Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CERTFR-2025-AVI-1031
Vulnerability from certfr_avis - Published: 2025-11-21 - Updated: 2025-11-21
De multiples vulnérabilités ont été découvertes dans le noyau Linux d'Ubuntu. Elles permettent à un attaquant de provoquer une atteinte à la confidentialité des données, un contournement de la politique de sécurité et un déni de service.
Solutions
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
NoneImpacted products
References
| Title | Publication Time | Tags | |||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Ubuntu 16.04 ESM",
"product": {
"name": "Ubuntu",
"vendor": {
"name": "Ubuntu",
"scada": false
}
}
},
{
"description": "Ubuntu 20.04 ESM",
"product": {
"name": "Ubuntu",
"vendor": {
"name": "Ubuntu",
"scada": false
}
}
},
{
"description": "Ubuntu 24.04 LTS",
"product": {
"name": "Ubuntu",
"vendor": {
"name": "Ubuntu",
"scada": false
}
}
},
{
"description": "Ubuntu 18.04 ESM",
"product": {
"name": "Ubuntu",
"vendor": {
"name": "Ubuntu",
"scada": false
}
}
},
{
"description": "Ubuntu 14.04 ESM",
"product": {
"name": "Ubuntu",
"vendor": {
"name": "Ubuntu",
"scada": false
}
}
},
{
"description": "Ubuntu 22.04 LTS",
"product": {
"name": "Ubuntu",
"vendor": {
"name": "Ubuntu",
"scada": false
}
}
}
],
"affected_systems_content": null,
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [
{
"name": "CVE-2023-52664",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-52664"
},
{
"name": "CVE-2023-52477",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-52477"
},
{
"name": "CVE-2023-52854",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-52854"
},
{
"name": "CVE-2024-56664",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-56664"
},
{
"name": "CVE-2025-21796",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21796"
},
{
"name": "CVE-2024-50202",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-50202"
},
{
"name": "CVE-2024-35849",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-35849"
},
{
"name": "CVE-2025-21727",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21727"
},
{
"name": "CVE-2024-41006",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-41006"
},
{
"name": "CVE-2024-35867",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-35867"
},
{
"name": "CVE-2024-53150",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-53150"
},
{
"name": "CVE-2024-50051",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-50051"
},
{
"name": "CVE-2024-53171",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-53171"
},
{
"name": "CVE-2024-53124",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-53124"
},
{
"name": "CVE-2023-52650",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-52650"
},
{
"name": "CVE-2024-57996",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-57996"
},
{
"name": "CVE-2025-37785",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-37785"
},
{
"name": "CVE-2024-50006",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-50006"
},
{
"name": "CVE-2024-53131",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-53131"
},
{
"name": "CVE-2025-38118",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38118"
},
{
"name": "CVE-2024-49924",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-49924"
},
{
"name": "CVE-2024-53217",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-53217"
},
{
"name": "CVE-2024-53130",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-53130"
},
{
"name": "CVE-2023-52574",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-52574"
},
{
"name": "CVE-2025-38617",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38617"
},
{
"name": "CVE-2024-47685",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-47685"
},
{
"name": "CVE-2025-40300",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40300"
},
{
"name": "CVE-2024-50061",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-50061"
},
{
"name": "CVE-2025-37752",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-37752"
},
{
"name": "CVE-2025-38477",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38477"
},
{
"name": "CVE-2024-56767",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-56767"
},
{
"name": "CVE-2025-37838",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-37838"
},
{
"name": "CVE-2025-38352",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38352"
},
{
"name": "CVE-2024-27074",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-27074"
},
{
"name": "CVE-2025-38618",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38618"
},
{
"name": "CVE-2025-38350",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38350"
},
{
"name": "CVE-2024-50299",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-50299"
}
],
"initial_release_date": "2025-11-21T00:00:00",
"last_revision_date": "2025-11-21T00:00:00",
"links": [],
"reference": "CERTFR-2025-AVI-1031",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2025-11-21T00:00:00.000000"
}
],
"risks": [
{
"description": "D\u00e9ni de service"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans le noyau Linux d\u0027Ubuntu. Elles permettent \u00e0 un attaquant de provoquer une atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es, un contournement de la politique de s\u00e9curit\u00e9 et un d\u00e9ni de service.",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans le noyau Linux d\u0027Ubuntu",
"vendor_advisories": [
{
"published_at": "2025-11-17",
"title": "Bulletin de s\u00e9curit\u00e9 Ubuntu LSN-0116-1",
"url": "https://ubuntu.com/security/notices/LSN-0116-1"
},
{
"published_at": "2025-11-19",
"title": "Bulletin de s\u00e9curit\u00e9 Ubuntu USN-7874-1",
"url": "https://ubuntu.com/security/notices/USN-7874-1"
},
{
"published_at": "2025-11-19",
"title": "Bulletin de s\u00e9curit\u00e9 Ubuntu USN-7861-4",
"url": "https://ubuntu.com/security/notices/USN-7861-4"
},
{
"published_at": "2025-11-19",
"title": "Bulletin de s\u00e9curit\u00e9 Ubuntu USN-7875-1",
"url": "https://ubuntu.com/security/notices/USN-7875-1"
},
{
"published_at": "2025-11-19",
"title": "Bulletin de s\u00e9curit\u00e9 Ubuntu USN-7874-2",
"url": "https://ubuntu.com/security/notices/USN-7874-2"
}
]
}
CVE-2024-53171 (GCVE-0-2024-53171)
Vulnerability from cvelistv5 – Published: 2024-12-27 13:49 – Updated: 2026-05-11 20:52
VLAI
EPSS
Title
ubifs: authentication: Fix use-after-free in ubifs_tnc_end_commit
Summary
In the Linux kernel, the following vulnerability has been resolved:
ubifs: authentication: Fix use-after-free in ubifs_tnc_end_commit
After an insertion in TNC, the tree might split and cause a node to
change its `znode->parent`. A further deletion of other nodes in the
tree (which also could free the nodes), the aforementioned node's
`znode->cparent` could still point to a freed node. This
`znode->cparent` may not be updated when getting nodes to commit in
`ubifs_tnc_start_commit()`. This could then trigger a use-after-free
when accessing the `znode->cparent` in `write_index()` in
`ubifs_tnc_end_commit()`.
This can be triggered by running
rm -f /etc/test-file.bin
dd if=/dev/urandom of=/etc/test-file.bin bs=1M count=60 conv=fsync
in a loop, and with `CONFIG_UBIFS_FS_AUTHENTICATION`. KASAN then
reports:
BUG: KASAN: use-after-free in ubifs_tnc_end_commit+0xa5c/0x1950
Write of size 32 at addr ffffff800a3af86c by task ubifs_bgt0_20/153
Call trace:
dump_backtrace+0x0/0x340
show_stack+0x18/0x24
dump_stack_lvl+0x9c/0xbc
print_address_description.constprop.0+0x74/0x2b0
kasan_report+0x1d8/0x1f0
kasan_check_range+0xf8/0x1a0
memcpy+0x84/0xf4
ubifs_tnc_end_commit+0xa5c/0x1950
do_commit+0x4e0/0x1340
ubifs_bg_thread+0x234/0x2e0
kthread+0x36c/0x410
ret_from_fork+0x10/0x20
Allocated by task 401:
kasan_save_stack+0x38/0x70
__kasan_kmalloc+0x8c/0xd0
__kmalloc+0x34c/0x5bc
tnc_insert+0x140/0x16a4
ubifs_tnc_add+0x370/0x52c
ubifs_jnl_write_data+0x5d8/0x870
do_writepage+0x36c/0x510
ubifs_writepage+0x190/0x4dc
__writepage+0x58/0x154
write_cache_pages+0x394/0x830
do_writepages+0x1f0/0x5b0
filemap_fdatawrite_wbc+0x170/0x25c
file_write_and_wait_range+0x140/0x190
ubifs_fsync+0xe8/0x290
vfs_fsync_range+0xc0/0x1e4
do_fsync+0x40/0x90
__arm64_sys_fsync+0x34/0x50
invoke_syscall.constprop.0+0xa8/0x260
do_el0_svc+0xc8/0x1f0
el0_svc+0x34/0x70
el0t_64_sync_handler+0x108/0x114
el0t_64_sync+0x1a4/0x1a8
Freed by task 403:
kasan_save_stack+0x38/0x70
kasan_set_track+0x28/0x40
kasan_set_free_info+0x28/0x4c
__kasan_slab_free+0xd4/0x13c
kfree+0xc4/0x3a0
tnc_delete+0x3f4/0xe40
ubifs_tnc_remove_range+0x368/0x73c
ubifs_tnc_remove_ino+0x29c/0x2e0
ubifs_jnl_delete_inode+0x150/0x260
ubifs_evict_inode+0x1d4/0x2e4
evict+0x1c8/0x450
iput+0x2a0/0x3c4
do_unlinkat+0x2cc/0x490
__arm64_sys_unlinkat+0x90/0x100
invoke_syscall.constprop.0+0xa8/0x260
do_el0_svc+0xc8/0x1f0
el0_svc+0x34/0x70
el0t_64_sync_handler+0x108/0x114
el0t_64_sync+0x1a4/0x1a8
The offending `memcpy()` in `ubifs_copy_hash()` has a use-after-free
when a node becomes root in TNC but still has a `cparent` to an already
freed node. More specifically, consider the following TNC:
zroot
/
/
zp1
/
/
zn
Inserting a new node `zn_new` with a key smaller then `zn` will trigger
a split in `tnc_insert()` if `zp1` is full:
zroot
/ \
/ \
zp1 zp2
/ \
/ \
zn_new zn
`zn->parent` has now been moved to `zp2`, *but* `zn->cparent` still
points to `zp1`.
Now, consider a removal of all the nodes _except_ `zn`. Just when
`tnc_delete()` is about to delete `zroot` and `zp2`:
zroot
\
\
zp2
\
\
zn
`zroot` and `zp2` get freed and the tree collapses:
zn
`zn` now becomes the new `zroot`.
`get_znodes_to_commit()` will now only find `zn`, the new `zroot`, and
`write_index()` will check its `znode->cparent` that wrongly points to
the already freed `zp1`. `ubifs_copy_hash()` thus gets wrongly called
with `znode->cparent->zbranch[znode->iip].hash` that triggers the
use-after-free!
Fix this by explicitly setting `znode->cparent` to `NULL` in
`get_znodes_to_commit()` for the root node. The search for the dirty
nodes
---truncated---
Severity
7.8 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-416 - Use After Free
Assigner
References
10 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
16a26b20d2afd0cf063816725b45b12e78d5bb31 , < daac4aa1825de0dbc1a6eede2fa7f9fc53f14223
(git)
Affected: 16a26b20d2afd0cf063816725b45b12e78d5bb31 , < 8d8b3f5f4cbfbf6cb0ea4a4d5dc296872b4151eb (git) Affected: 16a26b20d2afd0cf063816725b45b12e78d5bb31 , < 4d9807048b851d7a58d5bd089c16254af896e4df (git) Affected: 16a26b20d2afd0cf063816725b45b12e78d5bb31 , < 74981f7577d183acad1cd58f74c10d263711a215 (git) Affected: 16a26b20d2afd0cf063816725b45b12e78d5bb31 , < 01d3a2293d7e4edfff96618c15727db7e51f11b6 (git) Affected: 16a26b20d2afd0cf063816725b45b12e78d5bb31 , < 398a91599d263e41c5f95a2fd4ebdb6280b5c6c3 (git) Affected: 16a26b20d2afd0cf063816725b45b12e78d5bb31 , < 2497479aecebe869d23a0064e0fd1a03e34f0e2a (git) Affected: 16a26b20d2afd0cf063816725b45b12e78d5bb31 , < 4617fb8fc15effe8eda4dd898d4e33eb537a7140 (git) |
|
| Linux | Linux |
Affected:
4.20
Unaffected: 0 , < 4.20 (semver) Unaffected: 5.4.287 , ≤ 5.4.* (semver) Unaffected: 5.10.231 , ≤ 5.10.* (semver) Unaffected: 5.15.174 , ≤ 5.15.* (semver) Unaffected: 6.1.120 , ≤ 6.1.* (semver) Unaffected: 6.6.64 , ≤ 6.6.* (semver) Unaffected: 6.11.11 , ≤ 6.11.* (semver) Unaffected: 6.12.2 , ≤ 6.12.* (semver) Unaffected: 6.13 , ≤ * (original_commit_for_fix) |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-53171",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-11T15:43:44.944550Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-11T15:45:27.208Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-03T20:47:01.188Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/ubifs/tnc_commit.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "daac4aa1825de0dbc1a6eede2fa7f9fc53f14223",
"status": "affected",
"version": "16a26b20d2afd0cf063816725b45b12e78d5bb31",
"versionType": "git"
},
{
"lessThan": "8d8b3f5f4cbfbf6cb0ea4a4d5dc296872b4151eb",
"status": "affected",
"version": "16a26b20d2afd0cf063816725b45b12e78d5bb31",
"versionType": "git"
},
{
"lessThan": "4d9807048b851d7a58d5bd089c16254af896e4df",
"status": "affected",
"version": "16a26b20d2afd0cf063816725b45b12e78d5bb31",
"versionType": "git"
},
{
"lessThan": "74981f7577d183acad1cd58f74c10d263711a215",
"status": "affected",
"version": "16a26b20d2afd0cf063816725b45b12e78d5bb31",
"versionType": "git"
},
{
"lessThan": "01d3a2293d7e4edfff96618c15727db7e51f11b6",
"status": "affected",
"version": "16a26b20d2afd0cf063816725b45b12e78d5bb31",
"versionType": "git"
},
{
"lessThan": "398a91599d263e41c5f95a2fd4ebdb6280b5c6c3",
"status": "affected",
"version": "16a26b20d2afd0cf063816725b45b12e78d5bb31",
"versionType": "git"
},
{
"lessThan": "2497479aecebe869d23a0064e0fd1a03e34f0e2a",
"status": "affected",
"version": "16a26b20d2afd0cf063816725b45b12e78d5bb31",
"versionType": "git"
},
{
"lessThan": "4617fb8fc15effe8eda4dd898d4e33eb537a7140",
"status": "affected",
"version": "16a26b20d2afd0cf063816725b45b12e78d5bb31",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/ubifs/tnc_commit.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.20"
},
{
"lessThan": "4.20",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.287",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.231",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.174",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.11.*",
"status": "unaffected",
"version": "6.11.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.13",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.287",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.231",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.174",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.120",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.64",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.11.11",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.2",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13",
"versionStartIncluding": "4.20",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nubifs: authentication: Fix use-after-free in ubifs_tnc_end_commit\n\nAfter an insertion in TNC, the tree might split and cause a node to\nchange its `znode-\u003eparent`. A further deletion of other nodes in the\ntree (which also could free the nodes), the aforementioned node\u0027s\n`znode-\u003ecparent` could still point to a freed node. This\n`znode-\u003ecparent` may not be updated when getting nodes to commit in\n`ubifs_tnc_start_commit()`. This could then trigger a use-after-free\nwhen accessing the `znode-\u003ecparent` in `write_index()` in\n`ubifs_tnc_end_commit()`.\n\nThis can be triggered by running\n\n rm -f /etc/test-file.bin\n dd if=/dev/urandom of=/etc/test-file.bin bs=1M count=60 conv=fsync\n\nin a loop, and with `CONFIG_UBIFS_FS_AUTHENTICATION`. KASAN then\nreports:\n\n BUG: KASAN: use-after-free in ubifs_tnc_end_commit+0xa5c/0x1950\n Write of size 32 at addr ffffff800a3af86c by task ubifs_bgt0_20/153\n\n Call trace:\n dump_backtrace+0x0/0x340\n show_stack+0x18/0x24\n dump_stack_lvl+0x9c/0xbc\n print_address_description.constprop.0+0x74/0x2b0\n kasan_report+0x1d8/0x1f0\n kasan_check_range+0xf8/0x1a0\n memcpy+0x84/0xf4\n ubifs_tnc_end_commit+0xa5c/0x1950\n do_commit+0x4e0/0x1340\n ubifs_bg_thread+0x234/0x2e0\n kthread+0x36c/0x410\n ret_from_fork+0x10/0x20\n\n Allocated by task 401:\n kasan_save_stack+0x38/0x70\n __kasan_kmalloc+0x8c/0xd0\n __kmalloc+0x34c/0x5bc\n tnc_insert+0x140/0x16a4\n ubifs_tnc_add+0x370/0x52c\n ubifs_jnl_write_data+0x5d8/0x870\n do_writepage+0x36c/0x510\n ubifs_writepage+0x190/0x4dc\n __writepage+0x58/0x154\n write_cache_pages+0x394/0x830\n do_writepages+0x1f0/0x5b0\n filemap_fdatawrite_wbc+0x170/0x25c\n file_write_and_wait_range+0x140/0x190\n ubifs_fsync+0xe8/0x290\n vfs_fsync_range+0xc0/0x1e4\n do_fsync+0x40/0x90\n __arm64_sys_fsync+0x34/0x50\n invoke_syscall.constprop.0+0xa8/0x260\n do_el0_svc+0xc8/0x1f0\n el0_svc+0x34/0x70\n el0t_64_sync_handler+0x108/0x114\n el0t_64_sync+0x1a4/0x1a8\n\n Freed by task 403:\n kasan_save_stack+0x38/0x70\n kasan_set_track+0x28/0x40\n kasan_set_free_info+0x28/0x4c\n __kasan_slab_free+0xd4/0x13c\n kfree+0xc4/0x3a0\n tnc_delete+0x3f4/0xe40\n ubifs_tnc_remove_range+0x368/0x73c\n ubifs_tnc_remove_ino+0x29c/0x2e0\n ubifs_jnl_delete_inode+0x150/0x260\n ubifs_evict_inode+0x1d4/0x2e4\n evict+0x1c8/0x450\n iput+0x2a0/0x3c4\n do_unlinkat+0x2cc/0x490\n __arm64_sys_unlinkat+0x90/0x100\n invoke_syscall.constprop.0+0xa8/0x260\n do_el0_svc+0xc8/0x1f0\n el0_svc+0x34/0x70\n el0t_64_sync_handler+0x108/0x114\n el0t_64_sync+0x1a4/0x1a8\n\nThe offending `memcpy()` in `ubifs_copy_hash()` has a use-after-free\nwhen a node becomes root in TNC but still has a `cparent` to an already\nfreed node. More specifically, consider the following TNC:\n\n zroot\n /\n /\n zp1\n /\n /\n zn\n\nInserting a new node `zn_new` with a key smaller then `zn` will trigger\na split in `tnc_insert()` if `zp1` is full:\n\n zroot\n / \\\n / \\\n zp1 zp2\n / \\\n / \\\n zn_new zn\n\n`zn-\u003eparent` has now been moved to `zp2`, *but* `zn-\u003ecparent` still\npoints to `zp1`.\n\nNow, consider a removal of all the nodes _except_ `zn`. Just when\n`tnc_delete()` is about to delete `zroot` and `zp2`:\n\n zroot\n \\\n \\\n zp2\n \\\n \\\n zn\n\n`zroot` and `zp2` get freed and the tree collapses:\n\n zn\n\n`zn` now becomes the new `zroot`.\n\n`get_znodes_to_commit()` will now only find `zn`, the new `zroot`, and\n`write_index()` will check its `znode-\u003ecparent` that wrongly points to\nthe already freed `zp1`. `ubifs_copy_hash()` thus gets wrongly called\nwith `znode-\u003ecparent-\u003ezbranch[znode-\u003eiip].hash` that triggers the\nuse-after-free!\n\nFix this by explicitly setting `znode-\u003ecparent` to `NULL` in\n`get_znodes_to_commit()` for the root node. The search for the dirty\nnodes\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T20:52:12.907Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/daac4aa1825de0dbc1a6eede2fa7f9fc53f14223"
},
{
"url": "https://git.kernel.org/stable/c/8d8b3f5f4cbfbf6cb0ea4a4d5dc296872b4151eb"
},
{
"url": "https://git.kernel.org/stable/c/4d9807048b851d7a58d5bd089c16254af896e4df"
},
{
"url": "https://git.kernel.org/stable/c/74981f7577d183acad1cd58f74c10d263711a215"
},
{
"url": "https://git.kernel.org/stable/c/01d3a2293d7e4edfff96618c15727db7e51f11b6"
},
{
"url": "https://git.kernel.org/stable/c/398a91599d263e41c5f95a2fd4ebdb6280b5c6c3"
},
{
"url": "https://git.kernel.org/stable/c/2497479aecebe869d23a0064e0fd1a03e34f0e2a"
},
{
"url": "https://git.kernel.org/stable/c/4617fb8fc15effe8eda4dd898d4e33eb537a7140"
}
],
"title": "ubifs: authentication: Fix use-after-free in ubifs_tnc_end_commit",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-53171",
"datePublished": "2024-12-27T13:49:16.423Z",
"dateReserved": "2024-11-19T17:17:25.006Z",
"dateUpdated": "2026-05-11T20:52:12.907Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-53217 (GCVE-0-2024-53217)
Vulnerability from cvelistv5 – Published: 2024-12-27 13:50 – Updated: 2026-05-11 20:53
VLAI
EPSS
Title
NFSD: Prevent NULL dereference in nfsd4_process_cb_update()
Summary
In the Linux kernel, the following vulnerability has been resolved:
NFSD: Prevent NULL dereference in nfsd4_process_cb_update()
@ses is initialized to NULL. If __nfsd4_find_backchannel() finds no
available backchannel session, setup_callback_client() will try to
dereference @ses and segfault.
Severity
5.5 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-476 - NULL Pointer Dereference
Assigner
References
11 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
dcbeaa68dbbdacbbb330a86c7fc95a28473fc209 , < d9a0d1f6e15859ea7a86a327f28491e23deaaa62
(git)
Affected: dcbeaa68dbbdacbbb330a86c7fc95a28473fc209 , < cac1405e3ff6685a438e910ad719e0cf06af90ee (git) Affected: dcbeaa68dbbdacbbb330a86c7fc95a28473fc209 , < 752a75811f27300fe8131b0a1efc91960f6f88e7 (git) Affected: dcbeaa68dbbdacbbb330a86c7fc95a28473fc209 , < c5d90f9302742985a5078e42ac38de42c364c44a (git) Affected: dcbeaa68dbbdacbbb330a86c7fc95a28473fc209 , < 0c3b0e326f838787d229314d4de83af9c53347e8 (git) Affected: dcbeaa68dbbdacbbb330a86c7fc95a28473fc209 , < eb51733ae5fc73d95bd857d5da26f9f65b202a79 (git) Affected: dcbeaa68dbbdacbbb330a86c7fc95a28473fc209 , < 03178cd8f67227015debb700123987fe96275cd1 (git) Affected: dcbeaa68dbbdacbbb330a86c7fc95a28473fc209 , < 4a4ffc1aa9d618e41ad9151f40966e402e58a5a2 (git) Affected: dcbeaa68dbbdacbbb330a86c7fc95a28473fc209 , < 1e02c641c3a43c88cecc08402000418e15578d38 (git) |
|
| Linux | Linux |
Affected:
2.6.38
Unaffected: 0 , < 2.6.38 (semver) Unaffected: 4.19.325 , ≤ 4.19.* (semver) Unaffected: 5.4.287 , ≤ 5.4.* (semver) Unaffected: 5.10.231 , ≤ 5.10.* (semver) Unaffected: 5.15.174 , ≤ 5.15.* (semver) Unaffected: 6.1.120 , ≤ 6.1.* (semver) Unaffected: 6.6.64 , ≤ 6.6.* (semver) Unaffected: 6.11.11 , ≤ 6.11.* (semver) Unaffected: 6.12.2 , ≤ 6.12.* (semver) Unaffected: 6.13 , ≤ * (original_commit_for_fix) |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-53217",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T20:03:26.697178Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-476",
"description": "CWE-476 NULL Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T20:07:19.173Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-03T20:47:47.124Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/nfsd/nfs4callback.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d9a0d1f6e15859ea7a86a327f28491e23deaaa62",
"status": "affected",
"version": "dcbeaa68dbbdacbbb330a86c7fc95a28473fc209",
"versionType": "git"
},
{
"lessThan": "cac1405e3ff6685a438e910ad719e0cf06af90ee",
"status": "affected",
"version": "dcbeaa68dbbdacbbb330a86c7fc95a28473fc209",
"versionType": "git"
},
{
"lessThan": "752a75811f27300fe8131b0a1efc91960f6f88e7",
"status": "affected",
"version": "dcbeaa68dbbdacbbb330a86c7fc95a28473fc209",
"versionType": "git"
},
{
"lessThan": "c5d90f9302742985a5078e42ac38de42c364c44a",
"status": "affected",
"version": "dcbeaa68dbbdacbbb330a86c7fc95a28473fc209",
"versionType": "git"
},
{
"lessThan": "0c3b0e326f838787d229314d4de83af9c53347e8",
"status": "affected",
"version": "dcbeaa68dbbdacbbb330a86c7fc95a28473fc209",
"versionType": "git"
},
{
"lessThan": "eb51733ae5fc73d95bd857d5da26f9f65b202a79",
"status": "affected",
"version": "dcbeaa68dbbdacbbb330a86c7fc95a28473fc209",
"versionType": "git"
},
{
"lessThan": "03178cd8f67227015debb700123987fe96275cd1",
"status": "affected",
"version": "dcbeaa68dbbdacbbb330a86c7fc95a28473fc209",
"versionType": "git"
},
{
"lessThan": "4a4ffc1aa9d618e41ad9151f40966e402e58a5a2",
"status": "affected",
"version": "dcbeaa68dbbdacbbb330a86c7fc95a28473fc209",
"versionType": "git"
},
{
"lessThan": "1e02c641c3a43c88cecc08402000418e15578d38",
"status": "affected",
"version": "dcbeaa68dbbdacbbb330a86c7fc95a28473fc209",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/nfsd/nfs4callback.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.38"
},
{
"lessThan": "2.6.38",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.325",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.287",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.231",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.174",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.11.*",
"status": "unaffected",
"version": "6.11.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.13",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.325",
"versionStartIncluding": "2.6.38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.287",
"versionStartIncluding": "2.6.38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.231",
"versionStartIncluding": "2.6.38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.174",
"versionStartIncluding": "2.6.38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.120",
"versionStartIncluding": "2.6.38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.64",
"versionStartIncluding": "2.6.38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.11.11",
"versionStartIncluding": "2.6.38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.2",
"versionStartIncluding": "2.6.38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13",
"versionStartIncluding": "2.6.38",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nNFSD: Prevent NULL dereference in nfsd4_process_cb_update()\n\n@ses is initialized to NULL. If __nfsd4_find_backchannel() finds no\navailable backchannel session, setup_callback_client() will try to\ndereference @ses and segfault."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T20:53:06.802Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d9a0d1f6e15859ea7a86a327f28491e23deaaa62"
},
{
"url": "https://git.kernel.org/stable/c/cac1405e3ff6685a438e910ad719e0cf06af90ee"
},
{
"url": "https://git.kernel.org/stable/c/752a75811f27300fe8131b0a1efc91960f6f88e7"
},
{
"url": "https://git.kernel.org/stable/c/c5d90f9302742985a5078e42ac38de42c364c44a"
},
{
"url": "https://git.kernel.org/stable/c/0c3b0e326f838787d229314d4de83af9c53347e8"
},
{
"url": "https://git.kernel.org/stable/c/eb51733ae5fc73d95bd857d5da26f9f65b202a79"
},
{
"url": "https://git.kernel.org/stable/c/03178cd8f67227015debb700123987fe96275cd1"
},
{
"url": "https://git.kernel.org/stable/c/4a4ffc1aa9d618e41ad9151f40966e402e58a5a2"
},
{
"url": "https://git.kernel.org/stable/c/1e02c641c3a43c88cecc08402000418e15578d38"
}
],
"title": "NFSD: Prevent NULL dereference in nfsd4_process_cb_update()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-53217",
"datePublished": "2024-12-27T13:50:02.727Z",
"dateReserved": "2024-11-19T17:17:25.024Z",
"dateUpdated": "2026-05-11T20:53:06.802Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-56664 (GCVE-0-2024-56664)
Vulnerability from cvelistv5 – Published: 2024-12-27 15:06 – Updated: 2026-05-11 20:56
VLAI
EPSS
Title
bpf, sockmap: Fix race between element replace and close()
Summary
In the Linux kernel, the following vulnerability has been resolved:
bpf, sockmap: Fix race between element replace and close()
Element replace (with a socket different from the one stored) may race
with socket's close() link popping & unlinking. __sock_map_delete()
unconditionally unrefs the (wrong) element:
// set map[0] = s0
map_update_elem(map, 0, s0)
// drop fd of s0
close(s0)
sock_map_close()
lock_sock(sk) (s0!)
sock_map_remove_links(sk)
link = sk_psock_link_pop()
sock_map_unlink(sk, link)
sock_map_delete_from_link
// replace map[0] with s1
map_update_elem(map, 0, s1)
sock_map_update_elem
(s1!) lock_sock(sk)
sock_map_update_common
psock = sk_psock(sk)
spin_lock(&stab->lock)
osk = stab->sks[idx]
sock_map_add_link(..., &stab->sks[idx])
sock_map_unref(osk, &stab->sks[idx])
psock = sk_psock(osk)
sk_psock_put(sk, psock)
if (refcount_dec_and_test(&psock))
sk_psock_drop(sk, psock)
spin_unlock(&stab->lock)
unlock_sock(sk)
__sock_map_delete
spin_lock(&stab->lock)
sk = *psk // s1 replaced s0; sk == s1
if (!sk_test || sk_test == sk) // sk_test (s0) != sk (s1); no branch
sk = xchg(psk, NULL)
if (sk)
sock_map_unref(sk, psk) // unref s1; sks[idx] will dangle
psock = sk_psock(sk)
sk_psock_put(sk, psock)
if (refcount_dec_and_test())
sk_psock_drop(sk, psock)
spin_unlock(&stab->lock)
release_sock(sk)
Then close(map) enqueues bpf_map_free_deferred, which finally calls
sock_map_free(). This results in some refcount_t warnings along with
a KASAN splat [1].
Fix __sock_map_delete(), do not allow sock_map_unref() on elements that
may have been replaced.
[1]:
BUG: KASAN: slab-use-after-free in sock_map_free+0x10e/0x330
Write of size 4 at addr ffff88811f5b9100 by task kworker/u64:12/1063
CPU: 14 UID: 0 PID: 1063 Comm: kworker/u64:12 Not tainted 6.12.0+ #125
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Arch Linux 1.16.3-1-1 04/01/2014
Workqueue: events_unbound bpf_map_free_deferred
Call Trace:
<TASK>
dump_stack_lvl+0x68/0x90
print_report+0x174/0x4f6
kasan_report+0xb9/0x190
kasan_check_range+0x10f/0x1e0
sock_map_free+0x10e/0x330
bpf_map_free_deferred+0x173/0x320
process_one_work+0x846/0x1420
worker_thread+0x5b3/0xf80
kthread+0x29e/0x360
ret_from_fork+0x2d/0x70
ret_from_fork_asm+0x1a/0x30
</TASK>
Allocated by task 1202:
kasan_save_stack+0x1e/0x40
kasan_save_track+0x10/0x30
__kasan_slab_alloc+0x85/0x90
kmem_cache_alloc_noprof+0x131/0x450
sk_prot_alloc+0x5b/0x220
sk_alloc+0x2c/0x870
unix_create1+0x88/0x8a0
unix_create+0xc5/0x180
__sock_create+0x241/0x650
__sys_socketpair+0x1ce/0x420
__x64_sys_socketpair+0x92/0x100
do_syscall_64+0x93/0x180
entry_SYSCALL_64_after_hwframe+0x76/0x7e
Freed by task 46:
kasan_save_stack+0x1e/0x40
kasan_save_track+0x10/0x30
kasan_save_free_info+0x37/0x60
__kasan_slab_free+0x4b/0x70
kmem_cache_free+0x1a1/0x590
__sk_destruct+0x388/0x5a0
sk_psock_destroy+0x73e/0xa50
process_one_work+0x846/0x1420
worker_thread+0x5b3/0xf80
kthread+0x29e/0x360
ret_from_fork+0x2d/0x70
ret_from_fork_asm+0x1a/0x30
The bu
---truncated---
Severity
No CVSS data available.
Assigner
References
8 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
604326b41a6fb9b4a78b6179335decee0365cd8c , < 6deb9e85dc9a2ba4414b91c1b5b00b8415910890
(git)
Affected: 604326b41a6fb9b4a78b6179335decee0365cd8c , < fdb2cd8957ac51f84c9e742ba866087944bb834b (git) Affected: 604326b41a6fb9b4a78b6179335decee0365cd8c , < b79a0d1e9a374d1b376933a354c4fcd01fce0365 (git) Affected: 604326b41a6fb9b4a78b6179335decee0365cd8c , < b015f19fedd2e12283a8450dd0aefce49ec57015 (git) Affected: 604326b41a6fb9b4a78b6179335decee0365cd8c , < bf2318e288f636a882eea39f7e1015623629f168 (git) Affected: 604326b41a6fb9b4a78b6179335decee0365cd8c , < ed1fc5d76b81a4d681211333c026202cad4d5649 (git) |
|
| Linux | Linux |
Affected:
4.20
Unaffected: 0 , < 4.20 (semver) Unaffected: 5.10.236 , ≤ 5.10.* (semver) Unaffected: 5.15.180 , ≤ 5.15.* (semver) Unaffected: 6.1.125 , ≤ 6.1.* (semver) Unaffected: 6.6.67 , ≤ 6.6.* (semver) Unaffected: 6.12.6 , ≤ 6.12.* (semver) Unaffected: 6.13 , ≤ * (original_commit_for_fix) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T20:52:13.123Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/core/sock_map.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6deb9e85dc9a2ba4414b91c1b5b00b8415910890",
"status": "affected",
"version": "604326b41a6fb9b4a78b6179335decee0365cd8c",
"versionType": "git"
},
{
"lessThan": "fdb2cd8957ac51f84c9e742ba866087944bb834b",
"status": "affected",
"version": "604326b41a6fb9b4a78b6179335decee0365cd8c",
"versionType": "git"
},
{
"lessThan": "b79a0d1e9a374d1b376933a354c4fcd01fce0365",
"status": "affected",
"version": "604326b41a6fb9b4a78b6179335decee0365cd8c",
"versionType": "git"
},
{
"lessThan": "b015f19fedd2e12283a8450dd0aefce49ec57015",
"status": "affected",
"version": "604326b41a6fb9b4a78b6179335decee0365cd8c",
"versionType": "git"
},
{
"lessThan": "bf2318e288f636a882eea39f7e1015623629f168",
"status": "affected",
"version": "604326b41a6fb9b4a78b6179335decee0365cd8c",
"versionType": "git"
},
{
"lessThan": "ed1fc5d76b81a4d681211333c026202cad4d5649",
"status": "affected",
"version": "604326b41a6fb9b4a78b6179335decee0365cd8c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/core/sock_map.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.20"
},
{
"lessThan": "4.20",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.236",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.180",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.125",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.67",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.13",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.236",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.180",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.125",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.67",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.6",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13",
"versionStartIncluding": "4.20",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf, sockmap: Fix race between element replace and close()\n\nElement replace (with a socket different from the one stored) may race\nwith socket\u0027s close() link popping \u0026 unlinking. __sock_map_delete()\nunconditionally unrefs the (wrong) element:\n\n// set map[0] = s0\nmap_update_elem(map, 0, s0)\n\n// drop fd of s0\nclose(s0)\n sock_map_close()\n lock_sock(sk) (s0!)\n sock_map_remove_links(sk)\n link = sk_psock_link_pop()\n sock_map_unlink(sk, link)\n sock_map_delete_from_link\n // replace map[0] with s1\n map_update_elem(map, 0, s1)\n sock_map_update_elem\n (s1!) lock_sock(sk)\n sock_map_update_common\n psock = sk_psock(sk)\n spin_lock(\u0026stab-\u003elock)\n osk = stab-\u003esks[idx]\n sock_map_add_link(..., \u0026stab-\u003esks[idx])\n sock_map_unref(osk, \u0026stab-\u003esks[idx])\n psock = sk_psock(osk)\n sk_psock_put(sk, psock)\n if (refcount_dec_and_test(\u0026psock))\n sk_psock_drop(sk, psock)\n spin_unlock(\u0026stab-\u003elock)\n unlock_sock(sk)\n __sock_map_delete\n spin_lock(\u0026stab-\u003elock)\n sk = *psk // s1 replaced s0; sk == s1\n if (!sk_test || sk_test == sk) // sk_test (s0) != sk (s1); no branch\n sk = xchg(psk, NULL)\n if (sk)\n sock_map_unref(sk, psk) // unref s1; sks[idx] will dangle\n psock = sk_psock(sk)\n sk_psock_put(sk, psock)\n if (refcount_dec_and_test())\n sk_psock_drop(sk, psock)\n spin_unlock(\u0026stab-\u003elock)\n release_sock(sk)\n\nThen close(map) enqueues bpf_map_free_deferred, which finally calls\nsock_map_free(). This results in some refcount_t warnings along with\na KASAN splat [1].\n\nFix __sock_map_delete(), do not allow sock_map_unref() on elements that\nmay have been replaced.\n\n[1]:\nBUG: KASAN: slab-use-after-free in sock_map_free+0x10e/0x330\nWrite of size 4 at addr ffff88811f5b9100 by task kworker/u64:12/1063\n\nCPU: 14 UID: 0 PID: 1063 Comm: kworker/u64:12 Not tainted 6.12.0+ #125\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Arch Linux 1.16.3-1-1 04/01/2014\nWorkqueue: events_unbound bpf_map_free_deferred\nCall Trace:\n \u003cTASK\u003e\n dump_stack_lvl+0x68/0x90\n print_report+0x174/0x4f6\n kasan_report+0xb9/0x190\n kasan_check_range+0x10f/0x1e0\n sock_map_free+0x10e/0x330\n bpf_map_free_deferred+0x173/0x320\n process_one_work+0x846/0x1420\n worker_thread+0x5b3/0xf80\n kthread+0x29e/0x360\n ret_from_fork+0x2d/0x70\n ret_from_fork_asm+0x1a/0x30\n \u003c/TASK\u003e\n\nAllocated by task 1202:\n kasan_save_stack+0x1e/0x40\n kasan_save_track+0x10/0x30\n __kasan_slab_alloc+0x85/0x90\n kmem_cache_alloc_noprof+0x131/0x450\n sk_prot_alloc+0x5b/0x220\n sk_alloc+0x2c/0x870\n unix_create1+0x88/0x8a0\n unix_create+0xc5/0x180\n __sock_create+0x241/0x650\n __sys_socketpair+0x1ce/0x420\n __x64_sys_socketpair+0x92/0x100\n do_syscall_64+0x93/0x180\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\nFreed by task 46:\n kasan_save_stack+0x1e/0x40\n kasan_save_track+0x10/0x30\n kasan_save_free_info+0x37/0x60\n __kasan_slab_free+0x4b/0x70\n kmem_cache_free+0x1a1/0x590\n __sk_destruct+0x388/0x5a0\n sk_psock_destroy+0x73e/0xa50\n process_one_work+0x846/0x1420\n worker_thread+0x5b3/0xf80\n kthread+0x29e/0x360\n ret_from_fork+0x2d/0x70\n ret_from_fork_asm+0x1a/0x30\n\nThe bu\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T20:56:51.838Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/6deb9e85dc9a2ba4414b91c1b5b00b8415910890"
},
{
"url": "https://git.kernel.org/stable/c/fdb2cd8957ac51f84c9e742ba866087944bb834b"
},
{
"url": "https://git.kernel.org/stable/c/b79a0d1e9a374d1b376933a354c4fcd01fce0365"
},
{
"url": "https://git.kernel.org/stable/c/b015f19fedd2e12283a8450dd0aefce49ec57015"
},
{
"url": "https://git.kernel.org/stable/c/bf2318e288f636a882eea39f7e1015623629f168"
},
{
"url": "https://git.kernel.org/stable/c/ed1fc5d76b81a4d681211333c026202cad4d5649"
}
],
"title": "bpf, sockmap: Fix race between element replace and close()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-56664",
"datePublished": "2024-12-27T15:06:26.276Z",
"dateReserved": "2024-12-27T15:00:39.844Z",
"dateUpdated": "2026-05-11T20:56:51.838Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-56767 (GCVE-0-2024-56767)
Vulnerability from cvelistv5 – Published: 2025-01-06 16:20 – Updated: 2026-05-11 20:58
VLAI
EPSS
Title
dmaengine: at_xdmac: avoid null_prt_deref in at_xdmac_prep_dma_memset
Summary
In the Linux kernel, the following vulnerability has been resolved:
dmaengine: at_xdmac: avoid null_prt_deref in at_xdmac_prep_dma_memset
The at_xdmac_memset_create_desc may return NULL, which will lead to a
null pointer dereference. For example, the len input is error, or the
atchan->free_descs_list is empty and memory is exhausted. Therefore, add
check to avoid this.
Severity
No CVSS data available.
Assigner
References
9 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
b206d9a23ac71cb905f5fb6e0cd813406f89b678 , < 3d229600c54e9e0909080ecaf1aab0642aefa5f0
(git)
Affected: b206d9a23ac71cb905f5fb6e0cd813406f89b678 , < ed1a8aaa344522c0c349ac9042db27ad130ef913 (git) Affected: b206d9a23ac71cb905f5fb6e0cd813406f89b678 , < 8d364597de9ce2a5f52714224bfe6c2e7a29b303 (git) Affected: b206d9a23ac71cb905f5fb6e0cd813406f89b678 , < fdba6d5e455388377ec7e82a5913ddfcc7edd93b (git) Affected: b206d9a23ac71cb905f5fb6e0cd813406f89b678 , < e658f1c133b854b2ae799147301d82dddb8f3162 (git) Affected: b206d9a23ac71cb905f5fb6e0cd813406f89b678 , < 54376d8d26596f98ed7432a788314bb9154bf3e3 (git) Affected: b206d9a23ac71cb905f5fb6e0cd813406f89b678 , < c43ec96e8d34399bd9dab2f2dc316b904892133f (git) |
|
| Linux | Linux |
Affected:
4.2
Unaffected: 0 , < 4.2 (semver) Unaffected: 5.4.289 , ≤ 5.4.* (semver) Unaffected: 5.10.233 , ≤ 5.10.* (semver) Unaffected: 5.15.176 , ≤ 5.15.* (semver) Unaffected: 6.1.123 , ≤ 6.1.* (semver) Unaffected: 6.6.69 , ≤ 6.6.* (semver) Unaffected: 6.12.8 , ≤ 6.12.* (semver) Unaffected: 6.13 , ≤ * (original_commit_for_fix) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T20:54:02.496Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/dma/at_xdmac.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3d229600c54e9e0909080ecaf1aab0642aefa5f0",
"status": "affected",
"version": "b206d9a23ac71cb905f5fb6e0cd813406f89b678",
"versionType": "git"
},
{
"lessThan": "ed1a8aaa344522c0c349ac9042db27ad130ef913",
"status": "affected",
"version": "b206d9a23ac71cb905f5fb6e0cd813406f89b678",
"versionType": "git"
},
{
"lessThan": "8d364597de9ce2a5f52714224bfe6c2e7a29b303",
"status": "affected",
"version": "b206d9a23ac71cb905f5fb6e0cd813406f89b678",
"versionType": "git"
},
{
"lessThan": "fdba6d5e455388377ec7e82a5913ddfcc7edd93b",
"status": "affected",
"version": "b206d9a23ac71cb905f5fb6e0cd813406f89b678",
"versionType": "git"
},
{
"lessThan": "e658f1c133b854b2ae799147301d82dddb8f3162",
"status": "affected",
"version": "b206d9a23ac71cb905f5fb6e0cd813406f89b678",
"versionType": "git"
},
{
"lessThan": "54376d8d26596f98ed7432a788314bb9154bf3e3",
"status": "affected",
"version": "b206d9a23ac71cb905f5fb6e0cd813406f89b678",
"versionType": "git"
},
{
"lessThan": "c43ec96e8d34399bd9dab2f2dc316b904892133f",
"status": "affected",
"version": "b206d9a23ac71cb905f5fb6e0cd813406f89b678",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/dma/at_xdmac.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.2"
},
{
"lessThan": "4.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.289",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.233",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.176",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.123",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.69",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.13",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.289",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.233",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.176",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.123",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.69",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.8",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13",
"versionStartIncluding": "4.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: at_xdmac: avoid null_prt_deref in at_xdmac_prep_dma_memset\n\nThe at_xdmac_memset_create_desc may return NULL, which will lead to a\nnull pointer dereference. For example, the len input is error, or the\natchan-\u003efree_descs_list is empty and memory is exhausted. Therefore, add\ncheck to avoid this."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T20:58:40.804Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3d229600c54e9e0909080ecaf1aab0642aefa5f0"
},
{
"url": "https://git.kernel.org/stable/c/ed1a8aaa344522c0c349ac9042db27ad130ef913"
},
{
"url": "https://git.kernel.org/stable/c/8d364597de9ce2a5f52714224bfe6c2e7a29b303"
},
{
"url": "https://git.kernel.org/stable/c/fdba6d5e455388377ec7e82a5913ddfcc7edd93b"
},
{
"url": "https://git.kernel.org/stable/c/e658f1c133b854b2ae799147301d82dddb8f3162"
},
{
"url": "https://git.kernel.org/stable/c/54376d8d26596f98ed7432a788314bb9154bf3e3"
},
{
"url": "https://git.kernel.org/stable/c/c43ec96e8d34399bd9dab2f2dc316b904892133f"
}
],
"title": "dmaengine: at_xdmac: avoid null_prt_deref in at_xdmac_prep_dma_memset",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-56767",
"datePublished": "2025-01-06T16:20:45.430Z",
"dateReserved": "2024-12-29T11:26:39.762Z",
"dateUpdated": "2026-05-11T20:58:40.804Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-57996 (GCVE-0-2024-57996)
Vulnerability from cvelistv5 – Published: 2025-02-27 02:07 – Updated: 2026-05-12 12:01
VLAI
EPSS
Title
net_sched: sch_sfq: don't allow 1 packet limit
Summary
In the Linux kernel, the following vulnerability has been resolved:
net_sched: sch_sfq: don't allow 1 packet limit
The current implementation does not work correctly with a limit of
1. iproute2 actually checks for this and this patch adds the check in
kernel as well.
This fixes the following syzkaller reported crash:
UBSAN: array-index-out-of-bounds in net/sched/sch_sfq.c:210:6
index 65535 is out of range for type 'struct sfq_head[128]'
CPU: 0 PID: 2569 Comm: syz-executor101 Not tainted 5.10.0-smp-DEV #1
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Call Trace:
__dump_stack lib/dump_stack.c:79 [inline]
dump_stack+0x125/0x19f lib/dump_stack.c:120
ubsan_epilogue lib/ubsan.c:148 [inline]
__ubsan_handle_out_of_bounds+0xed/0x120 lib/ubsan.c:347
sfq_link net/sched/sch_sfq.c:210 [inline]
sfq_dec+0x528/0x600 net/sched/sch_sfq.c:238
sfq_dequeue+0x39b/0x9d0 net/sched/sch_sfq.c:500
sfq_reset+0x13/0x50 net/sched/sch_sfq.c:525
qdisc_reset+0xfe/0x510 net/sched/sch_generic.c:1026
tbf_reset+0x3d/0x100 net/sched/sch_tbf.c:319
qdisc_reset+0xfe/0x510 net/sched/sch_generic.c:1026
dev_reset_queue+0x8c/0x140 net/sched/sch_generic.c:1296
netdev_for_each_tx_queue include/linux/netdevice.h:2350 [inline]
dev_deactivate_many+0x6dc/0xc20 net/sched/sch_generic.c:1362
__dev_close_many+0x214/0x350 net/core/dev.c:1468
dev_close_many+0x207/0x510 net/core/dev.c:1506
unregister_netdevice_many+0x40f/0x16b0 net/core/dev.c:10738
unregister_netdevice_queue+0x2be/0x310 net/core/dev.c:10695
unregister_netdevice include/linux/netdevice.h:2893 [inline]
__tun_detach+0x6b6/0x1600 drivers/net/tun.c:689
tun_detach drivers/net/tun.c:705 [inline]
tun_chr_close+0x104/0x1b0 drivers/net/tun.c:3640
__fput+0x203/0x840 fs/file_table.c:280
task_work_run+0x129/0x1b0 kernel/task_work.c:185
exit_task_work include/linux/task_work.h:33 [inline]
do_exit+0x5ce/0x2200 kernel/exit.c:931
do_group_exit+0x144/0x310 kernel/exit.c:1046
__do_sys_exit_group kernel/exit.c:1057 [inline]
__se_sys_exit_group kernel/exit.c:1055 [inline]
__x64_sys_exit_group+0x3b/0x40 kernel/exit.c:1055
do_syscall_64+0x6c/0xd0
entry_SYSCALL_64_after_hwframe+0x61/0xcb
RIP: 0033:0x7fe5e7b52479
Code: Unable to access opcode bytes at RIP 0x7fe5e7b5244f.
RSP: 002b:00007ffd3c800398 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fe5e7b52479
RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000
RBP: 00007fe5e7bcd2d0 R08: ffffffffffffffb8 R09: 0000000000000014
R10: 0000000000000000 R11: 0000000000000246 R12: 00007fe5e7bcd2d0
R13: 0000000000000000 R14: 00007fe5e7bcdd20 R15: 00007fe5e7b24270
The crash can be also be reproduced with the following (with a tc
recompiled to allow for sfq limits of 1):
tc qdisc add dev dummy0 handle 1: root tbf rate 1Kbit burst 100b lat 1s
../iproute2-6.9.0/tc/tc qdisc add dev dummy0 handle 2: parent 1:10 sfq limit 1
ifconfig dummy0 up
ping -I dummy0 -f -c2 -W0.1 8.8.8.8
sleep 1
Scenario that triggers the crash:
* the first packet is sent and queued in TBF and SFQ; qdisc qlen is 1
* TBF dequeues: it peeks from SFQ which moves the packet to the
gso_skb list and keeps qdisc qlen set to 1. TBF is out of tokens so
it schedules itself for later.
* the second packet is sent and TBF tries to queues it to SFQ. qdisc
qlen is now 2 and because the SFQ limit is 1 the packet is dropped
by SFQ. At this point qlen is 1, and all of the SFQ slots are empty,
however q->tail is not NULL.
At this point, assuming no more packets are queued, when sch_dequeue
runs again it will decrement the qlen for the current empty slot
causing an underflow and the subsequent out of bounds access.
Severity
No CVSS data available.
Assigner
References
11 references
Impacted products
5 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < e12f6013d0a69660e8b99bfe381b9546ae667328
(git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 1e6d9d87626cf89eeffb4d943db12cb5b10bf961 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 1b562b7f9231432da40d12e19786c1bd7df653a7 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 35d0137305ae2f97260a9047f445bd4434bd6cc7 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 833e9a1c27b82024db7ff5038a51651f48f05e5e (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 7d8947f2153ee9c5ab4cb17861a11cc45f30e8c4 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 7fefc294204f10a3405f175f4ac2be16d63f135e (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 10685681bafce6febb39770f3387621bf5d67d0b (git) |
|
| Linux | Linux |
Affected:
2.6.12
Unaffected: 0 , < 2.6.12 (semver) Unaffected: 5.4.297 , ≤ 5.4.* (semver) Unaffected: 5.10.239 , ≤ 5.10.* (semver) Unaffected: 5.15.186 , ≤ 5.15.* (semver) Unaffected: 6.1.129 , ≤ 6.1.* (semver) Unaffected: 6.6.76 , ≤ 6.6.* (semver) Unaffected: 6.12.13 , ≤ 6.12.* (semver) Unaffected: 6.13.2 , ≤ 6.13.* (semver) Unaffected: 6.14 , ≤ * (original_commit_for_fix) |
|
| Siemens | SIMATIC S7-1500 CPU 1518-4 PN/DP MFP |
Affected:
V3.1.5 , < *
(custom)
|
|
| Siemens | SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP |
Affected:
V3.1.5 , < *
(custom)
|
|
| Siemens | SIPLUS S7-1500 CPU 1518-4 PN/DP MFP |
Affected:
V3.1.5 , < *
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:33:07.578Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00028.html"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"defaultStatus": "unknown",
"product": "SIMATIC S7-1500 CPU 1518-4 PN/DP MFP",
"vendor": "Siemens",
"versions": [
{
"lessThan": "*",
"status": "affected",
"version": "V3.1.5",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"product": "SIMATIC S7-1500 CPU 1518-4 PN/DP MFP",
"vendor": "Siemens",
"versions": [
{
"lessThan": "*",
"status": "affected",
"version": "V3.1.5",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"product": "SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP",
"vendor": "Siemens",
"versions": [
{
"lessThan": "*",
"status": "affected",
"version": "V3.1.5",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"product": "SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP",
"vendor": "Siemens",
"versions": [
{
"lessThan": "*",
"status": "affected",
"version": "V3.1.5",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"product": "SIPLUS S7-1500 CPU 1518-4 PN/DP MFP",
"vendor": "Siemens",
"versions": [
{
"lessThan": "*",
"status": "affected",
"version": "V3.1.5",
"versionType": "custom"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-12T12:01:48.833Z",
"orgId": "0b142b55-0307-4c5a-b3c9-f314f3fb7c5e",
"shortName": "siemens-SADP"
},
"references": [
{
"url": "https://cert-portal.siemens.com/productcert/html/ssa-082556.html"
}
],
"x_adpType": "supplier"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/sched/sch_sfq.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e12f6013d0a69660e8b99bfe381b9546ae667328",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "1e6d9d87626cf89eeffb4d943db12cb5b10bf961",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "1b562b7f9231432da40d12e19786c1bd7df653a7",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "35d0137305ae2f97260a9047f445bd4434bd6cc7",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "833e9a1c27b82024db7ff5038a51651f48f05e5e",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "7d8947f2153ee9c5ab4cb17861a11cc45f30e8c4",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "7fefc294204f10a3405f175f4ac2be16d63f135e",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "10685681bafce6febb39770f3387621bf5d67d0b",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/sched/sch_sfq.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.297",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.239",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.186",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.129",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.76",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.14",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.297",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.239",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.186",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.129",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.76",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.13",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.2",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet_sched: sch_sfq: don\u0027t allow 1 packet limit\n\nThe current implementation does not work correctly with a limit of\n1. iproute2 actually checks for this and this patch adds the check in\nkernel as well.\n\nThis fixes the following syzkaller reported crash:\n\nUBSAN: array-index-out-of-bounds in net/sched/sch_sfq.c:210:6\nindex 65535 is out of range for type \u0027struct sfq_head[128]\u0027\nCPU: 0 PID: 2569 Comm: syz-executor101 Not tainted 5.10.0-smp-DEV #1\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024\nCall Trace:\n __dump_stack lib/dump_stack.c:79 [inline]\n dump_stack+0x125/0x19f lib/dump_stack.c:120\n ubsan_epilogue lib/ubsan.c:148 [inline]\n __ubsan_handle_out_of_bounds+0xed/0x120 lib/ubsan.c:347\n sfq_link net/sched/sch_sfq.c:210 [inline]\n sfq_dec+0x528/0x600 net/sched/sch_sfq.c:238\n sfq_dequeue+0x39b/0x9d0 net/sched/sch_sfq.c:500\n sfq_reset+0x13/0x50 net/sched/sch_sfq.c:525\n qdisc_reset+0xfe/0x510 net/sched/sch_generic.c:1026\n tbf_reset+0x3d/0x100 net/sched/sch_tbf.c:319\n qdisc_reset+0xfe/0x510 net/sched/sch_generic.c:1026\n dev_reset_queue+0x8c/0x140 net/sched/sch_generic.c:1296\n netdev_for_each_tx_queue include/linux/netdevice.h:2350 [inline]\n dev_deactivate_many+0x6dc/0xc20 net/sched/sch_generic.c:1362\n __dev_close_many+0x214/0x350 net/core/dev.c:1468\n dev_close_many+0x207/0x510 net/core/dev.c:1506\n unregister_netdevice_many+0x40f/0x16b0 net/core/dev.c:10738\n unregister_netdevice_queue+0x2be/0x310 net/core/dev.c:10695\n unregister_netdevice include/linux/netdevice.h:2893 [inline]\n __tun_detach+0x6b6/0x1600 drivers/net/tun.c:689\n tun_detach drivers/net/tun.c:705 [inline]\n tun_chr_close+0x104/0x1b0 drivers/net/tun.c:3640\n __fput+0x203/0x840 fs/file_table.c:280\n task_work_run+0x129/0x1b0 kernel/task_work.c:185\n exit_task_work include/linux/task_work.h:33 [inline]\n do_exit+0x5ce/0x2200 kernel/exit.c:931\n do_group_exit+0x144/0x310 kernel/exit.c:1046\n __do_sys_exit_group kernel/exit.c:1057 [inline]\n __se_sys_exit_group kernel/exit.c:1055 [inline]\n __x64_sys_exit_group+0x3b/0x40 kernel/exit.c:1055\n do_syscall_64+0x6c/0xd0\n entry_SYSCALL_64_after_hwframe+0x61/0xcb\nRIP: 0033:0x7fe5e7b52479\nCode: Unable to access opcode bytes at RIP 0x7fe5e7b5244f.\nRSP: 002b:00007ffd3c800398 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7\nRAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fe5e7b52479\nRDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000\nRBP: 00007fe5e7bcd2d0 R08: ffffffffffffffb8 R09: 0000000000000014\nR10: 0000000000000000 R11: 0000000000000246 R12: 00007fe5e7bcd2d0\nR13: 0000000000000000 R14: 00007fe5e7bcdd20 R15: 00007fe5e7b24270\n\nThe crash can be also be reproduced with the following (with a tc\nrecompiled to allow for sfq limits of 1):\n\ntc qdisc add dev dummy0 handle 1: root tbf rate 1Kbit burst 100b lat 1s\n../iproute2-6.9.0/tc/tc qdisc add dev dummy0 handle 2: parent 1:10 sfq limit 1\nifconfig dummy0 up\nping -I dummy0 -f -c2 -W0.1 8.8.8.8\nsleep 1\n\nScenario that triggers the crash:\n\n* the first packet is sent and queued in TBF and SFQ; qdisc qlen is 1\n\n* TBF dequeues: it peeks from SFQ which moves the packet to the\n gso_skb list and keeps qdisc qlen set to 1. TBF is out of tokens so\n it schedules itself for later.\n\n* the second packet is sent and TBF tries to queues it to SFQ. qdisc\n qlen is now 2 and because the SFQ limit is 1 the packet is dropped\n by SFQ. At this point qlen is 1, and all of the SFQ slots are empty,\n however q-\u003etail is not NULL.\n\nAt this point, assuming no more packets are queued, when sch_dequeue\nruns again it will decrement the qlen for the current empty slot\ncausing an underflow and the subsequent out of bounds access."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:01:47.044Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e12f6013d0a69660e8b99bfe381b9546ae667328"
},
{
"url": "https://git.kernel.org/stable/c/1e6d9d87626cf89eeffb4d943db12cb5b10bf961"
},
{
"url": "https://git.kernel.org/stable/c/1b562b7f9231432da40d12e19786c1bd7df653a7"
},
{
"url": "https://git.kernel.org/stable/c/35d0137305ae2f97260a9047f445bd4434bd6cc7"
},
{
"url": "https://git.kernel.org/stable/c/833e9a1c27b82024db7ff5038a51651f48f05e5e"
},
{
"url": "https://git.kernel.org/stable/c/7d8947f2153ee9c5ab4cb17861a11cc45f30e8c4"
},
{
"url": "https://git.kernel.org/stable/c/7fefc294204f10a3405f175f4ac2be16d63f135e"
},
{
"url": "https://git.kernel.org/stable/c/10685681bafce6febb39770f3387621bf5d67d0b"
}
],
"title": "net_sched: sch_sfq: don\u0027t allow 1 packet limit",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-57996",
"datePublished": "2025-02-27T02:07:16.765Z",
"dateReserved": "2025-02-27T02:04:28.914Z",
"dateUpdated": "2026-05-12T12:01:48.833Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-21727 (GCVE-0-2025-21727)
Vulnerability from cvelistv5 – Published: 2025-02-27 02:07 – Updated: 2026-05-12 12:03
VLAI
EPSS
Title
padata: fix UAF in padata_reorder
Summary
In the Linux kernel, the following vulnerability has been resolved:
padata: fix UAF in padata_reorder
A bug was found when run ltp test:
BUG: KASAN: slab-use-after-free in padata_find_next+0x29/0x1a0
Read of size 4 at addr ffff88bbfe003524 by task kworker/u113:2/3039206
CPU: 0 PID: 3039206 Comm: kworker/u113:2 Kdump: loaded Not tainted 6.6.0+
Workqueue: pdecrypt_parallel padata_parallel_worker
Call Trace:
<TASK>
dump_stack_lvl+0x32/0x50
print_address_description.constprop.0+0x6b/0x3d0
print_report+0xdd/0x2c0
kasan_report+0xa5/0xd0
padata_find_next+0x29/0x1a0
padata_reorder+0x131/0x220
padata_parallel_worker+0x3d/0xc0
process_one_work+0x2ec/0x5a0
If 'mdelay(10)' is added before calling 'padata_find_next' in the
'padata_reorder' function, this issue could be reproduced easily with
ltp test (pcrypt_aead01).
This can be explained as bellow:
pcrypt_aead_encrypt
...
padata_do_parallel
refcount_inc(&pd->refcnt); // add refcnt
...
padata_do_serial
padata_reorder // pd
while (1) {
padata_find_next(pd, true); // using pd
queue_work_on
...
padata_serial_worker crypto_del_alg
padata_put_pd_cnt // sub refcnt
padata_free_shell
padata_put_pd(ps->pd);
// pd is freed
// loop again, but pd is freed
// call padata_find_next, UAF
}
In the padata_reorder function, when it loops in 'while', if the alg is
deleted, the refcnt may be decreased to 0 before entering
'padata_find_next', which leads to UAF.
As mentioned in [1], do_serial is supposed to be called with BHs disabled
and always happen under RCU protection, to address this issue, add
synchronize_rcu() in 'padata_free_shell' wait for all _do_serial calls
to finish.
[1] https://lore.kernel.org/all/20221028160401.cccypv4euxikusiq@parnassus.localdomain/
[2] https://lore.kernel.org/linux-kernel/jfjz5d7zwbytztackem7ibzalm5lnxldi2eofeiczqmqs2m7o6@fq426cwnjtkm/
Severity
7.8 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-416 - Use After Free
Assigner
References
10 references
Impacted products
3 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
b128a30409356df65f1a51cff3eb986cac8cfedc , < f78170bee51469734b1a306a74fc5f777bb22ba6
(git)
Affected: b128a30409356df65f1a51cff3eb986cac8cfedc , < f3e0b9f790f8e8065d59e67b565a83154d9f3079 (git) Affected: b128a30409356df65f1a51cff3eb986cac8cfedc , < 0ae2f332cfd2d74cf3ce344ec9938cf3e29c3ccd (git) Affected: b128a30409356df65f1a51cff3eb986cac8cfedc , < bbccae982e9fa1d7abcb23a5ec81cb0ec883f7de (git) Affected: b128a30409356df65f1a51cff3eb986cac8cfedc , < 573ac9c70bf7885dc85d82fa44550581bfc3b738 (git) Affected: b128a30409356df65f1a51cff3eb986cac8cfedc , < 80231f069240d52e98b6a317456c67b2eafd0781 (git) Affected: b128a30409356df65f1a51cff3eb986cac8cfedc , < e01780ea4661172734118d2a5f41bc9720765668 (git) |
|
| Linux | Linux |
Affected:
5.4
Unaffected: 0 , < 5.4 (semver) Unaffected: 5.10.235 , ≤ 5.10.* (semver) Unaffected: 5.15.179 , ≤ 5.15.* (semver) Unaffected: 6.1.129 , ≤ 6.1.* (semver) Unaffected: 6.6.76 , ≤ 6.6.* (semver) Unaffected: 6.12.13 , ≤ 6.12.* (semver) Unaffected: 6.13.2 , ≤ 6.13.* (semver) Unaffected: 6.14 , ≤ * (original_commit_for_fix) |
|
| Siemens | SIMATIC S7-1500 TM MFP - GNU/Linux subsystem |
Affected:
0 , < *
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-21727",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-27T17:58:06.104597Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-27T18:02:27.953Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:36:30.604Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00028.html"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"defaultStatus": "unknown",
"product": "SIMATIC S7-1500 TM MFP - GNU/Linux subsystem",
"vendor": "Siemens",
"versions": [
{
"lessThan": "*",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-12T12:03:30.794Z",
"orgId": "0b142b55-0307-4c5a-b3c9-f314f3fb7c5e",
"shortName": "siemens-SADP"
},
"references": [
{
"url": "https://cert-portal.siemens.com/productcert/html/ssa-265688.html"
}
],
"x_adpType": "supplier"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/padata.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f78170bee51469734b1a306a74fc5f777bb22ba6",
"status": "affected",
"version": "b128a30409356df65f1a51cff3eb986cac8cfedc",
"versionType": "git"
},
{
"lessThan": "f3e0b9f790f8e8065d59e67b565a83154d9f3079",
"status": "affected",
"version": "b128a30409356df65f1a51cff3eb986cac8cfedc",
"versionType": "git"
},
{
"lessThan": "0ae2f332cfd2d74cf3ce344ec9938cf3e29c3ccd",
"status": "affected",
"version": "b128a30409356df65f1a51cff3eb986cac8cfedc",
"versionType": "git"
},
{
"lessThan": "bbccae982e9fa1d7abcb23a5ec81cb0ec883f7de",
"status": "affected",
"version": "b128a30409356df65f1a51cff3eb986cac8cfedc",
"versionType": "git"
},
{
"lessThan": "573ac9c70bf7885dc85d82fa44550581bfc3b738",
"status": "affected",
"version": "b128a30409356df65f1a51cff3eb986cac8cfedc",
"versionType": "git"
},
{
"lessThan": "80231f069240d52e98b6a317456c67b2eafd0781",
"status": "affected",
"version": "b128a30409356df65f1a51cff3eb986cac8cfedc",
"versionType": "git"
},
{
"lessThan": "e01780ea4661172734118d2a5f41bc9720765668",
"status": "affected",
"version": "b128a30409356df65f1a51cff3eb986cac8cfedc",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/padata.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.4"
},
{
"lessThan": "5.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.235",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.179",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.129",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.76",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.14",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.235",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.179",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.129",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.76",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.13",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.2",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14",
"versionStartIncluding": "5.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\npadata: fix UAF in padata_reorder\n\nA bug was found when run ltp test:\n\nBUG: KASAN: slab-use-after-free in padata_find_next+0x29/0x1a0\nRead of size 4 at addr ffff88bbfe003524 by task kworker/u113:2/3039206\n\nCPU: 0 PID: 3039206 Comm: kworker/u113:2 Kdump: loaded Not tainted 6.6.0+\nWorkqueue: pdecrypt_parallel padata_parallel_worker\nCall Trace:\n\u003cTASK\u003e\ndump_stack_lvl+0x32/0x50\nprint_address_description.constprop.0+0x6b/0x3d0\nprint_report+0xdd/0x2c0\nkasan_report+0xa5/0xd0\npadata_find_next+0x29/0x1a0\npadata_reorder+0x131/0x220\npadata_parallel_worker+0x3d/0xc0\nprocess_one_work+0x2ec/0x5a0\n\nIf \u0027mdelay(10)\u0027 is added before calling \u0027padata_find_next\u0027 in the\n\u0027padata_reorder\u0027 function, this issue could be reproduced easily with\nltp test (pcrypt_aead01).\n\nThis can be explained as bellow:\n\npcrypt_aead_encrypt\n...\npadata_do_parallel\nrefcount_inc(\u0026pd-\u003erefcnt); // add refcnt\n...\npadata_do_serial\npadata_reorder // pd\nwhile (1) {\npadata_find_next(pd, true); // using pd\nqueue_work_on\n...\npadata_serial_worker\t\t\t\tcrypto_del_alg\npadata_put_pd_cnt // sub refcnt\n\t\t\t\t\t\tpadata_free_shell\n\t\t\t\t\t\tpadata_put_pd(ps-\u003epd);\n\t\t\t\t\t\t// pd is freed\n// loop again, but pd is freed\n// call padata_find_next, UAF\n}\n\nIn the padata_reorder function, when it loops in \u0027while\u0027, if the alg is\ndeleted, the refcnt may be decreased to 0 before entering\n\u0027padata_find_next\u0027, which leads to UAF.\n\nAs mentioned in [1], do_serial is supposed to be called with BHs disabled\nand always happen under RCU protection, to address this issue, add\nsynchronize_rcu() in \u0027padata_free_shell\u0027 wait for all _do_serial calls\nto finish.\n\n[1] https://lore.kernel.org/all/20221028160401.cccypv4euxikusiq@parnassus.localdomain/\n[2] https://lore.kernel.org/linux-kernel/jfjz5d7zwbytztackem7ibzalm5lnxldi2eofeiczqmqs2m7o6@fq426cwnjtkm/"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:05:15.704Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f78170bee51469734b1a306a74fc5f777bb22ba6"
},
{
"url": "https://git.kernel.org/stable/c/f3e0b9f790f8e8065d59e67b565a83154d9f3079"
},
{
"url": "https://git.kernel.org/stable/c/0ae2f332cfd2d74cf3ce344ec9938cf3e29c3ccd"
},
{
"url": "https://git.kernel.org/stable/c/bbccae982e9fa1d7abcb23a5ec81cb0ec883f7de"
},
{
"url": "https://git.kernel.org/stable/c/573ac9c70bf7885dc85d82fa44550581bfc3b738"
},
{
"url": "https://git.kernel.org/stable/c/80231f069240d52e98b6a317456c67b2eafd0781"
},
{
"url": "https://git.kernel.org/stable/c/e01780ea4661172734118d2a5f41bc9720765668"
}
],
"title": "padata: fix UAF in padata_reorder",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-21727",
"datePublished": "2025-02-27T02:07:33.501Z",
"dateReserved": "2024-12-29T08:45:45.754Z",
"dateUpdated": "2026-05-12T12:03:30.794Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-21796 (GCVE-0-2025-21796)
Vulnerability from cvelistv5 – Published: 2025-02-27 02:18 – Updated: 2026-05-12 12:03
VLAI
EPSS
Title
nfsd: clear acl_access/acl_default after releasing them
Summary
In the Linux kernel, the following vulnerability has been resolved:
nfsd: clear acl_access/acl_default after releasing them
If getting acl_default fails, acl_access and acl_default will be released
simultaneously. However, acl_access will still retain a pointer pointing
to the released posix_acl, which will trigger a WARNING in
nfs3svc_release_getacl like this:
------------[ cut here ]------------
refcount_t: underflow; use-after-free.
WARNING: CPU: 26 PID: 3199 at lib/refcount.c:28
refcount_warn_saturate+0xb5/0x170
Modules linked in:
CPU: 26 UID: 0 PID: 3199 Comm: nfsd Not tainted
6.12.0-rc6-00079-g04ae226af01f-dirty #8
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
1.16.1-2.fc37 04/01/2014
RIP: 0010:refcount_warn_saturate+0xb5/0x170
Code: cc cc 0f b6 1d b3 20 a5 03 80 fb 01 0f 87 65 48 d8 00 83 e3 01 75
e4 48 c7 c7 c0 3b 9b 85 c6 05 97 20 a5 03 01 e8 fb 3e 30 ff <0f> 0b eb
cd 0f b6 1d 8a3
RSP: 0018:ffffc90008637cd8 EFLAGS: 00010282
RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff83904fde
RDX: dffffc0000000000 RSI: 0000000000000008 RDI: ffff88871ed36380
RBP: ffff888158beeb40 R08: 0000000000000001 R09: fffff520010c6f56
R10: ffffc90008637ab7 R11: 0000000000000001 R12: 0000000000000001
R13: ffff888140e77400 R14: ffff888140e77408 R15: ffffffff858b42c0
FS: 0000000000000000(0000) GS:ffff88871ed00000(0000)
knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000562384d32158 CR3: 000000055cc6a000 CR4: 00000000000006f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
? refcount_warn_saturate+0xb5/0x170
? __warn+0xa5/0x140
? refcount_warn_saturate+0xb5/0x170
? report_bug+0x1b1/0x1e0
? handle_bug+0x53/0xa0
? exc_invalid_op+0x17/0x40
? asm_exc_invalid_op+0x1a/0x20
? tick_nohz_tick_stopped+0x1e/0x40
? refcount_warn_saturate+0xb5/0x170
? refcount_warn_saturate+0xb5/0x170
nfs3svc_release_getacl+0xc9/0xe0
svc_process_common+0x5db/0xb60
? __pfx_svc_process_common+0x10/0x10
? __rcu_read_unlock+0x69/0xa0
? __pfx_nfsd_dispatch+0x10/0x10
? svc_xprt_received+0xa1/0x120
? xdr_init_decode+0x11d/0x190
svc_process+0x2a7/0x330
svc_handle_xprt+0x69d/0x940
svc_recv+0x180/0x2d0
nfsd+0x168/0x200
? __pfx_nfsd+0x10/0x10
kthread+0x1a2/0x1e0
? kthread+0xf4/0x1e0
? __pfx_kthread+0x10/0x10
ret_from_fork+0x34/0x60
? __pfx_kthread+0x10/0x10
ret_from_fork_asm+0x1a/0x30
</TASK>
Kernel panic - not syncing: kernel: panic_on_warn set ...
Clear acl_access/acl_default after posix_acl_release is called to prevent
UAF from being triggered.
Severity
7.8 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-416 - Use After Free
Assigner
References
11 references
Impacted products
6 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
a257cdd0e2179630d3201c32ba14d7fcb3c3a055 , < 8a1737ae42c928384ab6447f6ee1a882510e85fa
(git)
Affected: a257cdd0e2179630d3201c32ba14d7fcb3c3a055 , < 6f7cfee1a316891890c505563aa54f3476db52fd (git) Affected: a257cdd0e2179630d3201c32ba14d7fcb3c3a055 , < 2e59b2b68782519560b3d6a41dd66a3d01a01cd3 (git) Affected: a257cdd0e2179630d3201c32ba14d7fcb3c3a055 , < 55d947315fb5f67a35e4e1d3e01bb886b9c6decf (git) Affected: a257cdd0e2179630d3201c32ba14d7fcb3c3a055 , < f8d871523142f7895f250a856f8c4a4181614510 (git) Affected: a257cdd0e2179630d3201c32ba14d7fcb3c3a055 , < 1fd94884174bd20beb1773990fd3b1aa877688d9 (git) Affected: a257cdd0e2179630d3201c32ba14d7fcb3c3a055 , < 7faf14a7b0366f153284db0ad3347c457ea70136 (git) |
|
| Linux | Linux |
Affected:
2.6.13
Unaffected: 0 , < 2.6.13 (semver) Unaffected: 5.10.235 , ≤ 5.10.* (semver) Unaffected: 5.15.179 , ≤ 5.15.* (semver) Unaffected: 6.1.129 , ≤ 6.1.* (semver) Unaffected: 6.6.79 , ≤ 6.6.* (semver) Unaffected: 6.12.16 , ≤ 6.12.* (semver) Unaffected: 6.13.4 , ≤ 6.13.* (semver) Unaffected: 6.14 , ≤ * (original_commit_for_fix) |
|
| Siemens | SIMATIC S7-1500 CPU 1518-4 PN/DP MFP |
Affected:
V3.1.5 , < *
(custom)
|
|
| Siemens | SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP |
Affected:
V3.1.5 , < *
(custom)
|
|
| Siemens | SIMATIC S7-1500 TM MFP - GNU/Linux subsystem |
Affected:
0 , < *
(custom)
|
|
| Siemens | SIPLUS S7-1500 CPU 1518-4 PN/DP MFP |
Affected:
V3.1.5 , < *
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-21796",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-27T17:57:11.080279Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-27T18:02:26.612Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-03T20:59:40.254Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00028.html"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"defaultStatus": "unknown",
"product": "SIMATIC S7-1500 CPU 1518-4 PN/DP MFP",
"vendor": "Siemens",
"versions": [
{
"lessThan": "*",
"status": "affected",
"version": "V3.1.5",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"product": "SIMATIC S7-1500 CPU 1518-4 PN/DP MFP",
"vendor": "Siemens",
"versions": [
{
"lessThan": "*",
"status": "affected",
"version": "V3.1.5",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"product": "SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP",
"vendor": "Siemens",
"versions": [
{
"lessThan": "*",
"status": "affected",
"version": "V3.1.5",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"product": "SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP",
"vendor": "Siemens",
"versions": [
{
"lessThan": "*",
"status": "affected",
"version": "V3.1.5",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"product": "SIMATIC S7-1500 TM MFP - GNU/Linux subsystem",
"vendor": "Siemens",
"versions": [
{
"lessThan": "*",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"product": "SIPLUS S7-1500 CPU 1518-4 PN/DP MFP",
"vendor": "Siemens",
"versions": [
{
"lessThan": "*",
"status": "affected",
"version": "V3.1.5",
"versionType": "custom"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-12T12:03:56.109Z",
"orgId": "0b142b55-0307-4c5a-b3c9-f314f3fb7c5e",
"shortName": "siemens-SADP"
},
"references": [
{
"url": "https://cert-portal.siemens.com/productcert/html/ssa-265688.html"
},
{
"url": "https://cert-portal.siemens.com/productcert/html/ssa-082556.html"
}
],
"x_adpType": "supplier"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/nfsd/nfs2acl.c",
"fs/nfsd/nfs3acl.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "8a1737ae42c928384ab6447f6ee1a882510e85fa",
"status": "affected",
"version": "a257cdd0e2179630d3201c32ba14d7fcb3c3a055",
"versionType": "git"
},
{
"lessThan": "6f7cfee1a316891890c505563aa54f3476db52fd",
"status": "affected",
"version": "a257cdd0e2179630d3201c32ba14d7fcb3c3a055",
"versionType": "git"
},
{
"lessThan": "2e59b2b68782519560b3d6a41dd66a3d01a01cd3",
"status": "affected",
"version": "a257cdd0e2179630d3201c32ba14d7fcb3c3a055",
"versionType": "git"
},
{
"lessThan": "55d947315fb5f67a35e4e1d3e01bb886b9c6decf",
"status": "affected",
"version": "a257cdd0e2179630d3201c32ba14d7fcb3c3a055",
"versionType": "git"
},
{
"lessThan": "f8d871523142f7895f250a856f8c4a4181614510",
"status": "affected",
"version": "a257cdd0e2179630d3201c32ba14d7fcb3c3a055",
"versionType": "git"
},
{
"lessThan": "1fd94884174bd20beb1773990fd3b1aa877688d9",
"status": "affected",
"version": "a257cdd0e2179630d3201c32ba14d7fcb3c3a055",
"versionType": "git"
},
{
"lessThan": "7faf14a7b0366f153284db0ad3347c457ea70136",
"status": "affected",
"version": "a257cdd0e2179630d3201c32ba14d7fcb3c3a055",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/nfsd/nfs2acl.c",
"fs/nfsd/nfs3acl.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.13"
},
{
"lessThan": "2.6.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.235",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.179",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.129",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.79",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.14",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.235",
"versionStartIncluding": "2.6.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.179",
"versionStartIncluding": "2.6.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.129",
"versionStartIncluding": "2.6.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.79",
"versionStartIncluding": "2.6.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.16",
"versionStartIncluding": "2.6.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.4",
"versionStartIncluding": "2.6.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14",
"versionStartIncluding": "2.6.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfsd: clear acl_access/acl_default after releasing them\n\nIf getting acl_default fails, acl_access and acl_default will be released\nsimultaneously. However, acl_access will still retain a pointer pointing\nto the released posix_acl, which will trigger a WARNING in\nnfs3svc_release_getacl like this:\n\n------------[ cut here ]------------\nrefcount_t: underflow; use-after-free.\nWARNING: CPU: 26 PID: 3199 at lib/refcount.c:28\nrefcount_warn_saturate+0xb5/0x170\nModules linked in:\nCPU: 26 UID: 0 PID: 3199 Comm: nfsd Not tainted\n6.12.0-rc6-00079-g04ae226af01f-dirty #8\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS\n1.16.1-2.fc37 04/01/2014\nRIP: 0010:refcount_warn_saturate+0xb5/0x170\nCode: cc cc 0f b6 1d b3 20 a5 03 80 fb 01 0f 87 65 48 d8 00 83 e3 01 75\ne4 48 c7 c7 c0 3b 9b 85 c6 05 97 20 a5 03 01 e8 fb 3e 30 ff \u003c0f\u003e 0b eb\ncd 0f b6 1d 8a3\nRSP: 0018:ffffc90008637cd8 EFLAGS: 00010282\nRAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff83904fde\nRDX: dffffc0000000000 RSI: 0000000000000008 RDI: ffff88871ed36380\nRBP: ffff888158beeb40 R08: 0000000000000001 R09: fffff520010c6f56\nR10: ffffc90008637ab7 R11: 0000000000000001 R12: 0000000000000001\nR13: ffff888140e77400 R14: ffff888140e77408 R15: ffffffff858b42c0\nFS: 0000000000000000(0000) GS:ffff88871ed00000(0000)\nknlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000562384d32158 CR3: 000000055cc6a000 CR4: 00000000000006f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n \u003cTASK\u003e\n ? refcount_warn_saturate+0xb5/0x170\n ? __warn+0xa5/0x140\n ? refcount_warn_saturate+0xb5/0x170\n ? report_bug+0x1b1/0x1e0\n ? handle_bug+0x53/0xa0\n ? exc_invalid_op+0x17/0x40\n ? asm_exc_invalid_op+0x1a/0x20\n ? tick_nohz_tick_stopped+0x1e/0x40\n ? refcount_warn_saturate+0xb5/0x170\n ? refcount_warn_saturate+0xb5/0x170\n nfs3svc_release_getacl+0xc9/0xe0\n svc_process_common+0x5db/0xb60\n ? __pfx_svc_process_common+0x10/0x10\n ? __rcu_read_unlock+0x69/0xa0\n ? __pfx_nfsd_dispatch+0x10/0x10\n ? svc_xprt_received+0xa1/0x120\n ? xdr_init_decode+0x11d/0x190\n svc_process+0x2a7/0x330\n svc_handle_xprt+0x69d/0x940\n svc_recv+0x180/0x2d0\n nfsd+0x168/0x200\n ? __pfx_nfsd+0x10/0x10\n kthread+0x1a2/0x1e0\n ? kthread+0xf4/0x1e0\n ? __pfx_kthread+0x10/0x10\n ret_from_fork+0x34/0x60\n ? __pfx_kthread+0x10/0x10\n ret_from_fork_asm+0x1a/0x30\n \u003c/TASK\u003e\nKernel panic - not syncing: kernel: panic_on_warn set ...\n\nClear acl_access/acl_default after posix_acl_release is called to prevent\nUAF from being triggered."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:06:39.968Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/8a1737ae42c928384ab6447f6ee1a882510e85fa"
},
{
"url": "https://git.kernel.org/stable/c/6f7cfee1a316891890c505563aa54f3476db52fd"
},
{
"url": "https://git.kernel.org/stable/c/2e59b2b68782519560b3d6a41dd66a3d01a01cd3"
},
{
"url": "https://git.kernel.org/stable/c/55d947315fb5f67a35e4e1d3e01bb886b9c6decf"
},
{
"url": "https://git.kernel.org/stable/c/f8d871523142f7895f250a856f8c4a4181614510"
},
{
"url": "https://git.kernel.org/stable/c/1fd94884174bd20beb1773990fd3b1aa877688d9"
},
{
"url": "https://git.kernel.org/stable/c/7faf14a7b0366f153284db0ad3347c457ea70136"
}
],
"title": "nfsd: clear acl_access/acl_default after releasing them",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-21796",
"datePublished": "2025-02-27T02:18:32.191Z",
"dateReserved": "2024-12-29T08:45:45.768Z",
"dateUpdated": "2026-05-12T12:03:56.109Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-37752 (GCVE-0-2025-37752)
Vulnerability from cvelistv5 – Published: 2025-05-01 12:55 – Updated: 2026-05-23 15:58
VLAI
EPSS
Title
net_sched: sch_sfq: move the limit validation
Summary
In the Linux kernel, the following vulnerability has been resolved:
net_sched: sch_sfq: move the limit validation
It is not sufficient to directly validate the limit on the data that
the user passes as it can be updated based on how the other parameters
are changed.
Move the check at the end of the configuration update process to also
catch scenarios where the limit is indirectly updated, for example
with the following configurations:
tc qdisc add dev dummy0 handle 1: root sfq limit 2 flows 1 depth 1
tc qdisc add dev dummy0 handle 1: root sfq limit 2 flows 1 divisor 1
This fixes the following syzkaller reported crash:
------------[ cut here ]------------
UBSAN: array-index-out-of-bounds in net/sched/sch_sfq.c:203:6
index 65535 is out of range for type 'struct sfq_head[128]'
CPU: 1 UID: 0 PID: 3037 Comm: syz.2.16 Not tainted 6.14.0-rc2-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x201/0x300 lib/dump_stack.c:120
ubsan_epilogue lib/ubsan.c:231 [inline]
__ubsan_handle_out_of_bounds+0xf5/0x120 lib/ubsan.c:429
sfq_link net/sched/sch_sfq.c:203 [inline]
sfq_dec+0x53c/0x610 net/sched/sch_sfq.c:231
sfq_dequeue+0x34e/0x8c0 net/sched/sch_sfq.c:493
sfq_reset+0x17/0x60 net/sched/sch_sfq.c:518
qdisc_reset+0x12e/0x600 net/sched/sch_generic.c:1035
tbf_reset+0x41/0x110 net/sched/sch_tbf.c:339
qdisc_reset+0x12e/0x600 net/sched/sch_generic.c:1035
dev_reset_queue+0x100/0x1b0 net/sched/sch_generic.c:1311
netdev_for_each_tx_queue include/linux/netdevice.h:2590 [inline]
dev_deactivate_many+0x7e5/0xe70 net/sched/sch_generic.c:1375
Severity
No CVSS data available.
Assigner
References
10 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
e12f6013d0a69660e8b99bfe381b9546ae667328 , < 8fadc871a42933aacb7f1ce9ed9a96485e2c9cf4
(git)
Affected: 1e6d9d87626cf89eeffb4d943db12cb5b10bf961 , < 7d62ded97db6b7c94c891f704151f372b1ba4688 (git) Affected: 1b562b7f9231432da40d12e19786c1bd7df653a7 , < 6c589aa318023690f1606c666a7fb5f4c1c9c219 (git) Affected: 35d0137305ae2f97260a9047f445bd4434bd6cc7 , < 1348214fa042a71406964097e743c87a42c85a49 (git) Affected: 833e9a1c27b82024db7ff5038a51651f48f05e5e , < d2718324f9e329b10ddc091fba5a0ba2b9d4d96a (git) Affected: 7d8947f2153ee9c5ab4cb17861a11cc45f30e8c4 , < f86293adce0c201cfabb283ef9d6f21292089bb8 (git) Affected: 7fefc294204f10a3405f175f4ac2be16d63f135e , < 5e5e1fcc1b8ed57f902c424c5d9b328a3a19073d (git) Affected: 10685681bafce6febb39770f3387621bf5d67d0b , < b36a68192037d1614317a09b0d78c7814e2eecf9 (git) Affected: 10685681bafce6febb39770f3387621bf5d67d0b , < b3bf8f63e6179076b57c9de660c9f80b5abefe70 (git) Affected: 6.1.129 , < 6.1.135 (semver) Affected: 6.6.76 , < 6.6.88 (semver) Affected: 6.12.13 , < 6.12.24 (semver) Affected: 6.13.2 , < 6.13.12 (semver) |
|
| Linux | Linux |
Affected:
6.14
Unaffected: 0 , < 6.14 (semver) Unaffected: 6.1.135 , ≤ 6.1.* (semver) Unaffected: 6.6.88 , ≤ 6.6.* (semver) Unaffected: 6.12.24 , ≤ 6.12.* (semver) Unaffected: 6.13.12 , ≤ 6.13.* (semver) Unaffected: 6.14.3 , ≤ 6.14.* (semver) Unaffected: 6.15 , ≤ * (original_commit_for_fix) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:54:26.177Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/sched/sch_sfq.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "8fadc871a42933aacb7f1ce9ed9a96485e2c9cf4",
"status": "affected",
"version": "e12f6013d0a69660e8b99bfe381b9546ae667328",
"versionType": "git"
},
{
"lessThan": "7d62ded97db6b7c94c891f704151f372b1ba4688",
"status": "affected",
"version": "1e6d9d87626cf89eeffb4d943db12cb5b10bf961",
"versionType": "git"
},
{
"lessThan": "6c589aa318023690f1606c666a7fb5f4c1c9c219",
"status": "affected",
"version": "1b562b7f9231432da40d12e19786c1bd7df653a7",
"versionType": "git"
},
{
"lessThan": "1348214fa042a71406964097e743c87a42c85a49",
"status": "affected",
"version": "35d0137305ae2f97260a9047f445bd4434bd6cc7",
"versionType": "git"
},
{
"lessThan": "d2718324f9e329b10ddc091fba5a0ba2b9d4d96a",
"status": "affected",
"version": "833e9a1c27b82024db7ff5038a51651f48f05e5e",
"versionType": "git"
},
{
"lessThan": "f86293adce0c201cfabb283ef9d6f21292089bb8",
"status": "affected",
"version": "7d8947f2153ee9c5ab4cb17861a11cc45f30e8c4",
"versionType": "git"
},
{
"lessThan": "5e5e1fcc1b8ed57f902c424c5d9b328a3a19073d",
"status": "affected",
"version": "7fefc294204f10a3405f175f4ac2be16d63f135e",
"versionType": "git"
},
{
"lessThan": "b36a68192037d1614317a09b0d78c7814e2eecf9",
"status": "affected",
"version": "10685681bafce6febb39770f3387621bf5d67d0b",
"versionType": "git"
},
{
"lessThan": "b3bf8f63e6179076b57c9de660c9f80b5abefe70",
"status": "affected",
"version": "10685681bafce6febb39770f3387621bf5d67d0b",
"versionType": "git"
},
{
"lessThan": "6.1.135",
"status": "affected",
"version": "6.1.129",
"versionType": "semver"
},
{
"lessThan": "6.6.88",
"status": "affected",
"version": "6.6.76",
"versionType": "semver"
},
{
"lessThan": "6.12.24",
"status": "affected",
"version": "6.12.13",
"versionType": "semver"
},
{
"lessThan": "6.13.12",
"status": "affected",
"version": "6.13.2",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/sched/sch_sfq.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.14"
},
{
"lessThan": "6.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.135",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.88",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.24",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.14.*",
"status": "unaffected",
"version": "6.14.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.15",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.135",
"versionStartIncluding": "6.1.129",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.88",
"versionStartIncluding": "6.6.76",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.24",
"versionStartIncluding": "6.12.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.12",
"versionStartIncluding": "6.13.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14.3",
"versionStartIncluding": "6.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15",
"versionStartIncluding": "6.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet_sched: sch_sfq: move the limit validation\n\nIt is not sufficient to directly validate the limit on the data that\nthe user passes as it can be updated based on how the other parameters\nare changed.\n\nMove the check at the end of the configuration update process to also\ncatch scenarios where the limit is indirectly updated, for example\nwith the following configurations:\n\ntc qdisc add dev dummy0 handle 1: root sfq limit 2 flows 1 depth 1\ntc qdisc add dev dummy0 handle 1: root sfq limit 2 flows 1 divisor 1\n\nThis fixes the following syzkaller reported crash:\n\n------------[ cut here ]------------\nUBSAN: array-index-out-of-bounds in net/sched/sch_sfq.c:203:6\nindex 65535 is out of range for type \u0027struct sfq_head[128]\u0027\nCPU: 1 UID: 0 PID: 3037 Comm: syz.2.16 Not tainted 6.14.0-rc2-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024\nCall Trace:\n \u003cTASK\u003e\n __dump_stack lib/dump_stack.c:94 [inline]\n dump_stack_lvl+0x201/0x300 lib/dump_stack.c:120\n ubsan_epilogue lib/ubsan.c:231 [inline]\n __ubsan_handle_out_of_bounds+0xf5/0x120 lib/ubsan.c:429\n sfq_link net/sched/sch_sfq.c:203 [inline]\n sfq_dec+0x53c/0x610 net/sched/sch_sfq.c:231\n sfq_dequeue+0x34e/0x8c0 net/sched/sch_sfq.c:493\n sfq_reset+0x17/0x60 net/sched/sch_sfq.c:518\n qdisc_reset+0x12e/0x600 net/sched/sch_generic.c:1035\n tbf_reset+0x41/0x110 net/sched/sch_tbf.c:339\n qdisc_reset+0x12e/0x600 net/sched/sch_generic.c:1035\n dev_reset_queue+0x100/0x1b0 net/sched/sch_generic.c:1311\n netdev_for_each_tx_queue include/linux/netdevice.h:2590 [inline]\n dev_deactivate_many+0x7e5/0xe70 net/sched/sch_generic.c:1375"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-23T15:58:09.118Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/8fadc871a42933aacb7f1ce9ed9a96485e2c9cf4"
},
{
"url": "https://git.kernel.org/stable/c/7d62ded97db6b7c94c891f704151f372b1ba4688"
},
{
"url": "https://git.kernel.org/stable/c/6c589aa318023690f1606c666a7fb5f4c1c9c219"
},
{
"url": "https://git.kernel.org/stable/c/1348214fa042a71406964097e743c87a42c85a49"
},
{
"url": "https://git.kernel.org/stable/c/d2718324f9e329b10ddc091fba5a0ba2b9d4d96a"
},
{
"url": "https://git.kernel.org/stable/c/f86293adce0c201cfabb283ef9d6f21292089bb8"
},
{
"url": "https://git.kernel.org/stable/c/5e5e1fcc1b8ed57f902c424c5d9b328a3a19073d"
},
{
"url": "https://git.kernel.org/stable/c/b36a68192037d1614317a09b0d78c7814e2eecf9"
},
{
"url": "https://git.kernel.org/stable/c/b3bf8f63e6179076b57c9de660c9f80b5abefe70"
}
],
"title": "net_sched: sch_sfq: move the limit validation",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-37752",
"datePublished": "2025-05-01T12:55:57.280Z",
"dateReserved": "2025-04-16T04:51:23.937Z",
"dateUpdated": "2026-05-23T15:58:09.118Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-37785 (GCVE-0-2025-37785)
Vulnerability from cvelistv5 – Published: 2025-04-18 07:01 – Updated: 2026-05-11 21:15
VLAI
EPSS
Title
ext4: fix OOB read when checking dotdot dir
Summary
In the Linux kernel, the following vulnerability has been resolved:
ext4: fix OOB read when checking dotdot dir
Mounting a corrupted filesystem with directory which contains '.' dir
entry with rec_len == block size results in out-of-bounds read (later
on, when the corrupted directory is removed).
ext4_empty_dir() assumes every ext4 directory contains at least '.'
and '..' as directory entries in the first data block. It first loads
the '.' dir entry, performs sanity checks by calling ext4_check_dir_entry()
and then uses its rec_len member to compute the location of '..' dir
entry (in ext4_next_entry). It assumes the '..' dir entry fits into the
same data block.
If the rec_len of '.' is precisely one block (4KB), it slips through the
sanity checks (it is considered the last directory entry in the data
block) and leaves "struct ext4_dir_entry_2 *de" point exactly past the
memory slot allocated to the data block. The following call to
ext4_check_dir_entry() on new value of de then dereferences this pointer
which results in out-of-bounds mem access.
Fix this by extending __ext4_check_dir_entry() to check for '.' dir
entries that reach the end of data block. Make sure to ignore the phony
dir entries for checksum (by checking name_len for non-zero).
Note: This is reported by KASAN as use-after-free in case another
structure was recently freed from the slot past the bound, but it is
really an OOB read.
This issue was found by syzkaller tool.
Call Trace:
[ 38.594108] BUG: KASAN: slab-use-after-free in __ext4_check_dir_entry+0x67e/0x710
[ 38.594649] Read of size 2 at addr ffff88802b41a004 by task syz-executor/5375
[ 38.595158]
[ 38.595288] CPU: 0 UID: 0 PID: 5375 Comm: syz-executor Not tainted 6.14.0-rc7 #1
[ 38.595298] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
[ 38.595304] Call Trace:
[ 38.595308] <TASK>
[ 38.595311] dump_stack_lvl+0xa7/0xd0
[ 38.595325] print_address_description.constprop.0+0x2c/0x3f0
[ 38.595339] ? __ext4_check_dir_entry+0x67e/0x710
[ 38.595349] print_report+0xaa/0x250
[ 38.595359] ? __ext4_check_dir_entry+0x67e/0x710
[ 38.595368] ? kasan_addr_to_slab+0x9/0x90
[ 38.595378] kasan_report+0xab/0xe0
[ 38.595389] ? __ext4_check_dir_entry+0x67e/0x710
[ 38.595400] __ext4_check_dir_entry+0x67e/0x710
[ 38.595410] ext4_empty_dir+0x465/0x990
[ 38.595421] ? __pfx_ext4_empty_dir+0x10/0x10
[ 38.595432] ext4_rmdir.part.0+0x29a/0xd10
[ 38.595441] ? __dquot_initialize+0x2a7/0xbf0
[ 38.595455] ? __pfx_ext4_rmdir.part.0+0x10/0x10
[ 38.595464] ? __pfx___dquot_initialize+0x10/0x10
[ 38.595478] ? down_write+0xdb/0x140
[ 38.595487] ? __pfx_down_write+0x10/0x10
[ 38.595497] ext4_rmdir+0xee/0x140
[ 38.595506] vfs_rmdir+0x209/0x670
[ 38.595517] ? lookup_one_qstr_excl+0x3b/0x190
[ 38.595529] do_rmdir+0x363/0x3c0
[ 38.595537] ? __pfx_do_rmdir+0x10/0x10
[ 38.595544] ? strncpy_from_user+0x1ff/0x2e0
[ 38.595561] __x64_sys_unlinkat+0xf0/0x130
[ 38.595570] do_syscall_64+0x5b/0x180
[ 38.595583] entry_SYSCALL_64_after_hwframe+0x76/0x7e
Severity
No CVSS data available.
Assigner
References
11 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
ac27a0ec112a089f1a5102bc8dffc79c8c815571 , < 14da7dbecb430e35b5889da8dae7bef33173b351
(git)
Affected: ac27a0ec112a089f1a5102bc8dffc79c8c815571 , < e47f472a664d70a3d104a6c2a035cdff55a719b4 (git) Affected: ac27a0ec112a089f1a5102bc8dffc79c8c815571 , < b7531a4f99c3887439d778afaf418d1a01a5f01b (git) Affected: ac27a0ec112a089f1a5102bc8dffc79c8c815571 , < 89503e5eae64637d0fa2218912b54660effe7d93 (git) Affected: ac27a0ec112a089f1a5102bc8dffc79c8c815571 , < 52a5509ab19a5d3afe301165d9b5787bba34d842 (git) Affected: ac27a0ec112a089f1a5102bc8dffc79c8c815571 , < b47584c556444cf7acb66b26a62cbc348eb92b78 (git) Affected: ac27a0ec112a089f1a5102bc8dffc79c8c815571 , < ac28c5684c1cdab650a7e5065b19e91577d37a4b (git) Affected: ac27a0ec112a089f1a5102bc8dffc79c8c815571 , < 53bc45da8d8da92ec07877f5922b130562eb4b00 (git) Affected: ac27a0ec112a089f1a5102bc8dffc79c8c815571 , < d5e206778e96e8667d3bde695ad372c296dc9353 (git) |
|
| Linux | Linux |
Affected:
2.6.19
Unaffected: 0 , < 2.6.19 (semver) Unaffected: 5.4.293 , ≤ 5.4.* (semver) Unaffected: 5.10.236 , ≤ 5.10.* (semver) Unaffected: 5.15.180 , ≤ 5.15.* (semver) Unaffected: 6.1.134 , ≤ 6.1.* (semver) Unaffected: 6.6.87 , ≤ 6.6.* (semver) Unaffected: 6.12.23 , ≤ 6.12.* (semver) Unaffected: 6.13.11 , ≤ 6.13.* (semver) Unaffected: 6.14.2 , ≤ 6.14.* (semver) Unaffected: 6.15 , ≤ * (original_commit_for_fix) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:55:07.824Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/ext4/dir.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "14da7dbecb430e35b5889da8dae7bef33173b351",
"status": "affected",
"version": "ac27a0ec112a089f1a5102bc8dffc79c8c815571",
"versionType": "git"
},
{
"lessThan": "e47f472a664d70a3d104a6c2a035cdff55a719b4",
"status": "affected",
"version": "ac27a0ec112a089f1a5102bc8dffc79c8c815571",
"versionType": "git"
},
{
"lessThan": "b7531a4f99c3887439d778afaf418d1a01a5f01b",
"status": "affected",
"version": "ac27a0ec112a089f1a5102bc8dffc79c8c815571",
"versionType": "git"
},
{
"lessThan": "89503e5eae64637d0fa2218912b54660effe7d93",
"status": "affected",
"version": "ac27a0ec112a089f1a5102bc8dffc79c8c815571",
"versionType": "git"
},
{
"lessThan": "52a5509ab19a5d3afe301165d9b5787bba34d842",
"status": "affected",
"version": "ac27a0ec112a089f1a5102bc8dffc79c8c815571",
"versionType": "git"
},
{
"lessThan": "b47584c556444cf7acb66b26a62cbc348eb92b78",
"status": "affected",
"version": "ac27a0ec112a089f1a5102bc8dffc79c8c815571",
"versionType": "git"
},
{
"lessThan": "ac28c5684c1cdab650a7e5065b19e91577d37a4b",
"status": "affected",
"version": "ac27a0ec112a089f1a5102bc8dffc79c8c815571",
"versionType": "git"
},
{
"lessThan": "53bc45da8d8da92ec07877f5922b130562eb4b00",
"status": "affected",
"version": "ac27a0ec112a089f1a5102bc8dffc79c8c815571",
"versionType": "git"
},
{
"lessThan": "d5e206778e96e8667d3bde695ad372c296dc9353",
"status": "affected",
"version": "ac27a0ec112a089f1a5102bc8dffc79c8c815571",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/ext4/dir.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.19"
},
{
"lessThan": "2.6.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.293",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.236",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.180",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.134",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.87",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.23",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.14.*",
"status": "unaffected",
"version": "6.14.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.15",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.293",
"versionStartIncluding": "2.6.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.236",
"versionStartIncluding": "2.6.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.180",
"versionStartIncluding": "2.6.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.134",
"versionStartIncluding": "2.6.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.87",
"versionStartIncluding": "2.6.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.23",
"versionStartIncluding": "2.6.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.11",
"versionStartIncluding": "2.6.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14.2",
"versionStartIncluding": "2.6.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15",
"versionStartIncluding": "2.6.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix OOB read when checking dotdot dir\n\nMounting a corrupted filesystem with directory which contains \u0027.\u0027 dir\nentry with rec_len == block size results in out-of-bounds read (later\non, when the corrupted directory is removed).\n\next4_empty_dir() assumes every ext4 directory contains at least \u0027.\u0027\nand \u0027..\u0027 as directory entries in the first data block. It first loads\nthe \u0027.\u0027 dir entry, performs sanity checks by calling ext4_check_dir_entry()\nand then uses its rec_len member to compute the location of \u0027..\u0027 dir\nentry (in ext4_next_entry). It assumes the \u0027..\u0027 dir entry fits into the\nsame data block.\n\nIf the rec_len of \u0027.\u0027 is precisely one block (4KB), it slips through the\nsanity checks (it is considered the last directory entry in the data\nblock) and leaves \"struct ext4_dir_entry_2 *de\" point exactly past the\nmemory slot allocated to the data block. The following call to\next4_check_dir_entry() on new value of de then dereferences this pointer\nwhich results in out-of-bounds mem access.\n\nFix this by extending __ext4_check_dir_entry() to check for \u0027.\u0027 dir\nentries that reach the end of data block. Make sure to ignore the phony\ndir entries for checksum (by checking name_len for non-zero).\n\nNote: This is reported by KASAN as use-after-free in case another\nstructure was recently freed from the slot past the bound, but it is\nreally an OOB read.\n\nThis issue was found by syzkaller tool.\n\nCall Trace:\n[ 38.594108] BUG: KASAN: slab-use-after-free in __ext4_check_dir_entry+0x67e/0x710\n[ 38.594649] Read of size 2 at addr ffff88802b41a004 by task syz-executor/5375\n[ 38.595158]\n[ 38.595288] CPU: 0 UID: 0 PID: 5375 Comm: syz-executor Not tainted 6.14.0-rc7 #1\n[ 38.595298] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014\n[ 38.595304] Call Trace:\n[ 38.595308] \u003cTASK\u003e\n[ 38.595311] dump_stack_lvl+0xa7/0xd0\n[ 38.595325] print_address_description.constprop.0+0x2c/0x3f0\n[ 38.595339] ? __ext4_check_dir_entry+0x67e/0x710\n[ 38.595349] print_report+0xaa/0x250\n[ 38.595359] ? __ext4_check_dir_entry+0x67e/0x710\n[ 38.595368] ? kasan_addr_to_slab+0x9/0x90\n[ 38.595378] kasan_report+0xab/0xe0\n[ 38.595389] ? __ext4_check_dir_entry+0x67e/0x710\n[ 38.595400] __ext4_check_dir_entry+0x67e/0x710\n[ 38.595410] ext4_empty_dir+0x465/0x990\n[ 38.595421] ? __pfx_ext4_empty_dir+0x10/0x10\n[ 38.595432] ext4_rmdir.part.0+0x29a/0xd10\n[ 38.595441] ? __dquot_initialize+0x2a7/0xbf0\n[ 38.595455] ? __pfx_ext4_rmdir.part.0+0x10/0x10\n[ 38.595464] ? __pfx___dquot_initialize+0x10/0x10\n[ 38.595478] ? down_write+0xdb/0x140\n[ 38.595487] ? __pfx_down_write+0x10/0x10\n[ 38.595497] ext4_rmdir+0xee/0x140\n[ 38.595506] vfs_rmdir+0x209/0x670\n[ 38.595517] ? lookup_one_qstr_excl+0x3b/0x190\n[ 38.595529] do_rmdir+0x363/0x3c0\n[ 38.595537] ? __pfx_do_rmdir+0x10/0x10\n[ 38.595544] ? strncpy_from_user+0x1ff/0x2e0\n[ 38.595561] __x64_sys_unlinkat+0xf0/0x130\n[ 38.595570] do_syscall_64+0x5b/0x180\n[ 38.595583] entry_SYSCALL_64_after_hwframe+0x76/0x7e"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:15:07.857Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/14da7dbecb430e35b5889da8dae7bef33173b351"
},
{
"url": "https://git.kernel.org/stable/c/e47f472a664d70a3d104a6c2a035cdff55a719b4"
},
{
"url": "https://git.kernel.org/stable/c/b7531a4f99c3887439d778afaf418d1a01a5f01b"
},
{
"url": "https://git.kernel.org/stable/c/89503e5eae64637d0fa2218912b54660effe7d93"
},
{
"url": "https://git.kernel.org/stable/c/52a5509ab19a5d3afe301165d9b5787bba34d842"
},
{
"url": "https://git.kernel.org/stable/c/b47584c556444cf7acb66b26a62cbc348eb92b78"
},
{
"url": "https://git.kernel.org/stable/c/ac28c5684c1cdab650a7e5065b19e91577d37a4b"
},
{
"url": "https://git.kernel.org/stable/c/53bc45da8d8da92ec07877f5922b130562eb4b00"
},
{
"url": "https://git.kernel.org/stable/c/d5e206778e96e8667d3bde695ad372c296dc9353"
}
],
"title": "ext4: fix OOB read when checking dotdot dir",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-37785",
"datePublished": "2025-04-18T07:01:27.393Z",
"dateReserved": "2025-04-16T04:51:23.940Z",
"dateUpdated": "2026-05-11T21:15:07.857Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-37838 (GCVE-0-2025-37838)
Vulnerability from cvelistv5 – Published: 2025-04-18 14:20 – Updated: 2026-05-11 21:16
VLAI
EPSS
Title
HSI: ssi_protocol: Fix use after free vulnerability in ssi_protocol Driver Due to Race Condition
Summary
In the Linux kernel, the following vulnerability has been resolved:
HSI: ssi_protocol: Fix use after free vulnerability in ssi_protocol Driver Due to Race Condition
In the ssi_protocol_probe() function, &ssi->work is bound with
ssip_xmit_work(), In ssip_pn_setup(), the ssip_pn_xmit() function
within the ssip_pn_ops structure is capable of starting the
work.
If we remove the module which will call ssi_protocol_remove()
to make a cleanup, it will free ssi through kfree(ssi),
while the work mentioned above will be used. The sequence
of operations that may lead to a UAF bug is as follows:
CPU0 CPU1
| ssip_xmit_work
ssi_protocol_remove |
kfree(ssi); |
| struct hsi_client *cl = ssi->cl;
| // use ssi
Fix it by ensuring that the work is canceled before proceeding
with the cleanup in ssi_protocol_remove().
Severity
7.8 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-416 - Use After Free
Assigner
References
11 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
df26d639e2f4628732a8da5a0f71e4e652ce809b , < d03abc1c2b21324550fa71e12d53e7d3498e0af6
(git)
Affected: df26d639e2f4628732a8da5a0f71e4e652ce809b , < 4a8c29beb8a02b5a0a9d77d608aa14b6f88a6b86 (git) Affected: df26d639e2f4628732a8da5a0f71e4e652ce809b , < 72972552d0d0bfeb2dec5daf343a19018db36ffa (git) Affected: df26d639e2f4628732a8da5a0f71e4e652ce809b , < d58493832e284f066e559b8da5ab20c15a2801d3 (git) Affected: df26d639e2f4628732a8da5a0f71e4e652ce809b , < 58eb29dba712ab0f13af59ca2fe545f5ce360e78 (git) Affected: df26d639e2f4628732a8da5a0f71e4e652ce809b , < ae5a6a0b425e8f76a9f0677e50796e494e89b088 (git) Affected: df26d639e2f4628732a8da5a0f71e4e652ce809b , < 834e602d0cc7c743bfce734fad4a46cefc0f9ab1 (git) Affected: df26d639e2f4628732a8da5a0f71e4e652ce809b , < 4b4194c9a7a8f92db39e8e86c85f4fb12ebbec4f (git) Affected: df26d639e2f4628732a8da5a0f71e4e652ce809b , < e3f88665a78045fe35c7669d2926b8d97b892c11 (git) |
|
| Linux | Linux |
Affected:
4.8
Unaffected: 0 , < 4.8 (semver) Unaffected: 5.4.293 , ≤ 5.4.* (semver) Unaffected: 5.10.237 , ≤ 5.10.* (semver) Unaffected: 5.15.181 , ≤ 5.15.* (semver) Unaffected: 6.1.135 , ≤ 6.1.* (semver) Unaffected: 6.6.88 , ≤ 6.6.* (semver) Unaffected: 6.12.24 , ≤ 6.12.* (semver) Unaffected: 6.13.12 , ≤ 6.13.* (semver) Unaffected: 6.14.3 , ≤ 6.14.* (semver) Unaffected: 6.15 , ≤ * (original_commit_for_fix) |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-37838",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-21T14:38:43.871416Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-21T14:41:43.037Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:56:09.541Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/hsi/clients/ssi_protocol.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d03abc1c2b21324550fa71e12d53e7d3498e0af6",
"status": "affected",
"version": "df26d639e2f4628732a8da5a0f71e4e652ce809b",
"versionType": "git"
},
{
"lessThan": "4a8c29beb8a02b5a0a9d77d608aa14b6f88a6b86",
"status": "affected",
"version": "df26d639e2f4628732a8da5a0f71e4e652ce809b",
"versionType": "git"
},
{
"lessThan": "72972552d0d0bfeb2dec5daf343a19018db36ffa",
"status": "affected",
"version": "df26d639e2f4628732a8da5a0f71e4e652ce809b",
"versionType": "git"
},
{
"lessThan": "d58493832e284f066e559b8da5ab20c15a2801d3",
"status": "affected",
"version": "df26d639e2f4628732a8da5a0f71e4e652ce809b",
"versionType": "git"
},
{
"lessThan": "58eb29dba712ab0f13af59ca2fe545f5ce360e78",
"status": "affected",
"version": "df26d639e2f4628732a8da5a0f71e4e652ce809b",
"versionType": "git"
},
{
"lessThan": "ae5a6a0b425e8f76a9f0677e50796e494e89b088",
"status": "affected",
"version": "df26d639e2f4628732a8da5a0f71e4e652ce809b",
"versionType": "git"
},
{
"lessThan": "834e602d0cc7c743bfce734fad4a46cefc0f9ab1",
"status": "affected",
"version": "df26d639e2f4628732a8da5a0f71e4e652ce809b",
"versionType": "git"
},
{
"lessThan": "4b4194c9a7a8f92db39e8e86c85f4fb12ebbec4f",
"status": "affected",
"version": "df26d639e2f4628732a8da5a0f71e4e652ce809b",
"versionType": "git"
},
{
"lessThan": "e3f88665a78045fe35c7669d2926b8d97b892c11",
"status": "affected",
"version": "df26d639e2f4628732a8da5a0f71e4e652ce809b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/hsi/clients/ssi_protocol.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.8"
},
{
"lessThan": "4.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.293",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.237",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.181",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.135",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.88",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.24",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.14.*",
"status": "unaffected",
"version": "6.14.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.15",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.293",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.237",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.181",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.135",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.88",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.24",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.12",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14.3",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15",
"versionStartIncluding": "4.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nHSI: ssi_protocol: Fix use after free vulnerability in ssi_protocol Driver Due to Race Condition\n\nIn the ssi_protocol_probe() function, \u0026ssi-\u003ework is bound with\nssip_xmit_work(), In ssip_pn_setup(), the ssip_pn_xmit() function\nwithin the ssip_pn_ops structure is capable of starting the\nwork.\n\nIf we remove the module which will call ssi_protocol_remove()\nto make a cleanup, it will free ssi through kfree(ssi),\nwhile the work mentioned above will be used. The sequence\nof operations that may lead to a UAF bug is as follows:\n\nCPU0 CPU1\n\n | ssip_xmit_work\nssi_protocol_remove |\nkfree(ssi); |\n | struct hsi_client *cl = ssi-\u003ecl;\n | // use ssi\n\nFix it by ensuring that the work is canceled before proceeding\nwith the cleanup in ssi_protocol_remove()."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:16:05.252Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d03abc1c2b21324550fa71e12d53e7d3498e0af6"
},
{
"url": "https://git.kernel.org/stable/c/4a8c29beb8a02b5a0a9d77d608aa14b6f88a6b86"
},
{
"url": "https://git.kernel.org/stable/c/72972552d0d0bfeb2dec5daf343a19018db36ffa"
},
{
"url": "https://git.kernel.org/stable/c/d58493832e284f066e559b8da5ab20c15a2801d3"
},
{
"url": "https://git.kernel.org/stable/c/58eb29dba712ab0f13af59ca2fe545f5ce360e78"
},
{
"url": "https://git.kernel.org/stable/c/ae5a6a0b425e8f76a9f0677e50796e494e89b088"
},
{
"url": "https://git.kernel.org/stable/c/834e602d0cc7c743bfce734fad4a46cefc0f9ab1"
},
{
"url": "https://git.kernel.org/stable/c/4b4194c9a7a8f92db39e8e86c85f4fb12ebbec4f"
},
{
"url": "https://git.kernel.org/stable/c/e3f88665a78045fe35c7669d2926b8d97b892c11"
}
],
"title": "HSI: ssi_protocol: Fix use after free vulnerability in ssi_protocol Driver Due to Race Condition",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-37838",
"datePublished": "2025-04-18T14:20:55.389Z",
"dateReserved": "2025-04-16T04:51:23.952Z",
"dateUpdated": "2026-05-11T21:16:05.252Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Loading…
Trend slope:
-
(linear fit over daily sighting counts)
Show additional events:
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…