Vulnerability-Lookup

CERTFR-2025-AVI-1048

Vulnerability from certfr_avis - Published: 2025-11-28 - Updated: 2025-11-28

De multiples vulnérabilités ont été découvertes dans le noyau Linux de Debian LTS. Certaines d'entre elles permettent à un attaquant de provoquer une élévation de privilèges, une atteinte à la confidentialité des données et une atteinte à l'intégrité des données.

Solutions

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

Impacted products

	Vendor	Product	Description
	Debian	Debian	Debian LTS bullseye versions antérieures à 6.1.158-1~deb11u1

References

Title

Publication Time

CVE-2025-40197 (GCVE-0-2025-40197)

Vulnerability from cvelistv5 – Published: 2025-11-12 21:56 – Updated: 2026-05-23 16:01

Title

media: mc: Clear minor number before put device

Summary

In the Linux kernel, the following vulnerability has been resolved: media: mc: Clear minor number before put device The device minor should not be cleared after the device is released.

Severity

No CVSS data available.

Assigner

Linux

References

8 references

URL	Tags
https://git.kernel.org/stable/c/dd156f44ea82cc249…
https://git.kernel.org/stable/c/64dbc6f50ce92b7da…
https://git.kernel.org/stable/c/5d327391f9fafeb09…
https://git.kernel.org/stable/c/8f52c7f38f0f2ee2a…
https://git.kernel.org/stable/c/7bd4e5367d0940cce…
https://git.kernel.org/stable/c/7db47e737128b3585…
https://git.kernel.org/stable/c/ac01416d477c2dc60…
https://git.kernel.org/stable/c/8cfc8cec1b4da88a4…

Impacted products

2 products

Vendor	Product	Version
Linux	Linux	Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < dd156f44ea82cc249f46c519eed3b2f8983c8002 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 64dbc6f50ce92b7da203b1bcdd96a370bbc9b74d (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 5d327391f9fafeb0938be4fc538dd0bd54a0b2ef (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 8f52c7f38f0f2ee2afc331e6b873acba5e9490a8 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 7bd4e5367d0940ccec4d7546bb6bd019ab2c71aa (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 7db47e737128b3585ae679b709b85f3f44cd8750 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < ac01416d477c2dc6016782635ae022f8cc634a29 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 8cfc8cec1b4da88a47c243a11f384baefd092a50 (git) Affected: 0 , < 5.4.301 (semver) Affected: 0 , < 5.10.246 (semver) Affected: 0 , < 5.15.195 (semver) Affected: 0 , < 6.1.157 (semver) Affected: 0 , < 6.6.113 (semver) Affected: 0 , < 6.12.54 (semver) Affected: 0 , < 6.17.4 (semver)
Linux	Linux	Unaffected: 5.4.301 , ≤ 5.4.* (semver) Unaffected: 5.10.246 , ≤ 5.10.* (semver) Unaffected: 5.15.195 , ≤ 5.15.* (semver) Unaffected: 6.1.157 , ≤ 6.1.* (semver) Unaffected: 6.6.113 , ≤ 6.6.* (semver) Unaffected: 6.12.54 , ≤ 6.12.* (semver) Unaffected: 6.17.4 , ≤ 6.17.* (semver) Unaffected: 6.18 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/media/mc/mc-devnode.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "dd156f44ea82cc249f46c519eed3b2f8983c8002",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "64dbc6f50ce92b7da203b1bcdd96a370bbc9b74d",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "5d327391f9fafeb0938be4fc538dd0bd54a0b2ef",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "8f52c7f38f0f2ee2afc331e6b873acba5e9490a8",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "7bd4e5367d0940ccec4d7546bb6bd019ab2c71aa",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "7db47e737128b3585ae679b709b85f3f44cd8750",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "ac01416d477c2dc6016782635ae022f8cc634a29",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "8cfc8cec1b4da88a47c243a11f384baefd092a50",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "5.4.301",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThan": "5.10.246",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThan": "5.15.195",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThan": "6.1.157",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThan": "6.6.113",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThan": "6.12.54",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThan": "6.17.4",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/media/mc/mc-devnode.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.301",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.246",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.195",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.157",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.113",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.54",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.301",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.246",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.195",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.157",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.113",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.54",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: mc: Clear minor number before put device\n\nThe device minor should not be cleared after the device is released."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-23T16:01:38.372Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/dd156f44ea82cc249f46c519eed3b2f8983c8002"
        },
        {
          "url": "https://git.kernel.org/stable/c/64dbc6f50ce92b7da203b1bcdd96a370bbc9b74d"
        },
        {
          "url": "https://git.kernel.org/stable/c/5d327391f9fafeb0938be4fc538dd0bd54a0b2ef"
        },
        {
          "url": "https://git.kernel.org/stable/c/8f52c7f38f0f2ee2afc331e6b873acba5e9490a8"
        },
        {
          "url": "https://git.kernel.org/stable/c/7bd4e5367d0940ccec4d7546bb6bd019ab2c71aa"
        },
        {
          "url": "https://git.kernel.org/stable/c/7db47e737128b3585ae679b709b85f3f44cd8750"
        },
        {
          "url": "https://git.kernel.org/stable/c/ac01416d477c2dc6016782635ae022f8cc634a29"
        },
        {
          "url": "https://git.kernel.org/stable/c/8cfc8cec1b4da88a47c243a11f384baefd092a50"
        }
      ],
      "title": "media: mc: Clear minor number before put device",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-40197",
    "datePublished": "2025-11-12T21:56:32.852Z",
    "dateReserved": "2025-04-16T07:20:57.178Z",
    "dateUpdated": "2026-05-23T16:01:38.372Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-40198 (GCVE-0-2025-40198)

Vulnerability from cvelistv5 – Published: 2025-11-12 21:56 – Updated: 2026-05-11 21:44

Title

ext4: avoid potential buffer over-read in parse_apply_sb_mount_options()

Summary

In the Linux kernel, the following vulnerability has been resolved: ext4: avoid potential buffer over-read in parse_apply_sb_mount_options() Unlike other strings in the ext4 superblock, we rely on tune2fs to make sure s_mount_opts is NUL terminated. Harden parse_apply_sb_mount_options() by treating s_mount_opts as a potential __nonstring.

Severity

No CVSS data available.

Assigner

Linux

References

7 references

URL	Tags
https://git.kernel.org/stable/c/7bf46ff83a0ef1183…
https://git.kernel.org/stable/c/b2bac84fde28fb6a8…
https://git.kernel.org/stable/c/e651294218d268430…
https://git.kernel.org/stable/c/01829af7656b56d83…
https://git.kernel.org/stable/c/2a0cf438320cdb783…
https://git.kernel.org/stable/c/a6e94557cd05adc82…
https://git.kernel.org/stable/c/8ecb790ea8c3fc69e…

Impacted products

2 products

Vendor	Product	Version
Linux	Linux	Affected: 8b67f04ab9de5d8f3a71aef72bf02c995a506db5 , < 7bf46ff83a0ef11836e38ebd72cdc5107209342d (git) Affected: 8b67f04ab9de5d8f3a71aef72bf02c995a506db5 , < b2bac84fde28fb6a88817b8b761abda17a1d300b (git) Affected: 8b67f04ab9de5d8f3a71aef72bf02c995a506db5 , < e651294218d2684302ee5ed95ccf381646f3e5b4 (git) Affected: 8b67f04ab9de5d8f3a71aef72bf02c995a506db5 , < 01829af7656b56d83682b3491265d583d502e502 (git) Affected: 8b67f04ab9de5d8f3a71aef72bf02c995a506db5 , < 2a0cf438320cdb783e0378570744c0ef0d83e934 (git) Affected: 8b67f04ab9de5d8f3a71aef72bf02c995a506db5 , < a6e94557cd05adc82fae0400f6e17745563e5412 (git) Affected: 8b67f04ab9de5d8f3a71aef72bf02c995a506db5 , < 8ecb790ea8c3fc69e77bace57f14cf0d7c177bd8 (git)
Linux	Linux	Affected: 2.6.36 Unaffected: 0 , < 2.6.36 (semver) Unaffected: 5.4.301 , ≤ 5.4.* (semver) Unaffected: 5.10.246 , ≤ 5.10.* (semver) Unaffected: 6.1.158 , ≤ 6.1.* (semver) Unaffected: 6.6.114 , ≤ 6.6.* (semver) Unaffected: 6.12.54 , ≤ 6.12.* (semver) Unaffected: 6.17.4 , ≤ 6.17.* (semver) Unaffected: 6.18 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/ext4/super.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "7bf46ff83a0ef11836e38ebd72cdc5107209342d",
              "status": "affected",
              "version": "8b67f04ab9de5d8f3a71aef72bf02c995a506db5",
              "versionType": "git"
            },
            {
              "lessThan": "b2bac84fde28fb6a88817b8b761abda17a1d300b",
              "status": "affected",
              "version": "8b67f04ab9de5d8f3a71aef72bf02c995a506db5",
              "versionType": "git"
            },
            {
              "lessThan": "e651294218d2684302ee5ed95ccf381646f3e5b4",
              "status": "affected",
              "version": "8b67f04ab9de5d8f3a71aef72bf02c995a506db5",
              "versionType": "git"
            },
            {
              "lessThan": "01829af7656b56d83682b3491265d583d502e502",
              "status": "affected",
              "version": "8b67f04ab9de5d8f3a71aef72bf02c995a506db5",
              "versionType": "git"
            },
            {
              "lessThan": "2a0cf438320cdb783e0378570744c0ef0d83e934",
              "status": "affected",
              "version": "8b67f04ab9de5d8f3a71aef72bf02c995a506db5",
              "versionType": "git"
            },
            {
              "lessThan": "a6e94557cd05adc82fae0400f6e17745563e5412",
              "status": "affected",
              "version": "8b67f04ab9de5d8f3a71aef72bf02c995a506db5",
              "versionType": "git"
            },
            {
              "lessThan": "8ecb790ea8c3fc69e77bace57f14cf0d7c177bd8",
              "status": "affected",
              "version": "8b67f04ab9de5d8f3a71aef72bf02c995a506db5",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/ext4/super.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.36"
            },
            {
              "lessThan": "2.6.36",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.301",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.246",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.158",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.114",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.54",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.301",
                  "versionStartIncluding": "2.6.36",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.246",
                  "versionStartIncluding": "2.6.36",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.158",
                  "versionStartIncluding": "2.6.36",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.114",
                  "versionStartIncluding": "2.6.36",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.54",
                  "versionStartIncluding": "2.6.36",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.4",
                  "versionStartIncluding": "2.6.36",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "2.6.36",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: avoid potential buffer over-read in parse_apply_sb_mount_options()\n\nUnlike other strings in the ext4 superblock, we rely on tune2fs to\nmake sure s_mount_opts is NUL terminated.  Harden\nparse_apply_sb_mount_options() by treating s_mount_opts as a potential\n__nonstring."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T21:44:39.405Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/7bf46ff83a0ef11836e38ebd72cdc5107209342d"
        },
        {
          "url": "https://git.kernel.org/stable/c/b2bac84fde28fb6a88817b8b761abda17a1d300b"
        },
        {
          "url": "https://git.kernel.org/stable/c/e651294218d2684302ee5ed95ccf381646f3e5b4"
        },
        {
          "url": "https://git.kernel.org/stable/c/01829af7656b56d83682b3491265d583d502e502"
        },
        {
          "url": "https://git.kernel.org/stable/c/2a0cf438320cdb783e0378570744c0ef0d83e934"
        },
        {
          "url": "https://git.kernel.org/stable/c/a6e94557cd05adc82fae0400f6e17745563e5412"
        },
        {
          "url": "https://git.kernel.org/stable/c/8ecb790ea8c3fc69e77bace57f14cf0d7c177bd8"
        }
      ],
      "title": "ext4: avoid potential buffer over-read in parse_apply_sb_mount_options()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-40198",
    "datePublished": "2025-11-12T21:56:33.220Z",
    "dateReserved": "2025-04-16T07:20:57.178Z",
    "dateUpdated": "2026-05-11T21:44:39.405Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-40200 (GCVE-0-2025-40200)

Vulnerability from cvelistv5 – Published: 2025-11-12 21:56 – Updated: 2026-05-11 21:44

Title

Squashfs: reject negative file sizes in squashfs_read_inode()

Summary

In the Linux kernel, the following vulnerability has been resolved: Squashfs: reject negative file sizes in squashfs_read_inode() Syskaller reports a "WARNING in ovl_copy_up_file" in overlayfs. This warning is ultimately caused because the underlying Squashfs file system returns a file with a negative file size. This commit checks for a negative file size and returns EINVAL. [phillip@squashfs.org.uk: only need to check 64 bit quantity]

Severity

No CVSS data available.

Assigner

Linux

References

8 references

URL	Tags
https://git.kernel.org/stable/c/54170057a5fadd24a…
https://git.kernel.org/stable/c/2871c74caa3f4f05b…
https://git.kernel.org/stable/c/fbfc745db628de31f…
https://git.kernel.org/stable/c/8118f661248958294…
https://git.kernel.org/stable/c/8c7aad76751816207…
https://git.kernel.org/stable/c/875fb3f87ae0225b8…
https://git.kernel.org/stable/c/f271155ff31aca8ef…
https://git.kernel.org/stable/c/9f1c14c1de1bdde39…

Impacted products

2 products

Vendor	Product	Version
Linux	Linux	Affected: 6545b246a2c815a8fcd07d58240effb6ec3481b1 , < 54170057a5fadd24a37b70de41e61d39284d9bd7 (git) Affected: 6545b246a2c815a8fcd07d58240effb6ec3481b1 , < 2871c74caa3f4f05b429e6bfefebac62dbf1b408 (git) Affected: 6545b246a2c815a8fcd07d58240effb6ec3481b1 , < fbfc745db628de31f5c089147deeb87e95b89e66 (git) Affected: 6545b246a2c815a8fcd07d58240effb6ec3481b1 , < 8118f66124895829443d09c207e654adcb2f9321 (git) Affected: 6545b246a2c815a8fcd07d58240effb6ec3481b1 , < 8c7aad76751816207fee556d44aa88a710824810 (git) Affected: 6545b246a2c815a8fcd07d58240effb6ec3481b1 , < 875fb3f87ae0225b881319ba016a1a8c4ffd5812 (git) Affected: 6545b246a2c815a8fcd07d58240effb6ec3481b1 , < f271155ff31aca8ef82c61c8df23ca97e9a77dd4 (git) Affected: 6545b246a2c815a8fcd07d58240effb6ec3481b1 , < 9f1c14c1de1bdde395f6cc893efa4f80a2ae3b2b (git)
Linux	Linux	Affected: 2.6.29 Unaffected: 0 , < 2.6.29 (semver) Unaffected: 5.4.301 , ≤ 5.4.* (semver) Unaffected: 5.10.246 , ≤ 5.10.* (semver) Unaffected: 5.15.195 , ≤ 5.15.* (semver) Unaffected: 6.1.157 , ≤ 6.1.* (semver) Unaffected: 6.6.113 , ≤ 6.6.* (semver) Unaffected: 6.12.54 , ≤ 6.12.* (semver) Unaffected: 6.17.4 , ≤ 6.17.* (semver) Unaffected: 6.18 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/squashfs/inode.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "54170057a5fadd24a37b70de41e61d39284d9bd7",
              "status": "affected",
              "version": "6545b246a2c815a8fcd07d58240effb6ec3481b1",
              "versionType": "git"
            },
            {
              "lessThan": "2871c74caa3f4f05b429e6bfefebac62dbf1b408",
              "status": "affected",
              "version": "6545b246a2c815a8fcd07d58240effb6ec3481b1",
              "versionType": "git"
            },
            {
              "lessThan": "fbfc745db628de31f5c089147deeb87e95b89e66",
              "status": "affected",
              "version": "6545b246a2c815a8fcd07d58240effb6ec3481b1",
              "versionType": "git"
            },
            {
              "lessThan": "8118f66124895829443d09c207e654adcb2f9321",
              "status": "affected",
              "version": "6545b246a2c815a8fcd07d58240effb6ec3481b1",
              "versionType": "git"
            },
            {
              "lessThan": "8c7aad76751816207fee556d44aa88a710824810",
              "status": "affected",
              "version": "6545b246a2c815a8fcd07d58240effb6ec3481b1",
              "versionType": "git"
            },
            {
              "lessThan": "875fb3f87ae0225b881319ba016a1a8c4ffd5812",
              "status": "affected",
              "version": "6545b246a2c815a8fcd07d58240effb6ec3481b1",
              "versionType": "git"
            },
            {
              "lessThan": "f271155ff31aca8ef82c61c8df23ca97e9a77dd4",
              "status": "affected",
              "version": "6545b246a2c815a8fcd07d58240effb6ec3481b1",
              "versionType": "git"
            },
            {
              "lessThan": "9f1c14c1de1bdde395f6cc893efa4f80a2ae3b2b",
              "status": "affected",
              "version": "6545b246a2c815a8fcd07d58240effb6ec3481b1",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/squashfs/inode.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.29"
            },
            {
              "lessThan": "2.6.29",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.301",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.246",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.195",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.157",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.113",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.54",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.301",
                  "versionStartIncluding": "2.6.29",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.246",
                  "versionStartIncluding": "2.6.29",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.195",
                  "versionStartIncluding": "2.6.29",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.157",
                  "versionStartIncluding": "2.6.29",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.113",
                  "versionStartIncluding": "2.6.29",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.54",
                  "versionStartIncluding": "2.6.29",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.4",
                  "versionStartIncluding": "2.6.29",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "2.6.29",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nSquashfs: reject negative file sizes in squashfs_read_inode()\n\nSyskaller reports a \"WARNING in ovl_copy_up_file\" in overlayfs.\n\nThis warning is ultimately caused because the underlying Squashfs file\nsystem returns a file with a negative file size.\n\nThis commit checks for a negative file size and returns EINVAL.\n\n[phillip@squashfs.org.uk: only need to check 64 bit quantity]"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T21:44:41.773Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/54170057a5fadd24a37b70de41e61d39284d9bd7"
        },
        {
          "url": "https://git.kernel.org/stable/c/2871c74caa3f4f05b429e6bfefebac62dbf1b408"
        },
        {
          "url": "https://git.kernel.org/stable/c/fbfc745db628de31f5c089147deeb87e95b89e66"
        },
        {
          "url": "https://git.kernel.org/stable/c/8118f66124895829443d09c207e654adcb2f9321"
        },
        {
          "url": "https://git.kernel.org/stable/c/8c7aad76751816207fee556d44aa88a710824810"
        },
        {
          "url": "https://git.kernel.org/stable/c/875fb3f87ae0225b881319ba016a1a8c4ffd5812"
        },
        {
          "url": "https://git.kernel.org/stable/c/f271155ff31aca8ef82c61c8df23ca97e9a77dd4"
        },
        {
          "url": "https://git.kernel.org/stable/c/9f1c14c1de1bdde395f6cc893efa4f80a2ae3b2b"
        }
      ],
      "title": "Squashfs: reject negative file sizes in squashfs_read_inode()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-40200",
    "datePublished": "2025-11-12T21:56:33.783Z",
    "dateReserved": "2025-04-16T07:20:57.178Z",
    "dateUpdated": "2026-05-11T21:44:41.773Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-40201 (GCVE-0-2025-40201)

Vulnerability from cvelistv5 – Published: 2025-11-12 21:56 – Updated: 2026-05-11 21:44

Title

kernel/sys.c: fix the racy usage of task_lock(tsk->group_leader) in sys_prlimit64() paths

Summary

In the Linux kernel, the following vulnerability has been resolved: kernel/sys.c: fix the racy usage of task_lock(tsk->group_leader) in sys_prlimit64() paths The usage of task_lock(tsk->group_leader) in sys_prlimit64()->do_prlimit() path is very broken. sys_prlimit64() does get_task_struct(tsk) but this only protects task_struct itself. If tsk != current and tsk is not a leader, this process can exit/exec and task_lock(tsk->group_leader) may use the already freed task_struct. Another problem is that sys_prlimit64() can race with mt-exec which changes ->group_leader. In this case do_prlimit() may take the wrong lock, or (worse) ->group_leader may change between task_lock() and task_unlock(). Change sys_prlimit64() to take tasklist_lock when necessary. This is not nice, but I don't see a better fix for -stable.

Severity

No CVSS data available.

Assigner

Linux

References

5 references

URL	Tags
https://git.kernel.org/stable/c/1bc0d9315ef5296ab…
https://git.kernel.org/stable/c/132f827e7bac7373e…
https://git.kernel.org/stable/c/19b45c84bd9fd42fa…
https://git.kernel.org/stable/c/6796412decd2d8de8…
https://git.kernel.org/stable/c/a15f37a40145c986c…

Impacted products

2 products

Vendor	Product	Version
Linux	Linux	Affected: 18c91bb2d87268d23868bf13508f5bc9cf04e89a , < 1bc0d9315ef5296abb2c9fd840336255850ded18 (git) Affected: 18c91bb2d87268d23868bf13508f5bc9cf04e89a , < 132f827e7bac7373e1522e89709d70b43cae5342 (git) Affected: 18c91bb2d87268d23868bf13508f5bc9cf04e89a , < 19b45c84bd9fd42fa97ff80c6350d604cb871c75 (git) Affected: 18c91bb2d87268d23868bf13508f5bc9cf04e89a , < 6796412decd2d8de8ec708213bbc958fab72f143 (git) Affected: 18c91bb2d87268d23868bf13508f5bc9cf04e89a , < a15f37a40145c986cdf289a4b88390f35efdecc4 (git)
Linux	Linux	Affected: 5.18 Unaffected: 0 , < 5.18 (semver) Unaffected: 6.1.157 , ≤ 6.1.* (semver) Unaffected: 6.6.113 , ≤ 6.6.* (semver) Unaffected: 6.12.54 , ≤ 6.12.* (semver) Unaffected: 6.17.4 , ≤ 6.17.* (semver) Unaffected: 6.18 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "kernel/sys.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "1bc0d9315ef5296abb2c9fd840336255850ded18",
              "status": "affected",
              "version": "18c91bb2d87268d23868bf13508f5bc9cf04e89a",
              "versionType": "git"
            },
            {
              "lessThan": "132f827e7bac7373e1522e89709d70b43cae5342",
              "status": "affected",
              "version": "18c91bb2d87268d23868bf13508f5bc9cf04e89a",
              "versionType": "git"
            },
            {
              "lessThan": "19b45c84bd9fd42fa97ff80c6350d604cb871c75",
              "status": "affected",
              "version": "18c91bb2d87268d23868bf13508f5bc9cf04e89a",
              "versionType": "git"
            },
            {
              "lessThan": "6796412decd2d8de8ec708213bbc958fab72f143",
              "status": "affected",
              "version": "18c91bb2d87268d23868bf13508f5bc9cf04e89a",
              "versionType": "git"
            },
            {
              "lessThan": "a15f37a40145c986cdf289a4b88390f35efdecc4",
              "status": "affected",
              "version": "18c91bb2d87268d23868bf13508f5bc9cf04e89a",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "kernel/sys.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.18"
            },
            {
              "lessThan": "5.18",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.157",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.113",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.54",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.157",
                  "versionStartIncluding": "5.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.113",
                  "versionStartIncluding": "5.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.54",
                  "versionStartIncluding": "5.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.4",
                  "versionStartIncluding": "5.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "5.18",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nkernel/sys.c: fix the racy usage of task_lock(tsk-\u003egroup_leader) in sys_prlimit64() paths\n\nThe usage of task_lock(tsk-\u003egroup_leader) in sys_prlimit64()-\u003edo_prlimit()\npath is very broken.\n\nsys_prlimit64() does get_task_struct(tsk) but this only protects task_struct\nitself. If tsk != current and tsk is not a leader, this process can exit/exec\nand task_lock(tsk-\u003egroup_leader) may use the already freed task_struct.\n\nAnother problem is that sys_prlimit64() can race with mt-exec which changes\n-\u003egroup_leader. In this case do_prlimit() may take the wrong lock, or (worse)\n-\u003egroup_leader may change between task_lock() and task_unlock().\n\nChange sys_prlimit64() to take tasklist_lock when necessary. This is not\nnice, but I don\u0027t see a better fix for -stable."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T21:44:42.955Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/1bc0d9315ef5296abb2c9fd840336255850ded18"
        },
        {
          "url": "https://git.kernel.org/stable/c/132f827e7bac7373e1522e89709d70b43cae5342"
        },
        {
          "url": "https://git.kernel.org/stable/c/19b45c84bd9fd42fa97ff80c6350d604cb871c75"
        },
        {
          "url": "https://git.kernel.org/stable/c/6796412decd2d8de8ec708213bbc958fab72f143"
        },
        {
          "url": "https://git.kernel.org/stable/c/a15f37a40145c986cdf289a4b88390f35efdecc4"
        }
      ],
      "title": "kernel/sys.c: fix the racy usage of task_lock(tsk-\u003egroup_leader) in sys_prlimit64() paths",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-40201",
    "datePublished": "2025-11-12T21:56:34.063Z",
    "dateReserved": "2025-04-16T07:20:57.178Z",
    "dateUpdated": "2026-05-11T21:44:42.955Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-40202 (GCVE-0-2025-40202)

Vulnerability from cvelistv5 – Published: 2025-11-12 21:56 – Updated: 2026-05-11 21:44

Title

ipmi: Rework user message limit handling

Summary

In the Linux kernel, the following vulnerability has been resolved: ipmi: Rework user message limit handling The limit on the number of user messages had a number of issues, improper counting in some cases and a use after free. Restructure how this is all done to handle more in the receive message allocation routine, so all refcouting and user message limit counts are done in that routine. It's a lot cleaner and safer.

Severity

No CVSS data available.

Assigner

Linux

References

5 references

URL	Tags
https://git.kernel.org/stable/c/f63723ca7d7623f9d…
https://git.kernel.org/stable/c/348121b29594d42d1…
https://git.kernel.org/stable/c/53d6e403affbf6df2…
https://git.kernel.org/stable/c/0ed73be9a2547ffb9…
https://git.kernel.org/stable/c/b52da4054ee0bf9ec…

Impacted products

2 products

Vendor	Product	Version
Linux	Linux	Affected: 8e76741c3d8b20dfa2d6c30fa10ff927cfd93d82 , < f63723ca7d7623f9dae1990973cd158671f03c56 (git) Affected: 8e76741c3d8b20dfa2d6c30fa10ff927cfd93d82 , < 348121b29594d42d1635648fd3ed31dfa25351d5 (git) Affected: 8e76741c3d8b20dfa2d6c30fa10ff927cfd93d82 , < 53d6e403affbf6df2c859a0ea00ccfc1e72090ca (git) Affected: 8e76741c3d8b20dfa2d6c30fa10ff927cfd93d82 , < 0ed73be9a2547ffb9b5c1d879ad9bfab73d920b5 (git) Affected: 8e76741c3d8b20dfa2d6c30fa10ff927cfd93d82 , < b52da4054ee0bf9ecb44996f2c83236ff50b3812 (git)
Linux	Linux	Affected: 5.19 Unaffected: 0 , < 5.19 (semver) Unaffected: 6.1.157 , ≤ 6.1.* (semver) Unaffected: 6.6.113 , ≤ 6.6.* (semver) Unaffected: 6.12.54 , ≤ 6.12.* (semver) Unaffected: 6.17.4 , ≤ 6.17.* (semver) Unaffected: 6.18 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/char/ipmi/ipmi_msghandler.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "f63723ca7d7623f9dae1990973cd158671f03c56",
              "status": "affected",
              "version": "8e76741c3d8b20dfa2d6c30fa10ff927cfd93d82",
              "versionType": "git"
            },
            {
              "lessThan": "348121b29594d42d1635648fd3ed31dfa25351d5",
              "status": "affected",
              "version": "8e76741c3d8b20dfa2d6c30fa10ff927cfd93d82",
              "versionType": "git"
            },
            {
              "lessThan": "53d6e403affbf6df2c859a0ea00ccfc1e72090ca",
              "status": "affected",
              "version": "8e76741c3d8b20dfa2d6c30fa10ff927cfd93d82",
              "versionType": "git"
            },
            {
              "lessThan": "0ed73be9a2547ffb9b5c1d879ad9bfab73d920b5",
              "status": "affected",
              "version": "8e76741c3d8b20dfa2d6c30fa10ff927cfd93d82",
              "versionType": "git"
            },
            {
              "lessThan": "b52da4054ee0bf9ecb44996f2c83236ff50b3812",
              "status": "affected",
              "version": "8e76741c3d8b20dfa2d6c30fa10ff927cfd93d82",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/char/ipmi/ipmi_msghandler.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.19"
            },
            {
              "lessThan": "5.19",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.157",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.113",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.54",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.157",
                  "versionStartIncluding": "5.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.113",
                  "versionStartIncluding": "5.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.54",
                  "versionStartIncluding": "5.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.4",
                  "versionStartIncluding": "5.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "5.19",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nipmi: Rework user message limit handling\n\nThe limit on the number of user messages had a number of issues,\nimproper counting in some cases and a use after free.\n\nRestructure how this is all done to handle more in the receive message\nallocation routine, so all refcouting and user message limit counts\nare done in that routine.  It\u0027s a lot cleaner and safer."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T21:44:44.093Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/f63723ca7d7623f9dae1990973cd158671f03c56"
        },
        {
          "url": "https://git.kernel.org/stable/c/348121b29594d42d1635648fd3ed31dfa25351d5"
        },
        {
          "url": "https://git.kernel.org/stable/c/53d6e403affbf6df2c859a0ea00ccfc1e72090ca"
        },
        {
          "url": "https://git.kernel.org/stable/c/0ed73be9a2547ffb9b5c1d879ad9bfab73d920b5"
        },
        {
          "url": "https://git.kernel.org/stable/c/b52da4054ee0bf9ecb44996f2c83236ff50b3812"
        }
      ],
      "title": "ipmi: Rework user message limit handling",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-40202",
    "datePublished": "2025-11-12T21:56:34.527Z",
    "dateReserved": "2025-04-16T07:20:57.179Z",
    "dateUpdated": "2026-05-11T21:44:44.093Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-40204 (GCVE-0-2025-40204)

Vulnerability from cvelistv5 – Published: 2025-11-12 21:56 – Updated: 2026-05-11 21:44

Title

sctp: Fix MAC comparison to be constant-time

Summary

In the Linux kernel, the following vulnerability has been resolved: sctp: Fix MAC comparison to be constant-time To prevent timing attacks, MACs need to be compared in constant time. Use the appropriate helper function for this.

Severity

No CVSS data available.

Assigner

Linux

References

8 references

URL	Tags
https://git.kernel.org/stable/c/b93fa8dc521d00d2d…
https://git.kernel.org/stable/c/0e8b8c326c2a6de4d…
https://git.kernel.org/stable/c/1cd60e0d0fb8f0e62…
https://git.kernel.org/stable/c/9c05d44ec24126fc2…
https://git.kernel.org/stable/c/ed3044b9c810c5c24…
https://git.kernel.org/stable/c/8019b3699289fce3f…
https://git.kernel.org/stable/c/0b32ff285ff6f6f1a…
https://git.kernel.org/stable/c/dd91c79e4f58fbe28…

Impacted products

2 products

Vendor	Product	Version
Linux	Linux	Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < b93fa8dc521d00d2d44bf034fb90e0d79b036617 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 0e8b8c326c2a6de4d837b1bb034ea704f4690d77 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 1cd60e0d0fb8f0e62ec4499138afce6342dc9d4c (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 9c05d44ec24126fc283835b68f82dba3ae985209 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < ed3044b9c810c5c24eb2830053fbfe5fd134c5d4 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 8019b3699289fce3f10b63f98601db97b8d105b0 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 0b32ff285ff6f6f1ac1d9495787ccce8837d6405 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < dd91c79e4f58fbe2898dac84858033700e0e99fb (git)
Linux	Linux	Affected: 2.6.12 Unaffected: 0 , < 2.6.12 (semver) Unaffected: 5.4.301 , ≤ 5.4.* (semver) Unaffected: 5.10.246 , ≤ 5.10.* (semver) Unaffected: 5.15.195 , ≤ 5.15.* (semver) Unaffected: 6.1.157 , ≤ 6.1.* (semver) Unaffected: 6.6.113 , ≤ 6.6.* (semver) Unaffected: 6.12.54 , ≤ 6.12.* (semver) Unaffected: 6.17.4 , ≤ 6.17.* (semver) Unaffected: 6.18 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/sctp/sm_make_chunk.c",
            "net/sctp/sm_statefuns.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "b93fa8dc521d00d2d44bf034fb90e0d79b036617",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "0e8b8c326c2a6de4d837b1bb034ea704f4690d77",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "1cd60e0d0fb8f0e62ec4499138afce6342dc9d4c",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "9c05d44ec24126fc283835b68f82dba3ae985209",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "ed3044b9c810c5c24eb2830053fbfe5fd134c5d4",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "8019b3699289fce3f10b63f98601db97b8d105b0",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "0b32ff285ff6f6f1ac1d9495787ccce8837d6405",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "dd91c79e4f58fbe2898dac84858033700e0e99fb",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/sctp/sm_make_chunk.c",
            "net/sctp/sm_statefuns.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.12"
            },
            {
              "lessThan": "2.6.12",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.301",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.246",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.195",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.157",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.113",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.54",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.301",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.246",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.195",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.157",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.113",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.54",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.4",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsctp: Fix MAC comparison to be constant-time\n\nTo prevent timing attacks, MACs need to be compared in constant time.\nUse the appropriate helper function for this."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T21:44:46.460Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/b93fa8dc521d00d2d44bf034fb90e0d79b036617"
        },
        {
          "url": "https://git.kernel.org/stable/c/0e8b8c326c2a6de4d837b1bb034ea704f4690d77"
        },
        {
          "url": "https://git.kernel.org/stable/c/1cd60e0d0fb8f0e62ec4499138afce6342dc9d4c"
        },
        {
          "url": "https://git.kernel.org/stable/c/9c05d44ec24126fc283835b68f82dba3ae985209"
        },
        {
          "url": "https://git.kernel.org/stable/c/ed3044b9c810c5c24eb2830053fbfe5fd134c5d4"
        },
        {
          "url": "https://git.kernel.org/stable/c/8019b3699289fce3f10b63f98601db97b8d105b0"
        },
        {
          "url": "https://git.kernel.org/stable/c/0b32ff285ff6f6f1ac1d9495787ccce8837d6405"
        },
        {
          "url": "https://git.kernel.org/stable/c/dd91c79e4f58fbe2898dac84858033700e0e99fb"
        }
      ],
      "title": "sctp: Fix MAC comparison to be constant-time",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-40204",
    "datePublished": "2025-11-12T21:56:35.110Z",
    "dateReserved": "2025-04-16T07:20:57.179Z",
    "dateUpdated": "2026-05-11T21:44:46.460Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-40205 (GCVE-0-2025-40205)

Vulnerability from cvelistv5 – Published: 2025-11-12 21:56 – Updated: 2026-05-11 21:44

Title

btrfs: avoid potential out-of-bounds in btrfs_encode_fh()

Summary

In the Linux kernel, the following vulnerability has been resolved: btrfs: avoid potential out-of-bounds in btrfs_encode_fh() The function btrfs_encode_fh() does not properly account for the three cases it handles. Before writing to the file handle (fh), the function only returns to the user BTRFS_FID_SIZE_NON_CONNECTABLE (5 dwords, 20 bytes) or BTRFS_FID_SIZE_CONNECTABLE (8 dwords, 32 bytes). However, when a parent exists and the root ID of the parent and the inode are different, the function writes BTRFS_FID_SIZE_CONNECTABLE_ROOT (10 dwords, 40 bytes). If *max_len is not large enough, this write goes out of bounds because BTRFS_FID_SIZE_CONNECTABLE_ROOT is greater than BTRFS_FID_SIZE_CONNECTABLE originally returned. This results in an 8-byte out-of-bounds write at fid->parent_root_objectid = parent_root_id. A previous attempt to fix this issue was made but was lost. https://lore.kernel.org/all/4CADAEEC020000780001B32C@vpn.id2.novell.com/ Although this issue does not seem to be easily triggerable, it is a potential memory corruption bug that should be fixed. This patch resolves the issue by ensuring the function returns the appropriate size for all three cases and validates that *max_len is large enough before writing any data.

Severity

No CVSS data available.

Assigner

Linux

References

8 references

URL	Tags
https://git.kernel.org/stable/c/60de2f55d2aca53e8…
https://git.kernel.org/stable/c/742b44342204e5dfe…
https://git.kernel.org/stable/c/d3a9a8e1275eb9b87…
https://git.kernel.org/stable/c/d91f6626133698362…
https://git.kernel.org/stable/c/0276c8582488022f0…
https://git.kernel.org/stable/c/361d67276eb8ec6be…
https://git.kernel.org/stable/c/43143776b0a7604d8…
https://git.kernel.org/stable/c/dff4f9ff5d7f289e4…

Impacted products

2 products

Vendor	Product	Version
Linux	Linux	Affected: be6e8dc0ba84029997075a1ec77b4ddb863cbe15 , < 60de2f55d2aca53e81b4ef2a67d7cc9e1eb677db (git) Affected: be6e8dc0ba84029997075a1ec77b4ddb863cbe15 , < 742b44342204e5dfe3926433823623c1a0c581df (git) Affected: be6e8dc0ba84029997075a1ec77b4ddb863cbe15 , < d3a9a8e1275eb9b87f006b5562a287aea3f6885f (git) Affected: be6e8dc0ba84029997075a1ec77b4ddb863cbe15 , < d91f6626133698362bba08fbc04bd72c466806d3 (git) Affected: be6e8dc0ba84029997075a1ec77b4ddb863cbe15 , < 0276c8582488022f057b4cec21975a5edf079f47 (git) Affected: be6e8dc0ba84029997075a1ec77b4ddb863cbe15 , < 361d67276eb8ec6be8f27f4ad6c6090459438fee (git) Affected: be6e8dc0ba84029997075a1ec77b4ddb863cbe15 , < 43143776b0a7604d873d1a6f3e552a00aa930224 (git) Affected: be6e8dc0ba84029997075a1ec77b4ddb863cbe15 , < dff4f9ff5d7f289e4545cc936362e01ed3252742 (git)
Linux	Linux	Affected: 2.6.29 Unaffected: 0 , < 2.6.29 (semver) Unaffected: 5.4.301 , ≤ 5.4.* (semver) Unaffected: 5.10.246 , ≤ 5.10.* (semver) Unaffected: 5.15.195 , ≤ 5.15.* (semver) Unaffected: 6.1.157 , ≤ 6.1.* (semver) Unaffected: 6.6.113 , ≤ 6.6.* (semver) Unaffected: 6.12.54 , ≤ 6.12.* (semver) Unaffected: 6.17.4 , ≤ 6.17.* (semver) Unaffected: 6.18 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/btrfs/export.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "60de2f55d2aca53e81b4ef2a67d7cc9e1eb677db",
              "status": "affected",
              "version": "be6e8dc0ba84029997075a1ec77b4ddb863cbe15",
              "versionType": "git"
            },
            {
              "lessThan": "742b44342204e5dfe3926433823623c1a0c581df",
              "status": "affected",
              "version": "be6e8dc0ba84029997075a1ec77b4ddb863cbe15",
              "versionType": "git"
            },
            {
              "lessThan": "d3a9a8e1275eb9b87f006b5562a287aea3f6885f",
              "status": "affected",
              "version": "be6e8dc0ba84029997075a1ec77b4ddb863cbe15",
              "versionType": "git"
            },
            {
              "lessThan": "d91f6626133698362bba08fbc04bd72c466806d3",
              "status": "affected",
              "version": "be6e8dc0ba84029997075a1ec77b4ddb863cbe15",
              "versionType": "git"
            },
            {
              "lessThan": "0276c8582488022f057b4cec21975a5edf079f47",
              "status": "affected",
              "version": "be6e8dc0ba84029997075a1ec77b4ddb863cbe15",
              "versionType": "git"
            },
            {
              "lessThan": "361d67276eb8ec6be8f27f4ad6c6090459438fee",
              "status": "affected",
              "version": "be6e8dc0ba84029997075a1ec77b4ddb863cbe15",
              "versionType": "git"
            },
            {
              "lessThan": "43143776b0a7604d873d1a6f3e552a00aa930224",
              "status": "affected",
              "version": "be6e8dc0ba84029997075a1ec77b4ddb863cbe15",
              "versionType": "git"
            },
            {
              "lessThan": "dff4f9ff5d7f289e4545cc936362e01ed3252742",
              "status": "affected",
              "version": "be6e8dc0ba84029997075a1ec77b4ddb863cbe15",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/btrfs/export.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.29"
            },
            {
              "lessThan": "2.6.29",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.301",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.246",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.195",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.157",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.113",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.54",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.301",
                  "versionStartIncluding": "2.6.29",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.246",
                  "versionStartIncluding": "2.6.29",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.195",
                  "versionStartIncluding": "2.6.29",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.157",
                  "versionStartIncluding": "2.6.29",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.113",
                  "versionStartIncluding": "2.6.29",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.54",
                  "versionStartIncluding": "2.6.29",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.4",
                  "versionStartIncluding": "2.6.29",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "2.6.29",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: avoid potential out-of-bounds in btrfs_encode_fh()\n\nThe function btrfs_encode_fh() does not properly account for the three\ncases it handles.\n\nBefore writing to the file handle (fh), the function only returns to the\nuser BTRFS_FID_SIZE_NON_CONNECTABLE (5 dwords, 20 bytes) or\nBTRFS_FID_SIZE_CONNECTABLE (8 dwords, 32 bytes).\n\nHowever, when a parent exists and the root ID of the parent and the\ninode are different, the function writes BTRFS_FID_SIZE_CONNECTABLE_ROOT\n(10 dwords, 40 bytes).\n\nIf *max_len is not large enough, this write goes out of bounds because\nBTRFS_FID_SIZE_CONNECTABLE_ROOT is greater than\nBTRFS_FID_SIZE_CONNECTABLE originally returned.\n\nThis results in an 8-byte out-of-bounds write at\nfid-\u003eparent_root_objectid = parent_root_id.\n\nA previous attempt to fix this issue was made but was lost.\n\nhttps://lore.kernel.org/all/4CADAEEC020000780001B32C@vpn.id2.novell.com/\n\nAlthough this issue does not seem to be easily triggerable, it is a\npotential memory corruption bug that should be fixed. This patch\nresolves the issue by ensuring the function returns the appropriate size\nfor all three cases and validates that *max_len is large enough before\nwriting any data."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T21:44:47.629Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/60de2f55d2aca53e81b4ef2a67d7cc9e1eb677db"
        },
        {
          "url": "https://git.kernel.org/stable/c/742b44342204e5dfe3926433823623c1a0c581df"
        },
        {
          "url": "https://git.kernel.org/stable/c/d3a9a8e1275eb9b87f006b5562a287aea3f6885f"
        },
        {
          "url": "https://git.kernel.org/stable/c/d91f6626133698362bba08fbc04bd72c466806d3"
        },
        {
          "url": "https://git.kernel.org/stable/c/0276c8582488022f057b4cec21975a5edf079f47"
        },
        {
          "url": "https://git.kernel.org/stable/c/361d67276eb8ec6be8f27f4ad6c6090459438fee"
        },
        {
          "url": "https://git.kernel.org/stable/c/43143776b0a7604d873d1a6f3e552a00aa930224"
        },
        {
          "url": "https://git.kernel.org/stable/c/dff4f9ff5d7f289e4545cc936362e01ed3252742"
        }
      ],
      "title": "btrfs: avoid potential out-of-bounds in btrfs_encode_fh()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-40205",
    "datePublished": "2025-11-12T21:56:35.403Z",
    "dateReserved": "2025-04-16T07:20:57.179Z",
    "dateUpdated": "2026-05-11T21:44:47.629Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-40207 (GCVE-0-2025-40207)

Vulnerability from cvelistv5 – Published: 2025-11-12 21:56 – Updated: 2026-05-11 21:44

Title

media: v4l2-subdev: Fix alloc failure check in v4l2_subdev_call_state_try()

Summary

In the Linux kernel, the following vulnerability has been resolved: media: v4l2-subdev: Fix alloc failure check in v4l2_subdev_call_state_try() v4l2_subdev_call_state_try() macro allocates a subdev state with __v4l2_subdev_state_alloc(), but does not check the returned value. If __v4l2_subdev_state_alloc fails, it returns an ERR_PTR, and that would cause v4l2_subdev_call_state_try() to crash. Add proper error handling to v4l2_subdev_call_state_try().

Severity

No CVSS data available.

Assigner

Linux

References

5 references

URL	Tags
https://git.kernel.org/stable/c/5b0057459cdc243ff…
https://git.kernel.org/stable/c/ed30811fbed40751d…
https://git.kernel.org/stable/c/94e6336dc1f06a06f…
https://git.kernel.org/stable/c/a553530b3314a0bdc…
https://git.kernel.org/stable/c/f37df9a0eb5e43fcf…

Impacted products

2 products

Vendor	Product	Version
Linux	Linux	Affected: 982c0487185bd466059ff618f398a8d074ddb654 , < 5b0057459cdc243ffb35617603142dcace09c711 (git) Affected: 982c0487185bd466059ff618f398a8d074ddb654 , < ed30811fbed40751deb952bde534aa2632dc0bf7 (git) Affected: 982c0487185bd466059ff618f398a8d074ddb654 , < 94e6336dc1f06a06f5b4cd04d4a012bba34f2857 (git) Affected: 982c0487185bd466059ff618f398a8d074ddb654 , < a553530b3314a0bdc98cf114cdbe204551a70a00 (git) Affected: 982c0487185bd466059ff618f398a8d074ddb654 , < f37df9a0eb5e43fcfe02cbaef076123dc0d79c7e (git)
Linux	Linux	Affected: 6.0 Unaffected: 0 , < 6.0 (semver) Unaffected: 6.1.157 , ≤ 6.1.* (semver) Unaffected: 6.6.113 , ≤ 6.6.* (semver) Unaffected: 6.12.54 , ≤ 6.12.* (semver) Unaffected: 6.17.4 , ≤ 6.17.* (semver) Unaffected: 6.18 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "include/media/v4l2-subdev.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "5b0057459cdc243ffb35617603142dcace09c711",
              "status": "affected",
              "version": "982c0487185bd466059ff618f398a8d074ddb654",
              "versionType": "git"
            },
            {
              "lessThan": "ed30811fbed40751deb952bde534aa2632dc0bf7",
              "status": "affected",
              "version": "982c0487185bd466059ff618f398a8d074ddb654",
              "versionType": "git"
            },
            {
              "lessThan": "94e6336dc1f06a06f5b4cd04d4a012bba34f2857",
              "status": "affected",
              "version": "982c0487185bd466059ff618f398a8d074ddb654",
              "versionType": "git"
            },
            {
              "lessThan": "a553530b3314a0bdc98cf114cdbe204551a70a00",
              "status": "affected",
              "version": "982c0487185bd466059ff618f398a8d074ddb654",
              "versionType": "git"
            },
            {
              "lessThan": "f37df9a0eb5e43fcfe02cbaef076123dc0d79c7e",
              "status": "affected",
              "version": "982c0487185bd466059ff618f398a8d074ddb654",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "include/media/v4l2-subdev.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.0"
            },
            {
              "lessThan": "6.0",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.157",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.113",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.54",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.157",
                  "versionStartIncluding": "6.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.113",
                  "versionStartIncluding": "6.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.54",
                  "versionStartIncluding": "6.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.4",
                  "versionStartIncluding": "6.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "6.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: v4l2-subdev: Fix alloc failure check in v4l2_subdev_call_state_try()\n\nv4l2_subdev_call_state_try() macro allocates a subdev state with\n__v4l2_subdev_state_alloc(), but does not check the returned value. If\n__v4l2_subdev_state_alloc fails, it returns an ERR_PTR, and that would\ncause v4l2_subdev_call_state_try() to crash.\n\nAdd proper error handling to v4l2_subdev_call_state_try()."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T21:44:50.064Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/5b0057459cdc243ffb35617603142dcace09c711"
        },
        {
          "url": "https://git.kernel.org/stable/c/ed30811fbed40751deb952bde534aa2632dc0bf7"
        },
        {
          "url": "https://git.kernel.org/stable/c/94e6336dc1f06a06f5b4cd04d4a012bba34f2857"
        },
        {
          "url": "https://git.kernel.org/stable/c/a553530b3314a0bdc98cf114cdbe204551a70a00"
        },
        {
          "url": "https://git.kernel.org/stable/c/f37df9a0eb5e43fcfe02cbaef076123dc0d79c7e"
        }
      ],
      "title": "media: v4l2-subdev: Fix alloc failure check in v4l2_subdev_call_state_try()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-40207",
    "datePublished": "2025-11-12T21:56:35.988Z",
    "dateReserved": "2025-04-16T07:20:57.179Z",
    "dateUpdated": "2026-05-11T21:44:50.064Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CERTFR-2025-AVI-1048

Solutions

CVE-2025-40197 (GCVE-0-2025-40197)

CVE-2025-40198 (GCVE-0-2025-40198)

CVE-2025-40200 (GCVE-0-2025-40200)

CVE-2025-40201 (GCVE-0-2025-40201)

CVE-2025-40202 (GCVE-0-2025-40202)

CVE-2025-40204 (GCVE-0-2025-40204)

CVE-2025-40205 (GCVE-0-2025-40205)

CVE-2025-40207 (GCVE-0-2025-40207)

Tags

Sightings

Nomenclature