Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CERTFR-2025-AVI-1008
Vulnerability from certfr_avis - Published: 2025-11-14 - Updated: 2025-11-14
De multiples vulnérabilités ont été découvertes dans le noyau Linux d'Ubuntu. Elles permettent à un attaquant de provoquer un contournement de la politique de sécurité et un problème de sécurité non spécifié par l'éditeur.
Solutions
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
Impacted products
References
| Title | Publication Time | Tags | |||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Ubuntu 16.04 ESM",
"product": {
"name": "Ubuntu",
"vendor": {
"name": "Ubuntu",
"scada": false
}
}
},
{
"description": "Ubuntu 20.04 ESM",
"product": {
"name": "Ubuntu",
"vendor": {
"name": "Ubuntu",
"scada": false
}
}
},
{
"description": "Ubuntu 24.04 LTS",
"product": {
"name": "Ubuntu",
"vendor": {
"name": "Ubuntu",
"scada": false
}
}
},
{
"description": "Ubuntu 18.04 ESM",
"product": {
"name": "Ubuntu",
"vendor": {
"name": "Ubuntu",
"scada": false
}
}
},
{
"description": "Ubuntu 14.04 ESM",
"product": {
"name": "Ubuntu",
"vendor": {
"name": "Ubuntu",
"scada": false
}
}
},
{
"description": "Ubuntu 22.04 LTS",
"product": {
"name": "Ubuntu",
"vendor": {
"name": "Ubuntu",
"scada": false
}
}
}
],
"affected_systems_content": "",
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [
{
"name": "CVE-2025-40114",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40114"
},
{
"name": "CVE-2025-22083",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22083"
},
{
"name": "CVE-2025-22033",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22033"
},
{
"name": "CVE-2025-39728",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39728"
},
{
"name": "CVE-2025-22025",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22025"
},
{
"name": "CVE-2025-22036",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22036"
},
{
"name": "CVE-2025-22027",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22027"
},
{
"name": "CVE-2025-22040",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22040"
},
{
"name": "CVE-2023-53034",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53034"
},
{
"name": "CVE-2024-27078",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-27078"
},
{
"name": "CVE-2025-23138",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-23138"
},
{
"name": "CVE-2025-38152",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38152"
},
{
"name": "CVE-2025-22019",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22019"
},
{
"name": "CVE-2025-22021",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22021"
},
{
"name": "CVE-2025-21796",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21796"
},
{
"name": "CVE-2024-35849",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-35849"
},
{
"name": "CVE-2025-22050",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22050"
},
{
"name": "CVE-2025-39735",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39735"
},
{
"name": "CVE-2024-41006",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-41006"
},
{
"name": "CVE-2025-22095",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22095"
},
{
"name": "CVE-2024-58092",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-58092"
},
{
"name": "CVE-2024-53150",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-53150"
},
{
"name": "CVE-2025-22039",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22039"
},
{
"name": "CVE-2025-37937",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-37937"
},
{
"name": "CVE-2021-47330",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-47330"
},
{
"name": "CVE-2025-38637",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38637"
},
{
"name": "CVE-2025-22055",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22055"
},
{
"name": "CVE-2025-22090",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22090"
},
{
"name": "CVE-2024-53124",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-53124"
},
{
"name": "CVE-2021-47319",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-47319"
},
{
"name": "CVE-2025-22035",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22035"
},
{
"name": "CVE-2023-52650",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-52650"
},
{
"name": "CVE-2025-22080",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22080"
},
{
"name": "CVE-2025-23136",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-23136"
},
{
"name": "CVE-2025-37785",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-37785"
},
{
"name": "CVE-2024-50006",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-50006"
},
{
"name": "CVE-2025-22028",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22028"
},
{
"name": "CVE-2025-38118",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38118"
},
{
"name": "CVE-2025-22044",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22044"
},
{
"name": "CVE-2025-22062",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22062"
},
{
"name": "CVE-2025-38575",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38575"
},
{
"name": "CVE-2025-38240",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38240"
},
{
"name": "CVE-2025-22058",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22058"
},
{
"name": "CVE-2025-22018",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22018"
},
{
"name": "CVE-2025-22056",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22056"
},
{
"name": "CVE-2025-22057",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22057"
},
{
"name": "CVE-2021-47589",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-47589"
},
{
"name": "CVE-2024-49924",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-49924"
},
{
"name": "CVE-2025-22068",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22068"
},
{
"name": "CVE-2025-22045",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22045"
},
{
"name": "CVE-2021-47149",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-47149"
},
{
"name": "CVE-2023-52574",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-52574"
},
{
"name": "CVE-2025-22072",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22072"
},
{
"name": "CVE-2025-22060",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22060"
},
{
"name": "CVE-2025-22066",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22066"
},
{
"name": "CVE-2025-22047",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22047"
},
{
"name": "CVE-2025-22070",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22070"
},
{
"name": "CVE-2025-22071",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22071"
},
{
"name": "CVE-2025-38617",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38617"
},
{
"name": "CVE-2025-22075",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22075"
},
{
"name": "CVE-2025-22065",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22065"
},
{
"name": "CVE-2025-22097",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22097"
},
{
"name": "CVE-2025-22020",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22020"
},
{
"name": "CVE-2021-47294",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-47294"
},
{
"name": "CVE-2025-40300",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40300"
},
{
"name": "CVE-2025-22063",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22063"
},
{
"name": "CVE-2024-56767",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-56767"
},
{
"name": "CVE-2025-37838",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-37838"
},
{
"name": "CVE-2025-38352",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38352"
},
{
"name": "CVE-2025-38618",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38618"
},
{
"name": "CVE-2025-22042",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22042"
},
{
"name": "CVE-2025-22038",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22038"
},
{
"name": "CVE-2025-22089",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22089"
},
{
"name": "CVE-2024-50299",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-50299"
},
{
"name": "CVE-2025-22054",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22054"
},
{
"name": "CVE-2025-22086",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22086"
},
{
"name": "CVE-2025-39682",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39682"
},
{
"name": "CVE-2025-22073",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22073"
},
{
"name": "CVE-2025-22064",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22064"
},
{
"name": "CVE-2025-22053",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22053"
},
{
"name": "CVE-2025-22079",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22079"
},
{
"name": "CVE-2025-22041",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22041"
},
{
"name": "CVE-2025-22081",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22081"
}
],
"initial_release_date": "2025-11-14T00:00:00",
"last_revision_date": "2025-11-14T00:00:00",
"links": [],
"reference": "CERTFR-2025-AVI-1008",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2025-11-14T00:00:00.000000"
}
],
"risks": [
{
"description": "Non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans le noyau Linux d\u0027Ubuntu. Elles permettent \u00e0 un attaquant de provoquer un contournement de la politique de s\u00e9curit\u00e9 et un probl\u00e8me de s\u00e9curit\u00e9 non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur.",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans le noyau Linux d\u0027Ubuntu",
"vendor_advisories": [
{
"published_at": "2025-11-07",
"title": "Bulletin de s\u00e9curit\u00e9 Ubuntu USN-7853-3",
"url": "https://ubuntu.com/security/notices/USN-7853-3"
},
{
"published_at": "2025-11-13",
"title": "Bulletin de s\u00e9curit\u00e9 Ubuntu USN-7862-3",
"url": "https://ubuntu.com/security/notices/USN-7862-3"
},
{
"published_at": "2025-11-10",
"title": "Bulletin de s\u00e9curit\u00e9 Ubuntu USN-7865-1",
"url": "https://ubuntu.com/security/notices/USN-7865-1"
},
{
"published_at": "2025-11-10",
"title": "Bulletin de s\u00e9curit\u00e9 Ubuntu USN-7862-2",
"url": "https://ubuntu.com/security/notices/USN-7862-2"
},
{
"published_at": "2025-11-10",
"title": "Bulletin de s\u00e9curit\u00e9 Ubuntu USN-7860-5",
"url": "https://ubuntu.com/security/notices/USN-7860-5"
},
{
"published_at": "2025-11-13",
"title": "Bulletin de s\u00e9curit\u00e9 Ubuntu USN-7861-3",
"url": "https://ubuntu.com/security/notices/USN-7861-3"
},
{
"published_at": "2025-11-12",
"title": "Bulletin de s\u00e9curit\u00e9 Ubuntu USN-7835-6",
"url": "https://ubuntu.com/security/notices/USN-7835-6"
}
]
}
CVE-2025-22055 (GCVE-0-2025-22055)
Vulnerability from cvelistv5 – Published: 2025-04-16 14:12 – Updated: 2026-05-11 21:11
VLAI
EPSS
Title
net: fix geneve_opt length integer overflow
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: fix geneve_opt length integer overflow
struct geneve_opt uses 5 bit length for each single option, which
means every vary size option should be smaller than 128 bytes.
However, all current related Netlink policies cannot promise this
length condition and the attacker can exploit a exact 128-byte size
option to *fake* a zero length option and confuse the parsing logic,
further achieve heap out-of-bounds read.
One example crash log is like below:
[ 3.905425] ==================================================================
[ 3.905925] BUG: KASAN: slab-out-of-bounds in nla_put+0xa9/0xe0
[ 3.906255] Read of size 124 at addr ffff888005f291cc by task poc/177
[ 3.906646]
[ 3.906775] CPU: 0 PID: 177 Comm: poc-oob-read Not tainted 6.1.132 #1
[ 3.907131] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
[ 3.907784] Call Trace:
[ 3.907925] <TASK>
[ 3.908048] dump_stack_lvl+0x44/0x5c
[ 3.908258] print_report+0x184/0x4be
[ 3.909151] kasan_report+0xc5/0x100
[ 3.909539] kasan_check_range+0xf3/0x1a0
[ 3.909794] memcpy+0x1f/0x60
[ 3.909968] nla_put+0xa9/0xe0
[ 3.910147] tunnel_key_dump+0x945/0xba0
[ 3.911536] tcf_action_dump_1+0x1c1/0x340
[ 3.912436] tcf_action_dump+0x101/0x180
[ 3.912689] tcf_exts_dump+0x164/0x1e0
[ 3.912905] fw_dump+0x18b/0x2d0
[ 3.913483] tcf_fill_node+0x2ee/0x460
[ 3.914778] tfilter_notify+0xf4/0x180
[ 3.915208] tc_new_tfilter+0xd51/0x10d0
[ 3.918615] rtnetlink_rcv_msg+0x4a2/0x560
[ 3.919118] netlink_rcv_skb+0xcd/0x200
[ 3.919787] netlink_unicast+0x395/0x530
[ 3.921032] netlink_sendmsg+0x3d0/0x6d0
[ 3.921987] __sock_sendmsg+0x99/0xa0
[ 3.922220] __sys_sendto+0x1b7/0x240
[ 3.922682] __x64_sys_sendto+0x72/0x90
[ 3.922906] do_syscall_64+0x5e/0x90
[ 3.923814] entry_SYSCALL_64_after_hwframe+0x6e/0xd8
[ 3.924122] RIP: 0033:0x7e83eab84407
[ 3.924331] Code: 48 89 fa 4c 89 df e8 38 aa 00 00 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 1a 5b c3 0f 1f 84 00 00 00 00 00 48 8b 44 24 10 0f 05 <5b> c3 0f 1f 80 00 00 00 00 83 e2 39 83 faf
[ 3.925330] RSP: 002b:00007ffff505e370 EFLAGS: 00000202 ORIG_RAX: 000000000000002c
[ 3.925752] RAX: ffffffffffffffda RBX: 00007e83eaafa740 RCX: 00007e83eab84407
[ 3.926173] RDX: 00000000000001a8 RSI: 00007ffff505e3c0 RDI: 0000000000000003
[ 3.926587] RBP: 00007ffff505f460 R08: 00007e83eace1000 R09: 000000000000000c
[ 3.926977] R10: 0000000000000000 R11: 0000000000000202 R12: 00007ffff505f3c0
[ 3.927367] R13: 00007ffff505f5c8 R14: 00007e83ead1b000 R15: 00005d4fbbe6dcb8
Fix these issues by enforing correct length condition in related
policies.
Severity
No CVSS data available.
Assigner
References
10 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
0ed5269f9e41f495c8e9020c85f5e1644c1afc57 , < a2cb85f989e2074e2f392e00188c438cab3de088
(git)
Affected: 0ed5269f9e41f495c8e9020c85f5e1644c1afc57 , < b4513ad0f391871d3feee8ddf535609a3aabeeac (git) Affected: 0ed5269f9e41f495c8e9020c85f5e1644c1afc57 , < 21748669c5825761cbbf47cbeeb01387ddccc8cb (git) Affected: 0ed5269f9e41f495c8e9020c85f5e1644c1afc57 , < 5a2976cc4d9c36ff58a0f10e35ce4283cbaa9c0e (git) Affected: 0ed5269f9e41f495c8e9020c85f5e1644c1afc57 , < 2952776c69a1a551649ed770bf22e3f691f6ec65 (git) Affected: 0ed5269f9e41f495c8e9020c85f5e1644c1afc57 , < 738ae5712215fe9181587d582b23333f02c62ca6 (git) Affected: 0ed5269f9e41f495c8e9020c85f5e1644c1afc57 , < 4d606069bdd3c76f8ab1f06796c97ef7f4746807 (git) Affected: 0ed5269f9e41f495c8e9020c85f5e1644c1afc57 , < b27055a08ad4b415dcf15b63034f9cb236f7fb40 (git) |
|
| Linux | Linux |
Affected:
4.19
Unaffected: 0 , < 4.19 (semver) Unaffected: 5.10.236 , ≤ 5.10.* (semver) Unaffected: 5.15.180 , ≤ 5.15.* (semver) Unaffected: 6.1.134 , ≤ 6.1.* (semver) Unaffected: 6.6.87 , ≤ 6.6.* (semver) Unaffected: 6.12.23 , ≤ 6.12.* (semver) Unaffected: 6.13.11 , ≤ 6.13.* (semver) Unaffected: 6.14.2 , ≤ 6.14.* (semver) Unaffected: 6.15 , ≤ * (original_commit_for_fix) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:41:38.411Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ipv4/ip_tunnel_core.c",
"net/netfilter/nft_tunnel.c",
"net/sched/act_tunnel_key.c",
"net/sched/cls_flower.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a2cb85f989e2074e2f392e00188c438cab3de088",
"status": "affected",
"version": "0ed5269f9e41f495c8e9020c85f5e1644c1afc57",
"versionType": "git"
},
{
"lessThan": "b4513ad0f391871d3feee8ddf535609a3aabeeac",
"status": "affected",
"version": "0ed5269f9e41f495c8e9020c85f5e1644c1afc57",
"versionType": "git"
},
{
"lessThan": "21748669c5825761cbbf47cbeeb01387ddccc8cb",
"status": "affected",
"version": "0ed5269f9e41f495c8e9020c85f5e1644c1afc57",
"versionType": "git"
},
{
"lessThan": "5a2976cc4d9c36ff58a0f10e35ce4283cbaa9c0e",
"status": "affected",
"version": "0ed5269f9e41f495c8e9020c85f5e1644c1afc57",
"versionType": "git"
},
{
"lessThan": "2952776c69a1a551649ed770bf22e3f691f6ec65",
"status": "affected",
"version": "0ed5269f9e41f495c8e9020c85f5e1644c1afc57",
"versionType": "git"
},
{
"lessThan": "738ae5712215fe9181587d582b23333f02c62ca6",
"status": "affected",
"version": "0ed5269f9e41f495c8e9020c85f5e1644c1afc57",
"versionType": "git"
},
{
"lessThan": "4d606069bdd3c76f8ab1f06796c97ef7f4746807",
"status": "affected",
"version": "0ed5269f9e41f495c8e9020c85f5e1644c1afc57",
"versionType": "git"
},
{
"lessThan": "b27055a08ad4b415dcf15b63034f9cb236f7fb40",
"status": "affected",
"version": "0ed5269f9e41f495c8e9020c85f5e1644c1afc57",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ipv4/ip_tunnel_core.c",
"net/netfilter/nft_tunnel.c",
"net/sched/act_tunnel_key.c",
"net/sched/cls_flower.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.19"
},
{
"lessThan": "4.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.236",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.180",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.134",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.87",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.23",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.14.*",
"status": "unaffected",
"version": "6.14.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.15",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.236",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.180",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.134",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.87",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.23",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.11",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14.2",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15",
"versionStartIncluding": "4.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: fix geneve_opt length integer overflow\n\nstruct geneve_opt uses 5 bit length for each single option, which\nmeans every vary size option should be smaller than 128 bytes.\n\nHowever, all current related Netlink policies cannot promise this\nlength condition and the attacker can exploit a exact 128-byte size\noption to *fake* a zero length option and confuse the parsing logic,\nfurther achieve heap out-of-bounds read.\n\nOne example crash log is like below:\n\n[ 3.905425] ==================================================================\n[ 3.905925] BUG: KASAN: slab-out-of-bounds in nla_put+0xa9/0xe0\n[ 3.906255] Read of size 124 at addr ffff888005f291cc by task poc/177\n[ 3.906646]\n[ 3.906775] CPU: 0 PID: 177 Comm: poc-oob-read Not tainted 6.1.132 #1\n[ 3.907131] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014\n[ 3.907784] Call Trace:\n[ 3.907925] \u003cTASK\u003e\n[ 3.908048] dump_stack_lvl+0x44/0x5c\n[ 3.908258] print_report+0x184/0x4be\n[ 3.909151] kasan_report+0xc5/0x100\n[ 3.909539] kasan_check_range+0xf3/0x1a0\n[ 3.909794] memcpy+0x1f/0x60\n[ 3.909968] nla_put+0xa9/0xe0\n[ 3.910147] tunnel_key_dump+0x945/0xba0\n[ 3.911536] tcf_action_dump_1+0x1c1/0x340\n[ 3.912436] tcf_action_dump+0x101/0x180\n[ 3.912689] tcf_exts_dump+0x164/0x1e0\n[ 3.912905] fw_dump+0x18b/0x2d0\n[ 3.913483] tcf_fill_node+0x2ee/0x460\n[ 3.914778] tfilter_notify+0xf4/0x180\n[ 3.915208] tc_new_tfilter+0xd51/0x10d0\n[ 3.918615] rtnetlink_rcv_msg+0x4a2/0x560\n[ 3.919118] netlink_rcv_skb+0xcd/0x200\n[ 3.919787] netlink_unicast+0x395/0x530\n[ 3.921032] netlink_sendmsg+0x3d0/0x6d0\n[ 3.921987] __sock_sendmsg+0x99/0xa0\n[ 3.922220] __sys_sendto+0x1b7/0x240\n[ 3.922682] __x64_sys_sendto+0x72/0x90\n[ 3.922906] do_syscall_64+0x5e/0x90\n[ 3.923814] entry_SYSCALL_64_after_hwframe+0x6e/0xd8\n[ 3.924122] RIP: 0033:0x7e83eab84407\n[ 3.924331] Code: 48 89 fa 4c 89 df e8 38 aa 00 00 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 1a 5b c3 0f 1f 84 00 00 00 00 00 48 8b 44 24 10 0f 05 \u003c5b\u003e c3 0f 1f 80 00 00 00 00 83 e2 39 83 faf\n[ 3.925330] RSP: 002b:00007ffff505e370 EFLAGS: 00000202 ORIG_RAX: 000000000000002c\n[ 3.925752] RAX: ffffffffffffffda RBX: 00007e83eaafa740 RCX: 00007e83eab84407\n[ 3.926173] RDX: 00000000000001a8 RSI: 00007ffff505e3c0 RDI: 0000000000000003\n[ 3.926587] RBP: 00007ffff505f460 R08: 00007e83eace1000 R09: 000000000000000c\n[ 3.926977] R10: 0000000000000000 R11: 0000000000000202 R12: 00007ffff505f3c0\n[ 3.927367] R13: 00007ffff505f5c8 R14: 00007e83ead1b000 R15: 00005d4fbbe6dcb8\n\nFix these issues by enforing correct length condition in related\npolicies."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:11:46.132Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a2cb85f989e2074e2f392e00188c438cab3de088"
},
{
"url": "https://git.kernel.org/stable/c/b4513ad0f391871d3feee8ddf535609a3aabeeac"
},
{
"url": "https://git.kernel.org/stable/c/21748669c5825761cbbf47cbeeb01387ddccc8cb"
},
{
"url": "https://git.kernel.org/stable/c/5a2976cc4d9c36ff58a0f10e35ce4283cbaa9c0e"
},
{
"url": "https://git.kernel.org/stable/c/2952776c69a1a551649ed770bf22e3f691f6ec65"
},
{
"url": "https://git.kernel.org/stable/c/738ae5712215fe9181587d582b23333f02c62ca6"
},
{
"url": "https://git.kernel.org/stable/c/4d606069bdd3c76f8ab1f06796c97ef7f4746807"
},
{
"url": "https://git.kernel.org/stable/c/b27055a08ad4b415dcf15b63034f9cb236f7fb40"
}
],
"title": "net: fix geneve_opt length integer overflow",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-22055",
"datePublished": "2025-04-16T14:12:12.595Z",
"dateReserved": "2024-12-29T08:45:45.811Z",
"dateUpdated": "2026-05-11T21:11:46.132Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-22056 (GCVE-0-2025-22056)
Vulnerability from cvelistv5 – Published: 2025-04-16 14:12 – Updated: 2026-05-11 21:11
VLAI
EPSS
Title
netfilter: nft_tunnel: fix geneve_opt type confusion addition
Summary
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nft_tunnel: fix geneve_opt type confusion addition
When handling multiple NFTA_TUNNEL_KEY_OPTS_GENEVE attributes, the
parsing logic should place every geneve_opt structure one by one
compactly. Hence, when deciding the next geneve_opt position, the
pointer addition should be in units of char *.
However, the current implementation erroneously does type conversion
before the addition, which will lead to heap out-of-bounds write.
[ 6.989857] ==================================================================
[ 6.990293] BUG: KASAN: slab-out-of-bounds in nft_tunnel_obj_init+0x977/0xa70
[ 6.990725] Write of size 124 at addr ffff888005f18974 by task poc/178
[ 6.991162]
[ 6.991259] CPU: 0 PID: 178 Comm: poc-oob-write Not tainted 6.1.132 #1
[ 6.991655] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
[ 6.992281] Call Trace:
[ 6.992423] <TASK>
[ 6.992586] dump_stack_lvl+0x44/0x5c
[ 6.992801] print_report+0x184/0x4be
[ 6.993790] kasan_report+0xc5/0x100
[ 6.994252] kasan_check_range+0xf3/0x1a0
[ 6.994486] memcpy+0x38/0x60
[ 6.994692] nft_tunnel_obj_init+0x977/0xa70
[ 6.995677] nft_obj_init+0x10c/0x1b0
[ 6.995891] nf_tables_newobj+0x585/0x950
[ 6.996922] nfnetlink_rcv_batch+0xdf9/0x1020
[ 6.998997] nfnetlink_rcv+0x1df/0x220
[ 6.999537] netlink_unicast+0x395/0x530
[ 7.000771] netlink_sendmsg+0x3d0/0x6d0
[ 7.001462] __sock_sendmsg+0x99/0xa0
[ 7.001707] ____sys_sendmsg+0x409/0x450
[ 7.002391] ___sys_sendmsg+0xfd/0x170
[ 7.003145] __sys_sendmsg+0xea/0x170
[ 7.004359] do_syscall_64+0x5e/0x90
[ 7.005817] entry_SYSCALL_64_after_hwframe+0x6e/0xd8
[ 7.006127] RIP: 0033:0x7ec756d4e407
[ 7.006339] Code: 48 89 fa 4c 89 df e8 38 aa 00 00 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 1a 5b c3 0f 1f 84 00 00 00 00 00 48 8b 44 24 10 0f 05 <5b> c3 0f 1f 80 00 00 00 00 83 e2 39 83 faf
[ 7.007364] RSP: 002b:00007ffed5d46760 EFLAGS: 00000202 ORIG_RAX: 000000000000002e
[ 7.007827] RAX: ffffffffffffffda RBX: 00007ec756cc4740 RCX: 00007ec756d4e407
[ 7.008223] RDX: 0000000000000000 RSI: 00007ffed5d467f0 RDI: 0000000000000003
[ 7.008620] RBP: 00007ffed5d468a0 R08: 0000000000000000 R09: 0000000000000000
[ 7.009039] R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000000
[ 7.009429] R13: 00007ffed5d478b0 R14: 00007ec756ee5000 R15: 00005cbd4e655cb8
Fix this bug with correct pointer addition and conversion in parse
and dump code.
Severity
7.8 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-787 - Out-of-bounds Write
Assigner
References
10 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
925d844696d9287f841d6b3e0ed62a35fb175970 , < 31d49eb436f2da61280508d7adf8c9b473b967aa
(git)
Affected: 925d844696d9287f841d6b3e0ed62a35fb175970 , < ca2adfc03cd6273f0b589fe65afc6f75e0fe116e (git) Affected: 925d844696d9287f841d6b3e0ed62a35fb175970 , < a263d31c8c92e5919d41af57d9479cfb66323782 (git) Affected: 925d844696d9287f841d6b3e0ed62a35fb175970 , < 28d88ee1e1cc8ac2d79aeb112717b97c5c833d43 (git) Affected: 925d844696d9287f841d6b3e0ed62a35fb175970 , < 0a93a710d6df334b828ea064c6d39fda34f901dc (git) Affected: 925d844696d9287f841d6b3e0ed62a35fb175970 , < 446d94898c560ed2f61e26ae445858a4c4830762 (git) Affected: 925d844696d9287f841d6b3e0ed62a35fb175970 , < 708e268acb3a446ad2a8a3d2e9bd41cc23660cd6 (git) Affected: 925d844696d9287f841d6b3e0ed62a35fb175970 , < 1b755d8eb1ace3870789d48fbd94f386ad6e30be (git) |
|
| Linux | Linux |
Affected:
5.7
Unaffected: 0 , < 5.7 (semver) Unaffected: 5.10.236 , ≤ 5.10.* (semver) Unaffected: 5.15.180 , ≤ 5.15.* (semver) Unaffected: 6.1.134 , ≤ 6.1.* (semver) Unaffected: 6.6.87 , ≤ 6.6.* (semver) Unaffected: 6.12.23 , ≤ 6.12.* (semver) Unaffected: 6.13.11 , ≤ 6.13.* (semver) Unaffected: 6.14.2 , ≤ 6.14.* (semver) Unaffected: 6.15 , ≤ * (original_commit_for_fix) |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-22056",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T17:41:22.716014Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-787",
"description": "CWE-787 Out-of-bounds Write",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T17:41:26.294Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:41:41.225Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/netfilter/nft_tunnel.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "31d49eb436f2da61280508d7adf8c9b473b967aa",
"status": "affected",
"version": "925d844696d9287f841d6b3e0ed62a35fb175970",
"versionType": "git"
},
{
"lessThan": "ca2adfc03cd6273f0b589fe65afc6f75e0fe116e",
"status": "affected",
"version": "925d844696d9287f841d6b3e0ed62a35fb175970",
"versionType": "git"
},
{
"lessThan": "a263d31c8c92e5919d41af57d9479cfb66323782",
"status": "affected",
"version": "925d844696d9287f841d6b3e0ed62a35fb175970",
"versionType": "git"
},
{
"lessThan": "28d88ee1e1cc8ac2d79aeb112717b97c5c833d43",
"status": "affected",
"version": "925d844696d9287f841d6b3e0ed62a35fb175970",
"versionType": "git"
},
{
"lessThan": "0a93a710d6df334b828ea064c6d39fda34f901dc",
"status": "affected",
"version": "925d844696d9287f841d6b3e0ed62a35fb175970",
"versionType": "git"
},
{
"lessThan": "446d94898c560ed2f61e26ae445858a4c4830762",
"status": "affected",
"version": "925d844696d9287f841d6b3e0ed62a35fb175970",
"versionType": "git"
},
{
"lessThan": "708e268acb3a446ad2a8a3d2e9bd41cc23660cd6",
"status": "affected",
"version": "925d844696d9287f841d6b3e0ed62a35fb175970",
"versionType": "git"
},
{
"lessThan": "1b755d8eb1ace3870789d48fbd94f386ad6e30be",
"status": "affected",
"version": "925d844696d9287f841d6b3e0ed62a35fb175970",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/netfilter/nft_tunnel.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.7"
},
{
"lessThan": "5.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.236",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.180",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.134",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.87",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.23",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.14.*",
"status": "unaffected",
"version": "6.14.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.15",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.236",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.180",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.134",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.87",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.23",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.11",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14.2",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15",
"versionStartIncluding": "5.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nft_tunnel: fix geneve_opt type confusion addition\n\nWhen handling multiple NFTA_TUNNEL_KEY_OPTS_GENEVE attributes, the\nparsing logic should place every geneve_opt structure one by one\ncompactly. Hence, when deciding the next geneve_opt position, the\npointer addition should be in units of char *.\n\nHowever, the current implementation erroneously does type conversion\nbefore the addition, which will lead to heap out-of-bounds write.\n\n[ 6.989857] ==================================================================\n[ 6.990293] BUG: KASAN: slab-out-of-bounds in nft_tunnel_obj_init+0x977/0xa70\n[ 6.990725] Write of size 124 at addr ffff888005f18974 by task poc/178\n[ 6.991162]\n[ 6.991259] CPU: 0 PID: 178 Comm: poc-oob-write Not tainted 6.1.132 #1\n[ 6.991655] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014\n[ 6.992281] Call Trace:\n[ 6.992423] \u003cTASK\u003e\n[ 6.992586] dump_stack_lvl+0x44/0x5c\n[ 6.992801] print_report+0x184/0x4be\n[ 6.993790] kasan_report+0xc5/0x100\n[ 6.994252] kasan_check_range+0xf3/0x1a0\n[ 6.994486] memcpy+0x38/0x60\n[ 6.994692] nft_tunnel_obj_init+0x977/0xa70\n[ 6.995677] nft_obj_init+0x10c/0x1b0\n[ 6.995891] nf_tables_newobj+0x585/0x950\n[ 6.996922] nfnetlink_rcv_batch+0xdf9/0x1020\n[ 6.998997] nfnetlink_rcv+0x1df/0x220\n[ 6.999537] netlink_unicast+0x395/0x530\n[ 7.000771] netlink_sendmsg+0x3d0/0x6d0\n[ 7.001462] __sock_sendmsg+0x99/0xa0\n[ 7.001707] ____sys_sendmsg+0x409/0x450\n[ 7.002391] ___sys_sendmsg+0xfd/0x170\n[ 7.003145] __sys_sendmsg+0xea/0x170\n[ 7.004359] do_syscall_64+0x5e/0x90\n[ 7.005817] entry_SYSCALL_64_after_hwframe+0x6e/0xd8\n[ 7.006127] RIP: 0033:0x7ec756d4e407\n[ 7.006339] Code: 48 89 fa 4c 89 df e8 38 aa 00 00 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 1a 5b c3 0f 1f 84 00 00 00 00 00 48 8b 44 24 10 0f 05 \u003c5b\u003e c3 0f 1f 80 00 00 00 00 83 e2 39 83 faf\n[ 7.007364] RSP: 002b:00007ffed5d46760 EFLAGS: 00000202 ORIG_RAX: 000000000000002e\n[ 7.007827] RAX: ffffffffffffffda RBX: 00007ec756cc4740 RCX: 00007ec756d4e407\n[ 7.008223] RDX: 0000000000000000 RSI: 00007ffed5d467f0 RDI: 0000000000000003\n[ 7.008620] RBP: 00007ffed5d468a0 R08: 0000000000000000 R09: 0000000000000000\n[ 7.009039] R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000000\n[ 7.009429] R13: 00007ffed5d478b0 R14: 00007ec756ee5000 R15: 00005cbd4e655cb8\n\nFix this bug with correct pointer addition and conversion in parse\nand dump code."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:11:47.291Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/31d49eb436f2da61280508d7adf8c9b473b967aa"
},
{
"url": "https://git.kernel.org/stable/c/ca2adfc03cd6273f0b589fe65afc6f75e0fe116e"
},
{
"url": "https://git.kernel.org/stable/c/a263d31c8c92e5919d41af57d9479cfb66323782"
},
{
"url": "https://git.kernel.org/stable/c/28d88ee1e1cc8ac2d79aeb112717b97c5c833d43"
},
{
"url": "https://git.kernel.org/stable/c/0a93a710d6df334b828ea064c6d39fda34f901dc"
},
{
"url": "https://git.kernel.org/stable/c/446d94898c560ed2f61e26ae445858a4c4830762"
},
{
"url": "https://git.kernel.org/stable/c/708e268acb3a446ad2a8a3d2e9bd41cc23660cd6"
},
{
"url": "https://git.kernel.org/stable/c/1b755d8eb1ace3870789d48fbd94f386ad6e30be"
}
],
"title": "netfilter: nft_tunnel: fix geneve_opt type confusion addition",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-22056",
"datePublished": "2025-04-16T14:12:13.440Z",
"dateReserved": "2024-12-29T08:45:45.812Z",
"dateUpdated": "2026-05-11T21:11:47.291Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-22057 (GCVE-0-2025-22057)
Vulnerability from cvelistv5 – Published: 2025-04-16 14:12 – Updated: 2026-05-11 21:11
VLAI
EPSS
Title
net: decrease cached dst counters in dst_release
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: decrease cached dst counters in dst_release
Upstream fix ac888d58869b ("net: do not delay dst_entries_add() in
dst_release()") moved decrementing the dst count from dst_destroy to
dst_release to avoid accessing already freed data in case of netns
dismantle. However in case CONFIG_DST_CACHE is enabled and OvS+tunnels
are used, this fix is incomplete as the same issue will be seen for
cached dsts:
Unable to handle kernel paging request at virtual address ffff5aabf6b5c000
Call trace:
percpu_counter_add_batch+0x3c/0x160 (P)
dst_release+0xec/0x108
dst_cache_destroy+0x68/0xd8
dst_destroy+0x13c/0x168
dst_destroy_rcu+0x1c/0xb0
rcu_do_batch+0x18c/0x7d0
rcu_core+0x174/0x378
rcu_core_si+0x18/0x30
Fix this by invalidating the cache, and thus decrementing cached dst
counters, in dst_release too.
Severity
No CVSS data available.
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
d71785ffc7e7cae3fbdc4ea8a9d05b7a1c59f7b8 , < ccc331fd5bcae131d2627d5ef099d4a1f6540aea
(git)
Affected: d71785ffc7e7cae3fbdc4ea8a9d05b7a1c59f7b8 , < 92a5c18513117be69bc00419dd1724c1940f8fcd (git) Affected: d71785ffc7e7cae3fbdc4ea8a9d05b7a1c59f7b8 , < 836415a8405c9665ae55352fc5ba865c242f5e4f (git) Affected: d71785ffc7e7cae3fbdc4ea8a9d05b7a1c59f7b8 , < e833e7ad64eb2f63867f65303be49ca30ee8819e (git) Affected: d71785ffc7e7cae3fbdc4ea8a9d05b7a1c59f7b8 , < 3a0a3ff6593d670af2451ec363ccb7b18aec0c0a (git) |
|
| Linux | Linux |
Affected:
4.6
Unaffected: 0 , < 4.6 (semver) Unaffected: 6.6.87 , ≤ 6.6.* (semver) Unaffected: 6.12.23 , ≤ 6.12.* (semver) Unaffected: 6.13.11 , ≤ 6.13.* (semver) Unaffected: 6.14.2 , ≤ 6.14.* (semver) Unaffected: 6.15 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/core/dst.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ccc331fd5bcae131d2627d5ef099d4a1f6540aea",
"status": "affected",
"version": "d71785ffc7e7cae3fbdc4ea8a9d05b7a1c59f7b8",
"versionType": "git"
},
{
"lessThan": "92a5c18513117be69bc00419dd1724c1940f8fcd",
"status": "affected",
"version": "d71785ffc7e7cae3fbdc4ea8a9d05b7a1c59f7b8",
"versionType": "git"
},
{
"lessThan": "836415a8405c9665ae55352fc5ba865c242f5e4f",
"status": "affected",
"version": "d71785ffc7e7cae3fbdc4ea8a9d05b7a1c59f7b8",
"versionType": "git"
},
{
"lessThan": "e833e7ad64eb2f63867f65303be49ca30ee8819e",
"status": "affected",
"version": "d71785ffc7e7cae3fbdc4ea8a9d05b7a1c59f7b8",
"versionType": "git"
},
{
"lessThan": "3a0a3ff6593d670af2451ec363ccb7b18aec0c0a",
"status": "affected",
"version": "d71785ffc7e7cae3fbdc4ea8a9d05b7a1c59f7b8",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/core/dst.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.6"
},
{
"lessThan": "4.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.87",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.23",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.14.*",
"status": "unaffected",
"version": "6.14.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.15",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.87",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.23",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.11",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14.2",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15",
"versionStartIncluding": "4.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: decrease cached dst counters in dst_release\n\nUpstream fix ac888d58869b (\"net: do not delay dst_entries_add() in\ndst_release()\") moved decrementing the dst count from dst_destroy to\ndst_release to avoid accessing already freed data in case of netns\ndismantle. However in case CONFIG_DST_CACHE is enabled and OvS+tunnels\nare used, this fix is incomplete as the same issue will be seen for\ncached dsts:\n\n Unable to handle kernel paging request at virtual address ffff5aabf6b5c000\n Call trace:\n percpu_counter_add_batch+0x3c/0x160 (P)\n dst_release+0xec/0x108\n dst_cache_destroy+0x68/0xd8\n dst_destroy+0x13c/0x168\n dst_destroy_rcu+0x1c/0xb0\n rcu_do_batch+0x18c/0x7d0\n rcu_core+0x174/0x378\n rcu_core_si+0x18/0x30\n\nFix this by invalidating the cache, and thus decrementing cached dst\ncounters, in dst_release too."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:11:48.415Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ccc331fd5bcae131d2627d5ef099d4a1f6540aea"
},
{
"url": "https://git.kernel.org/stable/c/92a5c18513117be69bc00419dd1724c1940f8fcd"
},
{
"url": "https://git.kernel.org/stable/c/836415a8405c9665ae55352fc5ba865c242f5e4f"
},
{
"url": "https://git.kernel.org/stable/c/e833e7ad64eb2f63867f65303be49ca30ee8819e"
},
{
"url": "https://git.kernel.org/stable/c/3a0a3ff6593d670af2451ec363ccb7b18aec0c0a"
}
],
"title": "net: decrease cached dst counters in dst_release",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-22057",
"datePublished": "2025-04-16T14:12:14.234Z",
"dateReserved": "2024-12-29T08:45:45.812Z",
"dateUpdated": "2026-05-11T21:11:48.415Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-22058 (GCVE-0-2025-22058)
Vulnerability from cvelistv5 – Published: 2025-04-16 14:12 – Updated: 2026-05-11 21:11
VLAI
EPSS
Title
udp: Fix memory accounting leak.
Summary
In the Linux kernel, the following vulnerability has been resolved:
udp: Fix memory accounting leak.
Matt Dowling reported a weird UDP memory usage issue.
Under normal operation, the UDP memory usage reported in /proc/net/sockstat
remains close to zero. However, it occasionally spiked to 524,288 pages
and never dropped. Moreover, the value doubled when the application was
terminated. Finally, it caused intermittent packet drops.
We can reproduce the issue with the script below [0]:
1. /proc/net/sockstat reports 0 pages
# cat /proc/net/sockstat | grep UDP:
UDP: inuse 1 mem 0
2. Run the script till the report reaches 524,288
# python3 test.py & sleep 5
# cat /proc/net/sockstat | grep UDP:
UDP: inuse 3 mem 524288 <-- (INT_MAX + 1) >> PAGE_SHIFT
3. Kill the socket and confirm the number never drops
# pkill python3 && sleep 5
# cat /proc/net/sockstat | grep UDP:
UDP: inuse 1 mem 524288
4. (necessary since v6.0) Trigger proto_memory_pcpu_drain()
# python3 test.py & sleep 1 && pkill python3
5. The number doubles
# cat /proc/net/sockstat | grep UDP:
UDP: inuse 1 mem 1048577
The application set INT_MAX to SO_RCVBUF, which triggered an integer
overflow in udp_rmem_release().
When a socket is close()d, udp_destruct_common() purges its receive
queue and sums up skb->truesize in the queue. This total is calculated
and stored in a local unsigned integer variable.
The total size is then passed to udp_rmem_release() to adjust memory
accounting. However, because the function takes a signed integer
argument, the total size can wrap around, causing an overflow.
Then, the released amount is calculated as follows:
1) Add size to sk->sk_forward_alloc.
2) Round down sk->sk_forward_alloc to the nearest lower multiple of
PAGE_SIZE and assign it to amount.
3) Subtract amount from sk->sk_forward_alloc.
4) Pass amount >> PAGE_SHIFT to __sk_mem_reduce_allocated().
When the issue occurred, the total in udp_destruct_common() was 2147484480
(INT_MAX + 833), which was cast to -2147482816 in udp_rmem_release().
At 1) sk->sk_forward_alloc is changed from 3264 to -2147479552, and
2) sets -2147479552 to amount. 3) reverts the wraparound, so we don't
see a warning in inet_sock_destruct(). However, udp_memory_allocated
ends up doubling at 4).
Since commit 3cd3399dd7a8 ("net: implement per-cpu reserves for
memory_allocated"), memory usage no longer doubles immediately after
a socket is close()d because __sk_mem_reduce_allocated() caches the
amount in udp_memory_per_cpu_fw_alloc. However, the next time a UDP
socket receives a packet, the subtraction takes effect, causing UDP
memory usage to double.
This issue makes further memory allocation fail once the socket's
sk->sk_rmem_alloc exceeds net.ipv4.udp_rmem_min, resulting in packet
drops.
To prevent this issue, let's use unsigned int for the calculation and
call sk_forward_alloc_add() only once for the small delta.
Note that first_packet_length() also potentially has the same problem.
[0]:
from socket import *
SO_RCVBUFFORCE = 33
INT_MAX = (2 ** 31) - 1
s = socket(AF_INET, SOCK_DGRAM)
s.bind(('', 0))
s.setsockopt(SOL_SOCKET, SO_RCVBUFFORCE, INT_MAX)
c = socket(AF_INET, SOCK_DGRAM)
c.connect(s.getsockname())
data = b'a' * 100
while True:
c.send(data)
Severity
No CVSS data available.
Assigner
References
10 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
f970bd9e3a06f06df8d8ecf1f8ad2c8615cc17eb , < 13550273171f5108b1ac572d8f72f4256ab92854
(git)
Affected: f970bd9e3a06f06df8d8ecf1f8ad2c8615cc17eb , < d9c8266ce536e8314d84370e983afcaa36fb19cf (git) Affected: f970bd9e3a06f06df8d8ecf1f8ad2c8615cc17eb , < c3ad8c30b6b109283d2643e925f8e65f2e7ab34e (git) Affected: f970bd9e3a06f06df8d8ecf1f8ad2c8615cc17eb , < 9122fec396950cc866137af7154b1d0d989be52e (git) Affected: f970bd9e3a06f06df8d8ecf1f8ad2c8615cc17eb , < aeef6456692c6f11ae53d278df64f1316a2a405a (git) Affected: f970bd9e3a06f06df8d8ecf1f8ad2c8615cc17eb , < a116b271bf3cb72c8155b6b7f39083c1b80dcd00 (git) Affected: f970bd9e3a06f06df8d8ecf1f8ad2c8615cc17eb , < c4bac6c398118fba79e32b1cd01db22dbfe29fbf (git) Affected: f970bd9e3a06f06df8d8ecf1f8ad2c8615cc17eb , < 3836029448e76c1e6f77cc5fe0adc09b018b5fa8 (git) Affected: f970bd9e3a06f06df8d8ecf1f8ad2c8615cc17eb , < df207de9d9e7a4d92f8567e2c539d9c8c12fd99d (git) |
|
| Linux | Linux |
Affected:
4.10
Unaffected: 0 , < 4.10 (semver) Unaffected: 5.4.301 , ≤ 5.4.* (semver) Unaffected: 5.10.246 , ≤ 5.10.* (semver) Unaffected: 5.15.195 , ≤ 5.15.* (semver) Unaffected: 6.1.134 , ≤ 6.1.* (semver) Unaffected: 6.6.87 , ≤ 6.6.* (semver) Unaffected: 6.12.23 , ≤ 6.12.* (semver) Unaffected: 6.13.11 , ≤ 6.13.* (semver) Unaffected: 6.14.2 , ≤ 6.14.* (semver) Unaffected: 6.15 , ≤ * (original_commit_for_fix) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:41:42.590Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ipv4/udp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "13550273171f5108b1ac572d8f72f4256ab92854",
"status": "affected",
"version": "f970bd9e3a06f06df8d8ecf1f8ad2c8615cc17eb",
"versionType": "git"
},
{
"lessThan": "d9c8266ce536e8314d84370e983afcaa36fb19cf",
"status": "affected",
"version": "f970bd9e3a06f06df8d8ecf1f8ad2c8615cc17eb",
"versionType": "git"
},
{
"lessThan": "c3ad8c30b6b109283d2643e925f8e65f2e7ab34e",
"status": "affected",
"version": "f970bd9e3a06f06df8d8ecf1f8ad2c8615cc17eb",
"versionType": "git"
},
{
"lessThan": "9122fec396950cc866137af7154b1d0d989be52e",
"status": "affected",
"version": "f970bd9e3a06f06df8d8ecf1f8ad2c8615cc17eb",
"versionType": "git"
},
{
"lessThan": "aeef6456692c6f11ae53d278df64f1316a2a405a",
"status": "affected",
"version": "f970bd9e3a06f06df8d8ecf1f8ad2c8615cc17eb",
"versionType": "git"
},
{
"lessThan": "a116b271bf3cb72c8155b6b7f39083c1b80dcd00",
"status": "affected",
"version": "f970bd9e3a06f06df8d8ecf1f8ad2c8615cc17eb",
"versionType": "git"
},
{
"lessThan": "c4bac6c398118fba79e32b1cd01db22dbfe29fbf",
"status": "affected",
"version": "f970bd9e3a06f06df8d8ecf1f8ad2c8615cc17eb",
"versionType": "git"
},
{
"lessThan": "3836029448e76c1e6f77cc5fe0adc09b018b5fa8",
"status": "affected",
"version": "f970bd9e3a06f06df8d8ecf1f8ad2c8615cc17eb",
"versionType": "git"
},
{
"lessThan": "df207de9d9e7a4d92f8567e2c539d9c8c12fd99d",
"status": "affected",
"version": "f970bd9e3a06f06df8d8ecf1f8ad2c8615cc17eb",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ipv4/udp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.10"
},
{
"lessThan": "4.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.301",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.246",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.134",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.87",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.23",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.14.*",
"status": "unaffected",
"version": "6.14.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.15",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.301",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.246",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.195",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.134",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.87",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.23",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.11",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14.2",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15",
"versionStartIncluding": "4.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nudp: Fix memory accounting leak.\n\nMatt Dowling reported a weird UDP memory usage issue.\n\nUnder normal operation, the UDP memory usage reported in /proc/net/sockstat\nremains close to zero. However, it occasionally spiked to 524,288 pages\nand never dropped. Moreover, the value doubled when the application was\nterminated. Finally, it caused intermittent packet drops.\n\nWe can reproduce the issue with the script below [0]:\n\n 1. /proc/net/sockstat reports 0 pages\n\n # cat /proc/net/sockstat | grep UDP:\n UDP: inuse 1 mem 0\n\n 2. Run the script till the report reaches 524,288\n\n # python3 test.py \u0026 sleep 5\n # cat /proc/net/sockstat | grep UDP:\n UDP: inuse 3 mem 524288 \u003c-- (INT_MAX + 1) \u003e\u003e PAGE_SHIFT\n\n 3. Kill the socket and confirm the number never drops\n\n # pkill python3 \u0026\u0026 sleep 5\n # cat /proc/net/sockstat | grep UDP:\n UDP: inuse 1 mem 524288\n\n 4. (necessary since v6.0) Trigger proto_memory_pcpu_drain()\n\n # python3 test.py \u0026 sleep 1 \u0026\u0026 pkill python3\n\n 5. The number doubles\n\n # cat /proc/net/sockstat | grep UDP:\n UDP: inuse 1 mem 1048577\n\nThe application set INT_MAX to SO_RCVBUF, which triggered an integer\noverflow in udp_rmem_release().\n\nWhen a socket is close()d, udp_destruct_common() purges its receive\nqueue and sums up skb-\u003etruesize in the queue. This total is calculated\nand stored in a local unsigned integer variable.\n\nThe total size is then passed to udp_rmem_release() to adjust memory\naccounting. However, because the function takes a signed integer\nargument, the total size can wrap around, causing an overflow.\n\nThen, the released amount is calculated as follows:\n\n 1) Add size to sk-\u003esk_forward_alloc.\n 2) Round down sk-\u003esk_forward_alloc to the nearest lower multiple of\n PAGE_SIZE and assign it to amount.\n 3) Subtract amount from sk-\u003esk_forward_alloc.\n 4) Pass amount \u003e\u003e PAGE_SHIFT to __sk_mem_reduce_allocated().\n\nWhen the issue occurred, the total in udp_destruct_common() was 2147484480\n(INT_MAX + 833), which was cast to -2147482816 in udp_rmem_release().\n\nAt 1) sk-\u003esk_forward_alloc is changed from 3264 to -2147479552, and\n2) sets -2147479552 to amount. 3) reverts the wraparound, so we don\u0027t\nsee a warning in inet_sock_destruct(). However, udp_memory_allocated\nends up doubling at 4).\n\nSince commit 3cd3399dd7a8 (\"net: implement per-cpu reserves for\nmemory_allocated\"), memory usage no longer doubles immediately after\na socket is close()d because __sk_mem_reduce_allocated() caches the\namount in udp_memory_per_cpu_fw_alloc. However, the next time a UDP\nsocket receives a packet, the subtraction takes effect, causing UDP\nmemory usage to double.\n\nThis issue makes further memory allocation fail once the socket\u0027s\nsk-\u003esk_rmem_alloc exceeds net.ipv4.udp_rmem_min, resulting in packet\ndrops.\n\nTo prevent this issue, let\u0027s use unsigned int for the calculation and\ncall sk_forward_alloc_add() only once for the small delta.\n\nNote that first_packet_length() also potentially has the same problem.\n\n[0]:\nfrom socket import *\n\nSO_RCVBUFFORCE = 33\nINT_MAX = (2 ** 31) - 1\n\ns = socket(AF_INET, SOCK_DGRAM)\ns.bind((\u0027\u0027, 0))\ns.setsockopt(SOL_SOCKET, SO_RCVBUFFORCE, INT_MAX)\n\nc = socket(AF_INET, SOCK_DGRAM)\nc.connect(s.getsockname())\n\ndata = b\u0027a\u0027 * 100\n\nwhile True:\n c.send(data)"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:11:49.576Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/13550273171f5108b1ac572d8f72f4256ab92854"
},
{
"url": "https://git.kernel.org/stable/c/d9c8266ce536e8314d84370e983afcaa36fb19cf"
},
{
"url": "https://git.kernel.org/stable/c/c3ad8c30b6b109283d2643e925f8e65f2e7ab34e"
},
{
"url": "https://git.kernel.org/stable/c/9122fec396950cc866137af7154b1d0d989be52e"
},
{
"url": "https://git.kernel.org/stable/c/aeef6456692c6f11ae53d278df64f1316a2a405a"
},
{
"url": "https://git.kernel.org/stable/c/a116b271bf3cb72c8155b6b7f39083c1b80dcd00"
},
{
"url": "https://git.kernel.org/stable/c/c4bac6c398118fba79e32b1cd01db22dbfe29fbf"
},
{
"url": "https://git.kernel.org/stable/c/3836029448e76c1e6f77cc5fe0adc09b018b5fa8"
},
{
"url": "https://git.kernel.org/stable/c/df207de9d9e7a4d92f8567e2c539d9c8c12fd99d"
}
],
"title": "udp: Fix memory accounting leak.",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-22058",
"datePublished": "2025-04-16T14:12:14.876Z",
"dateReserved": "2024-12-29T08:45:45.812Z",
"dateUpdated": "2026-05-11T21:11:49.576Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-22060 (GCVE-0-2025-22060)
Vulnerability from cvelistv5 – Published: 2025-04-16 14:12 – Updated: 2026-05-11 21:11
VLAI
EPSS
Title
net: mvpp2: Prevent parser TCAM memory corruption
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: mvpp2: Prevent parser TCAM memory corruption
Protect the parser TCAM/SRAM memory, and the cached (shadow) SRAM
information, from concurrent modifications.
Both the TCAM and SRAM tables are indirectly accessed by configuring
an index register that selects the row to read or write to. This means
that operations must be atomic in order to, e.g., avoid spreading
writes across multiple rows. Since the shadow SRAM array is used to
find free rows in the hardware table, it must also be protected in
order to avoid TOCTOU errors where multiple cores allocate the same
row.
This issue was detected in a situation where `mvpp2_set_rx_mode()` ran
concurrently on two CPUs. In this particular case the
MVPP2_PE_MAC_UC_PROMISCUOUS entry was corrupted, causing the
classifier unit to drop all incoming unicast - indicated by the
`rx_classifier_drops` counter.
Severity
No CVSS data available.
Assigner
References
8 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
3f518509dedc99f0b755d2ce68d24f610e3a005a , < e3711163d14d02af9005e4cdad30899c565f13fb
(git)
Affected: 3f518509dedc99f0b755d2ce68d24f610e3a005a , < b3f48a41a00d6d8d9c6fe09ae47dd21c8c1c8b03 (git) Affected: 3f518509dedc99f0b755d2ce68d24f610e3a005a , < 5b0ae1723a7d9574ae1aee7d9cf9757a30069865 (git) Affected: 3f518509dedc99f0b755d2ce68d24f610e3a005a , < fcbfb54a0269875cf3cd6a2bff4f85a2e0a0b552 (git) Affected: 3f518509dedc99f0b755d2ce68d24f610e3a005a , < e64e9b6e86b39db3baa576fd73da73533b54cb2d (git) Affected: 3f518509dedc99f0b755d2ce68d24f610e3a005a , < 46c1e23e34c9d1eaadf37f88216d9d8ce0d0bcee (git) Affected: 3f518509dedc99f0b755d2ce68d24f610e3a005a , < 96844075226b49af25a69a1d084b648ec2d9b08d (git) |
|
| Linux | Linux |
Affected:
3.17
Unaffected: 0 , < 3.17 (semver) Unaffected: 5.15.180 , ≤ 5.15.* (semver) Unaffected: 6.1.134 , ≤ 6.1.* (semver) Unaffected: 6.6.87 , ≤ 6.6.* (semver) Unaffected: 6.12.23 , ≤ 6.12.* (semver) Unaffected: 6.13.11 , ≤ 6.13.* (semver) Unaffected: 6.14.2 , ≤ 6.14.* (semver) Unaffected: 6.15 , ≤ * (original_commit_for_fix) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:41:43.971Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/marvell/mvpp2/mvpp2.h",
"drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c",
"drivers/net/ethernet/marvell/mvpp2/mvpp2_prs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e3711163d14d02af9005e4cdad30899c565f13fb",
"status": "affected",
"version": "3f518509dedc99f0b755d2ce68d24f610e3a005a",
"versionType": "git"
},
{
"lessThan": "b3f48a41a00d6d8d9c6fe09ae47dd21c8c1c8b03",
"status": "affected",
"version": "3f518509dedc99f0b755d2ce68d24f610e3a005a",
"versionType": "git"
},
{
"lessThan": "5b0ae1723a7d9574ae1aee7d9cf9757a30069865",
"status": "affected",
"version": "3f518509dedc99f0b755d2ce68d24f610e3a005a",
"versionType": "git"
},
{
"lessThan": "fcbfb54a0269875cf3cd6a2bff4f85a2e0a0b552",
"status": "affected",
"version": "3f518509dedc99f0b755d2ce68d24f610e3a005a",
"versionType": "git"
},
{
"lessThan": "e64e9b6e86b39db3baa576fd73da73533b54cb2d",
"status": "affected",
"version": "3f518509dedc99f0b755d2ce68d24f610e3a005a",
"versionType": "git"
},
{
"lessThan": "46c1e23e34c9d1eaadf37f88216d9d8ce0d0bcee",
"status": "affected",
"version": "3f518509dedc99f0b755d2ce68d24f610e3a005a",
"versionType": "git"
},
{
"lessThan": "96844075226b49af25a69a1d084b648ec2d9b08d",
"status": "affected",
"version": "3f518509dedc99f0b755d2ce68d24f610e3a005a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/marvell/mvpp2/mvpp2.h",
"drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c",
"drivers/net/ethernet/marvell/mvpp2/mvpp2_prs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.17"
},
{
"lessThan": "3.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.180",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.134",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.87",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.23",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.14.*",
"status": "unaffected",
"version": "6.14.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.15",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.180",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.134",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.87",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.23",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.11",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14.2",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15",
"versionStartIncluding": "3.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: mvpp2: Prevent parser TCAM memory corruption\n\nProtect the parser TCAM/SRAM memory, and the cached (shadow) SRAM\ninformation, from concurrent modifications.\n\nBoth the TCAM and SRAM tables are indirectly accessed by configuring\nan index register that selects the row to read or write to. This means\nthat operations must be atomic in order to, e.g., avoid spreading\nwrites across multiple rows. Since the shadow SRAM array is used to\nfind free rows in the hardware table, it must also be protected in\norder to avoid TOCTOU errors where multiple cores allocate the same\nrow.\n\nThis issue was detected in a situation where `mvpp2_set_rx_mode()` ran\nconcurrently on two CPUs. In this particular case the\nMVPP2_PE_MAC_UC_PROMISCUOUS entry was corrupted, causing the\nclassifier unit to drop all incoming unicast - indicated by the\n`rx_classifier_drops` counter."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:11:51.906Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e3711163d14d02af9005e4cdad30899c565f13fb"
},
{
"url": "https://git.kernel.org/stable/c/b3f48a41a00d6d8d9c6fe09ae47dd21c8c1c8b03"
},
{
"url": "https://git.kernel.org/stable/c/5b0ae1723a7d9574ae1aee7d9cf9757a30069865"
},
{
"url": "https://git.kernel.org/stable/c/fcbfb54a0269875cf3cd6a2bff4f85a2e0a0b552"
},
{
"url": "https://git.kernel.org/stable/c/e64e9b6e86b39db3baa576fd73da73533b54cb2d"
},
{
"url": "https://git.kernel.org/stable/c/46c1e23e34c9d1eaadf37f88216d9d8ce0d0bcee"
},
{
"url": "https://git.kernel.org/stable/c/96844075226b49af25a69a1d084b648ec2d9b08d"
}
],
"title": "net: mvpp2: Prevent parser TCAM memory corruption",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-22060",
"datePublished": "2025-04-16T14:12:16.121Z",
"dateReserved": "2024-12-29T08:45:45.812Z",
"dateUpdated": "2026-05-11T21:11:51.906Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-22062 (GCVE-0-2025-22062)
Vulnerability from cvelistv5 – Published: 2025-04-16 14:12 – Updated: 2026-05-11 21:11
VLAI
EPSS
Title
sctp: add mutual exclusion in proc_sctp_do_udp_port()
Summary
In the Linux kernel, the following vulnerability has been resolved:
sctp: add mutual exclusion in proc_sctp_do_udp_port()
We must serialize calls to sctp_udp_sock_stop() and sctp_udp_sock_start()
or risk a crash as syzbot reported:
Oops: general protection fault, probably for non-canonical address 0xdffffc000000000d: 0000 [#1] SMP KASAN PTI
KASAN: null-ptr-deref in range [0x0000000000000068-0x000000000000006f]
CPU: 1 UID: 0 PID: 6551 Comm: syz.1.44 Not tainted 6.14.0-syzkaller-g7f2ff7b62617 #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
RIP: 0010:kernel_sock_shutdown+0x47/0x70 net/socket.c:3653
Call Trace:
<TASK>
udp_tunnel_sock_release+0x68/0x80 net/ipv4/udp_tunnel_core.c:181
sctp_udp_sock_stop+0x71/0x160 net/sctp/protocol.c:930
proc_sctp_do_udp_port+0x264/0x450 net/sctp/sysctl.c:553
proc_sys_call_handler+0x3d0/0x5b0 fs/proc/proc_sysctl.c:601
iter_file_splice_write+0x91c/0x1150 fs/splice.c:738
do_splice_from fs/splice.c:935 [inline]
direct_splice_actor+0x18f/0x6c0 fs/splice.c:1158
splice_direct_to_actor+0x342/0xa30 fs/splice.c:1102
do_splice_direct_actor fs/splice.c:1201 [inline]
do_splice_direct+0x174/0x240 fs/splice.c:1227
do_sendfile+0xafd/0xe50 fs/read_write.c:1368
__do_sys_sendfile64 fs/read_write.c:1429 [inline]
__se_sys_sendfile64 fs/read_write.c:1415 [inline]
__x64_sys_sendfile64+0x1d8/0x220 fs/read_write.c:1415
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
Severity
No CVSS data available.
Assigner
References
8 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
046c052b475e7119b6a30e3483e2888fc606a2f8 , < 65ccb2793da7401772a3ffe85355c831b313c59f
(git)
Affected: 046c052b475e7119b6a30e3483e2888fc606a2f8 , < 386507cb6fb7cdef598ddcb3f0fa37e6ca9e789d (git) Affected: 046c052b475e7119b6a30e3483e2888fc606a2f8 , < b3598f53211ba1025485306de2733bdd241311a3 (git) Affected: 046c052b475e7119b6a30e3483e2888fc606a2f8 , < e5178bfc55b3a78000f0f8298e7ade88783ce581 (git) Affected: 046c052b475e7119b6a30e3483e2888fc606a2f8 , < efb8cb487be8f4ba6aaef616011d702d6a083ed1 (git) Affected: 046c052b475e7119b6a30e3483e2888fc606a2f8 , < d3d7675d77622f6ca1aae14c51f80027b36283f8 (git) Affected: 046c052b475e7119b6a30e3483e2888fc606a2f8 , < 10206302af856791fbcc27a33ed3c3eb09b2793d (git) |
|
| Linux | Linux |
Affected:
5.11
Unaffected: 0 , < 5.11 (semver) Unaffected: 5.15.184 , ≤ 5.15.* (semver) Unaffected: 6.1.140 , ≤ 6.1.* (semver) Unaffected: 6.6.92 , ≤ 6.6.* (semver) Unaffected: 6.12.23 , ≤ 6.12.* (semver) Unaffected: 6.13.11 , ≤ 6.13.* (semver) Unaffected: 6.14.2 , ≤ 6.14.* (semver) Unaffected: 6.15 , ≤ * (original_commit_for_fix) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:41:45.338Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/08/msg00010.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/sctp/sysctl.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "65ccb2793da7401772a3ffe85355c831b313c59f",
"status": "affected",
"version": "046c052b475e7119b6a30e3483e2888fc606a2f8",
"versionType": "git"
},
{
"lessThan": "386507cb6fb7cdef598ddcb3f0fa37e6ca9e789d",
"status": "affected",
"version": "046c052b475e7119b6a30e3483e2888fc606a2f8",
"versionType": "git"
},
{
"lessThan": "b3598f53211ba1025485306de2733bdd241311a3",
"status": "affected",
"version": "046c052b475e7119b6a30e3483e2888fc606a2f8",
"versionType": "git"
},
{
"lessThan": "e5178bfc55b3a78000f0f8298e7ade88783ce581",
"status": "affected",
"version": "046c052b475e7119b6a30e3483e2888fc606a2f8",
"versionType": "git"
},
{
"lessThan": "efb8cb487be8f4ba6aaef616011d702d6a083ed1",
"status": "affected",
"version": "046c052b475e7119b6a30e3483e2888fc606a2f8",
"versionType": "git"
},
{
"lessThan": "d3d7675d77622f6ca1aae14c51f80027b36283f8",
"status": "affected",
"version": "046c052b475e7119b6a30e3483e2888fc606a2f8",
"versionType": "git"
},
{
"lessThan": "10206302af856791fbcc27a33ed3c3eb09b2793d",
"status": "affected",
"version": "046c052b475e7119b6a30e3483e2888fc606a2f8",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/sctp/sysctl.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.11"
},
{
"lessThan": "5.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.184",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.140",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.92",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.23",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.14.*",
"status": "unaffected",
"version": "6.14.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.15",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.184",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.140",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.92",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.23",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.11",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14.2",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15",
"versionStartIncluding": "5.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsctp: add mutual exclusion in proc_sctp_do_udp_port()\n\nWe must serialize calls to sctp_udp_sock_stop() and sctp_udp_sock_start()\nor risk a crash as syzbot reported:\n\nOops: general protection fault, probably for non-canonical address 0xdffffc000000000d: 0000 [#1] SMP KASAN PTI\nKASAN: null-ptr-deref in range [0x0000000000000068-0x000000000000006f]\nCPU: 1 UID: 0 PID: 6551 Comm: syz.1.44 Not tainted 6.14.0-syzkaller-g7f2ff7b62617 #0 PREEMPT(full)\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025\n RIP: 0010:kernel_sock_shutdown+0x47/0x70 net/socket.c:3653\nCall Trace:\n \u003cTASK\u003e\n udp_tunnel_sock_release+0x68/0x80 net/ipv4/udp_tunnel_core.c:181\n sctp_udp_sock_stop+0x71/0x160 net/sctp/protocol.c:930\n proc_sctp_do_udp_port+0x264/0x450 net/sctp/sysctl.c:553\n proc_sys_call_handler+0x3d0/0x5b0 fs/proc/proc_sysctl.c:601\n iter_file_splice_write+0x91c/0x1150 fs/splice.c:738\n do_splice_from fs/splice.c:935 [inline]\n direct_splice_actor+0x18f/0x6c0 fs/splice.c:1158\n splice_direct_to_actor+0x342/0xa30 fs/splice.c:1102\n do_splice_direct_actor fs/splice.c:1201 [inline]\n do_splice_direct+0x174/0x240 fs/splice.c:1227\n do_sendfile+0xafd/0xe50 fs/read_write.c:1368\n __do_sys_sendfile64 fs/read_write.c:1429 [inline]\n __se_sys_sendfile64 fs/read_write.c:1415 [inline]\n __x64_sys_sendfile64+0x1d8/0x220 fs/read_write.c:1415\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:11:54.273Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/65ccb2793da7401772a3ffe85355c831b313c59f"
},
{
"url": "https://git.kernel.org/stable/c/386507cb6fb7cdef598ddcb3f0fa37e6ca9e789d"
},
{
"url": "https://git.kernel.org/stable/c/b3598f53211ba1025485306de2733bdd241311a3"
},
{
"url": "https://git.kernel.org/stable/c/e5178bfc55b3a78000f0f8298e7ade88783ce581"
},
{
"url": "https://git.kernel.org/stable/c/efb8cb487be8f4ba6aaef616011d702d6a083ed1"
},
{
"url": "https://git.kernel.org/stable/c/d3d7675d77622f6ca1aae14c51f80027b36283f8"
},
{
"url": "https://git.kernel.org/stable/c/10206302af856791fbcc27a33ed3c3eb09b2793d"
}
],
"title": "sctp: add mutual exclusion in proc_sctp_do_udp_port()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-22062",
"datePublished": "2025-04-16T14:12:17.605Z",
"dateReserved": "2024-12-29T08:45:45.813Z",
"dateUpdated": "2026-05-11T21:11:54.273Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-22063 (GCVE-0-2025-22063)
Vulnerability from cvelistv5 – Published: 2025-04-16 14:12 – Updated: 2026-05-11 21:11
VLAI
EPSS
Title
netlabel: Fix NULL pointer exception caused by CALIPSO on IPv4 sockets
Summary
In the Linux kernel, the following vulnerability has been resolved:
netlabel: Fix NULL pointer exception caused by CALIPSO on IPv4 sockets
When calling netlbl_conn_setattr(), addr->sa_family is used
to determine the function behavior. If sk is an IPv4 socket,
but the connect function is called with an IPv6 address,
the function calipso_sock_setattr() is triggered.
Inside this function, the following code is executed:
sk_fullsock(__sk) ? inet_sk(__sk)->pinet6 : NULL;
Since sk is an IPv4 socket, pinet6 is NULL, leading to a
null pointer dereference.
This patch fixes the issue by checking if inet6_sk(sk)
returns a NULL pointer before accessing pinet6.
Severity
5.5 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-476 - NULL Pointer Dereference
Assigner
References
11 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
ceba1832b1b2da0149c51de62a847c00bca1677a , < 1ad9166cab6a0f5c0b10344a97bdf749ae11dcbf
(git)
Affected: ceba1832b1b2da0149c51de62a847c00bca1677a , < 1e38f7a6cdd68377f8a4189b2fbaec14a6dd5152 (git) Affected: ceba1832b1b2da0149c51de62a847c00bca1677a , < a7e89541d05b98c79a51c0f95df020f8e82b62ed (git) Affected: ceba1832b1b2da0149c51de62a847c00bca1677a , < 797e5371cf55463b4530bab3fef5f27f7c6657a8 (git) Affected: ceba1832b1b2da0149c51de62a847c00bca1677a , < 1927d0bcd5b81e80971bf6b8eba267508bd1c78b (git) Affected: ceba1832b1b2da0149c51de62a847c00bca1677a , < 3ba9cf69de50e8abed32b448616c313baa4c5712 (git) Affected: ceba1832b1b2da0149c51de62a847c00bca1677a , < 9fe3839588db7519030377b7dee3f165e654f6c5 (git) Affected: ceba1832b1b2da0149c51de62a847c00bca1677a , < 172a8a996a337206970467e871dd995ac07640b1 (git) Affected: ceba1832b1b2da0149c51de62a847c00bca1677a , < 078aabd567de3d63d37d7673f714e309d369e6e2 (git) |
|
| Linux | Linux |
Affected:
4.8
Unaffected: 0 , < 4.8 (semver) Unaffected: 5.4.292 , ≤ 5.4.* (semver) Unaffected: 5.10.236 , ≤ 5.10.* (semver) Unaffected: 5.15.180 , ≤ 5.15.* (semver) Unaffected: 6.1.134 , ≤ 6.1.* (semver) Unaffected: 6.6.87 , ≤ 6.6.* (semver) Unaffected: 6.12.23 , ≤ 6.12.* (semver) Unaffected: 6.13.11 , ≤ 6.13.* (semver) Unaffected: 6.14.2 , ≤ 6.14.* (semver) Unaffected: 6.15 , ≤ * (original_commit_for_fix) |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-22063",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T17:40:57.902233Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-476",
"description": "CWE-476 NULL Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T17:41:00.867Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:41:48.111Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ipv6/calipso.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "1ad9166cab6a0f5c0b10344a97bdf749ae11dcbf",
"status": "affected",
"version": "ceba1832b1b2da0149c51de62a847c00bca1677a",
"versionType": "git"
},
{
"lessThan": "1e38f7a6cdd68377f8a4189b2fbaec14a6dd5152",
"status": "affected",
"version": "ceba1832b1b2da0149c51de62a847c00bca1677a",
"versionType": "git"
},
{
"lessThan": "a7e89541d05b98c79a51c0f95df020f8e82b62ed",
"status": "affected",
"version": "ceba1832b1b2da0149c51de62a847c00bca1677a",
"versionType": "git"
},
{
"lessThan": "797e5371cf55463b4530bab3fef5f27f7c6657a8",
"status": "affected",
"version": "ceba1832b1b2da0149c51de62a847c00bca1677a",
"versionType": "git"
},
{
"lessThan": "1927d0bcd5b81e80971bf6b8eba267508bd1c78b",
"status": "affected",
"version": "ceba1832b1b2da0149c51de62a847c00bca1677a",
"versionType": "git"
},
{
"lessThan": "3ba9cf69de50e8abed32b448616c313baa4c5712",
"status": "affected",
"version": "ceba1832b1b2da0149c51de62a847c00bca1677a",
"versionType": "git"
},
{
"lessThan": "9fe3839588db7519030377b7dee3f165e654f6c5",
"status": "affected",
"version": "ceba1832b1b2da0149c51de62a847c00bca1677a",
"versionType": "git"
},
{
"lessThan": "172a8a996a337206970467e871dd995ac07640b1",
"status": "affected",
"version": "ceba1832b1b2da0149c51de62a847c00bca1677a",
"versionType": "git"
},
{
"lessThan": "078aabd567de3d63d37d7673f714e309d369e6e2",
"status": "affected",
"version": "ceba1832b1b2da0149c51de62a847c00bca1677a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ipv6/calipso.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.8"
},
{
"lessThan": "4.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.292",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.236",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.180",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.134",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.87",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.23",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.14.*",
"status": "unaffected",
"version": "6.14.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.15",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.292",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.236",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.180",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.134",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.87",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.23",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.11",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14.2",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15",
"versionStartIncluding": "4.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetlabel: Fix NULL pointer exception caused by CALIPSO on IPv4 sockets\n\nWhen calling netlbl_conn_setattr(), addr-\u003esa_family is used\nto determine the function behavior. If sk is an IPv4 socket,\nbut the connect function is called with an IPv6 address,\nthe function calipso_sock_setattr() is triggered.\nInside this function, the following code is executed:\n\nsk_fullsock(__sk) ? inet_sk(__sk)-\u003epinet6 : NULL;\n\nSince sk is an IPv4 socket, pinet6 is NULL, leading to a\nnull pointer dereference.\n\nThis patch fixes the issue by checking if inet6_sk(sk)\nreturns a NULL pointer before accessing pinet6."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:11:55.405Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/1ad9166cab6a0f5c0b10344a97bdf749ae11dcbf"
},
{
"url": "https://git.kernel.org/stable/c/1e38f7a6cdd68377f8a4189b2fbaec14a6dd5152"
},
{
"url": "https://git.kernel.org/stable/c/a7e89541d05b98c79a51c0f95df020f8e82b62ed"
},
{
"url": "https://git.kernel.org/stable/c/797e5371cf55463b4530bab3fef5f27f7c6657a8"
},
{
"url": "https://git.kernel.org/stable/c/1927d0bcd5b81e80971bf6b8eba267508bd1c78b"
},
{
"url": "https://git.kernel.org/stable/c/3ba9cf69de50e8abed32b448616c313baa4c5712"
},
{
"url": "https://git.kernel.org/stable/c/9fe3839588db7519030377b7dee3f165e654f6c5"
},
{
"url": "https://git.kernel.org/stable/c/172a8a996a337206970467e871dd995ac07640b1"
},
{
"url": "https://git.kernel.org/stable/c/078aabd567de3d63d37d7673f714e309d369e6e2"
}
],
"title": "netlabel: Fix NULL pointer exception caused by CALIPSO on IPv4 sockets",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-22063",
"datePublished": "2025-04-16T14:12:18.222Z",
"dateReserved": "2024-12-29T08:45:45.813Z",
"dateUpdated": "2026-05-11T21:11:55.405Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-22064 (GCVE-0-2025-22064)
Vulnerability from cvelistv5 – Published: 2025-04-16 14:12 – Updated: 2026-05-23 15:57
VLAI
EPSS
Title
netfilter: nf_tables: don't unregister hook when table is dormant
Summary
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nf_tables: don't unregister hook when table is dormant
When nf_tables_updchain encounters an error, hook registration needs to
be rolled back.
This should only be done if the hook has been registered, which won't
happen when the table is flagged as dormant (inactive).
Just move the assignment into the registration block.
Severity
No CVSS data available.
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
b9703ed44ffbfba85c103b9de01886a225e14b38 , < 6134d1ea1e1408e8e7c8c26545b3b301cbdf1eda
(git)
Affected: b9703ed44ffbfba85c103b9de01886a225e14b38 , < feb1fa2a03a27fec7001e93e4223be4120d1784b (git) Affected: b9703ed44ffbfba85c103b9de01886a225e14b38 , < 03d1fb457b696c18fe15661440c4f052b2374e7e (git) Affected: b9703ed44ffbfba85c103b9de01886a225e14b38 , < ce571eba07d54e3637bf334bc48376fbfa55defe (git) Affected: b9703ed44ffbfba85c103b9de01886a225e14b38 , < 688c15017d5cd5aac882400782e7213d40dc3556 (git) Affected: d131ce7a319d3bff68d5a9d5509bb22e4ce33946 (git) Affected: 6.3.3 , < 6.4 (semver) |
|
| Linux | Linux |
Affected:
6.4
Unaffected: 0 , < 6.4 (semver) Unaffected: 6.6.87 , ≤ 6.6.* (semver) Unaffected: 6.12.23 , ≤ 6.12.* (semver) Unaffected: 6.13.11 , ≤ 6.13.* (semver) Unaffected: 6.14.2 , ≤ 6.14.* (semver) Unaffected: 6.15 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/netfilter/nf_tables_api.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6134d1ea1e1408e8e7c8c26545b3b301cbdf1eda",
"status": "affected",
"version": "b9703ed44ffbfba85c103b9de01886a225e14b38",
"versionType": "git"
},
{
"lessThan": "feb1fa2a03a27fec7001e93e4223be4120d1784b",
"status": "affected",
"version": "b9703ed44ffbfba85c103b9de01886a225e14b38",
"versionType": "git"
},
{
"lessThan": "03d1fb457b696c18fe15661440c4f052b2374e7e",
"status": "affected",
"version": "b9703ed44ffbfba85c103b9de01886a225e14b38",
"versionType": "git"
},
{
"lessThan": "ce571eba07d54e3637bf334bc48376fbfa55defe",
"status": "affected",
"version": "b9703ed44ffbfba85c103b9de01886a225e14b38",
"versionType": "git"
},
{
"lessThan": "688c15017d5cd5aac882400782e7213d40dc3556",
"status": "affected",
"version": "b9703ed44ffbfba85c103b9de01886a225e14b38",
"versionType": "git"
},
{
"status": "affected",
"version": "d131ce7a319d3bff68d5a9d5509bb22e4ce33946",
"versionType": "git"
},
{
"lessThan": "6.4",
"status": "affected",
"version": "6.3.3",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/netfilter/nf_tables_api.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.4"
},
{
"lessThan": "6.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.87",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.23",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.14.*",
"status": "unaffected",
"version": "6.14.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.15",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.87",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.23",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.11",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14.2",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.3.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: don\u0027t unregister hook when table is dormant\n\nWhen nf_tables_updchain encounters an error, hook registration needs to\nbe rolled back.\n\nThis should only be done if the hook has been registered, which won\u0027t\nhappen when the table is flagged as dormant (inactive).\n\nJust move the assignment into the registration block."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-23T15:57:47.457Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/6134d1ea1e1408e8e7c8c26545b3b301cbdf1eda"
},
{
"url": "https://git.kernel.org/stable/c/feb1fa2a03a27fec7001e93e4223be4120d1784b"
},
{
"url": "https://git.kernel.org/stable/c/03d1fb457b696c18fe15661440c4f052b2374e7e"
},
{
"url": "https://git.kernel.org/stable/c/ce571eba07d54e3637bf334bc48376fbfa55defe"
},
{
"url": "https://git.kernel.org/stable/c/688c15017d5cd5aac882400782e7213d40dc3556"
}
],
"title": "netfilter: nf_tables: don\u0027t unregister hook when table is dormant",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-22064",
"datePublished": "2025-04-16T14:12:18.870Z",
"dateReserved": "2024-12-29T08:45:45.813Z",
"dateUpdated": "2026-05-23T15:57:47.457Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-22065 (GCVE-0-2025-22065)
Vulnerability from cvelistv5 – Published: 2025-04-16 14:12 – Updated: 2026-05-11 21:11
VLAI
EPSS
Title
idpf: fix adapter NULL pointer dereference on reboot
Summary
In the Linux kernel, the following vulnerability has been resolved:
idpf: fix adapter NULL pointer dereference on reboot
With SRIOV enabled, idpf ends up calling into idpf_remove() twice.
First via idpf_shutdown() and then again when idpf_remove() calls into
sriov_disable(), because the VF devices use the idpf driver, hence the
same remove routine. When that happens, it is possible for the adapter
to be NULL from the first call to idpf_remove(), leading to a NULL
pointer dereference.
echo 1 > /sys/class/net/<netif>/device/sriov_numvfs
reboot
BUG: kernel NULL pointer dereference, address: 0000000000000020
...
RIP: 0010:idpf_remove+0x22/0x1f0 [idpf]
...
? idpf_remove+0x22/0x1f0 [idpf]
? idpf_remove+0x1e4/0x1f0 [idpf]
pci_device_remove+0x3f/0xb0
device_release_driver_internal+0x19f/0x200
pci_stop_bus_device+0x6d/0x90
pci_stop_and_remove_bus_device+0x12/0x20
pci_iov_remove_virtfn+0xbe/0x120
sriov_disable+0x34/0xe0
idpf_sriov_configure+0x58/0x140 [idpf]
idpf_remove+0x1b9/0x1f0 [idpf]
idpf_shutdown+0x12/0x30 [idpf]
pci_device_shutdown+0x35/0x60
device_shutdown+0x156/0x200
...
Replace the direct idpf_remove() call in idpf_shutdown() with
idpf_vc_core_deinit() and idpf_deinit_dflt_mbx(), which perform
the bulk of the cleanup, such as stopping the init task, freeing IRQs,
destroying the vports and freeing the mailbox. This avoids the calls to
sriov_disable() in addition to a small netdev cleanup, and destroying
workqueues, which don't seem to be required on shutdown.
Severity
5.5 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-476 - NULL Pointer Dereference
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
e850efed5e152e6bdd367d5b82019f21298c0653 , < 79618e952ef4dfa1a17ee0631d5549603fab58d8
(git)
Affected: e850efed5e152e6bdd367d5b82019f21298c0653 , < 88a6d562e92a295648f8636acf2a6aa714241771 (git) Affected: e850efed5e152e6bdd367d5b82019f21298c0653 , < 9fc9b3dc0d0c189ed205acf1e5fbd73e0becc4d6 (git) Affected: e850efed5e152e6bdd367d5b82019f21298c0653 , < 4c9106f4906a85f6b13542d862e423bcdc118cc3 (git) |
|
| Linux | Linux |
Affected:
6.7
Unaffected: 0 , < 6.7 (semver) Unaffected: 6.12.23 , ≤ 6.12.* (semver) Unaffected: 6.13.11 , ≤ 6.13.* (semver) Unaffected: 6.14.2 , ≤ 6.14.* (semver) Unaffected: 6.15 , ≤ * (original_commit_for_fix) |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-22065",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T17:40:33.775371Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-476",
"description": "CWE-476 NULL Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T17:40:36.862Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/idpf/idpf_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "79618e952ef4dfa1a17ee0631d5549603fab58d8",
"status": "affected",
"version": "e850efed5e152e6bdd367d5b82019f21298c0653",
"versionType": "git"
},
{
"lessThan": "88a6d562e92a295648f8636acf2a6aa714241771",
"status": "affected",
"version": "e850efed5e152e6bdd367d5b82019f21298c0653",
"versionType": "git"
},
{
"lessThan": "9fc9b3dc0d0c189ed205acf1e5fbd73e0becc4d6",
"status": "affected",
"version": "e850efed5e152e6bdd367d5b82019f21298c0653",
"versionType": "git"
},
{
"lessThan": "4c9106f4906a85f6b13542d862e423bcdc118cc3",
"status": "affected",
"version": "e850efed5e152e6bdd367d5b82019f21298c0653",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/idpf/idpf_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.7"
},
{
"lessThan": "6.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.23",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.14.*",
"status": "unaffected",
"version": "6.14.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.15",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.23",
"versionStartIncluding": "6.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.11",
"versionStartIncluding": "6.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14.2",
"versionStartIncluding": "6.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15",
"versionStartIncluding": "6.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nidpf: fix adapter NULL pointer dereference on reboot\n\nWith SRIOV enabled, idpf ends up calling into idpf_remove() twice.\nFirst via idpf_shutdown() and then again when idpf_remove() calls into\nsriov_disable(), because the VF devices use the idpf driver, hence the\nsame remove routine. When that happens, it is possible for the adapter\nto be NULL from the first call to idpf_remove(), leading to a NULL\npointer dereference.\n\necho 1 \u003e /sys/class/net/\u003cnetif\u003e/device/sriov_numvfs\nreboot\n\nBUG: kernel NULL pointer dereference, address: 0000000000000020\n...\nRIP: 0010:idpf_remove+0x22/0x1f0 [idpf]\n...\n? idpf_remove+0x22/0x1f0 [idpf]\n? idpf_remove+0x1e4/0x1f0 [idpf]\npci_device_remove+0x3f/0xb0\ndevice_release_driver_internal+0x19f/0x200\npci_stop_bus_device+0x6d/0x90\npci_stop_and_remove_bus_device+0x12/0x20\npci_iov_remove_virtfn+0xbe/0x120\nsriov_disable+0x34/0xe0\nidpf_sriov_configure+0x58/0x140 [idpf]\nidpf_remove+0x1b9/0x1f0 [idpf]\nidpf_shutdown+0x12/0x30 [idpf]\npci_device_shutdown+0x35/0x60\ndevice_shutdown+0x156/0x200\n...\n\nReplace the direct idpf_remove() call in idpf_shutdown() with\nidpf_vc_core_deinit() and idpf_deinit_dflt_mbx(), which perform\nthe bulk of the cleanup, such as stopping the init task, freeing IRQs,\ndestroying the vports and freeing the mailbox. This avoids the calls to\nsriov_disable() in addition to a small netdev cleanup, and destroying\nworkqueues, which don\u0027t seem to be required on shutdown."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:11:57.792Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/79618e952ef4dfa1a17ee0631d5549603fab58d8"
},
{
"url": "https://git.kernel.org/stable/c/88a6d562e92a295648f8636acf2a6aa714241771"
},
{
"url": "https://git.kernel.org/stable/c/9fc9b3dc0d0c189ed205acf1e5fbd73e0becc4d6"
},
{
"url": "https://git.kernel.org/stable/c/4c9106f4906a85f6b13542d862e423bcdc118cc3"
}
],
"title": "idpf: fix adapter NULL pointer dereference on reboot",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-22065",
"datePublished": "2025-04-16T14:12:19.492Z",
"dateReserved": "2024-12-29T08:45:45.813Z",
"dateUpdated": "2026-05-11T21:11:57.792Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-22066 (GCVE-0-2025-22066)
Vulnerability from cvelistv5 – Published: 2025-04-16 14:12 – Updated: 2026-05-11 21:11
VLAI
EPSS
Title
ASoC: imx-card: Add NULL check in imx_card_probe()
Summary
In the Linux kernel, the following vulnerability has been resolved:
ASoC: imx-card: Add NULL check in imx_card_probe()
devm_kasprintf() returns NULL when memory allocation fails. Currently,
imx_card_probe() does not check for this case, which results in a NULL
pointer dereference.
Add NULL check after devm_kasprintf() to prevent this issue.
Severity
5.5 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-476 - NULL Pointer Dereference
Assigner
References
8 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
aa736700f42fa0813e286ca2f9274ffaa25163b9 , < 018e6cf2503e60087747b0ebc190e18b3640766f
(git)
Affected: aa736700f42fa0813e286ca2f9274ffaa25163b9 , < 38253922a89a742e7e622f626b41c64388367361 (git) Affected: aa736700f42fa0813e286ca2f9274ffaa25163b9 , < e283a5bf4337a7300ac5e6ae363cc8b242a0b4b7 (git) Affected: aa736700f42fa0813e286ca2f9274ffaa25163b9 , < 4d8458e48ff135bddc402ad79821dc058ea163d0 (git) Affected: aa736700f42fa0813e286ca2f9274ffaa25163b9 , < b01700e08be99e3842570142ec5973ccd7e73eaf (git) Affected: aa736700f42fa0813e286ca2f9274ffaa25163b9 , < dd2bbb9564d0d24a2643ad90008a79840368c4b4 (git) Affected: aa736700f42fa0813e286ca2f9274ffaa25163b9 , < 93d34608fd162f725172e780b1c60cc93a920719 (git) |
|
| Linux | Linux |
Affected:
5.14
Unaffected: 0 , < 5.14 (semver) Unaffected: 5.15.180 , ≤ 5.15.* (semver) Unaffected: 6.1.134 , ≤ 6.1.* (semver) Unaffected: 6.6.87 , ≤ 6.6.* (semver) Unaffected: 6.12.23 , ≤ 6.12.* (semver) Unaffected: 6.13.11 , ≤ 6.13.* (semver) Unaffected: 6.14.2 , ≤ 6.14.* (semver) Unaffected: 6.15 , ≤ * (original_commit_for_fix) |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-22066",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T17:39:45.872645Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-476",
"description": "CWE-476 NULL Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T17:39:48.950Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:41:49.509Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"sound/soc/fsl/imx-card.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "018e6cf2503e60087747b0ebc190e18b3640766f",
"status": "affected",
"version": "aa736700f42fa0813e286ca2f9274ffaa25163b9",
"versionType": "git"
},
{
"lessThan": "38253922a89a742e7e622f626b41c64388367361",
"status": "affected",
"version": "aa736700f42fa0813e286ca2f9274ffaa25163b9",
"versionType": "git"
},
{
"lessThan": "e283a5bf4337a7300ac5e6ae363cc8b242a0b4b7",
"status": "affected",
"version": "aa736700f42fa0813e286ca2f9274ffaa25163b9",
"versionType": "git"
},
{
"lessThan": "4d8458e48ff135bddc402ad79821dc058ea163d0",
"status": "affected",
"version": "aa736700f42fa0813e286ca2f9274ffaa25163b9",
"versionType": "git"
},
{
"lessThan": "b01700e08be99e3842570142ec5973ccd7e73eaf",
"status": "affected",
"version": "aa736700f42fa0813e286ca2f9274ffaa25163b9",
"versionType": "git"
},
{
"lessThan": "dd2bbb9564d0d24a2643ad90008a79840368c4b4",
"status": "affected",
"version": "aa736700f42fa0813e286ca2f9274ffaa25163b9",
"versionType": "git"
},
{
"lessThan": "93d34608fd162f725172e780b1c60cc93a920719",
"status": "affected",
"version": "aa736700f42fa0813e286ca2f9274ffaa25163b9",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"sound/soc/fsl/imx-card.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.14"
},
{
"lessThan": "5.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.180",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.134",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.87",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.23",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.14.*",
"status": "unaffected",
"version": "6.14.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.15",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.180",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.134",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.87",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.23",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.11",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14.2",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15",
"versionStartIncluding": "5.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: imx-card: Add NULL check in imx_card_probe()\n\ndevm_kasprintf() returns NULL when memory allocation fails. Currently,\nimx_card_probe() does not check for this case, which results in a NULL\npointer dereference.\n\nAdd NULL check after devm_kasprintf() to prevent this issue."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:11:58.958Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/018e6cf2503e60087747b0ebc190e18b3640766f"
},
{
"url": "https://git.kernel.org/stable/c/38253922a89a742e7e622f626b41c64388367361"
},
{
"url": "https://git.kernel.org/stable/c/e283a5bf4337a7300ac5e6ae363cc8b242a0b4b7"
},
{
"url": "https://git.kernel.org/stable/c/4d8458e48ff135bddc402ad79821dc058ea163d0"
},
{
"url": "https://git.kernel.org/stable/c/b01700e08be99e3842570142ec5973ccd7e73eaf"
},
{
"url": "https://git.kernel.org/stable/c/dd2bbb9564d0d24a2643ad90008a79840368c4b4"
},
{
"url": "https://git.kernel.org/stable/c/93d34608fd162f725172e780b1c60cc93a920719"
}
],
"title": "ASoC: imx-card: Add NULL check in imx_card_probe()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-22066",
"datePublished": "2025-04-16T14:12:20.125Z",
"dateReserved": "2024-12-29T08:45:45.813Z",
"dateUpdated": "2026-05-11T21:11:58.958Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Loading…
Trend slope:
-
(linear fit over daily sighting counts)
Show additional events:
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…