.15 (semver) Unaffected: 6.1.131 , ≤ 6.1.* (semver) Unaffected: 6.6.83 , ≤ 6.6.* (semver) Unaffected: 6.12.19 , ≤ 6.12.* (semver) Unaffected: 6.13.7 , ≤ 6.13.* (semver) Unaffected: 6.14 , ≤ * (original_commit_for_fix) |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-21947",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T17:17:27.196137Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-362",
"description": "CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T17:17:30.833Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:39:47.370Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/smb/server/transport_ipc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6321bbda4244b93802d61cfe0887883aae322f4b",
"status": "affected",
"version": "0626e6641f6b467447c81dd7678a69c66f7746cf",
"versionType": "git"
},
{
"lessThan": "76861630b29e51373e73e7b00ad0d467b6941162",
"status": "affected",
"version": "0626e6641f6b467447c81dd7678a69c66f7746cf",
"versionType": "git"
},
{
"lessThan": "3cb2b2e41541fe6f9cc55ca22d4c0bd260498aea",
"status": "affected",
"version": "0626e6641f6b467447c81dd7678a69c66f7746cf",
"versionType": "git"
},
{
"lessThan": "1e8833c03a38e1d5d5df6484e3f670a2fd38fb76",
"status": "affected",
"version": "0626e6641f6b467447c81dd7678a69c66f7746cf",
"versionType": "git"
},
{
"lessThan": "e2ff19f0b7a30e03516e6eb73b948e27a55bc9d2",
"status": "affected",
"version": "0626e6641f6b467447c81dd7678a69c66f7746cf",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/smb/server/transport_ipc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.15"
},
{
"lessThan": "5.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.131",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.83",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.14",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.131",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.83",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.19",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.7",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14",
"versionStartIncluding": "5.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix type confusion via race condition when using ipc_msg_send_request\n\nreq-\u003ehandle is allocated using ksmbd_acquire_id(\u0026ipc_ida), based on\nida_alloc. req-\u003ehandle from ksmbd_ipc_login_request and\nFSCTL_PIPE_TRANSCEIVE ioctl can be same and it could lead to type confusion\nbetween messages, resulting in access to unexpected parts of memory after\nan incorrect delivery. ksmbd check type of ipc response but missing add\ncontinue to check next ipc reponse."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:09:37.188Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/6321bbda4244b93802d61cfe0887883aae322f4b"
},
{
"url": "https://git.kernel.org/stable/c/76861630b29e51373e73e7b00ad0d467b6941162"
},
{
"url": "https://git.kernel.org/stable/c/3cb2b2e41541fe6f9cc55ca22d4c0bd260498aea"
},
{
"url": "https://git.kernel.org/stable/c/1e8833c03a38e1d5d5df6484e3f670a2fd38fb76"
},
{
"url": "https://git.kernel.org/stable/c/e2ff19f0b7a30e03516e6eb73b948e27a55bc9d2"
}
],
"title": "ksmbd: fix type confusion via race condition when using ipc_msg_send_request",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-21947",
"datePublished": "2025-04-01T15:41:09.457Z",
"dateReserved": "2024-12-29T08:45:45.790Z",
"dateUpdated": "2026-05-11T21:09:37.188Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-21948 (GCVE-0-2025-21948)
Vulnerability from cvelistv5 – Published: 2025-04-01 15:41 – Updated: 2026-05-11 21:09
VLAI
EPSS
Title
HID: appleir: Fix potential NULL dereference at raw event handle
Summary
In the Linux kernel, the following vulnerability has been resolved:
HID: appleir: Fix potential NULL dereference at raw event handle
Syzkaller reports a NULL pointer dereference issue in input_event().
BUG: KASAN: null-ptr-deref in instrument_atomic_read include/linux/instrumented.h:68 [inline]
BUG: KASAN: null-ptr-deref in _test_bit include/asm-generic/bitops/instrumented-non-atomic.h:141 [inline]
BUG: KASAN: null-ptr-deref in is_event_supported drivers/input/input.c:67 [inline]
BUG: KASAN: null-ptr-deref in input_event+0x42/0xa0 drivers/input/input.c:395
Read of size 8 at addr 0000000000000028 by task syz-executor199/2949
CPU: 0 UID: 0 PID: 2949 Comm: syz-executor199 Not tainted 6.13.0-rc4-syzkaller-00076-gf097a36ef88d #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Call Trace:
<IRQ>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
kasan_report+0xd9/0x110 mm/kasan/report.c:602
check_region_inline mm/kasan/generic.c:183 [inline]
kasan_check_range+0xef/0x1a0 mm/kasan/generic.c:189
instrument_atomic_read include/linux/instrumented.h:68 [inline]
_test_bit include/asm-generic/bitops/instrumented-non-atomic.h:141 [inline]
is_event_supported drivers/input/input.c:67 [inline]
input_event+0x42/0xa0 drivers/input/input.c:395
input_report_key include/linux/input.h:439 [inline]
key_down drivers/hid/hid-appleir.c:159 [inline]
appleir_raw_event+0x3e5/0x5e0 drivers/hid/hid-appleir.c:232
__hid_input_report.constprop.0+0x312/0x440 drivers/hid/hid-core.c:2111
hid_ctrl+0x49f/0x550 drivers/hid/usbhid/hid-core.c:484
__usb_hcd_giveback_urb+0x389/0x6e0 drivers/usb/core/hcd.c:1650
usb_hcd_giveback_urb+0x396/0x450 drivers/usb/core/hcd.c:1734
dummy_timer+0x17f7/0x3960 drivers/usb/gadget/udc/dummy_hcd.c:1993
__run_hrtimer kernel/time/hrtimer.c:1739 [inline]
__hrtimer_run_queues+0x20a/0xae0 kernel/time/hrtimer.c:1803
hrtimer_run_softirq+0x17d/0x350 kernel/time/hrtimer.c:1820
handle_softirqs+0x206/0x8d0 kernel/softirq.c:561
__do_softirq kernel/softirq.c:595 [inline]
invoke_softirq kernel/softirq.c:435 [inline]
__irq_exit_rcu+0xfa/0x160 kernel/softirq.c:662
irq_exit_rcu+0x9/0x30 kernel/softirq.c:678
instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1049 [inline]
sysvec_apic_timer_interrupt+0x90/0xb0 arch/x86/kernel/apic/apic.c:1049
</IRQ>
<TASK>
asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702
__mod_timer+0x8f6/0xdc0 kernel/time/timer.c:1185
add_timer+0x62/0x90 kernel/time/timer.c:1295
schedule_timeout+0x11f/0x280 kernel/time/sleep_timeout.c:98
usbhid_wait_io+0x1c7/0x380 drivers/hid/usbhid/hid-core.c:645
usbhid_init_reports+0x19f/0x390 drivers/hid/usbhid/hid-core.c:784
hiddev_ioctl+0x1133/0x15b0 drivers/hid/usbhid/hiddev.c:794
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:906 [inline]
__se_sys_ioctl fs/ioctl.c:892 [inline]
__x64_sys_ioctl+0x190/0x200 fs/ioctl.c:892
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
</TASK>
This happens due to the malformed report items sent by the emulated device
which results in a report, that has no fields, being added to the report list.
Due to this appleir_input_configured() is never called, hidinput_connect()
fails which results in the HID_CLAIMED_INPUT flag is not being set. However,
it does not make appleir_probe() fail and lets the event callback to be
called without the associated input device.
Thus, add a check for the HID_CLAIMED_INPUT flag and leave the event hook
early if the driver didn't claim any input_dev for some reason. Moreover,
some other hid drivers accessing input_dev in their event callbacks do have
similar checks, too.
Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
Severity
5.5 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-476 - NULL Pointer Dereference
Assigner
References
10 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
9a4a5574ce427c364d81746fc7fb82d86b5f1a7e , < 6db423b00940b05df2a1265d3c7eabafe9f1734c
(git)
Affected: 9a4a5574ce427c364d81746fc7fb82d86b5f1a7e , < 0df1ac8ee417ad76760ff076faa4518a4d861894 (git) Affected: 9a4a5574ce427c364d81746fc7fb82d86b5f1a7e , < b1d95d733cd6e74f595653daddcfc357bea461e8 (git) Affected: 9a4a5574ce427c364d81746fc7fb82d86b5f1a7e , < 8d39eb8c5e14f2f0f441eed832ef8a7b654e6fee (git) Affected: 9a4a5574ce427c364d81746fc7fb82d86b5f1a7e , < fc69e2c3219d433caabba4b5d6371ba726a4b37f (git) Affected: 9a4a5574ce427c364d81746fc7fb82d86b5f1a7e , < d335fce8b88b2353f4bb20c631698e20384e3610 (git) Affected: 9a4a5574ce427c364d81746fc7fb82d86b5f1a7e , < 68cdf6710f228dfd74f66ec61fbe636da2646a73 (git) Affected: 9a4a5574ce427c364d81746fc7fb82d86b5f1a7e , < 2ff5baa9b5275e3acafdf7f2089f74cccb2f38d1 (git) |
|
| Linux | Linux |
Affected:
3.10
Unaffected: 0 , < 3.10 (semver) Unaffected: 5.4.291 , ≤ 5.4.* (semver) Unaffected: 5.10.235 , ≤ 5.10.* (semver) Unaffected: 5.15.179 , ≤ 5.15.* (semver) Unaffected: 6.1.131 , ≤ 6.1.* (semver) Unaffected: 6.6.83 , ≤ 6.6.* (semver) Unaffected: 6.12.19 , ≤ 6.12.* (semver) Unaffected: 6.13.7 , ≤ 6.13.* (semver) Unaffected: 6.14 , ≤ * (original_commit_for_fix) |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-21948",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T17:17:14.096468Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-476",
"description": "CWE-476 NULL Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T17:17:18.360Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:39:50.130Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/hid/hid-appleir.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6db423b00940b05df2a1265d3c7eabafe9f1734c",
"status": "affected",
"version": "9a4a5574ce427c364d81746fc7fb82d86b5f1a7e",
"versionType": "git"
},
{
"lessThan": "0df1ac8ee417ad76760ff076faa4518a4d861894",
"status": "affected",
"version": "9a4a5574ce427c364d81746fc7fb82d86b5f1a7e",
"versionType": "git"
},
{
"lessThan": "b1d95d733cd6e74f595653daddcfc357bea461e8",
"status": "affected",
"version": "9a4a5574ce427c364d81746fc7fb82d86b5f1a7e",
"versionType": "git"
},
{
"lessThan": "8d39eb8c5e14f2f0f441eed832ef8a7b654e6fee",
"status": "affected",
"version": "9a4a5574ce427c364d81746fc7fb82d86b5f1a7e",
"versionType": "git"
},
{
"lessThan": "fc69e2c3219d433caabba4b5d6371ba726a4b37f",
"status": "affected",
"version": "9a4a5574ce427c364d81746fc7fb82d86b5f1a7e",
"versionType": "git"
},
{
"lessThan": "d335fce8b88b2353f4bb20c631698e20384e3610",
"status": "affected",
"version": "9a4a5574ce427c364d81746fc7fb82d86b5f1a7e",
"versionType": "git"
},
{
"lessThan": "68cdf6710f228dfd74f66ec61fbe636da2646a73",
"status": "affected",
"version": "9a4a5574ce427c364d81746fc7fb82d86b5f1a7e",
"versionType": "git"
},
{
"lessThan": "2ff5baa9b5275e3acafdf7f2089f74cccb2f38d1",
"status": "affected",
"version": "9a4a5574ce427c364d81746fc7fb82d86b5f1a7e",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/hid/hid-appleir.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.10"
},
{
"lessThan": "3.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.291",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.235",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.179",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.131",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.83",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.14",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.291",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.235",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.179",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.131",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.83",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.19",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.7",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14",
"versionStartIncluding": "3.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: appleir: Fix potential NULL dereference at raw event handle\n\nSyzkaller reports a NULL pointer dereference issue in input_event().\n\nBUG: KASAN: null-ptr-deref in instrument_atomic_read include/linux/instrumented.h:68 [inline]\nBUG: KASAN: null-ptr-deref in _test_bit include/asm-generic/bitops/instrumented-non-atomic.h:141 [inline]\nBUG: KASAN: null-ptr-deref in is_event_supported drivers/input/input.c:67 [inline]\nBUG: KASAN: null-ptr-deref in input_event+0x42/0xa0 drivers/input/input.c:395\nRead of size 8 at addr 0000000000000028 by task syz-executor199/2949\n\nCPU: 0 UID: 0 PID: 2949 Comm: syz-executor199 Not tainted 6.13.0-rc4-syzkaller-00076-gf097a36ef88d #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024\nCall Trace:\n \u003cIRQ\u003e\n __dump_stack lib/dump_stack.c:94 [inline]\n dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120\n kasan_report+0xd9/0x110 mm/kasan/report.c:602\n check_region_inline mm/kasan/generic.c:183 [inline]\n kasan_check_range+0xef/0x1a0 mm/kasan/generic.c:189\n instrument_atomic_read include/linux/instrumented.h:68 [inline]\n _test_bit include/asm-generic/bitops/instrumented-non-atomic.h:141 [inline]\n is_event_supported drivers/input/input.c:67 [inline]\n input_event+0x42/0xa0 drivers/input/input.c:395\n input_report_key include/linux/input.h:439 [inline]\n key_down drivers/hid/hid-appleir.c:159 [inline]\n appleir_raw_event+0x3e5/0x5e0 drivers/hid/hid-appleir.c:232\n __hid_input_report.constprop.0+0x312/0x440 drivers/hid/hid-core.c:2111\n hid_ctrl+0x49f/0x550 drivers/hid/usbhid/hid-core.c:484\n __usb_hcd_giveback_urb+0x389/0x6e0 drivers/usb/core/hcd.c:1650\n usb_hcd_giveback_urb+0x396/0x450 drivers/usb/core/hcd.c:1734\n dummy_timer+0x17f7/0x3960 drivers/usb/gadget/udc/dummy_hcd.c:1993\n __run_hrtimer kernel/time/hrtimer.c:1739 [inline]\n __hrtimer_run_queues+0x20a/0xae0 kernel/time/hrtimer.c:1803\n hrtimer_run_softirq+0x17d/0x350 kernel/time/hrtimer.c:1820\n handle_softirqs+0x206/0x8d0 kernel/softirq.c:561\n __do_softirq kernel/softirq.c:595 [inline]\n invoke_softirq kernel/softirq.c:435 [inline]\n __irq_exit_rcu+0xfa/0x160 kernel/softirq.c:662\n irq_exit_rcu+0x9/0x30 kernel/softirq.c:678\n instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1049 [inline]\n sysvec_apic_timer_interrupt+0x90/0xb0 arch/x86/kernel/apic/apic.c:1049\n \u003c/IRQ\u003e\n \u003cTASK\u003e\n asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702\n __mod_timer+0x8f6/0xdc0 kernel/time/timer.c:1185\n add_timer+0x62/0x90 kernel/time/timer.c:1295\n schedule_timeout+0x11f/0x280 kernel/time/sleep_timeout.c:98\n usbhid_wait_io+0x1c7/0x380 drivers/hid/usbhid/hid-core.c:645\n usbhid_init_reports+0x19f/0x390 drivers/hid/usbhid/hid-core.c:784\n hiddev_ioctl+0x1133/0x15b0 drivers/hid/usbhid/hiddev.c:794\n vfs_ioctl fs/ioctl.c:51 [inline]\n __do_sys_ioctl fs/ioctl.c:906 [inline]\n __se_sys_ioctl fs/ioctl.c:892 [inline]\n __x64_sys_ioctl+0x190/0x200 fs/ioctl.c:892\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n \u003c/TASK\u003e\n\nThis happens due to the malformed report items sent by the emulated device\nwhich results in a report, that has no fields, being added to the report list.\nDue to this appleir_input_configured() is never called, hidinput_connect()\nfails which results in the HID_CLAIMED_INPUT flag is not being set. However,\nit does not make appleir_probe() fail and lets the event callback to be\ncalled without the associated input device.\n\nThus, add a check for the HID_CLAIMED_INPUT flag and leave the event hook\nearly if the driver didn\u0027t claim any input_dev for some reason. Moreover,\nsome other hid drivers accessing input_dev in their event callbacks do have\nsimilar checks, too.\n\nFound by Linux Verification Center (linuxtesting.org) with Syzkaller."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:09:38.330Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/6db423b00940b05df2a1265d3c7eabafe9f1734c"
},
{
"url": "https://git.kernel.org/stable/c/0df1ac8ee417ad76760ff076faa4518a4d861894"
},
{
"url": "https://git.kernel.org/stable/c/b1d95d733cd6e74f595653daddcfc357bea461e8"
},
{
"url": "https://git.kernel.org/stable/c/8d39eb8c5e14f2f0f441eed832ef8a7b654e6fee"
},
{
"url": "https://git.kernel.org/stable/c/fc69e2c3219d433caabba4b5d6371ba726a4b37f"
},
{
"url": "https://git.kernel.org/stable/c/d335fce8b88b2353f4bb20c631698e20384e3610"
},
{
"url": "https://git.kernel.org/stable/c/68cdf6710f228dfd74f66ec61fbe636da2646a73"
},
{
"url": "https://git.kernel.org/stable/c/2ff5baa9b5275e3acafdf7f2089f74cccb2f38d1"
}
],
"title": "HID: appleir: Fix potential NULL dereference at raw event handle",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-21948",
"datePublished": "2025-04-01T15:41:09.949Z",
"dateReserved": "2024-12-29T08:45:45.790Z",
"dateUpdated": "2026-05-11T21:09:38.330Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-21950 (GCVE-0-2025-21950)
Vulnerability from cvelistv5 – Published: 2025-04-01 15:41 – Updated: 2026-05-11 21:09
VLAI
EPSS
Title
drivers: virt: acrn: hsm: Use kzalloc to avoid info leak in pmcmd_ioctl
Summary
In the Linux kernel, the following vulnerability has been resolved:
drivers: virt: acrn: hsm: Use kzalloc to avoid info leak in pmcmd_ioctl
In the "pmcmd_ioctl" function, three memory objects allocated by
kmalloc are initialized by "hcall_get_cpu_state", which are then
copied to user space. The initializer is indeed implemented in
"acrn_hypercall2" (arch/x86/include/asm/acrn.h). There is a risk of
information leakage due to uninitialized bytes.
Severity
No CVSS data available.
Assigner
References
7 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
3d679d5aec648f50e645702929890b9611998a0b , < 4e15cf870d2c748e45d45ffc4d5b1dc1b7d50120
(git)
Affected: 3d679d5aec648f50e645702929890b9611998a0b , < 524f29d78c9bdeb49f31f5b0376a07d2fc5cf563 (git) Affected: 3d679d5aec648f50e645702929890b9611998a0b , < d7e5031fe3f161c8eb5e84db1540bc4373ed861b (git) Affected: 3d679d5aec648f50e645702929890b9611998a0b , < 1b8f7a2caa7f9cdfd135e3f78eb9d7e36fb95083 (git) Affected: 3d679d5aec648f50e645702929890b9611998a0b , < a4c21b878f0e237f45209a324c903ea7fb05247d (git) Affected: 3d679d5aec648f50e645702929890b9611998a0b , < 819cec1dc47cdeac8f5dd6ba81c1dbee2a68c3bb (git) |
|
| Linux | Linux |
Affected:
5.12
Unaffected: 0 , < 5.12 (semver) Unaffected: 5.15.179 , ≤ 5.15.* (semver) Unaffected: 6.1.131 , ≤ 6.1.* (semver) Unaffected: 6.6.83 , ≤ 6.6.* (semver) Unaffected: 6.12.19 , ≤ 6.12.* (semver) Unaffected: 6.13.7 , ≤ 6.13.* (semver) Unaffected: 6.14 , ≤ * (original_commit_for_fix) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:39:51.532Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/virt/acrn/hsm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "4e15cf870d2c748e45d45ffc4d5b1dc1b7d50120",
"status": "affected",
"version": "3d679d5aec648f50e645702929890b9611998a0b",
"versionType": "git"
},
{
"lessThan": "524f29d78c9bdeb49f31f5b0376a07d2fc5cf563",
"status": "affected",
"version": "3d679d5aec648f50e645702929890b9611998a0b",
"versionType": "git"
},
{
"lessThan": "d7e5031fe3f161c8eb5e84db1540bc4373ed861b",
"status": "affected",
"version": "3d679d5aec648f50e645702929890b9611998a0b",
"versionType": "git"
},
{
"lessThan": "1b8f7a2caa7f9cdfd135e3f78eb9d7e36fb95083",
"status": "affected",
"version": "3d679d5aec648f50e645702929890b9611998a0b",
"versionType": "git"
},
{
"lessThan": "a4c21b878f0e237f45209a324c903ea7fb05247d",
"status": "affected",
"version": "3d679d5aec648f50e645702929890b9611998a0b",
"versionType": "git"
},
{
"lessThan": "819cec1dc47cdeac8f5dd6ba81c1dbee2a68c3bb",
"status": "affected",
"version": "3d679d5aec648f50e645702929890b9611998a0b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/virt/acrn/hsm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.12"
},
{
"lessThan": "5.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.179",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.131",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.83",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.14",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.179",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.131",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.83",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.19",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.7",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14",
"versionStartIncluding": "5.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrivers: virt: acrn: hsm: Use kzalloc to avoid info leak in pmcmd_ioctl\n\nIn the \"pmcmd_ioctl\" function, three memory objects allocated by\nkmalloc are initialized by \"hcall_get_cpu_state\", which are then\ncopied to user space. The initializer is indeed implemented in\n\"acrn_hypercall2\" (arch/x86/include/asm/acrn.h). There is a risk of\ninformation leakage due to uninitialized bytes."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:09:40.823Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/4e15cf870d2c748e45d45ffc4d5b1dc1b7d50120"
},
{
"url": "https://git.kernel.org/stable/c/524f29d78c9bdeb49f31f5b0376a07d2fc5cf563"
},
{
"url": "https://git.kernel.org/stable/c/d7e5031fe3f161c8eb5e84db1540bc4373ed861b"
},
{
"url": "https://git.kernel.org/stable/c/1b8f7a2caa7f9cdfd135e3f78eb9d7e36fb95083"
},
{
"url": "https://git.kernel.org/stable/c/a4c21b878f0e237f45209a324c903ea7fb05247d"
},
{
"url": "https://git.kernel.org/stable/c/819cec1dc47cdeac8f5dd6ba81c1dbee2a68c3bb"
}
],
"title": "drivers: virt: acrn: hsm: Use kzalloc to avoid info leak in pmcmd_ioctl",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-21950",
"datePublished": "2025-04-01T15:41:10.949Z",
"dateReserved": "2024-12-29T08:45:45.790Z",
"dateUpdated": "2026-05-11T21:09:40.823Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-21951 (GCVE-0-2025-21951)
Vulnerability from cvelistv5 – Published: 2025-04-01 15:41 – Updated: 2026-05-11 21:09
VLAI
EPSS
Title
bus: mhi: host: pci_generic: Use pci_try_reset_function() to avoid deadlock
Summary
In the Linux kernel, the following vulnerability has been resolved:
bus: mhi: host: pci_generic: Use pci_try_reset_function() to avoid deadlock
There are multiple places from where the recovery work gets scheduled
asynchronously. Also, there are multiple places where the caller waits
synchronously for the recovery to be completed. One such place is during
the PM shutdown() callback.
If the device is not alive during recovery_work, it will try to reset the
device using pci_reset_function(). This function internally will take the
device_lock() first before resetting the device. By this time, if the lock
has already been acquired, then recovery_work will get stalled while
waiting for the lock. And if the lock was already acquired by the caller
which waits for the recovery_work to be completed, it will lead to
deadlock.
This is what happened on the X1E80100 CRD device when the device died
before shutdown() callback. Driver core calls the driver's shutdown()
callback while holding the device_lock() leading to deadlock.
And this deadlock scenario can occur on other paths as well, like during
the PM suspend() callback, where the driver core would hold the
device_lock() before calling driver's suspend() callback. And if the
recovery_work was already started, it could lead to deadlock. This is also
observed on the X1E80100 CRD.
So to fix both issues, use pci_try_reset_function() in recovery_work. This
function first checks for the availability of the device_lock() before
trying to reset the device. If the lock is available, it will acquire it
and reset the device. Otherwise, it will return -EAGAIN. If that happens,
recovery_work will fail with the error message "Recovery failed" as not
much could be done.
Severity
5.5 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-667 - Improper Locking
Assigner
References
7 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
7389337f0a78ea099c47f0af08f64f20c52ab4ba , < 7746f3bb8917fccb4571a576f3837d80fc513054
(git)
Affected: 7389337f0a78ea099c47f0af08f64f20c52ab4ba , < 7a5ffadd54fe2662f5c99cdccf30144d060376f7 (git) Affected: 7389337f0a78ea099c47f0af08f64f20c52ab4ba , < 1f9eb7078bc6b5fb5cbfbcb37c4bc01685332b95 (git) Affected: 7389337f0a78ea099c47f0af08f64f20c52ab4ba , < 985d3cf56d8745ca637deee273929e01df449f85 (git) Affected: 7389337f0a78ea099c47f0af08f64f20c52ab4ba , < 62505657475c245c9cd46e42ac01026d1e61f027 (git) Affected: 7389337f0a78ea099c47f0af08f64f20c52ab4ba , < a321d163de3d8aa38a6449ab2becf4b1581aed96 (git) |
|
| Linux | Linux |
Affected:
5.12
Unaffected: 0 , < 5.12 (semver) Unaffected: 5.15.179 , ≤ 5.15.* (semver) Unaffected: 6.1.131 , ≤ 6.1.* (semver) Unaffected: 6.6.83 , ≤ 6.6.* (semver) Unaffected: 6.12.19 , ≤ 6.12.* (semver) Unaffected: 6.13.7 , ≤ 6.13.* (semver) Unaffected: 6.14 , ≤ * (original_commit_for_fix) |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-21951",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T17:16:49.794913Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-667",
"description": "CWE-667 Improper Locking",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T17:16:52.646Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:39:52.892Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/bus/mhi/host/pci_generic.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "7746f3bb8917fccb4571a576f3837d80fc513054",
"status": "affected",
"version": "7389337f0a78ea099c47f0af08f64f20c52ab4ba",
"versionType": "git"
},
{
"lessThan": "7a5ffadd54fe2662f5c99cdccf30144d060376f7",
"status": "affected",
"version": "7389337f0a78ea099c47f0af08f64f20c52ab4ba",
"versionType": "git"
},
{
"lessThan": "1f9eb7078bc6b5fb5cbfbcb37c4bc01685332b95",
"status": "affected",
"version": "7389337f0a78ea099c47f0af08f64f20c52ab4ba",
"versionType": "git"
},
{
"lessThan": "985d3cf56d8745ca637deee273929e01df449f85",
"status": "affected",
"version": "7389337f0a78ea099c47f0af08f64f20c52ab4ba",
"versionType": "git"
},
{
"lessThan": "62505657475c245c9cd46e42ac01026d1e61f027",
"status": "affected",
"version": "7389337f0a78ea099c47f0af08f64f20c52ab4ba",
"versionType": "git"
},
{
"lessThan": "a321d163de3d8aa38a6449ab2becf4b1581aed96",
"status": "affected",
"version": "7389337f0a78ea099c47f0af08f64f20c52ab4ba",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/bus/mhi/host/pci_generic.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.12"
},
{
"lessThan": "5.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.179",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.131",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.83",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.14",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.179",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.131",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.83",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.19",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.7",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14",
"versionStartIncluding": "5.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbus: mhi: host: pci_generic: Use pci_try_reset_function() to avoid deadlock\n\nThere are multiple places from where the recovery work gets scheduled\nasynchronously. Also, there are multiple places where the caller waits\nsynchronously for the recovery to be completed. One such place is during\nthe PM shutdown() callback.\n\nIf the device is not alive during recovery_work, it will try to reset the\ndevice using pci_reset_function(). This function internally will take the\ndevice_lock() first before resetting the device. By this time, if the lock\nhas already been acquired, then recovery_work will get stalled while\nwaiting for the lock. And if the lock was already acquired by the caller\nwhich waits for the recovery_work to be completed, it will lead to\ndeadlock.\n\nThis is what happened on the X1E80100 CRD device when the device died\nbefore shutdown() callback. Driver core calls the driver\u0027s shutdown()\ncallback while holding the device_lock() leading to deadlock.\n\nAnd this deadlock scenario can occur on other paths as well, like during\nthe PM suspend() callback, where the driver core would hold the\ndevice_lock() before calling driver\u0027s suspend() callback. And if the\nrecovery_work was already started, it could lead to deadlock. This is also\nobserved on the X1E80100 CRD.\n\nSo to fix both issues, use pci_try_reset_function() in recovery_work. This\nfunction first checks for the availability of the device_lock() before\ntrying to reset the device. If the lock is available, it will acquire it\nand reset the device. Otherwise, it will return -EAGAIN. If that happens,\nrecovery_work will fail with the error message \"Recovery failed\" as not\nmuch could be done."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:09:41.957Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/7746f3bb8917fccb4571a576f3837d80fc513054"
},
{
"url": "https://git.kernel.org/stable/c/7a5ffadd54fe2662f5c99cdccf30144d060376f7"
},
{
"url": "https://git.kernel.org/stable/c/1f9eb7078bc6b5fb5cbfbcb37c4bc01685332b95"
},
{
"url": "https://git.kernel.org/stable/c/985d3cf56d8745ca637deee273929e01df449f85"
},
{
"url": "https://git.kernel.org/stable/c/62505657475c245c9cd46e42ac01026d1e61f027"
},
{
"url": "https://git.kernel.org/stable/c/a321d163de3d8aa38a6449ab2becf4b1581aed96"
}
],
"title": "bus: mhi: host: pci_generic: Use pci_try_reset_function() to avoid deadlock",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-21951",
"datePublished": "2025-04-01T15:41:11.487Z",
"dateReserved": "2024-12-29T08:45:45.790Z",
"dateUpdated": "2026-05-11T21:09:41.957Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-21955 (GCVE-0-2025-21955)
Vulnerability from cvelistv5 – Published: 2025-04-01 15:46 – Updated: 2026-05-11 21:09
VLAI
EPSS
Title
ksmbd: prevent connection release during oplock break notification
Summary
In the Linux kernel, the following vulnerability has been resolved:
ksmbd: prevent connection release during oplock break notification
ksmbd_work could be freed when after connection release.
Increment r_count of ksmbd_conn to indicate that requests
are not finished yet and to not release the connection.
Severity
No CVSS data available.
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
0626e6641f6b467447c81dd7678a69c66f7746cf , < 09aeab68033161cb54f194da93e51a11aee6144b
(git)
Affected: 0626e6641f6b467447c81dd7678a69c66f7746cf , < a4261bbc33fbf99b99c80aa3a2c5097611802980 (git) Affected: 0626e6641f6b467447c81dd7678a69c66f7746cf , < f17d1c63a76b0fe8e9c78023a86507a3a6d62cfa (git) Affected: 0626e6641f6b467447c81dd7678a69c66f7746cf , < 3aa660c059240e0c795217182cf7df32909dd917 (git) |
|
| Linux | Linux |
Affected:
5.15
Unaffected: 0 , < 5.15 (semver) Unaffected: 6.6.84 , ≤ 6.6.* (semver) Unaffected: 6.12.20 , ≤ 6.12.* (semver) Unaffected: 6.13.8 , ≤ 6.13.* (semver) Unaffected: 6.14 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/smb/server/connection.c",
"fs/smb/server/connection.h",
"fs/smb/server/oplock.c",
"fs/smb/server/server.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "09aeab68033161cb54f194da93e51a11aee6144b",
"status": "affected",
"version": "0626e6641f6b467447c81dd7678a69c66f7746cf",
"versionType": "git"
},
{
"lessThan": "a4261bbc33fbf99b99c80aa3a2c5097611802980",
"status": "affected",
"version": "0626e6641f6b467447c81dd7678a69c66f7746cf",
"versionType": "git"
},
{
"lessThan": "f17d1c63a76b0fe8e9c78023a86507a3a6d62cfa",
"status": "affected",
"version": "0626e6641f6b467447c81dd7678a69c66f7746cf",
"versionType": "git"
},
{
"lessThan": "3aa660c059240e0c795217182cf7df32909dd917",
"status": "affected",
"version": "0626e6641f6b467447c81dd7678a69c66f7746cf",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/smb/server/connection.c",
"fs/smb/server/connection.h",
"fs/smb/server/oplock.c",
"fs/smb/server/server.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.15"
},
{
"lessThan": "5.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.84",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.20",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.14",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.84",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.20",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.8",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14",
"versionStartIncluding": "5.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: prevent connection release during oplock break notification\n\nksmbd_work could be freed when after connection release.\nIncrement r_count of ksmbd_conn to indicate that requests\nare not finished yet and to not release the connection."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:09:46.656Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/09aeab68033161cb54f194da93e51a11aee6144b"
},
{
"url": "https://git.kernel.org/stable/c/a4261bbc33fbf99b99c80aa3a2c5097611802980"
},
{
"url": "https://git.kernel.org/stable/c/f17d1c63a76b0fe8e9c78023a86507a3a6d62cfa"
},
{
"url": "https://git.kernel.org/stable/c/3aa660c059240e0c795217182cf7df32909dd917"
}
],
"title": "ksmbd: prevent connection release during oplock break notification",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-21955",
"datePublished": "2025-04-01T15:46:55.724Z",
"dateReserved": "2024-12-29T08:45:45.790Z",
"dateUpdated": "2026-05-11T21:09:46.656Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-21956 (GCVE-0-2025-21956)
Vulnerability from cvelistv5 – Published: 2025-04-01 15:46 – Updated: 2026-05-11 21:09
VLAI
EPSS
Title
drm/amd/display: Assign normalized_pix_clk when color depth = 14
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/amd/display: Assign normalized_pix_clk when color depth = 14
[WHY & HOW]
A warning message "WARNING: CPU: 4 PID: 459 at ... /dc_resource.c:3397
calculate_phy_pix_clks+0xef/0x100 [amdgpu]" occurs because the
display_color_depth == COLOR_DEPTH_141414 is not handled. This is
observed in Radeon RX 6600 XT.
It is fixed by assigning pix_clk * (14 * 3) / 24 - same as the rests.
Also fixes the indentation in get_norm_pix_clk.
(cherry picked from commit 274a87eb389f58eddcbc5659ab0b180b37e92775)
Severity
No CVSS data available.
Assigner
References
10 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c , < cca3ab74f90176099b6392e8e894b52b27b3d080
(git)
Affected: 4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c , < 0174a2e5770efee9dbd4b58963ed4d939298ff5e (git) Affected: 4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c , < 0c0016712e5dc23ce4a7e673cbebc24a535d8c8a (git) Affected: 4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c , < dc831b38680c47d07e425871a9852109183895cf (git) Affected: 4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c , < a8f77e1658d78e4a8bb227a83bcee67de97f7634 (git) Affected: 4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c , < 04f90b505ad3a6eed474bbaa03167095fef5203a (git) Affected: 4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c , < 27df30106690969f7d63604f0d49ed8e9bffa2cb (git) Affected: 4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c , < 79e31396fdd7037c503e6add15af7cb00633ea92 (git) |
|
| Linux | Linux |
Affected:
4.15
Unaffected: 0 , < 4.15 (semver) Unaffected: 5.4.292 , ≤ 5.4.* (semver) Unaffected: 5.10.236 , ≤ 5.10.* (semver) Unaffected: 5.15.180 , ≤ 5.15.* (semver) Unaffected: 6.1.132 , ≤ 6.1.* (semver) Unaffected: 6.6.84 , ≤ 6.6.* (semver) Unaffected: 6.12.20 , ≤ 6.12.* (semver) Unaffected: 6.13.8 , ≤ 6.13.* (semver) Unaffected: 6.14 , ≤ * (original_commit_for_fix) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:39:55.636Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/display/dc/core/dc_resource.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "cca3ab74f90176099b6392e8e894b52b27b3d080",
"status": "affected",
"version": "4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c",
"versionType": "git"
},
{
"lessThan": "0174a2e5770efee9dbd4b58963ed4d939298ff5e",
"status": "affected",
"version": "4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c",
"versionType": "git"
},
{
"lessThan": "0c0016712e5dc23ce4a7e673cbebc24a535d8c8a",
"status": "affected",
"version": "4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c",
"versionType": "git"
},
{
"lessThan": "dc831b38680c47d07e425871a9852109183895cf",
"status": "affected",
"version": "4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c",
"versionType": "git"
},
{
"lessThan": "a8f77e1658d78e4a8bb227a83bcee67de97f7634",
"status": "affected",
"version": "4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c",
"versionType": "git"
},
{
"lessThan": "04f90b505ad3a6eed474bbaa03167095fef5203a",
"status": "affected",
"version": "4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c",
"versionType": "git"
},
{
"lessThan": "27df30106690969f7d63604f0d49ed8e9bffa2cb",
"status": "affected",
"version": "4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c",
"versionType": "git"
},
{
"lessThan": "79e31396fdd7037c503e6add15af7cb00633ea92",
"status": "affected",
"version": "4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/display/dc/core/dc_resource.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.15"
},
{
"lessThan": "4.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.292",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.236",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.180",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.132",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.84",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.20",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.14",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.292",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.236",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.180",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.132",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.84",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.20",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.8",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14",
"versionStartIncluding": "4.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Assign normalized_pix_clk when color depth = 14\n\n[WHY \u0026 HOW]\nA warning message \"WARNING: CPU: 4 PID: 459 at ... /dc_resource.c:3397\ncalculate_phy_pix_clks+0xef/0x100 [amdgpu]\" occurs because the\ndisplay_color_depth == COLOR_DEPTH_141414 is not handled. This is\nobserved in Radeon RX 6600 XT.\n\nIt is fixed by assigning pix_clk * (14 * 3) / 24 - same as the rests.\n\nAlso fixes the indentation in get_norm_pix_clk.\n\n(cherry picked from commit 274a87eb389f58eddcbc5659ab0b180b37e92775)"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:09:47.764Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/cca3ab74f90176099b6392e8e894b52b27b3d080"
},
{
"url": "https://git.kernel.org/stable/c/0174a2e5770efee9dbd4b58963ed4d939298ff5e"
},
{
"url": "https://git.kernel.org/stable/c/0c0016712e5dc23ce4a7e673cbebc24a535d8c8a"
},
{
"url": "https://git.kernel.org/stable/c/dc831b38680c47d07e425871a9852109183895cf"
},
{
"url": "https://git.kernel.org/stable/c/a8f77e1658d78e4a8bb227a83bcee67de97f7634"
},
{
"url": "https://git.kernel.org/stable/c/04f90b505ad3a6eed474bbaa03167095fef5203a"
},
{
"url": "https://git.kernel.org/stable/c/27df30106690969f7d63604f0d49ed8e9bffa2cb"
},
{
"url": "https://git.kernel.org/stable/c/79e31396fdd7037c503e6add15af7cb00633ea92"
}
],
"title": "drm/amd/display: Assign normalized_pix_clk when color depth = 14",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-21956",
"datePublished": "2025-04-01T15:46:56.219Z",
"dateReserved": "2024-12-29T08:45:45.790Z",
"dateUpdated": "2026-05-11T21:09:47.764Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-21957 (GCVE-0-2025-21957)
Vulnerability from cvelistv5 – Published: 2025-04-01 15:46 – Updated: 2026-05-11 21:09
VLAI
EPSS
Title
scsi: qla1280: Fix kernel oops when debug level > 2
Summary
In the Linux kernel, the following vulnerability has been resolved:
scsi: qla1280: Fix kernel oops when debug level > 2
A null dereference or oops exception will eventually occur when qla1280.c
driver is compiled with DEBUG_QLA1280 enabled and ql_debug_level > 2. I
think its clear from the code that the intention here is sg_dma_len(s) not
length of sg_next(s) when printing the debug info.
Severity
5.5 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-476 - NULL Pointer Dereference
Assigner
References
10 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
a0441891373fe2db582075a4639fdfcccea470c1 , < afa27b7c17a48e01546ccaad0ab017ad0496a522
(git)
Affected: a0441891373fe2db582075a4639fdfcccea470c1 , < 11a8dac1177a596648a020a7f3708257a2f95fee (git) Affected: a0441891373fe2db582075a4639fdfcccea470c1 , < c737e2a5fb7f90b96a96121da1b50a9c74ae9b8c (git) Affected: a0441891373fe2db582075a4639fdfcccea470c1 , < 24602e2664c515a4f2950d7b52c3d5997463418c (git) Affected: a0441891373fe2db582075a4639fdfcccea470c1 , < ea371d1cdefb0951c7127a33bcd7eb931cf44571 (git) Affected: a0441891373fe2db582075a4639fdfcccea470c1 , < af71ba921d08c241a817010f96458dc5e5e26762 (git) Affected: a0441891373fe2db582075a4639fdfcccea470c1 , < 7ac2473e727d67a38266b2b7e55c752402ab588c (git) Affected: a0441891373fe2db582075a4639fdfcccea470c1 , < 5233e3235dec3065ccc632729675575dbe3c6b8a (git) |
|
| Linux | Linux |
Affected:
2.6.24
Unaffected: 0 , < 2.6.24 (semver) Unaffected: 5.4.292 , ≤ 5.4.* (semver) Unaffected: 5.10.236 , ≤ 5.10.* (semver) Unaffected: 5.15.180 , ≤ 5.15.* (semver) Unaffected: 6.1.132 , ≤ 6.1.* (semver) Unaffected: 6.6.84 , ≤ 6.6.* (semver) Unaffected: 6.12.20 , ≤ 6.12.* (semver) Unaffected: 6.13.8 , ≤ 6.13.* (semver) Unaffected: 6.14 , ≤ * (original_commit_for_fix) |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-21957",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T17:16:08.787043Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-476",
"description": "CWE-476 NULL Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T17:16:27.165Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:39:58.405Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/scsi/qla1280.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "afa27b7c17a48e01546ccaad0ab017ad0496a522",
"status": "affected",
"version": "a0441891373fe2db582075a4639fdfcccea470c1",
"versionType": "git"
},
{
"lessThan": "11a8dac1177a596648a020a7f3708257a2f95fee",
"status": "affected",
"version": "a0441891373fe2db582075a4639fdfcccea470c1",
"versionType": "git"
},
{
"lessThan": "c737e2a5fb7f90b96a96121da1b50a9c74ae9b8c",
"status": "affected",
"version": "a0441891373fe2db582075a4639fdfcccea470c1",
"versionType": "git"
},
{
"lessThan": "24602e2664c515a4f2950d7b52c3d5997463418c",
"status": "affected",
"version": "a0441891373fe2db582075a4639fdfcccea470c1",
"versionType": "git"
},
{
"lessThan": "ea371d1cdefb0951c7127a33bcd7eb931cf44571",
"status": "affected",
"version": "a0441891373fe2db582075a4639fdfcccea470c1",
"versionType": "git"
},
{
"lessThan": "af71ba921d08c241a817010f96458dc5e5e26762",
"status": "affected",
"version": "a0441891373fe2db582075a4639fdfcccea470c1",
"versionType": "git"
},
{
"lessThan": "7ac2473e727d67a38266b2b7e55c752402ab588c",
"status": "affected",
"version": "a0441891373fe2db582075a4639fdfcccea470c1",
"versionType": "git"
},
{
"lessThan": "5233e3235dec3065ccc632729675575dbe3c6b8a",
"status": "affected",
"version": "a0441891373fe2db582075a4639fdfcccea470c1",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/scsi/qla1280.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.24"
},
{
"lessThan": "2.6.24",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.292",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.236",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.180",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.132",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.84",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.20",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.14",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.292",
"versionStartIncluding": "2.6.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.236",
"versionStartIncluding": "2.6.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.180",
"versionStartIncluding": "2.6.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.132",
"versionStartIncluding": "2.6.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.84",
"versionStartIncluding": "2.6.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.20",
"versionStartIncluding": "2.6.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.8",
"versionStartIncluding": "2.6.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14",
"versionStartIncluding": "2.6.24",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: qla1280: Fix kernel oops when debug level \u003e 2\n\nA null dereference or oops exception will eventually occur when qla1280.c\ndriver is compiled with DEBUG_QLA1280 enabled and ql_debug_level \u003e 2. I\nthink its clear from the code that the intention here is sg_dma_len(s) not\nlength of sg_next(s) when printing the debug info."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:09:49.013Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/afa27b7c17a48e01546ccaad0ab017ad0496a522"
},
{
"url": "https://git.kernel.org/stable/c/11a8dac1177a596648a020a7f3708257a2f95fee"
},
{
"url": "https://git.kernel.org/stable/c/c737e2a5fb7f90b96a96121da1b50a9c74ae9b8c"
},
{
"url": "https://git.kernel.org/stable/c/24602e2664c515a4f2950d7b52c3d5997463418c"
},
{
"url": "https://git.kernel.org/stable/c/ea371d1cdefb0951c7127a33bcd7eb931cf44571"
},
{
"url": "https://git.kernel.org/stable/c/af71ba921d08c241a817010f96458dc5e5e26762"
},
{
"url": "https://git.kernel.org/stable/c/7ac2473e727d67a38266b2b7e55c752402ab588c"
},
{
"url": "https://git.kernel.org/stable/c/5233e3235dec3065ccc632729675575dbe3c6b8a"
}
],
"title": "scsi: qla1280: Fix kernel oops when debug level \u003e 2",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-21957",
"datePublished": "2025-04-01T15:46:56.733Z",
"dateReserved": "2024-12-29T08:45:45.791Z",
"dateUpdated": "2026-05-11T21:09:49.013Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-21959 (GCVE-0-2025-21959)
Vulnerability from cvelistv5 – Published: 2025-04-01 15:46 – Updated: 2026-05-23 15:57
VLAI
EPSS
Title
netfilter: nf_conncount: Fully initialize struct nf_conncount_tuple in insert_tree()
Summary
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nf_conncount: Fully initialize struct nf_conncount_tuple in insert_tree()
Since commit b36e4523d4d5 ("netfilter: nf_conncount: fix garbage
collection confirm race"), `cpu` and `jiffies32` were introduced to
the struct nf_conncount_tuple.
The commit made nf_conncount_add() initialize `conn->cpu` and
`conn->jiffies32` when allocating the struct.
In contrast, count_tree() was not changed to initialize them.
By commit 34848d5c896e ("netfilter: nf_conncount: Split insert and
traversal"), count_tree() was split and the relevant allocation
code now resides in insert_tree().
Initialize `conn->cpu` and `conn->jiffies32` in insert_tree().
BUG: KMSAN: uninit-value in find_or_evict net/netfilter/nf_conncount.c:117 [inline]
BUG: KMSAN: uninit-value in __nf_conncount_add+0xd9c/0x2850 net/netfilter/nf_conncount.c:143
find_or_evict net/netfilter/nf_conncount.c:117 [inline]
__nf_conncount_add+0xd9c/0x2850 net/netfilter/nf_conncount.c:143
count_tree net/netfilter/nf_conncount.c:438 [inline]
nf_conncount_count+0x82f/0x1e80 net/netfilter/nf_conncount.c:521
connlimit_mt+0x7f6/0xbd0 net/netfilter/xt_connlimit.c:72
__nft_match_eval net/netfilter/nft_compat.c:403 [inline]
nft_match_eval+0x1a5/0x300 net/netfilter/nft_compat.c:433
expr_call_ops_eval net/netfilter/nf_tables_core.c:240 [inline]
nft_do_chain+0x426/0x2290 net/netfilter/nf_tables_core.c:288
nft_do_chain_ipv4+0x1a5/0x230 net/netfilter/nft_chain_filter.c:23
nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline]
nf_hook_slow+0xf4/0x400 net/netfilter/core.c:626
nf_hook_slow_list+0x24d/0x860 net/netfilter/core.c:663
NF_HOOK_LIST include/linux/netfilter.h:350 [inline]
ip_sublist_rcv+0x17b7/0x17f0 net/ipv4/ip_input.c:633
ip_list_rcv+0x9ef/0xa40 net/ipv4/ip_input.c:669
__netif_receive_skb_list_ptype net/core/dev.c:5936 [inline]
__netif_receive_skb_list_core+0x15c5/0x1670 net/core/dev.c:5983
__netif_receive_skb_list net/core/dev.c:6035 [inline]
netif_receive_skb_list_internal+0x1085/0x1700 net/core/dev.c:6126
netif_receive_skb_list+0x5a/0x460 net/core/dev.c:6178
xdp_recv_frames net/bpf/test_run.c:280 [inline]
xdp_test_run_batch net/bpf/test_run.c:361 [inline]
bpf_test_run_xdp_live+0x2e86/0x3480 net/bpf/test_run.c:390
bpf_prog_test_run_xdp+0xf1d/0x1ae0 net/bpf/test_run.c:1316
bpf_prog_test_run+0x5e5/0xa30 kernel/bpf/syscall.c:4407
__sys_bpf+0x6aa/0xd90 kernel/bpf/syscall.c:5813
__do_sys_bpf kernel/bpf/syscall.c:5902 [inline]
__se_sys_bpf kernel/bpf/syscall.c:5900 [inline]
__ia32_sys_bpf+0xa0/0xe0 kernel/bpf/syscall.c:5900
ia32_sys_call+0x394d/0x4180 arch/x86/include/generated/asm/syscalls_32.h:358
do_syscall_32_irqs_on arch/x86/entry/common.c:165 [inline]
__do_fast_syscall_32+0xb0/0x110 arch/x86/entry/common.c:387
do_fast_syscall_32+0x38/0x80 arch/x86/entry/common.c:412
do_SYSENTER_32+0x1f/0x30 arch/x86/entry/common.c:450
entry_SYSENTER_compat_after_hwframe+0x84/0x8e
Uninit was created at:
slab_post_alloc_hook mm/slub.c:4121 [inline]
slab_alloc_node mm/slub.c:4164 [inline]
kmem_cache_alloc_noprof+0x915/0xe10 mm/slub.c:4171
insert_tree net/netfilter/nf_conncount.c:372 [inline]
count_tree net/netfilter/nf_conncount.c:450 [inline]
nf_conncount_count+0x1415/0x1e80 net/netfilter/nf_conncount.c:521
connlimit_mt+0x7f6/0xbd0 net/netfilter/xt_connlimit.c:72
__nft_match_eval net/netfilter/nft_compat.c:403 [inline]
nft_match_eval+0x1a5/0x300 net/netfilter/nft_compat.c:433
expr_call_ops_eval net/netfilter/nf_tables_core.c:240 [inline]
nft_do_chain+0x426/0x2290 net/netfilter/nf_tables_core.c:288
nft_do_chain_ipv4+0x1a5/0x230 net/netfilter/nft_chain_filter.c:23
nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline]
nf_hook_slow+0xf4/0x400 net/netfilter/core.c:626
nf_hook_slow_list+0x24d/0x860 net/netfilter/core.c:663
NF_HOOK_LIST include/linux/netfilter.h:350 [inline]
ip_sublist_rcv+0x17b7/0x17f0 net/ipv4/ip_input.c:633
ip_list_rcv+0x9ef/0xa40 net/ip
---truncated---
Severity
5.5 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-908 - Use of Uninitialized Resource
Assigner
References
10 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
b36e4523d4d56e2595e28f16f6ccf1cd6a9fc452 , < f522229c5563b59b4240261e406779bba6754159
(git)
Affected: b36e4523d4d56e2595e28f16f6ccf1cd6a9fc452 , < 2a154ce766b995494e88d8d117fa82cc6b73dd87 (git) Affected: b36e4523d4d56e2595e28f16f6ccf1cd6a9fc452 , < e8544a5a97bee3674e7cd6bf0f3a4af517fa9146 (git) Affected: b36e4523d4d56e2595e28f16f6ccf1cd6a9fc452 , < a62a25c6ad58fae997f48a0749afeda1c252ae51 (git) Affected: b36e4523d4d56e2595e28f16f6ccf1cd6a9fc452 , < fda50302a13701d47fbe01e1739c7a51114144fb (git) Affected: b36e4523d4d56e2595e28f16f6ccf1cd6a9fc452 , < db1e0c0856821c59a32ea3af79476bf20a6beeb2 (git) Affected: b36e4523d4d56e2595e28f16f6ccf1cd6a9fc452 , < 2db5baaf047a7c8d6ed5e2cc657b7854e155b7fc (git) Affected: b36e4523d4d56e2595e28f16f6ccf1cd6a9fc452 , < d653bfeb07ebb3499c403404c21ac58a16531607 (git) Affected: 75af3d78168e654a5cd8bbc4c774f97be836165f (git) Affected: 4.14.92 , < 4.15 (semver) |
|
| Linux | Linux |
Affected:
4.18
Unaffected: 0 , < 4.18 (semver) Unaffected: 5.4.292 , ≤ 5.4.* (semver) Unaffected: 5.10.236 , ≤ 5.10.* (semver) Unaffected: 5.15.180 , ≤ 5.15.* (semver) Unaffected: 6.1.132 , ≤ 6.1.* (semver) Unaffected: 6.6.84 , ≤ 6.6.* (semver) Unaffected: 6.12.20 , ≤ 6.12.* (semver) Unaffected: 6.13.8 , ≤ 6.13.* (semver) Unaffected: 6.14 , ≤ * (original_commit_for_fix) |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-21959",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T17:15:56.023953Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-908",
"description": "CWE-908 Use of Uninitialized Resource",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T17:15:58.938Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:40:01.234Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/netfilter/nf_conncount.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f522229c5563b59b4240261e406779bba6754159",
"status": "affected",
"version": "b36e4523d4d56e2595e28f16f6ccf1cd6a9fc452",
"versionType": "git"
},
{
"lessThan": "2a154ce766b995494e88d8d117fa82cc6b73dd87",
"status": "affected",
"version": "b36e4523d4d56e2595e28f16f6ccf1cd6a9fc452",
"versionType": "git"
},
{
"lessThan": "e8544a5a97bee3674e7cd6bf0f3a4af517fa9146",
"status": "affected",
"version": "b36e4523d4d56e2595e28f16f6ccf1cd6a9fc452",
"versionType": "git"
},
{
"lessThan": "a62a25c6ad58fae997f48a0749afeda1c252ae51",
"status": "affected",
"version": "b36e4523d4d56e2595e28f16f6ccf1cd6a9fc452",
"versionType": "git"
},
{
"lessThan": "fda50302a13701d47fbe01e1739c7a51114144fb",
"status": "affected",
"version": "b36e4523d4d56e2595e28f16f6ccf1cd6a9fc452",
"versionType": "git"
},
{
"lessThan": "db1e0c0856821c59a32ea3af79476bf20a6beeb2",
"status": "affected",
"version": "b36e4523d4d56e2595e28f16f6ccf1cd6a9fc452",
"versionType": "git"
},
{
"lessThan": "2db5baaf047a7c8d6ed5e2cc657b7854e155b7fc",
"status": "affected",
"version": "b36e4523d4d56e2595e28f16f6ccf1cd6a9fc452",
"versionType": "git"
},
{
"lessThan": "d653bfeb07ebb3499c403404c21ac58a16531607",
"status": "affected",
"version": "b36e4523d4d56e2595e28f16f6ccf1cd6a9fc452",
"versionType": "git"
},
{
"status": "affected",
"version": "75af3d78168e654a5cd8bbc4c774f97be836165f",
"versionType": "git"
},
{
"lessThan": "4.15",
"status": "affected",
"version": "4.14.92",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/netfilter/nf_conncount.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.18"
},
{
"lessThan": "4.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.292",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.236",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.180",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.132",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.84",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.20",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.14",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.292",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.236",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.180",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.132",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.84",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.20",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.8",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.14.92",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_conncount: Fully initialize struct nf_conncount_tuple in insert_tree()\n\nSince commit b36e4523d4d5 (\"netfilter: nf_conncount: fix garbage\ncollection confirm race\"), `cpu` and `jiffies32` were introduced to\nthe struct nf_conncount_tuple.\n\nThe commit made nf_conncount_add() initialize `conn-\u003ecpu` and\n`conn-\u003ejiffies32` when allocating the struct.\nIn contrast, count_tree() was not changed to initialize them.\n\nBy commit 34848d5c896e (\"netfilter: nf_conncount: Split insert and\ntraversal\"), count_tree() was split and the relevant allocation\ncode now resides in insert_tree().\nInitialize `conn-\u003ecpu` and `conn-\u003ejiffies32` in insert_tree().\n\nBUG: KMSAN: uninit-value in find_or_evict net/netfilter/nf_conncount.c:117 [inline]\nBUG: KMSAN: uninit-value in __nf_conncount_add+0xd9c/0x2850 net/netfilter/nf_conncount.c:143\n find_or_evict net/netfilter/nf_conncount.c:117 [inline]\n __nf_conncount_add+0xd9c/0x2850 net/netfilter/nf_conncount.c:143\n count_tree net/netfilter/nf_conncount.c:438 [inline]\n nf_conncount_count+0x82f/0x1e80 net/netfilter/nf_conncount.c:521\n connlimit_mt+0x7f6/0xbd0 net/netfilter/xt_connlimit.c:72\n __nft_match_eval net/netfilter/nft_compat.c:403 [inline]\n nft_match_eval+0x1a5/0x300 net/netfilter/nft_compat.c:433\n expr_call_ops_eval net/netfilter/nf_tables_core.c:240 [inline]\n nft_do_chain+0x426/0x2290 net/netfilter/nf_tables_core.c:288\n nft_do_chain_ipv4+0x1a5/0x230 net/netfilter/nft_chain_filter.c:23\n nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline]\n nf_hook_slow+0xf4/0x400 net/netfilter/core.c:626\n nf_hook_slow_list+0x24d/0x860 net/netfilter/core.c:663\n NF_HOOK_LIST include/linux/netfilter.h:350 [inline]\n ip_sublist_rcv+0x17b7/0x17f0 net/ipv4/ip_input.c:633\n ip_list_rcv+0x9ef/0xa40 net/ipv4/ip_input.c:669\n __netif_receive_skb_list_ptype net/core/dev.c:5936 [inline]\n __netif_receive_skb_list_core+0x15c5/0x1670 net/core/dev.c:5983\n __netif_receive_skb_list net/core/dev.c:6035 [inline]\n netif_receive_skb_list_internal+0x1085/0x1700 net/core/dev.c:6126\n netif_receive_skb_list+0x5a/0x460 net/core/dev.c:6178\n xdp_recv_frames net/bpf/test_run.c:280 [inline]\n xdp_test_run_batch net/bpf/test_run.c:361 [inline]\n bpf_test_run_xdp_live+0x2e86/0x3480 net/bpf/test_run.c:390\n bpf_prog_test_run_xdp+0xf1d/0x1ae0 net/bpf/test_run.c:1316\n bpf_prog_test_run+0x5e5/0xa30 kernel/bpf/syscall.c:4407\n __sys_bpf+0x6aa/0xd90 kernel/bpf/syscall.c:5813\n __do_sys_bpf kernel/bpf/syscall.c:5902 [inline]\n __se_sys_bpf kernel/bpf/syscall.c:5900 [inline]\n __ia32_sys_bpf+0xa0/0xe0 kernel/bpf/syscall.c:5900\n ia32_sys_call+0x394d/0x4180 arch/x86/include/generated/asm/syscalls_32.h:358\n do_syscall_32_irqs_on arch/x86/entry/common.c:165 [inline]\n __do_fast_syscall_32+0xb0/0x110 arch/x86/entry/common.c:387\n do_fast_syscall_32+0x38/0x80 arch/x86/entry/common.c:412\n do_SYSENTER_32+0x1f/0x30 arch/x86/entry/common.c:450\n entry_SYSENTER_compat_after_hwframe+0x84/0x8e\n\nUninit was created at:\n slab_post_alloc_hook mm/slub.c:4121 [inline]\n slab_alloc_node mm/slub.c:4164 [inline]\n kmem_cache_alloc_noprof+0x915/0xe10 mm/slub.c:4171\n insert_tree net/netfilter/nf_conncount.c:372 [inline]\n count_tree net/netfilter/nf_conncount.c:450 [inline]\n nf_conncount_count+0x1415/0x1e80 net/netfilter/nf_conncount.c:521\n connlimit_mt+0x7f6/0xbd0 net/netfilter/xt_connlimit.c:72\n __nft_match_eval net/netfilter/nft_compat.c:403 [inline]\n nft_match_eval+0x1a5/0x300 net/netfilter/nft_compat.c:433\n expr_call_ops_eval net/netfilter/nf_tables_core.c:240 [inline]\n nft_do_chain+0x426/0x2290 net/netfilter/nf_tables_core.c:288\n nft_do_chain_ipv4+0x1a5/0x230 net/netfilter/nft_chain_filter.c:23\n nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline]\n nf_hook_slow+0xf4/0x400 net/netfilter/core.c:626\n nf_hook_slow_list+0x24d/0x860 net/netfilter/core.c:663\n NF_HOOK_LIST include/linux/netfilter.h:350 [inline]\n ip_sublist_rcv+0x17b7/0x17f0 net/ipv4/ip_input.c:633\n ip_list_rcv+0x9ef/0xa40 net/ip\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-23T15:57:29.875Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f522229c5563b59b4240261e406779bba6754159"
},
{
"url": "https://git.kernel.org/stable/c/2a154ce766b995494e88d8d117fa82cc6b73dd87"
},
{
"url": "https://git.kernel.org/stable/c/e8544a5a97bee3674e7cd6bf0f3a4af517fa9146"
},
{
"url": "https://git.kernel.org/stable/c/a62a25c6ad58fae997f48a0749afeda1c252ae51"
},
{
"url": "https://git.kernel.org/stable/c/fda50302a13701d47fbe01e1739c7a51114144fb"
},
{
"url": "https://git.kernel.org/stable/c/db1e0c0856821c59a32ea3af79476bf20a6beeb2"
},
{
"url": "https://git.kernel.org/stable/c/2db5baaf047a7c8d6ed5e2cc657b7854e155b7fc"
},
{
"url": "https://git.kernel.org/stable/c/d653bfeb07ebb3499c403404c21ac58a16531607"
}
],
"title": "netfilter: nf_conncount: Fully initialize struct nf_conncount_tuple in insert_tree()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-21959",
"datePublished": "2025-04-01T15:46:57.775Z",
"dateReserved": "2024-12-29T08:45:45.793Z",
"dateUpdated": "2026-05-23T15:57:29.875Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-21960 (GCVE-0-2025-21960)
Vulnerability from cvelistv5 – Published: 2025-04-01 15:46 – Updated: 2026-05-11 21:09
VLAI
EPSS
Title
eth: bnxt: do not update checksum in bnxt_xdp_build_skb()
Summary
In the Linux kernel, the following vulnerability has been resolved:
eth: bnxt: do not update checksum in bnxt_xdp_build_skb()
The bnxt_rx_pkt() updates ip_summed value at the end if checksum offload
is enabled.
When the XDP-MB program is attached and it returns XDP_PASS, the
bnxt_xdp_build_skb() is called to update skb_shared_info.
The main purpose of bnxt_xdp_build_skb() is to update skb_shared_info,
but it updates ip_summed value too if checksum offload is enabled.
This is actually duplicate work.
When the bnxt_rx_pkt() updates ip_summed value, it checks if ip_summed
is CHECKSUM_NONE or not.
It means that ip_summed should be CHECKSUM_NONE at this moment.
But ip_summed may already be updated to CHECKSUM_UNNECESSARY in the
XDP-MB-PASS path.
So the by skb_checksum_none_assert() WARNS about it.
This is duplicate work and updating ip_summed in the
bnxt_xdp_build_skb() is not needed.
Splat looks like:
WARNING: CPU: 3 PID: 5782 at ./include/linux/skbuff.h:5155 bnxt_rx_pkt+0x479b/0x7610 [bnxt_en]
Modules linked in: bnxt_re bnxt_en rdma_ucm rdma_cm iw_cm ib_cm ib_uverbs veth xt_nat xt_tcpudp xt_conntrack nft_chain_nat xt_MASQUERADE nf_]
CPU: 3 UID: 0 PID: 5782 Comm: socat Tainted: G W 6.14.0-rc4+ #27
Tainted: [W]=WARN
Hardware name: ASUS System Product Name/PRIME Z690-P D4, BIOS 0603 11/01/2021
RIP: 0010:bnxt_rx_pkt+0x479b/0x7610 [bnxt_en]
Code: 54 24 0c 4c 89 f1 4c 89 ff c1 ea 1f ff d3 0f 1f 00 49 89 c6 48 85 c0 0f 84 4c e5 ff ff 48 89 c7 e8 ca 3d a0 c8 e9 8f f4 ff ff <0f> 0b f
RSP: 0018:ffff88881ba09928 EFLAGS: 00010202
RAX: 0000000000000000 RBX: 00000000c7590303 RCX: 0000000000000000
RDX: 1ffff1104e7d1610 RSI: 0000000000000001 RDI: ffff8881c91300b8
RBP: ffff88881ba09b28 R08: ffff888273e8b0d0 R09: ffff888273e8b070
R10: ffff888273e8b010 R11: ffff888278b0f000 R12: ffff888273e8b080
R13: ffff8881c9130e00 R14: ffff8881505d3800 R15: ffff888273e8b000
FS: 00007f5a2e7be080(0000) GS:ffff88881ba00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fff2e708ff8 CR3: 000000013e3b0000 CR4: 00000000007506f0
PKRU: 55555554
Call Trace:
<IRQ>
? __warn+0xcd/0x2f0
? bnxt_rx_pkt+0x479b/0x7610
? report_bug+0x326/0x3c0
? handle_bug+0x53/0xa0
? exc_invalid_op+0x14/0x50
? asm_exc_invalid_op+0x16/0x20
? bnxt_rx_pkt+0x479b/0x7610
? bnxt_rx_pkt+0x3e41/0x7610
? __pfx_bnxt_rx_pkt+0x10/0x10
? napi_complete_done+0x2cf/0x7d0
__bnxt_poll_work+0x4e8/0x1220
? __pfx___bnxt_poll_work+0x10/0x10
? __pfx_mark_lock.part.0+0x10/0x10
bnxt_poll_p5+0x36a/0xfa0
? __pfx_bnxt_poll_p5+0x10/0x10
__napi_poll.constprop.0+0xa0/0x440
net_rx_action+0x899/0xd00
...
Following ping.py patch adds xdp-mb-pass case. so ping.py is going
to be able to reproduce this issue.
Severity
No CVSS data available.
Assigner
References
6 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
1dc4c557bfedfcdf7fc0c46795857773b7ad66e7 , < e8e3e03d69f2420eaa578199a65d281c58867105
(git)
Affected: 1dc4c557bfedfcdf7fc0c46795857773b7ad66e7 , < ee086c8e775f9690282e3d26471dbcfd5dad5a6a (git) Affected: 1dc4c557bfedfcdf7fc0c46795857773b7ad66e7 , < 5b57ed14a1b85e7ab0074d9668a0baa6c94826c7 (git) Affected: 1dc4c557bfedfcdf7fc0c46795857773b7ad66e7 , < 44578bc6460b8fca530fc7bd5897c115d9bd27e2 (git) Affected: 1dc4c557bfedfcdf7fc0c46795857773b7ad66e7 , < c03e7d05aa0e2f7e9a9ce5ad8a12471a53f941dc (git) |
|
| Linux | Linux |
Affected:
5.19
Unaffected: 0 , < 5.19 (semver) Unaffected: 6.1.132 , ≤ 6.1.* (semver) Unaffected: 6.6.84 , ≤ 6.6.* (semver) Unaffected: 6.12.20 , ≤ 6.12.* (semver) Unaffected: 6.13.8 , ≤ 6.13.* (semver) Unaffected: 6.14 , ≤ * (original_commit_for_fix) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:40:02.778Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/broadcom/bnxt/bnxt.c",
"drivers/net/ethernet/broadcom/bnxt/bnxt_xdp.c",
"drivers/net/ethernet/broadcom/bnxt/bnxt_xdp.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e8e3e03d69f2420eaa578199a65d281c58867105",
"status": "affected",
"version": "1dc4c557bfedfcdf7fc0c46795857773b7ad66e7",
"versionType": "git"
},
{
"lessThan": "ee086c8e775f9690282e3d26471dbcfd5dad5a6a",
"status": "affected",
"version": "1dc4c557bfedfcdf7fc0c46795857773b7ad66e7",
"versionType": "git"
},
{
"lessThan": "5b57ed14a1b85e7ab0074d9668a0baa6c94826c7",
"status": "affected",
"version": "1dc4c557bfedfcdf7fc0c46795857773b7ad66e7",
"versionType": "git"
},
{
"lessThan": "44578bc6460b8fca530fc7bd5897c115d9bd27e2",
"status": "affected",
"version": "1dc4c557bfedfcdf7fc0c46795857773b7ad66e7",
"versionType": "git"
},
{
"lessThan": "c03e7d05aa0e2f7e9a9ce5ad8a12471a53f941dc",
"status": "affected",
"version": "1dc4c557bfedfcdf7fc0c46795857773b7ad66e7",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/broadcom/bnxt/bnxt.c",
"drivers/net/ethernet/broadcom/bnxt/bnxt_xdp.c",
"drivers/net/ethernet/broadcom/bnxt/bnxt_xdp.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.19"
},
{
"lessThan": "5.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.132",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.84",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.20",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.14",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.132",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.84",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.20",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.8",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14",
"versionStartIncluding": "5.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\neth: bnxt: do not update checksum in bnxt_xdp_build_skb()\n\nThe bnxt_rx_pkt() updates ip_summed value at the end if checksum offload\nis enabled.\nWhen the XDP-MB program is attached and it returns XDP_PASS, the\nbnxt_xdp_build_skb() is called to update skb_shared_info.\nThe main purpose of bnxt_xdp_build_skb() is to update skb_shared_info,\nbut it updates ip_summed value too if checksum offload is enabled.\nThis is actually duplicate work.\n\nWhen the bnxt_rx_pkt() updates ip_summed value, it checks if ip_summed\nis CHECKSUM_NONE or not.\nIt means that ip_summed should be CHECKSUM_NONE at this moment.\nBut ip_summed may already be updated to CHECKSUM_UNNECESSARY in the\nXDP-MB-PASS path.\nSo the by skb_checksum_none_assert() WARNS about it.\n\nThis is duplicate work and updating ip_summed in the\nbnxt_xdp_build_skb() is not needed.\n\nSplat looks like:\nWARNING: CPU: 3 PID: 5782 at ./include/linux/skbuff.h:5155 bnxt_rx_pkt+0x479b/0x7610 [bnxt_en]\nModules linked in: bnxt_re bnxt_en rdma_ucm rdma_cm iw_cm ib_cm ib_uverbs veth xt_nat xt_tcpudp xt_conntrack nft_chain_nat xt_MASQUERADE nf_]\nCPU: 3 UID: 0 PID: 5782 Comm: socat Tainted: G W 6.14.0-rc4+ #27\nTainted: [W]=WARN\nHardware name: ASUS System Product Name/PRIME Z690-P D4, BIOS 0603 11/01/2021\nRIP: 0010:bnxt_rx_pkt+0x479b/0x7610 [bnxt_en]\nCode: 54 24 0c 4c 89 f1 4c 89 ff c1 ea 1f ff d3 0f 1f 00 49 89 c6 48 85 c0 0f 84 4c e5 ff ff 48 89 c7 e8 ca 3d a0 c8 e9 8f f4 ff ff \u003c0f\u003e 0b f\nRSP: 0018:ffff88881ba09928 EFLAGS: 00010202\nRAX: 0000000000000000 RBX: 00000000c7590303 RCX: 0000000000000000\nRDX: 1ffff1104e7d1610 RSI: 0000000000000001 RDI: ffff8881c91300b8\nRBP: ffff88881ba09b28 R08: ffff888273e8b0d0 R09: ffff888273e8b070\nR10: ffff888273e8b010 R11: ffff888278b0f000 R12: ffff888273e8b080\nR13: ffff8881c9130e00 R14: ffff8881505d3800 R15: ffff888273e8b000\nFS: 00007f5a2e7be080(0000) GS:ffff88881ba00000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007fff2e708ff8 CR3: 000000013e3b0000 CR4: 00000000007506f0\nPKRU: 55555554\nCall Trace:\n \u003cIRQ\u003e\n ? __warn+0xcd/0x2f0\n ? bnxt_rx_pkt+0x479b/0x7610\n ? report_bug+0x326/0x3c0\n ? handle_bug+0x53/0xa0\n ? exc_invalid_op+0x14/0x50\n ? asm_exc_invalid_op+0x16/0x20\n ? bnxt_rx_pkt+0x479b/0x7610\n ? bnxt_rx_pkt+0x3e41/0x7610\n ? __pfx_bnxt_rx_pkt+0x10/0x10\n ? napi_complete_done+0x2cf/0x7d0\n __bnxt_poll_work+0x4e8/0x1220\n ? __pfx___bnxt_poll_work+0x10/0x10\n ? __pfx_mark_lock.part.0+0x10/0x10\n bnxt_poll_p5+0x36a/0xfa0\n ? __pfx_bnxt_poll_p5+0x10/0x10\n __napi_poll.constprop.0+0xa0/0x440\n net_rx_action+0x899/0xd00\n...\n\nFollowing ping.py patch adds xdp-mb-pass case. so ping.py is going\nto be able to reproduce this issue."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:09:52.457Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e8e3e03d69f2420eaa578199a65d281c58867105"
},
{
"url": "https://git.kernel.org/stable/c/ee086c8e775f9690282e3d26471dbcfd5dad5a6a"
},
{
"url": "https://git.kernel.org/stable/c/5b57ed14a1b85e7ab0074d9668a0baa6c94826c7"
},
{
"url": "https://git.kernel.org/stable/c/44578bc6460b8fca530fc7bd5897c115d9bd27e2"
},
{
"url": "https://git.kernel.org/stable/c/c03e7d05aa0e2f7e9a9ce5ad8a12471a53f941dc"
}
],
"title": "eth: bnxt: do not update checksum in bnxt_xdp_build_skb()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-21960",
"datePublished": "2025-04-01T15:46:58.291Z",
"dateReserved": "2024-12-29T08:45:45.795Z",
"dateUpdated": "2026-05-11T21:09:52.457Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-21961 (GCVE-0-2025-21961)
Vulnerability from cvelistv5 – Published: 2025-04-01 15:46 – Updated: 2026-05-11 21:09
VLAI
EPSS
Title
eth: bnxt: fix truesize for mb-xdp-pass case
Summary
In the Linux kernel, the following vulnerability has been resolved:
eth: bnxt: fix truesize for mb-xdp-pass case
When mb-xdp is set and return is XDP_PASS, packet is converted from
xdp_buff to sk_buff with xdp_update_skb_shared_info() in
bnxt_xdp_build_skb().
bnxt_xdp_build_skb() passes incorrect truesize argument to
xdp_update_skb_shared_info().
The truesize is calculated as BNXT_RX_PAGE_SIZE * sinfo->nr_frags but
the skb_shared_info was wiped by napi_build_skb() before.
So it stores sinfo->nr_frags before bnxt_xdp_build_skb() and use it
instead of getting skb_shared_info from xdp_get_shared_info_from_buff().
Splat looks like:
------------[ cut here ]------------
WARNING: CPU: 2 PID: 0 at net/core/skbuff.c:6072 skb_try_coalesce+0x504/0x590
Modules linked in: xt_nat xt_tcpudp veth af_packet xt_conntrack nft_chain_nat xt_MASQUERADE nf_conntrack_netlink xfrm_user xt_addrtype nft_coms
CPU: 2 UID: 0 PID: 0 Comm: swapper/2 Not tainted 6.14.0-rc2+ #3
RIP: 0010:skb_try_coalesce+0x504/0x590
Code: 4b fd ff ff 49 8b 34 24 40 80 e6 40 0f 84 3d fd ff ff 49 8b 74 24 48 40 f6 c6 01 0f 84 2e fd ff ff 48 8d 4e ff e9 25 fd ff ff <0f> 0b e99
RSP: 0018:ffffb62c4120caa8 EFLAGS: 00010287
RAX: 0000000000000003 RBX: ffffb62c4120cb14 RCX: 0000000000000ec0
RDX: 0000000000001000 RSI: ffffa06e5d7dc000 RDI: 0000000000000003
RBP: ffffa06e5d7ddec0 R08: ffffa06e6120a800 R09: ffffa06e7a119900
R10: 0000000000002310 R11: ffffa06e5d7dcec0 R12: ffffe4360575f740
R13: ffffe43600000000 R14: 0000000000000002 R15: 0000000000000002
FS: 0000000000000000(0000) GS:ffffa0755f700000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f147b76b0f8 CR3: 00000001615d4000 CR4: 00000000007506f0
PKRU: 55555554
Call Trace:
<IRQ>
? __warn+0x84/0x130
? skb_try_coalesce+0x504/0x590
? report_bug+0x18a/0x1a0
? handle_bug+0x53/0x90
? exc_invalid_op+0x14/0x70
? asm_exc_invalid_op+0x16/0x20
? skb_try_coalesce+0x504/0x590
inet_frag_reasm_finish+0x11f/0x2e0
ip_defrag+0x37a/0x900
ip_local_deliver+0x51/0x120
ip_sublist_rcv_finish+0x64/0x70
ip_sublist_rcv+0x179/0x210
ip_list_rcv+0xf9/0x130
How to reproduce:
<Node A>
ip link set $interface1 xdp obj xdp_pass.o
ip link set $interface1 mtu 9000 up
ip a a 10.0.0.1/24 dev $interface1
<Node B>
ip link set $interfac2 mtu 9000 up
ip a a 10.0.0.2/24 dev $interface2
ping 10.0.0.1 -s 65000
Following ping.py patch adds xdp-mb-pass case. so ping.py is going to be
able to reproduce this issue.
Severity
5.5 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
1dc4c557bfedfcdf7fc0c46795857773b7ad66e7 , < 19107e71be330dbccb9f8f9f4cf0a9abeadad802
(git)
Affected: 1dc4c557bfedfcdf7fc0c46795857773b7ad66e7 , < b4679807c6083ade4d47f03f80da891afcb6ef62 (git) Affected: 1dc4c557bfedfcdf7fc0c46795857773b7ad66e7 , < 9f7b2aa5034e24d3c49db73d5f760c0435fe31c2 (git) |
|
| Linux | Linux |
Affected:
5.19
Unaffected: 0 , < 5.19 (semver) Unaffected: 6.12.20 , ≤ 6.12.* (semver) Unaffected: 6.13.8 , ≤ 6.13.* (semver) Unaffected: 6.14 , ≤ * (original_commit_for_fix) |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-21961",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T17:15:46.557576Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-noinfo Not enough information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T17:15:48.731Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/broadcom/bnxt/bnxt.c",
"drivers/net/ethernet/broadcom/bnxt/bnxt_xdp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "19107e71be330dbccb9f8f9f4cf0a9abeadad802",
"status": "affected",
"version": "1dc4c557bfedfcdf7fc0c46795857773b7ad66e7",
"versionType": "git"
},
{
"lessThan": "b4679807c6083ade4d47f03f80da891afcb6ef62",
"status": "affected",
"version": "1dc4c557bfedfcdf7fc0c46795857773b7ad66e7",
"versionType": "git"
},
{
"lessThan": "9f7b2aa5034e24d3c49db73d5f760c0435fe31c2",
"status": "affected",
"version": "1dc4c557bfedfcdf7fc0c46795857773b7ad66e7",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/broadcom/bnxt/bnxt.c",
"drivers/net/ethernet/broadcom/bnxt/bnxt_xdp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.19"
},
{
"lessThan": "5.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.20",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.14",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.20",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.8",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14",
"versionStartIncluding": "5.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\neth: bnxt: fix truesize for mb-xdp-pass case\n\nWhen mb-xdp is set and return is XDP_PASS, packet is converted from\nxdp_buff to sk_buff with xdp_update_skb_shared_info() in\nbnxt_xdp_build_skb().\nbnxt_xdp_build_skb() passes incorrect truesize argument to\nxdp_update_skb_shared_info().\nThe truesize is calculated as BNXT_RX_PAGE_SIZE * sinfo-\u003enr_frags but\nthe skb_shared_info was wiped by napi_build_skb() before.\nSo it stores sinfo-\u003enr_frags before bnxt_xdp_build_skb() and use it\ninstead of getting skb_shared_info from xdp_get_shared_info_from_buff().\n\nSplat looks like:\n ------------[ cut here ]------------\n WARNING: CPU: 2 PID: 0 at net/core/skbuff.c:6072 skb_try_coalesce+0x504/0x590\n Modules linked in: xt_nat xt_tcpudp veth af_packet xt_conntrack nft_chain_nat xt_MASQUERADE nf_conntrack_netlink xfrm_user xt_addrtype nft_coms\n CPU: 2 UID: 0 PID: 0 Comm: swapper/2 Not tainted 6.14.0-rc2+ #3\n RIP: 0010:skb_try_coalesce+0x504/0x590\n Code: 4b fd ff ff 49 8b 34 24 40 80 e6 40 0f 84 3d fd ff ff 49 8b 74 24 48 40 f6 c6 01 0f 84 2e fd ff ff 48 8d 4e ff e9 25 fd ff ff \u003c0f\u003e 0b e99\n RSP: 0018:ffffb62c4120caa8 EFLAGS: 00010287\n RAX: 0000000000000003 RBX: ffffb62c4120cb14 RCX: 0000000000000ec0\n RDX: 0000000000001000 RSI: ffffa06e5d7dc000 RDI: 0000000000000003\n RBP: ffffa06e5d7ddec0 R08: ffffa06e6120a800 R09: ffffa06e7a119900\n R10: 0000000000002310 R11: ffffa06e5d7dcec0 R12: ffffe4360575f740\n R13: ffffe43600000000 R14: 0000000000000002 R15: 0000000000000002\n FS: 0000000000000000(0000) GS:ffffa0755f700000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 00007f147b76b0f8 CR3: 00000001615d4000 CR4: 00000000007506f0\n PKRU: 55555554\n Call Trace:\n \u003cIRQ\u003e\n ? __warn+0x84/0x130\n ? skb_try_coalesce+0x504/0x590\n ? report_bug+0x18a/0x1a0\n ? handle_bug+0x53/0x90\n ? exc_invalid_op+0x14/0x70\n ? asm_exc_invalid_op+0x16/0x20\n ? skb_try_coalesce+0x504/0x590\n inet_frag_reasm_finish+0x11f/0x2e0\n ip_defrag+0x37a/0x900\n ip_local_deliver+0x51/0x120\n ip_sublist_rcv_finish+0x64/0x70\n ip_sublist_rcv+0x179/0x210\n ip_list_rcv+0xf9/0x130\n\nHow to reproduce:\n\u003cNode A\u003e\nip link set $interface1 xdp obj xdp_pass.o\nip link set $interface1 mtu 9000 up\nip a a 10.0.0.1/24 dev $interface1\n\u003cNode B\u003e\nip link set $interfac2 mtu 9000 up\nip a a 10.0.0.2/24 dev $interface2\nping 10.0.0.1 -s 65000\n\nFollowing ping.py patch adds xdp-mb-pass case. so ping.py is going to be\nable to reproduce this issue."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:09:53.613Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/19107e71be330dbccb9f8f9f4cf0a9abeadad802"
},
{
"url": "https://git.kernel.org/stable/c/b4679807c6083ade4d47f03f80da891afcb6ef62"
},
{
"url": "https://git.kernel.org/stable/c/9f7b2aa5034e24d3c49db73d5f760c0435fe31c2"
}
],
"title": "eth: bnxt: fix truesize for mb-xdp-pass case",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-21961",
"datePublished": "2025-04-01T15:46:58.795Z",
"dateReserved": "2024-12-29T08:45:45.795Z",
"dateUpdated": "2026-05-11T21:09:53.613Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Loading…
Trend slope:
-
(linear fit over daily sighting counts)
Show additional events:
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…