Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CERTFR-2025-AVI-1008
Vulnerability from certfr_avis - Published: 2025-11-14 - Updated: 2025-11-14
De multiples vulnérabilités ont été découvertes dans le noyau Linux d'Ubuntu. Elles permettent à un attaquant de provoquer un contournement de la politique de sécurité et un problème de sécurité non spécifié par l'éditeur.
Solutions
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
Impacted products
References
| Title | Publication Time | Tags | |||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Ubuntu 16.04 ESM",
"product": {
"name": "Ubuntu",
"vendor": {
"name": "Ubuntu",
"scada": false
}
}
},
{
"description": "Ubuntu 20.04 ESM",
"product": {
"name": "Ubuntu",
"vendor": {
"name": "Ubuntu",
"scada": false
}
}
},
{
"description": "Ubuntu 24.04 LTS",
"product": {
"name": "Ubuntu",
"vendor": {
"name": "Ubuntu",
"scada": false
}
}
},
{
"description": "Ubuntu 18.04 ESM",
"product": {
"name": "Ubuntu",
"vendor": {
"name": "Ubuntu",
"scada": false
}
}
},
{
"description": "Ubuntu 14.04 ESM",
"product": {
"name": "Ubuntu",
"vendor": {
"name": "Ubuntu",
"scada": false
}
}
},
{
"description": "Ubuntu 22.04 LTS",
"product": {
"name": "Ubuntu",
"vendor": {
"name": "Ubuntu",
"scada": false
}
}
}
],
"affected_systems_content": "",
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [
{
"name": "CVE-2025-40114",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40114"
},
{
"name": "CVE-2025-22083",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22083"
},
{
"name": "CVE-2025-22033",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22033"
},
{
"name": "CVE-2025-39728",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39728"
},
{
"name": "CVE-2025-22025",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22025"
},
{
"name": "CVE-2025-22036",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22036"
},
{
"name": "CVE-2025-22027",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22027"
},
{
"name": "CVE-2025-22040",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22040"
},
{
"name": "CVE-2023-53034",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53034"
},
{
"name": "CVE-2024-27078",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-27078"
},
{
"name": "CVE-2025-23138",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-23138"
},
{
"name": "CVE-2025-38152",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38152"
},
{
"name": "CVE-2025-22019",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22019"
},
{
"name": "CVE-2025-22021",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22021"
},
{
"name": "CVE-2025-21796",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21796"
},
{
"name": "CVE-2024-35849",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-35849"
},
{
"name": "CVE-2025-22050",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22050"
},
{
"name": "CVE-2025-39735",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39735"
},
{
"name": "CVE-2024-41006",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-41006"
},
{
"name": "CVE-2025-22095",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22095"
},
{
"name": "CVE-2024-58092",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-58092"
},
{
"name": "CVE-2024-53150",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-53150"
},
{
"name": "CVE-2025-22039",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22039"
},
{
"name": "CVE-2025-37937",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-37937"
},
{
"name": "CVE-2021-47330",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-47330"
},
{
"name": "CVE-2025-38637",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38637"
},
{
"name": "CVE-2025-22055",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22055"
},
{
"name": "CVE-2025-22090",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22090"
},
{
"name": "CVE-2024-53124",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-53124"
},
{
"name": "CVE-2021-47319",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-47319"
},
{
"name": "CVE-2025-22035",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22035"
},
{
"name": "CVE-2023-52650",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-52650"
},
{
"name": "CVE-2025-22080",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22080"
},
{
"name": "CVE-2025-23136",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-23136"
},
{
"name": "CVE-2025-37785",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-37785"
},
{
"name": "CVE-2024-50006",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-50006"
},
{
"name": "CVE-2025-22028",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22028"
},
{
"name": "CVE-2025-38118",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38118"
},
{
"name": "CVE-2025-22044",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22044"
},
{
"name": "CVE-2025-22062",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22062"
},
{
"name": "CVE-2025-38575",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38575"
},
{
"name": "CVE-2025-38240",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38240"
},
{
"name": "CVE-2025-22058",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22058"
},
{
"name": "CVE-2025-22018",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22018"
},
{
"name": "CVE-2025-22056",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22056"
},
{
"name": "CVE-2025-22057",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22057"
},
{
"name": "CVE-2021-47589",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-47589"
},
{
"name": "CVE-2024-49924",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-49924"
},
{
"name": "CVE-2025-22068",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22068"
},
{
"name": "CVE-2025-22045",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22045"
},
{
"name": "CVE-2021-47149",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-47149"
},
{
"name": "CVE-2023-52574",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-52574"
},
{
"name": "CVE-2025-22072",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22072"
},
{
"name": "CVE-2025-22060",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22060"
},
{
"name": "CVE-2025-22066",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22066"
},
{
"name": "CVE-2025-22047",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22047"
},
{
"name": "CVE-2025-22070",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22070"
},
{
"name": "CVE-2025-22071",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22071"
},
{
"name": "CVE-2025-38617",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38617"
},
{
"name": "CVE-2025-22075",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22075"
},
{
"name": "CVE-2025-22065",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22065"
},
{
"name": "CVE-2025-22097",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22097"
},
{
"name": "CVE-2025-22020",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22020"
},
{
"name": "CVE-2021-47294",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-47294"
},
{
"name": "CVE-2025-40300",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40300"
},
{
"name": "CVE-2025-22063",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22063"
},
{
"name": "CVE-2024-56767",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-56767"
},
{
"name": "CVE-2025-37838",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-37838"
},
{
"name": "CVE-2025-38352",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38352"
},
{
"name": "CVE-2025-38618",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38618"
},
{
"name": "CVE-2025-22042",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22042"
},
{
"name": "CVE-2025-22038",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22038"
},
{
"name": "CVE-2025-22089",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22089"
},
{
"name": "CVE-2024-50299",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-50299"
},
{
"name": "CVE-2025-22054",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22054"
},
{
"name": "CVE-2025-22086",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22086"
},
{
"name": "CVE-2025-39682",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39682"
},
{
"name": "CVE-2025-22073",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22073"
},
{
"name": "CVE-2025-22064",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22064"
},
{
"name": "CVE-2025-22053",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22053"
},
{
"name": "CVE-2025-22079",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22079"
},
{
"name": "CVE-2025-22041",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22041"
},
{
"name": "CVE-2025-22081",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22081"
}
],
"initial_release_date": "2025-11-14T00:00:00",
"last_revision_date": "2025-11-14T00:00:00",
"links": [],
"reference": "CERTFR-2025-AVI-1008",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2025-11-14T00:00:00.000000"
}
],
"risks": [
{
"description": "Non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans le noyau Linux d\u0027Ubuntu. Elles permettent \u00e0 un attaquant de provoquer un contournement de la politique de s\u00e9curit\u00e9 et un probl\u00e8me de s\u00e9curit\u00e9 non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur.",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans le noyau Linux d\u0027Ubuntu",
"vendor_advisories": [
{
"published_at": "2025-11-07",
"title": "Bulletin de s\u00e9curit\u00e9 Ubuntu USN-7853-3",
"url": "https://ubuntu.com/security/notices/USN-7853-3"
},
{
"published_at": "2025-11-13",
"title": "Bulletin de s\u00e9curit\u00e9 Ubuntu USN-7862-3",
"url": "https://ubuntu.com/security/notices/USN-7862-3"
},
{
"published_at": "2025-11-10",
"title": "Bulletin de s\u00e9curit\u00e9 Ubuntu USN-7865-1",
"url": "https://ubuntu.com/security/notices/USN-7865-1"
},
{
"published_at": "2025-11-10",
"title": "Bulletin de s\u00e9curit\u00e9 Ubuntu USN-7862-2",
"url": "https://ubuntu.com/security/notices/USN-7862-2"
},
{
"published_at": "2025-11-10",
"title": "Bulletin de s\u00e9curit\u00e9 Ubuntu USN-7860-5",
"url": "https://ubuntu.com/security/notices/USN-7860-5"
},
{
"published_at": "2025-11-13",
"title": "Bulletin de s\u00e9curit\u00e9 Ubuntu USN-7861-3",
"url": "https://ubuntu.com/security/notices/USN-7861-3"
},
{
"published_at": "2025-11-12",
"title": "Bulletin de s\u00e9curit\u00e9 Ubuntu USN-7835-6",
"url": "https://ubuntu.com/security/notices/USN-7835-6"
}
]
}
CVE-2025-22086 (GCVE-0-2025-22086)
Vulnerability from cvelistv5 – Published: 2025-04-16 14:12 – Updated: 2026-05-11 21:12
VLAI
EPSS
Title
RDMA/mlx5: Fix mlx5_poll_one() cur_qp update flow
Summary
In the Linux kernel, the following vulnerability has been resolved:
RDMA/mlx5: Fix mlx5_poll_one() cur_qp update flow
When cur_qp isn't NULL, in order to avoid fetching the QP from
the radix tree again we check if the next cqe QP is identical to
the one we already have.
The bug however is that we are checking if the QP is identical by
checking the QP number inside the CQE against the QP number inside the
mlx5_ib_qp, but that's wrong since the QP number from the CQE is from
FW so it should be matched against mlx5_core_qp which is our FW QP
number.
Otherwise we could use the wrong QP when handling a CQE which could
cause the kernel trace below.
This issue is mainly noticeable over QPs 0 & 1, since for now they are
the only QPs in our driver whereas the QP number inside mlx5_ib_qp
doesn't match the QP number inside mlx5_core_qp.
BUG: kernel NULL pointer dereference, address: 0000000000000012
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 0 P4D 0
Oops: Oops: 0000 [#1] SMP
CPU: 0 UID: 0 PID: 7927 Comm: kworker/u62:1 Not tainted 6.14.0-rc3+ #189
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
Workqueue: ib-comp-unb-wq ib_cq_poll_work [ib_core]
RIP: 0010:mlx5_ib_poll_cq+0x4c7/0xd90 [mlx5_ib]
Code: 03 00 00 8d 58 ff 21 cb 66 39 d3 74 39 48 c7 c7 3c 89 6e a0 0f b7 db e8 b7 d2 b3 e0 49 8b 86 60 03 00 00 48 c7 c7 4a 89 6e a0 <0f> b7 5c 98 02 e8 9f d2 b3 e0 41 0f b7 86 78 03 00 00 83 e8 01 21
RSP: 0018:ffff88810511bd60 EFLAGS: 00010046
RAX: 0000000000000010 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffff88885fa1b3c0 RDI: ffffffffa06e894a
RBP: 00000000000000b0 R08: 0000000000000000 R09: ffff88810511bc10
R10: 0000000000000001 R11: 0000000000000001 R12: ffff88810d593000
R13: ffff88810e579108 R14: ffff888105146000 R15: 00000000000000b0
FS: 0000000000000000(0000) GS:ffff88885fa00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000012 CR3: 00000001077e6001 CR4: 0000000000370eb0
Call Trace:
<TASK>
? __die+0x20/0x60
? page_fault_oops+0x150/0x3e0
? exc_page_fault+0x74/0x130
? asm_exc_page_fault+0x22/0x30
? mlx5_ib_poll_cq+0x4c7/0xd90 [mlx5_ib]
__ib_process_cq+0x5a/0x150 [ib_core]
ib_cq_poll_work+0x31/0x90 [ib_core]
process_one_work+0x169/0x320
worker_thread+0x288/0x3a0
? work_busy+0xb0/0xb0
kthread+0xd7/0x1f0
? kthreads_online_cpu+0x130/0x130
? kthreads_online_cpu+0x130/0x130
ret_from_fork+0x2d/0x50
? kthreads_online_cpu+0x130/0x130
ret_from_fork_asm+0x11/0x20
</TASK>
Severity
No CVSS data available.
Assigner
References
11 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
e126ba97dba9edeb6fafa3665b5f8497fc9cdf8c , < 3b97d77049856865ac5ce8ffbc6e716928310f7f
(git)
Affected: e126ba97dba9edeb6fafa3665b5f8497fc9cdf8c , < 856d9e5d72dc44eca6d5a153581c58fbd84e92e1 (git) Affected: e126ba97dba9edeb6fafa3665b5f8497fc9cdf8c , < f0447ceb8a31d79bee7144f98f9a13f765531e1a (git) Affected: e126ba97dba9edeb6fafa3665b5f8497fc9cdf8c , < dc7139b7031d877acd73d7eff55670f22f48cd5e (git) Affected: e126ba97dba9edeb6fafa3665b5f8497fc9cdf8c , < 7c51a6964b45b6d40027abd77e89cef30d26dc5a (git) Affected: e126ba97dba9edeb6fafa3665b5f8497fc9cdf8c , < cad677085274ecf9c7565b5bfc5d2e49acbf174c (git) Affected: e126ba97dba9edeb6fafa3665b5f8497fc9cdf8c , < 55c65a64aefa6267b964d90e9a4039cb68ec73a5 (git) Affected: e126ba97dba9edeb6fafa3665b5f8497fc9cdf8c , < d52636eb13ccba448a752964cc6fc49970912874 (git) Affected: e126ba97dba9edeb6fafa3665b5f8497fc9cdf8c , < 5ed3b0cb3f827072e93b4c5b6e2b8106fd7cccbd (git) |
|
| Linux | Linux |
Affected:
3.11
Unaffected: 0 , < 3.11 (semver) Unaffected: 5.4.292 , ≤ 5.4.* (semver) Unaffected: 5.10.236 , ≤ 5.10.* (semver) Unaffected: 5.15.180 , ≤ 5.15.* (semver) Unaffected: 6.1.134 , ≤ 6.1.* (semver) Unaffected: 6.6.87 , ≤ 6.6.* (semver) Unaffected: 6.12.23 , ≤ 6.12.* (semver) Unaffected: 6.13.11 , ≤ 6.13.* (semver) Unaffected: 6.14.2 , ≤ 6.14.* (semver) Unaffected: 6.15 , ≤ * (original_commit_for_fix) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:42:06.134Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/hw/mlx5/cq.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3b97d77049856865ac5ce8ffbc6e716928310f7f",
"status": "affected",
"version": "e126ba97dba9edeb6fafa3665b5f8497fc9cdf8c",
"versionType": "git"
},
{
"lessThan": "856d9e5d72dc44eca6d5a153581c58fbd84e92e1",
"status": "affected",
"version": "e126ba97dba9edeb6fafa3665b5f8497fc9cdf8c",
"versionType": "git"
},
{
"lessThan": "f0447ceb8a31d79bee7144f98f9a13f765531e1a",
"status": "affected",
"version": "e126ba97dba9edeb6fafa3665b5f8497fc9cdf8c",
"versionType": "git"
},
{
"lessThan": "dc7139b7031d877acd73d7eff55670f22f48cd5e",
"status": "affected",
"version": "e126ba97dba9edeb6fafa3665b5f8497fc9cdf8c",
"versionType": "git"
},
{
"lessThan": "7c51a6964b45b6d40027abd77e89cef30d26dc5a",
"status": "affected",
"version": "e126ba97dba9edeb6fafa3665b5f8497fc9cdf8c",
"versionType": "git"
},
{
"lessThan": "cad677085274ecf9c7565b5bfc5d2e49acbf174c",
"status": "affected",
"version": "e126ba97dba9edeb6fafa3665b5f8497fc9cdf8c",
"versionType": "git"
},
{
"lessThan": "55c65a64aefa6267b964d90e9a4039cb68ec73a5",
"status": "affected",
"version": "e126ba97dba9edeb6fafa3665b5f8497fc9cdf8c",
"versionType": "git"
},
{
"lessThan": "d52636eb13ccba448a752964cc6fc49970912874",
"status": "affected",
"version": "e126ba97dba9edeb6fafa3665b5f8497fc9cdf8c",
"versionType": "git"
},
{
"lessThan": "5ed3b0cb3f827072e93b4c5b6e2b8106fd7cccbd",
"status": "affected",
"version": "e126ba97dba9edeb6fafa3665b5f8497fc9cdf8c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/hw/mlx5/cq.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.11"
},
{
"lessThan": "3.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.292",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.236",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.180",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.134",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.87",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.23",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.14.*",
"status": "unaffected",
"version": "6.14.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.15",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.292",
"versionStartIncluding": "3.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.236",
"versionStartIncluding": "3.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.180",
"versionStartIncluding": "3.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.134",
"versionStartIncluding": "3.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.87",
"versionStartIncluding": "3.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.23",
"versionStartIncluding": "3.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.11",
"versionStartIncluding": "3.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14.2",
"versionStartIncluding": "3.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15",
"versionStartIncluding": "3.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/mlx5: Fix mlx5_poll_one() cur_qp update flow\n\nWhen cur_qp isn\u0027t NULL, in order to avoid fetching the QP from\nthe radix tree again we check if the next cqe QP is identical to\nthe one we already have.\n\nThe bug however is that we are checking if the QP is identical by\nchecking the QP number inside the CQE against the QP number inside the\nmlx5_ib_qp, but that\u0027s wrong since the QP number from the CQE is from\nFW so it should be matched against mlx5_core_qp which is our FW QP\nnumber.\n\nOtherwise we could use the wrong QP when handling a CQE which could\ncause the kernel trace below.\n\nThis issue is mainly noticeable over QPs 0 \u0026 1, since for now they are\nthe only QPs in our driver whereas the QP number inside mlx5_ib_qp\ndoesn\u0027t match the QP number inside mlx5_core_qp.\n\nBUG: kernel NULL pointer dereference, address: 0000000000000012\n #PF: supervisor read access in kernel mode\n #PF: error_code(0x0000) - not-present page\n PGD 0 P4D 0\n Oops: Oops: 0000 [#1] SMP\n CPU: 0 UID: 0 PID: 7927 Comm: kworker/u62:1 Not tainted 6.14.0-rc3+ #189\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014\n Workqueue: ib-comp-unb-wq ib_cq_poll_work [ib_core]\n RIP: 0010:mlx5_ib_poll_cq+0x4c7/0xd90 [mlx5_ib]\n Code: 03 00 00 8d 58 ff 21 cb 66 39 d3 74 39 48 c7 c7 3c 89 6e a0 0f b7 db e8 b7 d2 b3 e0 49 8b 86 60 03 00 00 48 c7 c7 4a 89 6e a0 \u003c0f\u003e b7 5c 98 02 e8 9f d2 b3 e0 41 0f b7 86 78 03 00 00 83 e8 01 21\n RSP: 0018:ffff88810511bd60 EFLAGS: 00010046\n RAX: 0000000000000010 RBX: 0000000000000000 RCX: 0000000000000000\n RDX: 0000000000000000 RSI: ffff88885fa1b3c0 RDI: ffffffffa06e894a\n RBP: 00000000000000b0 R08: 0000000000000000 R09: ffff88810511bc10\n R10: 0000000000000001 R11: 0000000000000001 R12: ffff88810d593000\n R13: ffff88810e579108 R14: ffff888105146000 R15: 00000000000000b0\n FS: 0000000000000000(0000) GS:ffff88885fa00000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 0000000000000012 CR3: 00000001077e6001 CR4: 0000000000370eb0\n Call Trace:\n \u003cTASK\u003e\n ? __die+0x20/0x60\n ? page_fault_oops+0x150/0x3e0\n ? exc_page_fault+0x74/0x130\n ? asm_exc_page_fault+0x22/0x30\n ? mlx5_ib_poll_cq+0x4c7/0xd90 [mlx5_ib]\n __ib_process_cq+0x5a/0x150 [ib_core]\n ib_cq_poll_work+0x31/0x90 [ib_core]\n process_one_work+0x169/0x320\n worker_thread+0x288/0x3a0\n ? work_busy+0xb0/0xb0\n kthread+0xd7/0x1f0\n ? kthreads_online_cpu+0x130/0x130\n ? kthreads_online_cpu+0x130/0x130\n ret_from_fork+0x2d/0x50\n ? kthreads_online_cpu+0x130/0x130\n ret_from_fork_asm+0x11/0x20\n \u003c/TASK\u003e"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:12:23.298Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3b97d77049856865ac5ce8ffbc6e716928310f7f"
},
{
"url": "https://git.kernel.org/stable/c/856d9e5d72dc44eca6d5a153581c58fbd84e92e1"
},
{
"url": "https://git.kernel.org/stable/c/f0447ceb8a31d79bee7144f98f9a13f765531e1a"
},
{
"url": "https://git.kernel.org/stable/c/dc7139b7031d877acd73d7eff55670f22f48cd5e"
},
{
"url": "https://git.kernel.org/stable/c/7c51a6964b45b6d40027abd77e89cef30d26dc5a"
},
{
"url": "https://git.kernel.org/stable/c/cad677085274ecf9c7565b5bfc5d2e49acbf174c"
},
{
"url": "https://git.kernel.org/stable/c/55c65a64aefa6267b964d90e9a4039cb68ec73a5"
},
{
"url": "https://git.kernel.org/stable/c/d52636eb13ccba448a752964cc6fc49970912874"
},
{
"url": "https://git.kernel.org/stable/c/5ed3b0cb3f827072e93b4c5b6e2b8106fd7cccbd"
}
],
"title": "RDMA/mlx5: Fix mlx5_poll_one() cur_qp update flow",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-22086",
"datePublished": "2025-04-16T14:12:34.560Z",
"dateReserved": "2024-12-29T08:45:45.816Z",
"dateUpdated": "2026-05-11T21:12:23.298Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-22089 (GCVE-0-2025-22089)
Vulnerability from cvelistv5 – Published: 2025-04-16 14:12 – Updated: 2026-05-11 21:12
VLAI
EPSS
Title
RDMA/core: Don't expose hw_counters outside of init net namespace
Summary
In the Linux kernel, the following vulnerability has been resolved:
RDMA/core: Don't expose hw_counters outside of init net namespace
Commit 467f432a521a ("RDMA/core: Split port and device counter sysfs
attributes") accidentally almost exposed hw counters to non-init net
namespaces. It didn't expose them fully, as an attempt to read any of
those counters leads to a crash like this one:
[42021.807566] BUG: kernel NULL pointer dereference, address: 0000000000000028
[42021.814463] #PF: supervisor read access in kernel mode
[42021.819549] #PF: error_code(0x0000) - not-present page
[42021.824636] PGD 0 P4D 0
[42021.827145] Oops: 0000 [#1] SMP PTI
[42021.830598] CPU: 82 PID: 2843922 Comm: switchto-defaul Kdump: loaded Tainted: G S W I XXX
[42021.841697] Hardware name: XXX
[42021.849619] RIP: 0010:hw_stat_device_show+0x1e/0x40 [ib_core]
[42021.855362] Code: 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 0f 1f 44 00 00 49 89 d0 4c 8b 5e 20 48 8b 8f b8 04 00 00 48 81 c7 f0 fa ff ff <48> 8b 41 28 48 29 ce 48 83 c6 d0 48 c1 ee 04 69 d6 ab aa aa aa 48
[42021.873931] RSP: 0018:ffff97fe90f03da0 EFLAGS: 00010287
[42021.879108] RAX: ffff9406988a8c60 RBX: ffff940e1072d438 RCX: 0000000000000000
[42021.886169] RDX: ffff94085f1aa000 RSI: ffff93c6cbbdbcb0 RDI: ffff940c7517aef0
[42021.893230] RBP: ffff97fe90f03e70 R08: ffff94085f1aa000 R09: 0000000000000000
[42021.900294] R10: ffff94085f1aa000 R11: ffffffffc0775680 R12: ffffffff87ca2530
[42021.907355] R13: ffff940651602840 R14: ffff93c6cbbdbcb0 R15: ffff94085f1aa000
[42021.914418] FS: 00007fda1a3b9700(0000) GS:ffff94453fb80000(0000) knlGS:0000000000000000
[42021.922423] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[42021.928130] CR2: 0000000000000028 CR3: 00000042dcfb8003 CR4: 00000000003726f0
[42021.935194] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[42021.942257] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[42021.949324] Call Trace:
[42021.951756] <TASK>
[42021.953842] [<ffffffff86c58674>] ? show_regs+0x64/0x70
[42021.959030] [<ffffffff86c58468>] ? __die+0x78/0xc0
[42021.963874] [<ffffffff86c9ef75>] ? page_fault_oops+0x2b5/0x3b0
[42021.969749] [<ffffffff87674b92>] ? exc_page_fault+0x1a2/0x3c0
[42021.975549] [<ffffffff87801326>] ? asm_exc_page_fault+0x26/0x30
[42021.981517] [<ffffffffc0775680>] ? __pfx_show_hw_stats+0x10/0x10 [ib_core]
[42021.988482] [<ffffffffc077564e>] ? hw_stat_device_show+0x1e/0x40 [ib_core]
[42021.995438] [<ffffffff86ac7f8e>] dev_attr_show+0x1e/0x50
[42022.000803] [<ffffffff86a3eeb1>] sysfs_kf_seq_show+0x81/0xe0
[42022.006508] [<ffffffff86a11134>] seq_read_iter+0xf4/0x410
[42022.011954] [<ffffffff869f4b2e>] vfs_read+0x16e/0x2f0
[42022.017058] [<ffffffff869f50ee>] ksys_read+0x6e/0xe0
[42022.022073] [<ffffffff8766f1ca>] do_syscall_64+0x6a/0xa0
[42022.027441] [<ffffffff8780013b>] entry_SYSCALL_64_after_hwframe+0x78/0xe2
The problem can be reproduced using the following steps:
ip netns add foo
ip netns exec foo bash
cat /sys/class/infiniband/mlx4_0/hw_counters/*
The panic occurs because of casting the device pointer into an
ib_device pointer using container_of() in hw_stat_device_show() is
wrong and leads to a memory corruption.
However the real problem is that hw counters should never been exposed
outside of the non-init net namespace.
Fix this by saving the index of the corresponding attribute group
(it might be 1 or 2 depending on the presence of driver-specific
attributes) and zeroing the pointer to hw_counters group for compat
devices during the initialization.
With this fix applied hw_counters are not available in a non-init
net namespace:
find /sys/class/infiniband/mlx4_0/ -name hw_counters
/sys/class/infiniband/mlx4_0/ports/1/hw_counters
/sys/class/infiniband/mlx4_0/ports/2/hw_counters
/sys/class/infiniband/mlx4_0/hw_counters
ip netns add foo
ip netns exec foo bash
find /sys/class/infiniband/mlx4_0/ -name hw_counters
Severity
No CVSS data available.
Assigner
References
8 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
467f432a521a284c418e3d521ee51840a5e23424 , < 9a5b7f8842a90a5e6eeff37f9f6d814e61ea3529
(git)
Affected: 467f432a521a284c418e3d521ee51840a5e23424 , < d5212b99649c5740154f307e9e3d7fee9bf62773 (git) Affected: 467f432a521a284c418e3d521ee51840a5e23424 , < 0cf80f924aecb5b2bebd4f4ad11b2efc676a0b78 (git) Affected: 467f432a521a284c418e3d521ee51840a5e23424 , < df45ae2a4f1cdfda00c032839e12092e1f32c05e (git) Affected: 467f432a521a284c418e3d521ee51840a5e23424 , < c14d9704f5d77a7c7fa46e2114b64a4f75b64e17 (git) Affected: 467f432a521a284c418e3d521ee51840a5e23424 , < 6682da5d8fd578a5068531d01633c9d2e4c8f12b (git) Affected: 467f432a521a284c418e3d521ee51840a5e23424 , < a1ecb30f90856b0be4168ad51b8875148e285c1f (git) |
|
| Linux | Linux |
Affected:
5.14
Unaffected: 0 , < 5.14 (semver) Unaffected: 5.15.180 , ≤ 5.15.* (semver) Unaffected: 6.1.134 , ≤ 6.1.* (semver) Unaffected: 6.6.87 , ≤ 6.6.* (semver) Unaffected: 6.12.23 , ≤ 6.12.* (semver) Unaffected: 6.13.11 , ≤ 6.13.* (semver) Unaffected: 6.14.2 , ≤ 6.14.* (semver) Unaffected: 6.15 , ≤ * (original_commit_for_fix) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:42:08.973Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/core/device.c",
"drivers/infiniband/core/sysfs.c",
"include/rdma/ib_verbs.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "9a5b7f8842a90a5e6eeff37f9f6d814e61ea3529",
"status": "affected",
"version": "467f432a521a284c418e3d521ee51840a5e23424",
"versionType": "git"
},
{
"lessThan": "d5212b99649c5740154f307e9e3d7fee9bf62773",
"status": "affected",
"version": "467f432a521a284c418e3d521ee51840a5e23424",
"versionType": "git"
},
{
"lessThan": "0cf80f924aecb5b2bebd4f4ad11b2efc676a0b78",
"status": "affected",
"version": "467f432a521a284c418e3d521ee51840a5e23424",
"versionType": "git"
},
{
"lessThan": "df45ae2a4f1cdfda00c032839e12092e1f32c05e",
"status": "affected",
"version": "467f432a521a284c418e3d521ee51840a5e23424",
"versionType": "git"
},
{
"lessThan": "c14d9704f5d77a7c7fa46e2114b64a4f75b64e17",
"status": "affected",
"version": "467f432a521a284c418e3d521ee51840a5e23424",
"versionType": "git"
},
{
"lessThan": "6682da5d8fd578a5068531d01633c9d2e4c8f12b",
"status": "affected",
"version": "467f432a521a284c418e3d521ee51840a5e23424",
"versionType": "git"
},
{
"lessThan": "a1ecb30f90856b0be4168ad51b8875148e285c1f",
"status": "affected",
"version": "467f432a521a284c418e3d521ee51840a5e23424",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/core/device.c",
"drivers/infiniband/core/sysfs.c",
"include/rdma/ib_verbs.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.14"
},
{
"lessThan": "5.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.180",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.134",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.87",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.23",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.14.*",
"status": "unaffected",
"version": "6.14.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.15",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.180",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.134",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.87",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.23",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.11",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14.2",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15",
"versionStartIncluding": "5.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/core: Don\u0027t expose hw_counters outside of init net namespace\n\nCommit 467f432a521a (\"RDMA/core: Split port and device counter sysfs\nattributes\") accidentally almost exposed hw counters to non-init net\nnamespaces. It didn\u0027t expose them fully, as an attempt to read any of\nthose counters leads to a crash like this one:\n\n[42021.807566] BUG: kernel NULL pointer dereference, address: 0000000000000028\n[42021.814463] #PF: supervisor read access in kernel mode\n[42021.819549] #PF: error_code(0x0000) - not-present page\n[42021.824636] PGD 0 P4D 0\n[42021.827145] Oops: 0000 [#1] SMP PTI\n[42021.830598] CPU: 82 PID: 2843922 Comm: switchto-defaul Kdump: loaded Tainted: G S W I XXX\n[42021.841697] Hardware name: XXX\n[42021.849619] RIP: 0010:hw_stat_device_show+0x1e/0x40 [ib_core]\n[42021.855362] Code: 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 0f 1f 44 00 00 49 89 d0 4c 8b 5e 20 48 8b 8f b8 04 00 00 48 81 c7 f0 fa ff ff \u003c48\u003e 8b 41 28 48 29 ce 48 83 c6 d0 48 c1 ee 04 69 d6 ab aa aa aa 48\n[42021.873931] RSP: 0018:ffff97fe90f03da0 EFLAGS: 00010287\n[42021.879108] RAX: ffff9406988a8c60 RBX: ffff940e1072d438 RCX: 0000000000000000\n[42021.886169] RDX: ffff94085f1aa000 RSI: ffff93c6cbbdbcb0 RDI: ffff940c7517aef0\n[42021.893230] RBP: ffff97fe90f03e70 R08: ffff94085f1aa000 R09: 0000000000000000\n[42021.900294] R10: ffff94085f1aa000 R11: ffffffffc0775680 R12: ffffffff87ca2530\n[42021.907355] R13: ffff940651602840 R14: ffff93c6cbbdbcb0 R15: ffff94085f1aa000\n[42021.914418] FS: 00007fda1a3b9700(0000) GS:ffff94453fb80000(0000) knlGS:0000000000000000\n[42021.922423] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[42021.928130] CR2: 0000000000000028 CR3: 00000042dcfb8003 CR4: 00000000003726f0\n[42021.935194] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[42021.942257] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[42021.949324] Call Trace:\n[42021.951756] \u003cTASK\u003e\n[42021.953842] [\u003cffffffff86c58674\u003e] ? show_regs+0x64/0x70\n[42021.959030] [\u003cffffffff86c58468\u003e] ? __die+0x78/0xc0\n[42021.963874] [\u003cffffffff86c9ef75\u003e] ? page_fault_oops+0x2b5/0x3b0\n[42021.969749] [\u003cffffffff87674b92\u003e] ? exc_page_fault+0x1a2/0x3c0\n[42021.975549] [\u003cffffffff87801326\u003e] ? asm_exc_page_fault+0x26/0x30\n[42021.981517] [\u003cffffffffc0775680\u003e] ? __pfx_show_hw_stats+0x10/0x10 [ib_core]\n[42021.988482] [\u003cffffffffc077564e\u003e] ? hw_stat_device_show+0x1e/0x40 [ib_core]\n[42021.995438] [\u003cffffffff86ac7f8e\u003e] dev_attr_show+0x1e/0x50\n[42022.000803] [\u003cffffffff86a3eeb1\u003e] sysfs_kf_seq_show+0x81/0xe0\n[42022.006508] [\u003cffffffff86a11134\u003e] seq_read_iter+0xf4/0x410\n[42022.011954] [\u003cffffffff869f4b2e\u003e] vfs_read+0x16e/0x2f0\n[42022.017058] [\u003cffffffff869f50ee\u003e] ksys_read+0x6e/0xe0\n[42022.022073] [\u003cffffffff8766f1ca\u003e] do_syscall_64+0x6a/0xa0\n[42022.027441] [\u003cffffffff8780013b\u003e] entry_SYSCALL_64_after_hwframe+0x78/0xe2\n\nThe problem can be reproduced using the following steps:\n ip netns add foo\n ip netns exec foo bash\n cat /sys/class/infiniband/mlx4_0/hw_counters/*\n\nThe panic occurs because of casting the device pointer into an\nib_device pointer using container_of() in hw_stat_device_show() is\nwrong and leads to a memory corruption.\n\nHowever the real problem is that hw counters should never been exposed\noutside of the non-init net namespace.\n\nFix this by saving the index of the corresponding attribute group\n(it might be 1 or 2 depending on the presence of driver-specific\nattributes) and zeroing the pointer to hw_counters group for compat\ndevices during the initialization.\n\nWith this fix applied hw_counters are not available in a non-init\nnet namespace:\n find /sys/class/infiniband/mlx4_0/ -name hw_counters\n /sys/class/infiniband/mlx4_0/ports/1/hw_counters\n /sys/class/infiniband/mlx4_0/ports/2/hw_counters\n /sys/class/infiniband/mlx4_0/hw_counters\n\n ip netns add foo\n ip netns exec foo bash\n find /sys/class/infiniband/mlx4_0/ -name hw_counters"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:12:40.100Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/9a5b7f8842a90a5e6eeff37f9f6d814e61ea3529"
},
{
"url": "https://git.kernel.org/stable/c/d5212b99649c5740154f307e9e3d7fee9bf62773"
},
{
"url": "https://git.kernel.org/stable/c/0cf80f924aecb5b2bebd4f4ad11b2efc676a0b78"
},
{
"url": "https://git.kernel.org/stable/c/df45ae2a4f1cdfda00c032839e12092e1f32c05e"
},
{
"url": "https://git.kernel.org/stable/c/c14d9704f5d77a7c7fa46e2114b64a4f75b64e17"
},
{
"url": "https://git.kernel.org/stable/c/6682da5d8fd578a5068531d01633c9d2e4c8f12b"
},
{
"url": "https://git.kernel.org/stable/c/a1ecb30f90856b0be4168ad51b8875148e285c1f"
}
],
"title": "RDMA/core: Don\u0027t expose hw_counters outside of init net namespace",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-22089",
"datePublished": "2025-04-16T14:12:41.732Z",
"dateReserved": "2024-12-29T08:45:45.817Z",
"dateUpdated": "2026-05-11T21:12:40.100Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-22090 (GCVE-0-2025-22090)
Vulnerability from cvelistv5 – Published: 2025-04-16 14:12 – Updated: 2026-05-11 21:12
VLAI
EPSS
Title
x86/mm/pat: Fix VM_PAT handling when fork() fails in copy_page_range()
Summary
In the Linux kernel, the following vulnerability has been resolved:
x86/mm/pat: Fix VM_PAT handling when fork() fails in copy_page_range()
If track_pfn_copy() fails, we already added the dst VMA to the maple
tree. As fork() fails, we'll cleanup the maple tree, and stumble over
the dst VMA for which we neither performed any reservation nor copied
any page tables.
Consequently untrack_pfn() will see VM_PAT and try obtaining the
PAT information from the page table -- which fails because the page
table was not copied.
The easiest fix would be to simply clear the VM_PAT flag of the dst VMA
if track_pfn_copy() fails. However, the whole thing is about "simply"
clearing the VM_PAT flag is shaky as well: if we passed track_pfn_copy()
and performed a reservation, but copying the page tables fails, we'll
simply clear the VM_PAT flag, not properly undoing the reservation ...
which is also wrong.
So let's fix it properly: set the VM_PAT flag only if the reservation
succeeded (leaving it clear initially), and undo the reservation if
anything goes wrong while copying the page tables: clearing the VM_PAT
flag after undoing the reservation.
Note that any copied page table entries will get zapped when the VMA will
get removed later, after copy_page_range() succeeded; as VM_PAT is not set
then, we won't try cleaning VM_PAT up once more and untrack_pfn() will be
happy. Note that leaving these page tables in place without a reservation
is not a problem, as we are aborting fork(); this process will never run.
A reproducer can trigger this usually at the first try:
https://gitlab.com/davidhildenbrand/scratchspace/-/raw/main/reproducers/pat_fork.c
WARNING: CPU: 26 PID: 11650 at arch/x86/mm/pat/memtype.c:983 get_pat_info+0xf6/0x110
Modules linked in: ...
CPU: 26 UID: 0 PID: 11650 Comm: repro3 Not tainted 6.12.0-rc5+ #92
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-2.fc40 04/01/2014
RIP: 0010:get_pat_info+0xf6/0x110
...
Call Trace:
<TASK>
...
untrack_pfn+0x52/0x110
unmap_single_vma+0xa6/0xe0
unmap_vmas+0x105/0x1f0
exit_mmap+0xf6/0x460
__mmput+0x4b/0x120
copy_process+0x1bf6/0x2aa0
kernel_clone+0xab/0x440
__do_sys_clone+0x66/0x90
do_syscall_64+0x95/0x180
Likely this case was missed in:
d155df53f310 ("x86/mm/pat: clear VM_PAT if copy_p4d_range failed")
... and instead of undoing the reservation we simply cleared the VM_PAT flag.
Keep the documentation of these functions in include/linux/pgtable.h,
one place is more than sufficient -- we should clean that up for the other
functions like track_pfn_remap/untrack_pfn separately.
Severity
No CVSS data available.
Assigner
References
6 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
2ab640379a0ab4cef746ced1d7e04a0941774bcb , < a6623712ba8449876f0b3de9462831523fb851e4
(git)
Affected: 2ab640379a0ab4cef746ced1d7e04a0941774bcb , < b07398e8a5da517083f5c3f2daa8f6681b48ab28 (git) Affected: 2ab640379a0ab4cef746ced1d7e04a0941774bcb , < 8d6373f83f367dbed316ddeb178130a3a64b5b67 (git) Affected: 2ab640379a0ab4cef746ced1d7e04a0941774bcb , < da381c33f3aa6406406c9fdf07b8b0b63e0ce722 (git) Affected: 2ab640379a0ab4cef746ced1d7e04a0941774bcb , < de6185b8892d88142ef69768fe4077cbf40109c0 (git) Affected: 2ab640379a0ab4cef746ced1d7e04a0941774bcb , < dc84bc2aba85a1508f04a936f9f9a15f64ebfb31 (git) |
|
| Linux | Linux |
Affected:
2.6.29
Unaffected: 0 , < 2.6.29 (semver) Unaffected: 6.1.160 , ≤ 6.1.* (semver) Unaffected: 6.6.87 , ≤ 6.6.* (semver) Unaffected: 6.12.23 , ≤ 6.12.* (semver) Unaffected: 6.13.11 , ≤ 6.13.* (semver) Unaffected: 6.14.2 , ≤ 6.14.* (semver) Unaffected: 6.15 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/x86/mm/pat/memtype.c",
"include/linux/pgtable.h",
"kernel/fork.c",
"mm/memory.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a6623712ba8449876f0b3de9462831523fb851e4",
"status": "affected",
"version": "2ab640379a0ab4cef746ced1d7e04a0941774bcb",
"versionType": "git"
},
{
"lessThan": "b07398e8a5da517083f5c3f2daa8f6681b48ab28",
"status": "affected",
"version": "2ab640379a0ab4cef746ced1d7e04a0941774bcb",
"versionType": "git"
},
{
"lessThan": "8d6373f83f367dbed316ddeb178130a3a64b5b67",
"status": "affected",
"version": "2ab640379a0ab4cef746ced1d7e04a0941774bcb",
"versionType": "git"
},
{
"lessThan": "da381c33f3aa6406406c9fdf07b8b0b63e0ce722",
"status": "affected",
"version": "2ab640379a0ab4cef746ced1d7e04a0941774bcb",
"versionType": "git"
},
{
"lessThan": "de6185b8892d88142ef69768fe4077cbf40109c0",
"status": "affected",
"version": "2ab640379a0ab4cef746ced1d7e04a0941774bcb",
"versionType": "git"
},
{
"lessThan": "dc84bc2aba85a1508f04a936f9f9a15f64ebfb31",
"status": "affected",
"version": "2ab640379a0ab4cef746ced1d7e04a0941774bcb",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/x86/mm/pat/memtype.c",
"include/linux/pgtable.h",
"kernel/fork.c",
"mm/memory.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.29"
},
{
"lessThan": "2.6.29",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.87",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.23",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.14.*",
"status": "unaffected",
"version": "6.14.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.15",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.87",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.23",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.11",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14.2",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15",
"versionStartIncluding": "2.6.29",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/mm/pat: Fix VM_PAT handling when fork() fails in copy_page_range()\n\nIf track_pfn_copy() fails, we already added the dst VMA to the maple\ntree. As fork() fails, we\u0027ll cleanup the maple tree, and stumble over\nthe dst VMA for which we neither performed any reservation nor copied\nany page tables.\n\nConsequently untrack_pfn() will see VM_PAT and try obtaining the\nPAT information from the page table -- which fails because the page\ntable was not copied.\n\nThe easiest fix would be to simply clear the VM_PAT flag of the dst VMA\nif track_pfn_copy() fails. However, the whole thing is about \"simply\"\nclearing the VM_PAT flag is shaky as well: if we passed track_pfn_copy()\nand performed a reservation, but copying the page tables fails, we\u0027ll\nsimply clear the VM_PAT flag, not properly undoing the reservation ...\nwhich is also wrong.\n\nSo let\u0027s fix it properly: set the VM_PAT flag only if the reservation\nsucceeded (leaving it clear initially), and undo the reservation if\nanything goes wrong while copying the page tables: clearing the VM_PAT\nflag after undoing the reservation.\n\nNote that any copied page table entries will get zapped when the VMA will\nget removed later, after copy_page_range() succeeded; as VM_PAT is not set\nthen, we won\u0027t try cleaning VM_PAT up once more and untrack_pfn() will be\nhappy. Note that leaving these page tables in place without a reservation\nis not a problem, as we are aborting fork(); this process will never run.\n\nA reproducer can trigger this usually at the first try:\n\n https://gitlab.com/davidhildenbrand/scratchspace/-/raw/main/reproducers/pat_fork.c\n\n WARNING: CPU: 26 PID: 11650 at arch/x86/mm/pat/memtype.c:983 get_pat_info+0xf6/0x110\n Modules linked in: ...\n CPU: 26 UID: 0 PID: 11650 Comm: repro3 Not tainted 6.12.0-rc5+ #92\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-2.fc40 04/01/2014\n RIP: 0010:get_pat_info+0xf6/0x110\n ...\n Call Trace:\n \u003cTASK\u003e\n ...\n untrack_pfn+0x52/0x110\n unmap_single_vma+0xa6/0xe0\n unmap_vmas+0x105/0x1f0\n exit_mmap+0xf6/0x460\n __mmput+0x4b/0x120\n copy_process+0x1bf6/0x2aa0\n kernel_clone+0xab/0x440\n __do_sys_clone+0x66/0x90\n do_syscall_64+0x95/0x180\n\nLikely this case was missed in:\n\n d155df53f310 (\"x86/mm/pat: clear VM_PAT if copy_p4d_range failed\")\n\n... and instead of undoing the reservation we simply cleared the VM_PAT flag.\n\nKeep the documentation of these functions in include/linux/pgtable.h,\none place is more than sufficient -- we should clean that up for the other\nfunctions like track_pfn_remap/untrack_pfn separately."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:12:41.260Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a6623712ba8449876f0b3de9462831523fb851e4"
},
{
"url": "https://git.kernel.org/stable/c/b07398e8a5da517083f5c3f2daa8f6681b48ab28"
},
{
"url": "https://git.kernel.org/stable/c/8d6373f83f367dbed316ddeb178130a3a64b5b67"
},
{
"url": "https://git.kernel.org/stable/c/da381c33f3aa6406406c9fdf07b8b0b63e0ce722"
},
{
"url": "https://git.kernel.org/stable/c/de6185b8892d88142ef69768fe4077cbf40109c0"
},
{
"url": "https://git.kernel.org/stable/c/dc84bc2aba85a1508f04a936f9f9a15f64ebfb31"
}
],
"title": "x86/mm/pat: Fix VM_PAT handling when fork() fails in copy_page_range()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-22090",
"datePublished": "2025-04-16T14:12:42.561Z",
"dateReserved": "2024-12-29T08:45:45.817Z",
"dateUpdated": "2026-05-11T21:12:41.260Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-22095 (GCVE-0-2025-22095)
Vulnerability from cvelistv5 – Published: 2025-04-16 14:12 – Updated: 2026-05-11 21:12
VLAI
EPSS
Title
PCI: brcmstb: Fix error path after a call to regulator_bulk_get()
Summary
In the Linux kernel, the following vulnerability has been resolved:
PCI: brcmstb: Fix error path after a call to regulator_bulk_get()
If the regulator_bulk_get() returns an error and no regulators
are created, we need to set their number to zero.
If we don't do this and the PCIe link up fails, a call to the
regulator_bulk_free() will result in a kernel panic.
While at it, print the error value, as we cannot return an error
upwards as the kernel will WARN() on an error from add_bus().
[kwilczynski: commit log, use comma in the message to match style with
other similar messages]
Severity
No CVSS data available.
Assigner
References
7 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
9e6be018b26347c26a93e63fb50a37ee2c9311de , < 99a0efba9f903acbdece548862b6b4cbe7d999e1
(git)
Affected: 9e6be018b26347c26a93e63fb50a37ee2c9311de , < eedd054834930b8d678f0776cd4b091b8fffbb4a (git) Affected: 9e6be018b26347c26a93e63fb50a37ee2c9311de , < df63321a40cc98e52313cffbff376b8ae9ceffa7 (git) Affected: 9e6be018b26347c26a93e63fb50a37ee2c9311de , < 7842e842a9bf6bd5866c84f588353711d131ab1a (git) Affected: 9e6be018b26347c26a93e63fb50a37ee2c9311de , < 6f44e1fdb006db61394aa4d4c25728ada00842e7 (git) Affected: 9e6be018b26347c26a93e63fb50a37ee2c9311de , < 3651ad5249c51cf7eee078e12612557040a6bdb4 (git) |
|
| Linux | Linux |
Affected:
6.0
Unaffected: 0 , < 6.0 (semver) Unaffected: 6.1.134 , ≤ 6.1.* (semver) Unaffected: 6.6.87 , ≤ 6.6.* (semver) Unaffected: 6.12.23 , ≤ 6.12.* (semver) Unaffected: 6.13.11 , ≤ 6.13.* (semver) Unaffected: 6.14.2 , ≤ 6.14.* (semver) Unaffected: 6.15 , ≤ * (original_commit_for_fix) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:42:11.748Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/pci/controller/pcie-brcmstb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "99a0efba9f903acbdece548862b6b4cbe7d999e1",
"status": "affected",
"version": "9e6be018b26347c26a93e63fb50a37ee2c9311de",
"versionType": "git"
},
{
"lessThan": "eedd054834930b8d678f0776cd4b091b8fffbb4a",
"status": "affected",
"version": "9e6be018b26347c26a93e63fb50a37ee2c9311de",
"versionType": "git"
},
{
"lessThan": "df63321a40cc98e52313cffbff376b8ae9ceffa7",
"status": "affected",
"version": "9e6be018b26347c26a93e63fb50a37ee2c9311de",
"versionType": "git"
},
{
"lessThan": "7842e842a9bf6bd5866c84f588353711d131ab1a",
"status": "affected",
"version": "9e6be018b26347c26a93e63fb50a37ee2c9311de",
"versionType": "git"
},
{
"lessThan": "6f44e1fdb006db61394aa4d4c25728ada00842e7",
"status": "affected",
"version": "9e6be018b26347c26a93e63fb50a37ee2c9311de",
"versionType": "git"
},
{
"lessThan": "3651ad5249c51cf7eee078e12612557040a6bdb4",
"status": "affected",
"version": "9e6be018b26347c26a93e63fb50a37ee2c9311de",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/pci/controller/pcie-brcmstb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.0"
},
{
"lessThan": "6.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.134",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.87",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.23",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.14.*",
"status": "unaffected",
"version": "6.14.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.15",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.134",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.87",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.23",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.11",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14.2",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15",
"versionStartIncluding": "6.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nPCI: brcmstb: Fix error path after a call to regulator_bulk_get()\n\nIf the regulator_bulk_get() returns an error and no regulators\nare created, we need to set their number to zero.\n\nIf we don\u0027t do this and the PCIe link up fails, a call to the\nregulator_bulk_free() will result in a kernel panic.\n\nWhile at it, print the error value, as we cannot return an error\nupwards as the kernel will WARN() on an error from add_bus().\n\n[kwilczynski: commit log, use comma in the message to match style with\nother similar messages]"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:12:52.237Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/99a0efba9f903acbdece548862b6b4cbe7d999e1"
},
{
"url": "https://git.kernel.org/stable/c/eedd054834930b8d678f0776cd4b091b8fffbb4a"
},
{
"url": "https://git.kernel.org/stable/c/df63321a40cc98e52313cffbff376b8ae9ceffa7"
},
{
"url": "https://git.kernel.org/stable/c/7842e842a9bf6bd5866c84f588353711d131ab1a"
},
{
"url": "https://git.kernel.org/stable/c/6f44e1fdb006db61394aa4d4c25728ada00842e7"
},
{
"url": "https://git.kernel.org/stable/c/3651ad5249c51cf7eee078e12612557040a6bdb4"
}
],
"title": "PCI: brcmstb: Fix error path after a call to regulator_bulk_get()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-22095",
"datePublished": "2025-04-16T14:12:46.226Z",
"dateReserved": "2024-12-29T08:45:45.818Z",
"dateUpdated": "2026-05-11T21:12:52.237Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-22097 (GCVE-0-2025-22097)
Vulnerability from cvelistv5 – Published: 2025-04-16 14:12 – Updated: 2026-05-11 21:12
VLAI
EPSS
Title
drm/vkms: Fix use after free and double free on init error
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/vkms: Fix use after free and double free on init error
If the driver initialization fails, the vkms_exit() function might
access an uninitialized or freed default_config pointer and it might
double free it.
Fix both possible errors by initializing default_config only when the
driver initialization succeeded.
Severity
7.8 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-416 - Use After Free
Assigner
References
8 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
2df7af93fdadb9ba8226fe443fae15ecdefda2a6 , < 49a69f67f53518bdd9b7eeebf019a2da6cc0e954
(git)
Affected: 2df7af93fdadb9ba8226fe443fae15ecdefda2a6 , < 79d138d137b80eeb0a83244d1cff29e64cf91067 (git) Affected: 2df7af93fdadb9ba8226fe443fae15ecdefda2a6 , < 561fc0c5cf41f646f3e9e61784cbc0fc832fb936 (git) Affected: 2df7af93fdadb9ba8226fe443fae15ecdefda2a6 , < d5eb8e347905ab17788a7903fa1d3d06747355f5 (git) Affected: 2df7af93fdadb9ba8226fe443fae15ecdefda2a6 , < b8a18bb53e06d6d3c1fd03d12533d6e333ba8853 (git) Affected: 2df7af93fdadb9ba8226fe443fae15ecdefda2a6 , < 1f68f1cf09d06061eb549726ff8339e064eddebd (git) Affected: 2df7af93fdadb9ba8226fe443fae15ecdefda2a6 , < ed15511a773df86205bda66c37193569575ae828 (git) |
|
| Linux | Linux |
Affected:
5.12
Unaffected: 0 , < 5.12 (semver) Unaffected: 5.15.180 , ≤ 5.15.* (semver) Unaffected: 6.1.134 , ≤ 6.1.* (semver) Unaffected: 6.6.87 , ≤ 6.6.* (semver) Unaffected: 6.12.23 , ≤ 6.12.* (semver) Unaffected: 6.13.11 , ≤ 6.13.* (semver) Unaffected: 6.14.2 , ≤ 6.14.* (semver) Unaffected: 6.15 , ≤ * (original_commit_for_fix) |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-22097",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-25T14:30:06.841533Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-25T14:36:34.623Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:42:13.124Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/vkms/vkms_drv.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "49a69f67f53518bdd9b7eeebf019a2da6cc0e954",
"status": "affected",
"version": "2df7af93fdadb9ba8226fe443fae15ecdefda2a6",
"versionType": "git"
},
{
"lessThan": "79d138d137b80eeb0a83244d1cff29e64cf91067",
"status": "affected",
"version": "2df7af93fdadb9ba8226fe443fae15ecdefda2a6",
"versionType": "git"
},
{
"lessThan": "561fc0c5cf41f646f3e9e61784cbc0fc832fb936",
"status": "affected",
"version": "2df7af93fdadb9ba8226fe443fae15ecdefda2a6",
"versionType": "git"
},
{
"lessThan": "d5eb8e347905ab17788a7903fa1d3d06747355f5",
"status": "affected",
"version": "2df7af93fdadb9ba8226fe443fae15ecdefda2a6",
"versionType": "git"
},
{
"lessThan": "b8a18bb53e06d6d3c1fd03d12533d6e333ba8853",
"status": "affected",
"version": "2df7af93fdadb9ba8226fe443fae15ecdefda2a6",
"versionType": "git"
},
{
"lessThan": "1f68f1cf09d06061eb549726ff8339e064eddebd",
"status": "affected",
"version": "2df7af93fdadb9ba8226fe443fae15ecdefda2a6",
"versionType": "git"
},
{
"lessThan": "ed15511a773df86205bda66c37193569575ae828",
"status": "affected",
"version": "2df7af93fdadb9ba8226fe443fae15ecdefda2a6",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/vkms/vkms_drv.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.12"
},
{
"lessThan": "5.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.180",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.134",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.87",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.23",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.14.*",
"status": "unaffected",
"version": "6.14.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.15",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.180",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.134",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.87",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.23",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.11",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14.2",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15",
"versionStartIncluding": "5.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/vkms: Fix use after free and double free on init error\n\nIf the driver initialization fails, the vkms_exit() function might\naccess an uninitialized or freed default_config pointer and it might\ndouble free it.\n\nFix both possible errors by initializing default_config only when the\ndriver initialization succeeded."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:12:54.498Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/49a69f67f53518bdd9b7eeebf019a2da6cc0e954"
},
{
"url": "https://git.kernel.org/stable/c/79d138d137b80eeb0a83244d1cff29e64cf91067"
},
{
"url": "https://git.kernel.org/stable/c/561fc0c5cf41f646f3e9e61784cbc0fc832fb936"
},
{
"url": "https://git.kernel.org/stable/c/d5eb8e347905ab17788a7903fa1d3d06747355f5"
},
{
"url": "https://git.kernel.org/stable/c/b8a18bb53e06d6d3c1fd03d12533d6e333ba8853"
},
{
"url": "https://git.kernel.org/stable/c/1f68f1cf09d06061eb549726ff8339e064eddebd"
},
{
"url": "https://git.kernel.org/stable/c/ed15511a773df86205bda66c37193569575ae828"
}
],
"title": "drm/vkms: Fix use after free and double free on init error",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-22097",
"datePublished": "2025-04-16T14:12:47.649Z",
"dateReserved": "2024-12-29T08:45:45.818Z",
"dateUpdated": "2026-05-11T21:12:54.498Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-23136 (GCVE-0-2025-23136)
Vulnerability from cvelistv5 – Published: 2025-04-16 14:13 – Updated: 2026-05-11 21:13
VLAI
EPSS
Title
thermal: int340x: Add NULL check for adev
Summary
In the Linux kernel, the following vulnerability has been resolved:
thermal: int340x: Add NULL check for adev
Not all devices have an ACPI companion fwnode, so adev might be NULL.
This is similar to the commit cd2fd6eab480
("platform/x86: int3472: Check for adev == NULL").
Add a check for adev not being set and return -ENODEV in that case to
avoid a possible NULL pointer deref in int3402_thermal_probe().
Note, under the same directory, int3400_thermal_probe() has such a
check.
[ rjw: Subject edit, added Fixes: ]
Severity
5.5 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-476 - NULL Pointer Dereference
Assigner
References
11 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
77e337c6e23e3b9d22e09ffec202a80f755a54c2 , < d0d21c8e44216fa9afdb3809edf213f3c0a8c060
(git)
Affected: 77e337c6e23e3b9d22e09ffec202a80f755a54c2 , < bc7b5f782d28942dbdfda70df30ce132694a06de (git) Affected: 77e337c6e23e3b9d22e09ffec202a80f755a54c2 , < 3155d5261b518776d1b807d9d922669991bbee56 (git) Affected: 77e337c6e23e3b9d22e09ffec202a80f755a54c2 , < 6a810c462f099353e908c70619638884cb82229c (git) Affected: 77e337c6e23e3b9d22e09ffec202a80f755a54c2 , < ac2eb7378319e3836cdf3a2c15a0bdf04c50e81d (git) Affected: 77e337c6e23e3b9d22e09ffec202a80f755a54c2 , < 953d28a4f459fcbde2d08f51aeca19d6b0f179f3 (git) Affected: 77e337c6e23e3b9d22e09ffec202a80f755a54c2 , < 0c49f12c77b77a706fd41370c11910635e491845 (git) Affected: 77e337c6e23e3b9d22e09ffec202a80f755a54c2 , < 8e8f1ddf4186731649df8bc9646017369eb19186 (git) Affected: 77e337c6e23e3b9d22e09ffec202a80f755a54c2 , < 2542a3f70e563a9e70e7ded314286535a3321bdb (git) |
|
| Linux | Linux |
Affected:
3.18
Unaffected: 0 , < 3.18 (semver) Unaffected: 5.4.292 , ≤ 5.4.* (semver) Unaffected: 5.10.236 , ≤ 5.10.* (semver) Unaffected: 5.15.180 , ≤ 5.15.* (semver) Unaffected: 6.1.134 , ≤ 6.1.* (semver) Unaffected: 6.6.87 , ≤ 6.6.* (semver) Unaffected: 6.12.23 , ≤ 6.12.* (semver) Unaffected: 6.13.11 , ≤ 6.13.* (semver) Unaffected: 6.14.2 , ≤ 6.14.* (semver) Unaffected: 6.15 , ≤ * (original_commit_for_fix) |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-23136",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T17:03:06.730334Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-476",
"description": "CWE-476 NULL Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T17:03:09.639Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:42:20.085Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/thermal/intel/int340x_thermal/int3402_thermal.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d0d21c8e44216fa9afdb3809edf213f3c0a8c060",
"status": "affected",
"version": "77e337c6e23e3b9d22e09ffec202a80f755a54c2",
"versionType": "git"
},
{
"lessThan": "bc7b5f782d28942dbdfda70df30ce132694a06de",
"status": "affected",
"version": "77e337c6e23e3b9d22e09ffec202a80f755a54c2",
"versionType": "git"
},
{
"lessThan": "3155d5261b518776d1b807d9d922669991bbee56",
"status": "affected",
"version": "77e337c6e23e3b9d22e09ffec202a80f755a54c2",
"versionType": "git"
},
{
"lessThan": "6a810c462f099353e908c70619638884cb82229c",
"status": "affected",
"version": "77e337c6e23e3b9d22e09ffec202a80f755a54c2",
"versionType": "git"
},
{
"lessThan": "ac2eb7378319e3836cdf3a2c15a0bdf04c50e81d",
"status": "affected",
"version": "77e337c6e23e3b9d22e09ffec202a80f755a54c2",
"versionType": "git"
},
{
"lessThan": "953d28a4f459fcbde2d08f51aeca19d6b0f179f3",
"status": "affected",
"version": "77e337c6e23e3b9d22e09ffec202a80f755a54c2",
"versionType": "git"
},
{
"lessThan": "0c49f12c77b77a706fd41370c11910635e491845",
"status": "affected",
"version": "77e337c6e23e3b9d22e09ffec202a80f755a54c2",
"versionType": "git"
},
{
"lessThan": "8e8f1ddf4186731649df8bc9646017369eb19186",
"status": "affected",
"version": "77e337c6e23e3b9d22e09ffec202a80f755a54c2",
"versionType": "git"
},
{
"lessThan": "2542a3f70e563a9e70e7ded314286535a3321bdb",
"status": "affected",
"version": "77e337c6e23e3b9d22e09ffec202a80f755a54c2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/thermal/intel/int340x_thermal/int3402_thermal.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.18"
},
{
"lessThan": "3.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.292",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.236",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.180",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.134",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.87",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.23",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.14.*",
"status": "unaffected",
"version": "6.14.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.15",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.292",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.236",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.180",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.134",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.87",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.23",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.11",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14.2",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15",
"versionStartIncluding": "3.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nthermal: int340x: Add NULL check for adev\n\nNot all devices have an ACPI companion fwnode, so adev might be NULL.\nThis is similar to the commit cd2fd6eab480\n(\"platform/x86: int3472: Check for adev == NULL\").\n\nAdd a check for adev not being set and return -ENODEV in that case to\navoid a possible NULL pointer deref in int3402_thermal_probe().\n\nNote, under the same directory, int3400_thermal_probe() has such a\ncheck.\n\n[ rjw: Subject edit, added Fixes: ]"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:13:39.845Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d0d21c8e44216fa9afdb3809edf213f3c0a8c060"
},
{
"url": "https://git.kernel.org/stable/c/bc7b5f782d28942dbdfda70df30ce132694a06de"
},
{
"url": "https://git.kernel.org/stable/c/3155d5261b518776d1b807d9d922669991bbee56"
},
{
"url": "https://git.kernel.org/stable/c/6a810c462f099353e908c70619638884cb82229c"
},
{
"url": "https://git.kernel.org/stable/c/ac2eb7378319e3836cdf3a2c15a0bdf04c50e81d"
},
{
"url": "https://git.kernel.org/stable/c/953d28a4f459fcbde2d08f51aeca19d6b0f179f3"
},
{
"url": "https://git.kernel.org/stable/c/0c49f12c77b77a706fd41370c11910635e491845"
},
{
"url": "https://git.kernel.org/stable/c/8e8f1ddf4186731649df8bc9646017369eb19186"
},
{
"url": "https://git.kernel.org/stable/c/2542a3f70e563a9e70e7ded314286535a3321bdb"
}
],
"title": "thermal: int340x: Add NULL check for adev",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-23136",
"datePublished": "2025-04-16T14:13:16.439Z",
"dateReserved": "2025-01-11T14:28:41.511Z",
"dateUpdated": "2026-05-11T21:13:39.845Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-23138 (GCVE-0-2025-23138)
Vulnerability from cvelistv5 – Published: 2025-04-16 14:13 – Updated: 2026-05-23 15:58
VLAI
EPSS
Title
watch_queue: fix pipe accounting mismatch
Summary
In the Linux kernel, the following vulnerability has been resolved:
watch_queue: fix pipe accounting mismatch
Currently, watch_queue_set_size() modifies the pipe buffers charged to
user->pipe_bufs without updating the pipe->nr_accounted on the pipe
itself, due to the if (!pipe_has_watch_queue()) test in
pipe_resize_ring(). This means that when the pipe is ultimately freed,
we decrement user->pipe_bufs by something other than what than we had
charged to it, potentially leading to an underflow. This in turn can
cause subsequent too_many_pipe_buffers_soft() tests to fail with -EPERM.
To remedy this, explicitly account for the pipe usage in
watch_queue_set_size() to match the number set via account_pipe_buffers()
(It's unclear why watch_queue_set_size() does not update nr_accounted;
it may be due to intentional overprovisioning in watch_queue_set_size()?)
Severity
No CVSS data available.
Assigner
References
10 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
162ae0e78bdabf84ef10c1293c4ed7865cb7d3c8 , < 8658c75343ed00e5e154ebbe24335f51ba8db547
(git)
Affected: 3efbd114b91525bb095b8ae046382197d92126b9 , < 471c89b7d4f58bd6082f7c1fe14d4ca15c7f1284 (git) Affected: b87a1229d8668fbc78ebd9ca0fc797a76001c60f , < d40e3537265dea9e3c33021874437ff26dc18787 (git) Affected: 68e51bdb1194f11d3452525b99c98aff6f837b24 , < 6dafa27764183738dc5368b669b71e3d0d154f12 (git) Affected: e95aada4cb93d42e25c30a0ef9eb2923d9711d4a , < 56ec918e6c86c1536870e4373e91eddd0c44245f (git) Affected: e95aada4cb93d42e25c30a0ef9eb2923d9711d4a , < 2d680b988656bb556c863d8b46d9b9096842bf3d (git) Affected: e95aada4cb93d42e25c30a0ef9eb2923d9711d4a , < 205028ebba838938d3b264dda1d0708fa7fe1ade (git) Affected: e95aada4cb93d42e25c30a0ef9eb2923d9711d4a , < f13abc1e8e1a3b7455511c4e122750127f6bc9b0 (git) Affected: 6fb70694f8d1ac34e45246b0ac988f025e1e5b55 (git) Affected: 5.10.210 , < 5.10.236 (semver) Affected: 5.15.149 , < 5.15.180 (semver) Affected: 6.1.76 , < 6.1.134 (semver) Affected: 6.6.15 , < 6.6.87 (semver) Affected: 6.7.3 , < 6.8 (semver) |
|
| Linux | Linux |
Affected:
6.8
Unaffected: 0 , < 6.8 (semver) Unaffected: 5.10.236 , ≤ 5.10.* (semver) Unaffected: 5.15.180 , ≤ 5.15.* (semver) Unaffected: 6.1.134 , ≤ 6.1.* (semver) Unaffected: 6.6.87 , ≤ 6.6.* (semver) Unaffected: 6.12.23 , ≤ 6.12.* (semver) Unaffected: 6.13.11 , ≤ 6.13.* (semver) Unaffected: 6.14.2 , ≤ 6.14.* (semver) Unaffected: 6.15 , ≤ * (original_commit_for_fix) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:42:22.845Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/watch_queue.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "8658c75343ed00e5e154ebbe24335f51ba8db547",
"status": "affected",
"version": "162ae0e78bdabf84ef10c1293c4ed7865cb7d3c8",
"versionType": "git"
},
{
"lessThan": "471c89b7d4f58bd6082f7c1fe14d4ca15c7f1284",
"status": "affected",
"version": "3efbd114b91525bb095b8ae046382197d92126b9",
"versionType": "git"
},
{
"lessThan": "d40e3537265dea9e3c33021874437ff26dc18787",
"status": "affected",
"version": "b87a1229d8668fbc78ebd9ca0fc797a76001c60f",
"versionType": "git"
},
{
"lessThan": "6dafa27764183738dc5368b669b71e3d0d154f12",
"status": "affected",
"version": "68e51bdb1194f11d3452525b99c98aff6f837b24",
"versionType": "git"
},
{
"lessThan": "56ec918e6c86c1536870e4373e91eddd0c44245f",
"status": "affected",
"version": "e95aada4cb93d42e25c30a0ef9eb2923d9711d4a",
"versionType": "git"
},
{
"lessThan": "2d680b988656bb556c863d8b46d9b9096842bf3d",
"status": "affected",
"version": "e95aada4cb93d42e25c30a0ef9eb2923d9711d4a",
"versionType": "git"
},
{
"lessThan": "205028ebba838938d3b264dda1d0708fa7fe1ade",
"status": "affected",
"version": "e95aada4cb93d42e25c30a0ef9eb2923d9711d4a",
"versionType": "git"
},
{
"lessThan": "f13abc1e8e1a3b7455511c4e122750127f6bc9b0",
"status": "affected",
"version": "e95aada4cb93d42e25c30a0ef9eb2923d9711d4a",
"versionType": "git"
},
{
"status": "affected",
"version": "6fb70694f8d1ac34e45246b0ac988f025e1e5b55",
"versionType": "git"
},
{
"lessThan": "5.10.236",
"status": "affected",
"version": "5.10.210",
"versionType": "semver"
},
{
"lessThan": "5.15.180",
"status": "affected",
"version": "5.15.149",
"versionType": "semver"
},
{
"lessThan": "6.1.134",
"status": "affected",
"version": "6.1.76",
"versionType": "semver"
},
{
"lessThan": "6.6.87",
"status": "affected",
"version": "6.6.15",
"versionType": "semver"
},
{
"lessThan": "6.8",
"status": "affected",
"version": "6.7.3",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/watch_queue.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.8"
},
{
"lessThan": "6.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.236",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.180",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.134",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.87",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.23",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.14.*",
"status": "unaffected",
"version": "6.14.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.15",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.236",
"versionStartIncluding": "5.10.210",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.180",
"versionStartIncluding": "5.15.149",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.134",
"versionStartIncluding": "6.1.76",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.87",
"versionStartIncluding": "6.6.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.23",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.11",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14.2",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.7.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwatch_queue: fix pipe accounting mismatch\n\nCurrently, watch_queue_set_size() modifies the pipe buffers charged to\nuser-\u003epipe_bufs without updating the pipe-\u003enr_accounted on the pipe\nitself, due to the if (!pipe_has_watch_queue()) test in\npipe_resize_ring(). This means that when the pipe is ultimately freed,\nwe decrement user-\u003epipe_bufs by something other than what than we had\ncharged to it, potentially leading to an underflow. This in turn can\ncause subsequent too_many_pipe_buffers_soft() tests to fail with -EPERM.\n\nTo remedy this, explicitly account for the pipe usage in\nwatch_queue_set_size() to match the number set via account_pipe_buffers()\n\n(It\u0027s unclear why watch_queue_set_size() does not update nr_accounted;\nit may be due to intentional overprovisioning in watch_queue_set_size()?)"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-23T15:58:00.391Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/8658c75343ed00e5e154ebbe24335f51ba8db547"
},
{
"url": "https://git.kernel.org/stable/c/471c89b7d4f58bd6082f7c1fe14d4ca15c7f1284"
},
{
"url": "https://git.kernel.org/stable/c/d40e3537265dea9e3c33021874437ff26dc18787"
},
{
"url": "https://git.kernel.org/stable/c/6dafa27764183738dc5368b669b71e3d0d154f12"
},
{
"url": "https://git.kernel.org/stable/c/56ec918e6c86c1536870e4373e91eddd0c44245f"
},
{
"url": "https://git.kernel.org/stable/c/2d680b988656bb556c863d8b46d9b9096842bf3d"
},
{
"url": "https://git.kernel.org/stable/c/205028ebba838938d3b264dda1d0708fa7fe1ade"
},
{
"url": "https://git.kernel.org/stable/c/f13abc1e8e1a3b7455511c4e122750127f6bc9b0"
}
],
"title": "watch_queue: fix pipe accounting mismatch",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-23138",
"datePublished": "2025-04-16T14:13:17.866Z",
"dateReserved": "2025-01-11T14:28:41.511Z",
"dateUpdated": "2026-05-23T15:58:00.391Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-37785 (GCVE-0-2025-37785)
Vulnerability from cvelistv5 – Published: 2025-04-18 07:01 – Updated: 2026-05-11 21:15
VLAI
EPSS
Title
ext4: fix OOB read when checking dotdot dir
Summary
In the Linux kernel, the following vulnerability has been resolved:
ext4: fix OOB read when checking dotdot dir
Mounting a corrupted filesystem with directory which contains '.' dir
entry with rec_len == block size results in out-of-bounds read (later
on, when the corrupted directory is removed).
ext4_empty_dir() assumes every ext4 directory contains at least '.'
and '..' as directory entries in the first data block. It first loads
the '.' dir entry, performs sanity checks by calling ext4_check_dir_entry()
and then uses its rec_len member to compute the location of '..' dir
entry (in ext4_next_entry). It assumes the '..' dir entry fits into the
same data block.
If the rec_len of '.' is precisely one block (4KB), it slips through the
sanity checks (it is considered the last directory entry in the data
block) and leaves "struct ext4_dir_entry_2 *de" point exactly past the
memory slot allocated to the data block. The following call to
ext4_check_dir_entry() on new value of de then dereferences this pointer
which results in out-of-bounds mem access.
Fix this by extending __ext4_check_dir_entry() to check for '.' dir
entries that reach the end of data block. Make sure to ignore the phony
dir entries for checksum (by checking name_len for non-zero).
Note: This is reported by KASAN as use-after-free in case another
structure was recently freed from the slot past the bound, but it is
really an OOB read.
This issue was found by syzkaller tool.
Call Trace:
[ 38.594108] BUG: KASAN: slab-use-after-free in __ext4_check_dir_entry+0x67e/0x710
[ 38.594649] Read of size 2 at addr ffff88802b41a004 by task syz-executor/5375
[ 38.595158]
[ 38.595288] CPU: 0 UID: 0 PID: 5375 Comm: syz-executor Not tainted 6.14.0-rc7 #1
[ 38.595298] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
[ 38.595304] Call Trace:
[ 38.595308] <TASK>
[ 38.595311] dump_stack_lvl+0xa7/0xd0
[ 38.595325] print_address_description.constprop.0+0x2c/0x3f0
[ 38.595339] ? __ext4_check_dir_entry+0x67e/0x710
[ 38.595349] print_report+0xaa/0x250
[ 38.595359] ? __ext4_check_dir_entry+0x67e/0x710
[ 38.595368] ? kasan_addr_to_slab+0x9/0x90
[ 38.595378] kasan_report+0xab/0xe0
[ 38.595389] ? __ext4_check_dir_entry+0x67e/0x710
[ 38.595400] __ext4_check_dir_entry+0x67e/0x710
[ 38.595410] ext4_empty_dir+0x465/0x990
[ 38.595421] ? __pfx_ext4_empty_dir+0x10/0x10
[ 38.595432] ext4_rmdir.part.0+0x29a/0xd10
[ 38.595441] ? __dquot_initialize+0x2a7/0xbf0
[ 38.595455] ? __pfx_ext4_rmdir.part.0+0x10/0x10
[ 38.595464] ? __pfx___dquot_initialize+0x10/0x10
[ 38.595478] ? down_write+0xdb/0x140
[ 38.595487] ? __pfx_down_write+0x10/0x10
[ 38.595497] ext4_rmdir+0xee/0x140
[ 38.595506] vfs_rmdir+0x209/0x670
[ 38.595517] ? lookup_one_qstr_excl+0x3b/0x190
[ 38.595529] do_rmdir+0x363/0x3c0
[ 38.595537] ? __pfx_do_rmdir+0x10/0x10
[ 38.595544] ? strncpy_from_user+0x1ff/0x2e0
[ 38.595561] __x64_sys_unlinkat+0xf0/0x130
[ 38.595570] do_syscall_64+0x5b/0x180
[ 38.595583] entry_SYSCALL_64_after_hwframe+0x76/0x7e
Severity
No CVSS data available.
Assigner
References
11 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
ac27a0ec112a089f1a5102bc8dffc79c8c815571 , < 14da7dbecb430e35b5889da8dae7bef33173b351
(git)
Affected: ac27a0ec112a089f1a5102bc8dffc79c8c815571 , < e47f472a664d70a3d104a6c2a035cdff55a719b4 (git) Affected: ac27a0ec112a089f1a5102bc8dffc79c8c815571 , < b7531a4f99c3887439d778afaf418d1a01a5f01b (git) Affected: ac27a0ec112a089f1a5102bc8dffc79c8c815571 , < 89503e5eae64637d0fa2218912b54660effe7d93 (git) Affected: ac27a0ec112a089f1a5102bc8dffc79c8c815571 , < 52a5509ab19a5d3afe301165d9b5787bba34d842 (git) Affected: ac27a0ec112a089f1a5102bc8dffc79c8c815571 , < b47584c556444cf7acb66b26a62cbc348eb92b78 (git) Affected: ac27a0ec112a089f1a5102bc8dffc79c8c815571 , < ac28c5684c1cdab650a7e5065b19e91577d37a4b (git) Affected: ac27a0ec112a089f1a5102bc8dffc79c8c815571 , < 53bc45da8d8da92ec07877f5922b130562eb4b00 (git) Affected: ac27a0ec112a089f1a5102bc8dffc79c8c815571 , < d5e206778e96e8667d3bde695ad372c296dc9353 (git) |
|
| Linux | Linux |
Affected:
2.6.19
Unaffected: 0 , < 2.6.19 (semver) Unaffected: 5.4.293 , ≤ 5.4.* (semver) Unaffected: 5.10.236 , ≤ 5.10.* (semver) Unaffected: 5.15.180 , ≤ 5.15.* (semver) Unaffected: 6.1.134 , ≤ 6.1.* (semver) Unaffected: 6.6.87 , ≤ 6.6.* (semver) Unaffected: 6.12.23 , ≤ 6.12.* (semver) Unaffected: 6.13.11 , ≤ 6.13.* (semver) Unaffected: 6.14.2 , ≤ 6.14.* (semver) Unaffected: 6.15 , ≤ * (original_commit_for_fix) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:55:07.824Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/ext4/dir.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "14da7dbecb430e35b5889da8dae7bef33173b351",
"status": "affected",
"version": "ac27a0ec112a089f1a5102bc8dffc79c8c815571",
"versionType": "git"
},
{
"lessThan": "e47f472a664d70a3d104a6c2a035cdff55a719b4",
"status": "affected",
"version": "ac27a0ec112a089f1a5102bc8dffc79c8c815571",
"versionType": "git"
},
{
"lessThan": "b7531a4f99c3887439d778afaf418d1a01a5f01b",
"status": "affected",
"version": "ac27a0ec112a089f1a5102bc8dffc79c8c815571",
"versionType": "git"
},
{
"lessThan": "89503e5eae64637d0fa2218912b54660effe7d93",
"status": "affected",
"version": "ac27a0ec112a089f1a5102bc8dffc79c8c815571",
"versionType": "git"
},
{
"lessThan": "52a5509ab19a5d3afe301165d9b5787bba34d842",
"status": "affected",
"version": "ac27a0ec112a089f1a5102bc8dffc79c8c815571",
"versionType": "git"
},
{
"lessThan": "b47584c556444cf7acb66b26a62cbc348eb92b78",
"status": "affected",
"version": "ac27a0ec112a089f1a5102bc8dffc79c8c815571",
"versionType": "git"
},
{
"lessThan": "ac28c5684c1cdab650a7e5065b19e91577d37a4b",
"status": "affected",
"version": "ac27a0ec112a089f1a5102bc8dffc79c8c815571",
"versionType": "git"
},
{
"lessThan": "53bc45da8d8da92ec07877f5922b130562eb4b00",
"status": "affected",
"version": "ac27a0ec112a089f1a5102bc8dffc79c8c815571",
"versionType": "git"
},
{
"lessThan": "d5e206778e96e8667d3bde695ad372c296dc9353",
"status": "affected",
"version": "ac27a0ec112a089f1a5102bc8dffc79c8c815571",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/ext4/dir.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.19"
},
{
"lessThan": "2.6.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.293",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.236",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.180",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.134",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.87",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.23",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.14.*",
"status": "unaffected",
"version": "6.14.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.15",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.293",
"versionStartIncluding": "2.6.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.236",
"versionStartIncluding": "2.6.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.180",
"versionStartIncluding": "2.6.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.134",
"versionStartIncluding": "2.6.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.87",
"versionStartIncluding": "2.6.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.23",
"versionStartIncluding": "2.6.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.11",
"versionStartIncluding": "2.6.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14.2",
"versionStartIncluding": "2.6.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15",
"versionStartIncluding": "2.6.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix OOB read when checking dotdot dir\n\nMounting a corrupted filesystem with directory which contains \u0027.\u0027 dir\nentry with rec_len == block size results in out-of-bounds read (later\non, when the corrupted directory is removed).\n\next4_empty_dir() assumes every ext4 directory contains at least \u0027.\u0027\nand \u0027..\u0027 as directory entries in the first data block. It first loads\nthe \u0027.\u0027 dir entry, performs sanity checks by calling ext4_check_dir_entry()\nand then uses its rec_len member to compute the location of \u0027..\u0027 dir\nentry (in ext4_next_entry). It assumes the \u0027..\u0027 dir entry fits into the\nsame data block.\n\nIf the rec_len of \u0027.\u0027 is precisely one block (4KB), it slips through the\nsanity checks (it is considered the last directory entry in the data\nblock) and leaves \"struct ext4_dir_entry_2 *de\" point exactly past the\nmemory slot allocated to the data block. The following call to\next4_check_dir_entry() on new value of de then dereferences this pointer\nwhich results in out-of-bounds mem access.\n\nFix this by extending __ext4_check_dir_entry() to check for \u0027.\u0027 dir\nentries that reach the end of data block. Make sure to ignore the phony\ndir entries for checksum (by checking name_len for non-zero).\n\nNote: This is reported by KASAN as use-after-free in case another\nstructure was recently freed from the slot past the bound, but it is\nreally an OOB read.\n\nThis issue was found by syzkaller tool.\n\nCall Trace:\n[ 38.594108] BUG: KASAN: slab-use-after-free in __ext4_check_dir_entry+0x67e/0x710\n[ 38.594649] Read of size 2 at addr ffff88802b41a004 by task syz-executor/5375\n[ 38.595158]\n[ 38.595288] CPU: 0 UID: 0 PID: 5375 Comm: syz-executor Not tainted 6.14.0-rc7 #1\n[ 38.595298] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014\n[ 38.595304] Call Trace:\n[ 38.595308] \u003cTASK\u003e\n[ 38.595311] dump_stack_lvl+0xa7/0xd0\n[ 38.595325] print_address_description.constprop.0+0x2c/0x3f0\n[ 38.595339] ? __ext4_check_dir_entry+0x67e/0x710\n[ 38.595349] print_report+0xaa/0x250\n[ 38.595359] ? __ext4_check_dir_entry+0x67e/0x710\n[ 38.595368] ? kasan_addr_to_slab+0x9/0x90\n[ 38.595378] kasan_report+0xab/0xe0\n[ 38.595389] ? __ext4_check_dir_entry+0x67e/0x710\n[ 38.595400] __ext4_check_dir_entry+0x67e/0x710\n[ 38.595410] ext4_empty_dir+0x465/0x990\n[ 38.595421] ? __pfx_ext4_empty_dir+0x10/0x10\n[ 38.595432] ext4_rmdir.part.0+0x29a/0xd10\n[ 38.595441] ? __dquot_initialize+0x2a7/0xbf0\n[ 38.595455] ? __pfx_ext4_rmdir.part.0+0x10/0x10\n[ 38.595464] ? __pfx___dquot_initialize+0x10/0x10\n[ 38.595478] ? down_write+0xdb/0x140\n[ 38.595487] ? __pfx_down_write+0x10/0x10\n[ 38.595497] ext4_rmdir+0xee/0x140\n[ 38.595506] vfs_rmdir+0x209/0x670\n[ 38.595517] ? lookup_one_qstr_excl+0x3b/0x190\n[ 38.595529] do_rmdir+0x363/0x3c0\n[ 38.595537] ? __pfx_do_rmdir+0x10/0x10\n[ 38.595544] ? strncpy_from_user+0x1ff/0x2e0\n[ 38.595561] __x64_sys_unlinkat+0xf0/0x130\n[ 38.595570] do_syscall_64+0x5b/0x180\n[ 38.595583] entry_SYSCALL_64_after_hwframe+0x76/0x7e"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:15:07.857Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/14da7dbecb430e35b5889da8dae7bef33173b351"
},
{
"url": "https://git.kernel.org/stable/c/e47f472a664d70a3d104a6c2a035cdff55a719b4"
},
{
"url": "https://git.kernel.org/stable/c/b7531a4f99c3887439d778afaf418d1a01a5f01b"
},
{
"url": "https://git.kernel.org/stable/c/89503e5eae64637d0fa2218912b54660effe7d93"
},
{
"url": "https://git.kernel.org/stable/c/52a5509ab19a5d3afe301165d9b5787bba34d842"
},
{
"url": "https://git.kernel.org/stable/c/b47584c556444cf7acb66b26a62cbc348eb92b78"
},
{
"url": "https://git.kernel.org/stable/c/ac28c5684c1cdab650a7e5065b19e91577d37a4b"
},
{
"url": "https://git.kernel.org/stable/c/53bc45da8d8da92ec07877f5922b130562eb4b00"
},
{
"url": "https://git.kernel.org/stable/c/d5e206778e96e8667d3bde695ad372c296dc9353"
}
],
"title": "ext4: fix OOB read when checking dotdot dir",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-37785",
"datePublished": "2025-04-18T07:01:27.393Z",
"dateReserved": "2025-04-16T04:51:23.940Z",
"dateUpdated": "2026-05-11T21:15:07.857Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-37838 (GCVE-0-2025-37838)
Vulnerability from cvelistv5 – Published: 2025-04-18 14:20 – Updated: 2026-05-11 21:16
VLAI
EPSS
Title
HSI: ssi_protocol: Fix use after free vulnerability in ssi_protocol Driver Due to Race Condition
Summary
In the Linux kernel, the following vulnerability has been resolved:
HSI: ssi_protocol: Fix use after free vulnerability in ssi_protocol Driver Due to Race Condition
In the ssi_protocol_probe() function, &ssi->work is bound with
ssip_xmit_work(), In ssip_pn_setup(), the ssip_pn_xmit() function
within the ssip_pn_ops structure is capable of starting the
work.
If we remove the module which will call ssi_protocol_remove()
to make a cleanup, it will free ssi through kfree(ssi),
while the work mentioned above will be used. The sequence
of operations that may lead to a UAF bug is as follows:
CPU0 CPU1
| ssip_xmit_work
ssi_protocol_remove |
kfree(ssi); |
| struct hsi_client *cl = ssi->cl;
| // use ssi
Fix it by ensuring that the work is canceled before proceeding
with the cleanup in ssi_protocol_remove().
Severity
7.8 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-416 - Use After Free
Assigner
References
11 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
df26d639e2f4628732a8da5a0f71e4e652ce809b , < d03abc1c2b21324550fa71e12d53e7d3498e0af6
(git)
Affected: df26d639e2f4628732a8da5a0f71e4e652ce809b , < 4a8c29beb8a02b5a0a9d77d608aa14b6f88a6b86 (git) Affected: df26d639e2f4628732a8da5a0f71e4e652ce809b , < 72972552d0d0bfeb2dec5daf343a19018db36ffa (git) Affected: df26d639e2f4628732a8da5a0f71e4e652ce809b , < d58493832e284f066e559b8da5ab20c15a2801d3 (git) Affected: df26d639e2f4628732a8da5a0f71e4e652ce809b , < 58eb29dba712ab0f13af59ca2fe545f5ce360e78 (git) Affected: df26d639e2f4628732a8da5a0f71e4e652ce809b , < ae5a6a0b425e8f76a9f0677e50796e494e89b088 (git) Affected: df26d639e2f4628732a8da5a0f71e4e652ce809b , < 834e602d0cc7c743bfce734fad4a46cefc0f9ab1 (git) Affected: df26d639e2f4628732a8da5a0f71e4e652ce809b , < 4b4194c9a7a8f92db39e8e86c85f4fb12ebbec4f (git) Affected: df26d639e2f4628732a8da5a0f71e4e652ce809b , < e3f88665a78045fe35c7669d2926b8d97b892c11 (git) |
|
| Linux | Linux |
Affected:
4.8
Unaffected: 0 , < 4.8 (semver) Unaffected: 5.4.293 , ≤ 5.4.* (semver) Unaffected: 5.10.237 , ≤ 5.10.* (semver) Unaffected: 5.15.181 , ≤ 5.15.* (semver) Unaffected: 6.1.135 , ≤ 6.1.* (semver) Unaffected: 6.6.88 , ≤ 6.6.* (semver) Unaffected: 6.12.24 , ≤ 6.12.* (semver) Unaffected: 6.13.12 , ≤ 6.13.* (semver) Unaffected: 6.14.3 , ≤ 6.14.* (semver) Unaffected: 6.15 , ≤ * (original_commit_for_fix) |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-37838",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-21T14:38:43.871416Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-21T14:41:43.037Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:56:09.541Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/hsi/clients/ssi_protocol.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d03abc1c2b21324550fa71e12d53e7d3498e0af6",
"status": "affected",
"version": "df26d639e2f4628732a8da5a0f71e4e652ce809b",
"versionType": "git"
},
{
"lessThan": "4a8c29beb8a02b5a0a9d77d608aa14b6f88a6b86",
"status": "affected",
"version": "df26d639e2f4628732a8da5a0f71e4e652ce809b",
"versionType": "git"
},
{
"lessThan": "72972552d0d0bfeb2dec5daf343a19018db36ffa",
"status": "affected",
"version": "df26d639e2f4628732a8da5a0f71e4e652ce809b",
"versionType": "git"
},
{
"lessThan": "d58493832e284f066e559b8da5ab20c15a2801d3",
"status": "affected",
"version": "df26d639e2f4628732a8da5a0f71e4e652ce809b",
"versionType": "git"
},
{
"lessThan": "58eb29dba712ab0f13af59ca2fe545f5ce360e78",
"status": "affected",
"version": "df26d639e2f4628732a8da5a0f71e4e652ce809b",
"versionType": "git"
},
{
"lessThan": "ae5a6a0b425e8f76a9f0677e50796e494e89b088",
"status": "affected",
"version": "df26d639e2f4628732a8da5a0f71e4e652ce809b",
"versionType": "git"
},
{
"lessThan": "834e602d0cc7c743bfce734fad4a46cefc0f9ab1",
"status": "affected",
"version": "df26d639e2f4628732a8da5a0f71e4e652ce809b",
"versionType": "git"
},
{
"lessThan": "4b4194c9a7a8f92db39e8e86c85f4fb12ebbec4f",
"status": "affected",
"version": "df26d639e2f4628732a8da5a0f71e4e652ce809b",
"versionType": "git"
},
{
"lessThan": "e3f88665a78045fe35c7669d2926b8d97b892c11",
"status": "affected",
"version": "df26d639e2f4628732a8da5a0f71e4e652ce809b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/hsi/clients/ssi_protocol.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.8"
},
{
"lessThan": "4.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.293",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.237",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.181",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.135",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.88",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.24",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.14.*",
"status": "unaffected",
"version": "6.14.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.15",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.293",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.237",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.181",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.135",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.88",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.24",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.12",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14.3",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15",
"versionStartIncluding": "4.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nHSI: ssi_protocol: Fix use after free vulnerability in ssi_protocol Driver Due to Race Condition\n\nIn the ssi_protocol_probe() function, \u0026ssi-\u003ework is bound with\nssip_xmit_work(), In ssip_pn_setup(), the ssip_pn_xmit() function\nwithin the ssip_pn_ops structure is capable of starting the\nwork.\n\nIf we remove the module which will call ssi_protocol_remove()\nto make a cleanup, it will free ssi through kfree(ssi),\nwhile the work mentioned above will be used. The sequence\nof operations that may lead to a UAF bug is as follows:\n\nCPU0 CPU1\n\n | ssip_xmit_work\nssi_protocol_remove |\nkfree(ssi); |\n | struct hsi_client *cl = ssi-\u003ecl;\n | // use ssi\n\nFix it by ensuring that the work is canceled before proceeding\nwith the cleanup in ssi_protocol_remove()."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:16:05.252Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d03abc1c2b21324550fa71e12d53e7d3498e0af6"
},
{
"url": "https://git.kernel.org/stable/c/4a8c29beb8a02b5a0a9d77d608aa14b6f88a6b86"
},
{
"url": "https://git.kernel.org/stable/c/72972552d0d0bfeb2dec5daf343a19018db36ffa"
},
{
"url": "https://git.kernel.org/stable/c/d58493832e284f066e559b8da5ab20c15a2801d3"
},
{
"url": "https://git.kernel.org/stable/c/58eb29dba712ab0f13af59ca2fe545f5ce360e78"
},
{
"url": "https://git.kernel.org/stable/c/ae5a6a0b425e8f76a9f0677e50796e494e89b088"
},
{
"url": "https://git.kernel.org/stable/c/834e602d0cc7c743bfce734fad4a46cefc0f9ab1"
},
{
"url": "https://git.kernel.org/stable/c/4b4194c9a7a8f92db39e8e86c85f4fb12ebbec4f"
},
{
"url": "https://git.kernel.org/stable/c/e3f88665a78045fe35c7669d2926b8d97b892c11"
}
],
"title": "HSI: ssi_protocol: Fix use after free vulnerability in ssi_protocol Driver Due to Race Condition",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-37838",
"datePublished": "2025-04-18T14:20:55.389Z",
"dateReserved": "2025-04-16T04:51:23.952Z",
"dateUpdated": "2026-05-11T21:16:05.252Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-37937 (GCVE-0-2025-37937)
Vulnerability from cvelistv5 – Published: 2025-05-20 15:34 – Updated: 2026-05-11 21:17
VLAI
EPSS
Title
objtool, media: dib8000: Prevent divide-by-zero in dib8000_set_dds()
Summary
In the Linux kernel, the following vulnerability has been resolved:
objtool, media: dib8000: Prevent divide-by-zero in dib8000_set_dds()
If dib8000_set_dds()'s call to dib8000_read32() returns zero, the result
is a divide-by-zero. Prevent that from happening.
Fixes the following warning with an UBSAN kernel:
drivers/media/dvb-frontends/dib8000.o: warning: objtool: dib8000_tune() falls through to next function dib8096p_cfg_DibRx()
Severity
No CVSS data available.
Assigner
References
10 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
173a64cb3fcff1993b2aa8113e53fd379f6a968f , < 536f7f3595ef8187cfa9ea50d7d24fcf4e84e166
(git)
Affected: 173a64cb3fcff1993b2aa8113e53fd379f6a968f , < 976a85782246a29ba0f6d411a7a4f524cb9ea987 (git) Affected: 173a64cb3fcff1993b2aa8113e53fd379f6a968f , < 9b76b198cf209797abcb1314c18ddeb90fe0827b (git) Affected: 173a64cb3fcff1993b2aa8113e53fd379f6a968f , < b9249da6b0ed56269d4f21850df8e5b35dab50bd (git) Affected: 173a64cb3fcff1993b2aa8113e53fd379f6a968f , < 75b42dfe87657ede3da3f279bd6b1b16d69af954 (git) Affected: 173a64cb3fcff1993b2aa8113e53fd379f6a968f , < cd80277f652138d2619f149f86ae6d17bce721d1 (git) Affected: 173a64cb3fcff1993b2aa8113e53fd379f6a968f , < c8430e72b99936c206b37a8e2daebb3f8df7f2d8 (git) Affected: 173a64cb3fcff1993b2aa8113e53fd379f6a968f , < 6cfe46036b163e5a0f07c6b705b518148e1a8b2f (git) Affected: 173a64cb3fcff1993b2aa8113e53fd379f6a968f , < e63d465f59011dede0a0f1d21718b59a64c3ff5c (git) |
|
| Linux | Linux |
Affected:
3.10
Unaffected: 0 , < 3.10 (semver) Unaffected: 5.4.292 , ≤ 5.4.* (semver) Unaffected: 5.10.236 , ≤ 5.10.* (semver) Unaffected: 5.15.180 , ≤ 5.15.* (semver) Unaffected: 6.1.134 , ≤ 6.1.* (semver) Unaffected: 6.6.87 , ≤ 6.6.* (semver) Unaffected: 6.12.23 , ≤ 6.12.* (semver) Unaffected: 6.13.11 , ≤ 6.13.* (semver) Unaffected: 6.14.2 , ≤ 6.14.* (semver) Unaffected: 6.15 , ≤ * (original_commit_for_fix) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:57:33.187Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/media/dvb-frontends/dib8000.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "536f7f3595ef8187cfa9ea50d7d24fcf4e84e166",
"status": "affected",
"version": "173a64cb3fcff1993b2aa8113e53fd379f6a968f",
"versionType": "git"
},
{
"lessThan": "976a85782246a29ba0f6d411a7a4f524cb9ea987",
"status": "affected",
"version": "173a64cb3fcff1993b2aa8113e53fd379f6a968f",
"versionType": "git"
},
{
"lessThan": "9b76b198cf209797abcb1314c18ddeb90fe0827b",
"status": "affected",
"version": "173a64cb3fcff1993b2aa8113e53fd379f6a968f",
"versionType": "git"
},
{
"lessThan": "b9249da6b0ed56269d4f21850df8e5b35dab50bd",
"status": "affected",
"version": "173a64cb3fcff1993b2aa8113e53fd379f6a968f",
"versionType": "git"
},
{
"lessThan": "75b42dfe87657ede3da3f279bd6b1b16d69af954",
"status": "affected",
"version": "173a64cb3fcff1993b2aa8113e53fd379f6a968f",
"versionType": "git"
},
{
"lessThan": "cd80277f652138d2619f149f86ae6d17bce721d1",
"status": "affected",
"version": "173a64cb3fcff1993b2aa8113e53fd379f6a968f",
"versionType": "git"
},
{
"lessThan": "c8430e72b99936c206b37a8e2daebb3f8df7f2d8",
"status": "affected",
"version": "173a64cb3fcff1993b2aa8113e53fd379f6a968f",
"versionType": "git"
},
{
"lessThan": "6cfe46036b163e5a0f07c6b705b518148e1a8b2f",
"status": "affected",
"version": "173a64cb3fcff1993b2aa8113e53fd379f6a968f",
"versionType": "git"
},
{
"lessThan": "e63d465f59011dede0a0f1d21718b59a64c3ff5c",
"status": "affected",
"version": "173a64cb3fcff1993b2aa8113e53fd379f6a968f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/media/dvb-frontends/dib8000.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.10"
},
{
"lessThan": "3.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.292",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.236",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.180",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.134",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.87",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.23",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.14.*",
"status": "unaffected",
"version": "6.14.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.15",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.292",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.236",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.180",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.134",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.87",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.23",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.11",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14.2",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15",
"versionStartIncluding": "3.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nobjtool, media: dib8000: Prevent divide-by-zero in dib8000_set_dds()\n\nIf dib8000_set_dds()\u0027s call to dib8000_read32() returns zero, the result\nis a divide-by-zero. Prevent that from happening.\n\nFixes the following warning with an UBSAN kernel:\n\n drivers/media/dvb-frontends/dib8000.o: warning: objtool: dib8000_tune() falls through to next function dib8096p_cfg_DibRx()"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:17:59.628Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/536f7f3595ef8187cfa9ea50d7d24fcf4e84e166"
},
{
"url": "https://git.kernel.org/stable/c/976a85782246a29ba0f6d411a7a4f524cb9ea987"
},
{
"url": "https://git.kernel.org/stable/c/9b76b198cf209797abcb1314c18ddeb90fe0827b"
},
{
"url": "https://git.kernel.org/stable/c/b9249da6b0ed56269d4f21850df8e5b35dab50bd"
},
{
"url": "https://git.kernel.org/stable/c/75b42dfe87657ede3da3f279bd6b1b16d69af954"
},
{
"url": "https://git.kernel.org/stable/c/cd80277f652138d2619f149f86ae6d17bce721d1"
},
{
"url": "https://git.kernel.org/stable/c/c8430e72b99936c206b37a8e2daebb3f8df7f2d8"
},
{
"url": "https://git.kernel.org/stable/c/6cfe46036b163e5a0f07c6b705b518148e1a8b2f"
},
{
"url": "https://git.kernel.org/stable/c/e63d465f59011dede0a0f1d21718b59a64c3ff5c"
}
],
"title": "objtool, media: dib8000: Prevent divide-by-zero in dib8000_set_dds()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-37937",
"datePublished": "2025-05-20T15:34:39.322Z",
"dateReserved": "2025-04-16T04:51:23.971Z",
"dateUpdated": "2026-05-11T21:17:59.628Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Loading…
Trend slope:
-
(linear fit over daily sighting counts)
Show additional events:
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…