Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CERTFR-2025-AVI-1054
Vulnerability from certfr_avis - Published: 2025-12-01 - Updated: 2025-12-01
De multiples vulnérabilités ont été découvertes dans les produits VMware. Elles permettent à un attaquant de provoquer un problème de sécurité non spécifié par l'éditeur.
Solutions
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
Impacted products
| Vendor | Product | Description | ||
|---|---|---|---|---|
| VMware | Tanzu Kubernetes Runtime | Stemcells (Ubuntu Jammy) versions antérieures à 1.954.x | ||
| VMware | Tanzu Application Service | Stemcells (Ubuntu Noble) versions antérieures à 1.134.x | ||
| VMware | Tanzu Operations Manager | Tanzu Platform versions antérieures à 3.1.5-build.398 | ||
| VMware | Tanzu Operations Manager | Tanzu Platform versions antérieures à 3.2.1-build.271 |
References
| Title | Publication Time | Tags | ||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Stemcells (Ubuntu Jammy) versions ant\u00e9rieures \u00e0 1.954.x",
"product": {
"name": "Tanzu Kubernetes Runtime",
"vendor": {
"name": "VMware",
"scada": false
}
}
},
{
"description": "Stemcells (Ubuntu Noble) versions ant\u00e9rieures \u00e0 1.134.x",
"product": {
"name": "Tanzu Application Service",
"vendor": {
"name": "VMware",
"scada": false
}
}
},
{
"description": "Tanzu Platform versions ant\u00e9rieures \u00e0 3.1.5-build.398",
"product": {
"name": "Tanzu Operations Manager",
"vendor": {
"name": "VMware",
"scada": false
}
}
},
{
"description": "Tanzu Platform versions ant\u00e9rieures \u00e0 3.2.1-build.271",
"product": {
"name": "Tanzu Operations Manager",
"vendor": {
"name": "VMware",
"scada": false
}
}
}
],
"affected_systems_content": "",
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [
{
"name": "CVE-2022-1343",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-1343"
},
{
"name": "CVE-2023-0216",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-0216"
},
{
"name": "CVE-2022-1473",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-1473"
},
{
"name": "CVE-2023-40217",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-40217"
},
{
"name": "CVE-2023-0401",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-0401"
},
{
"name": "CVE-2025-38328",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38328"
},
{
"name": "CVE-2024-11168",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-11168"
},
{
"name": "CVE-2025-38100",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38100"
},
{
"name": "CVE-2025-38108",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38108"
},
{
"name": "CVE-2025-38230",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38230"
},
{
"name": "CVE-2025-38229",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38229"
},
{
"name": "CVE-2025-38147",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38147"
},
{
"name": "CVE-2024-26896",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26896"
},
{
"name": "CVE-2025-38286",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38286"
},
{
"name": "CVE-2025-38515",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38515"
},
{
"name": "CVE-2025-38163",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38163"
},
{
"name": "CVE-2025-38444",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38444"
},
{
"name": "CVE-2024-26700",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26700"
},
{
"name": "CVE-2022-4304",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-4304"
},
{
"name": "CVE-2025-38157",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38157"
},
{
"name": "CVE-2025-38323",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38323"
},
{
"name": "CVE-2025-38219",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38219"
},
{
"name": "CVE-2025-38466",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38466"
},
{
"name": "CVE-2022-1292",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-1292"
},
{
"name": "CVE-2025-6069",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-6069"
},
{
"name": "CVE-2023-3817",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-3817"
},
{
"name": "CVE-2024-6232",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-6232"
},
{
"name": "CVE-2025-38313",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38313"
},
{
"name": "CVE-2025-38336",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38336"
},
{
"name": "CVE-2025-38375",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38375"
},
{
"name": "CVE-2025-4330",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-4330"
},
{
"name": "CVE-2024-26726",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26726"
},
{
"name": "CVE-2023-52593",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-52593"
},
{
"name": "CVE-2024-9287",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-9287"
},
{
"name": "CVE-2024-44939",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-44939"
},
{
"name": "CVE-2025-4138",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-4138"
},
{
"name": "CVE-2023-0215",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-0215"
},
{
"name": "CVE-2023-36632",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-36632"
},
{
"name": "CVE-2025-38112",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38112"
},
{
"name": "CVE-2023-0286",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-0286"
},
{
"name": "CVE-2025-38203",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38203"
},
{
"name": "CVE-2025-38387",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38387"
},
{
"name": "CVE-2025-38362",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38362"
},
{
"name": "CVE-2025-38371",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38371"
},
{
"name": "CVE-2025-38445",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38445"
},
{
"name": "CVE-2023-4807",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-4807"
},
{
"name": "CVE-2025-38461",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38461"
},
{
"name": "CVE-2024-13176",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-13176"
},
{
"name": "CVE-2025-38159",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38159"
},
{
"name": "CVE-2025-38305",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38305"
},
{
"name": "CVE-2025-38067",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38067"
},
{
"name": "CVE-2023-5363",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-5363"
},
{
"name": "CVE-2022-2068",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-2068"
},
{
"name": "CVE-2025-38401",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38401"
},
{
"name": "CVE-2023-0466",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-0466"
},
{
"name": "CVE-2025-0938",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-0938"
},
{
"name": "CVE-2025-38102",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38102"
},
{
"name": "CVE-2023-0465",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-0465"
},
{
"name": "CVE-2022-4203",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-4203"
},
{
"name": "CVE-2025-37958",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-37958"
},
{
"name": "CVE-2025-38399",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38399"
},
{
"name": "CVE-2025-38459",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38459"
},
{
"name": "CVE-2025-38412",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38412"
},
{
"name": "CVE-2025-38293",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38293"
},
{
"name": "CVE-2025-38184",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38184"
},
{
"name": "CVE-2025-38458",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38458"
},
{
"name": "CVE-2025-6297",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-6297"
},
{
"name": "CVE-2025-38135",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38135"
},
{
"name": "CVE-2025-38312",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38312"
},
{
"name": "CVE-2025-38464",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38464"
},
{
"name": "CVE-2025-38363",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38363"
},
{
"name": "CVE-2025-38319",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38319"
},
{
"name": "CVE-2023-27043",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-27043"
},
{
"name": "CVE-2025-38457",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38457"
},
{
"name": "CVE-2025-38212",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38212"
},
{
"name": "CVE-2023-0217",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-0217"
},
{
"name": "CVE-2025-38298",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38298"
},
{
"name": "CVE-2025-38419",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38419"
},
{
"name": "CVE-2022-3786",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-3786"
},
{
"name": "CVE-2025-38546",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38546"
},
{
"name": "CVE-2025-38211",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38211"
},
{
"name": "CVE-2025-38251",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38251"
},
{
"name": "CVE-2025-38120",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38120"
},
{
"name": "CVE-2025-38285",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38285"
},
{
"name": "CVE-2025-8194",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-8194"
},
{
"name": "CVE-2025-38161",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38161"
},
{
"name": "CVE-2025-38115",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38115"
},
{
"name": "CVE-2025-1795",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-1795"
},
{
"name": "CVE-2025-38153",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38153"
},
{
"name": "CVE-2025-4517",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-4517"
},
{
"name": "CVE-2025-38395",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38395"
},
{
"name": "CVE-2025-38337",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38337"
},
{
"name": "CVE-2025-38727",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38727"
},
{
"name": "CVE-2025-38465",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38465"
},
{
"name": "CVE-2025-38513",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38513"
},
{
"name": "CVE-2025-38086",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38086"
},
{
"name": "CVE-2023-0464",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-0464"
},
{
"name": "CVE-2025-38441",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38441"
},
{
"name": "CVE-2025-38227",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38227"
},
{
"name": "CVE-2025-4435",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-4435"
},
{
"name": "CVE-2024-57883",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-57883"
},
{
"name": "CVE-2024-5535",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-5535"
},
{
"name": "CVE-2025-38074",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38074"
},
{
"name": "CVE-2025-38119",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38119"
},
{
"name": "CVE-2025-38245",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38245"
},
{
"name": "CVE-2025-38324",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38324"
},
{
"name": "CVE-2024-12718",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-12718"
},
{
"name": "CVE-2024-0450",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-0450"
},
{
"name": "CVE-2025-38542",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38542"
},
{
"name": "CVE-2025-38344",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38344"
},
{
"name": "CVE-2025-38088",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38088"
},
{
"name": "CVE-2025-38332",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38332"
},
{
"name": "CVE-2025-38386",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38386"
},
{
"name": "CVE-2025-38237",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38237"
},
{
"name": "CVE-2025-38174",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38174"
},
{
"name": "CVE-2025-21888",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21888"
},
{
"name": "CVE-2025-38342",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38342"
},
{
"name": "CVE-2025-38167",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38167"
},
{
"name": "CVE-2025-38257",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38257"
},
{
"name": "CVE-2025-38206",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38206"
},
{
"name": "CVE-2025-38111",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38111"
},
{
"name": "CVE-2025-38326",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38326"
},
{
"name": "CVE-2025-12818",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-12818"
},
{
"name": "CVE-2025-38384",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38384"
},
{
"name": "CVE-2025-38424",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38424"
},
{
"name": "CVE-2025-38430",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38430"
},
{
"name": "CVE-2024-9143",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-9143"
},
{
"name": "CVE-2025-38420",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38420"
},
{
"name": "CVE-2025-38160",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38160"
},
{
"name": "CVE-2025-38107",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38107"
},
{
"name": "CVE-2025-38085",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38085"
},
{
"name": "CVE-2025-38222",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38222"
},
{
"name": "CVE-2025-38197",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38197"
},
{
"name": "CVE-2025-38467",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38467"
},
{
"name": "CVE-2023-6237",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-6237"
},
{
"name": "CVE-2022-4450",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-4450"
},
{
"name": "CVE-2025-38617",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38617"
},
{
"name": "CVE-2025-38122",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38122"
},
{
"name": "CVE-2024-7592",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-7592"
},
{
"name": "CVE-2023-2650",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-2650"
},
{
"name": "CVE-2025-38173",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38173"
},
{
"name": "CVE-2025-38143",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38143"
},
{
"name": "CVE-2022-3996",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-3996"
},
{
"name": "CVE-2025-38416",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38416"
},
{
"name": "CVE-2025-38194",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38194"
},
{
"name": "CVE-2024-0727",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-0727"
},
{
"name": "CVE-2023-6129",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-6129"
},
{
"name": "CVE-2025-12817",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-12817"
},
{
"name": "CVE-2025-38348",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38348"
},
{
"name": "CVE-2025-38540",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38540"
},
{
"name": "CVE-2025-38403",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38403"
},
{
"name": "CVE-2025-38146",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38146"
},
{
"name": "CVE-2025-38418",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38418"
},
{
"name": "CVE-2025-38090",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38090"
},
{
"name": "CVE-2025-40300",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40300"
},
{
"name": "CVE-2025-38415",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38415"
},
{
"name": "CVE-2024-6119",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-6119"
},
{
"name": "CVE-2024-0397",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-0397"
},
{
"name": "CVE-2023-1255",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-1255"
},
{
"name": "CVE-2024-12254",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-12254"
},
{
"name": "CVE-2025-8114",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-8114"
},
{
"name": "CVE-2025-38193",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38193"
},
{
"name": "CVE-2025-38400",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38400"
},
{
"name": "CVE-2024-26775",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26775"
},
{
"name": "CVE-2025-4516",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-4516"
},
{
"name": "CVE-2025-38136",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38136"
},
{
"name": "CVE-2022-3358",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-3358"
},
{
"name": "CVE-2022-2097",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-2097"
},
{
"name": "CVE-2024-4603",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-4603"
},
{
"name": "CVE-2025-38477",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38477"
},
{
"name": "CVE-2025-30722",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-30722"
},
{
"name": "CVE-2024-50602",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-50602"
},
{
"name": "CVE-2025-38185",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38185"
},
{
"name": "CVE-2025-38406",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38406"
},
{
"name": "CVE-2025-38352",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38352"
},
{
"name": "CVE-2025-38263",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38263"
},
{
"name": "CVE-2025-9230",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-9230"
},
{
"name": "CVE-2025-38214",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38214"
},
{
"name": "CVE-2025-38218",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38218"
},
{
"name": "CVE-2024-4741",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-4741"
},
{
"name": "CVE-2025-38393",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38393"
},
{
"name": "CVE-2025-38618",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38618"
},
{
"name": "CVE-2025-38249",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38249"
},
{
"name": "CVE-2022-48703",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-48703"
},
{
"name": "CVE-2025-38154",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38154"
},
{
"name": "CVE-2025-38389",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38389"
},
{
"name": "CVE-2025-38448",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38448"
},
{
"name": "CVE-2025-38377",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38377"
},
{
"name": "CVE-2025-38516",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38516"
},
{
"name": "CVE-2025-30693",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-30693"
},
{
"name": "CVE-2025-38462",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38462"
},
{
"name": "CVE-2025-38428",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38428"
},
{
"name": "CVE-2025-38262",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38262"
},
{
"name": "CVE-2025-38138",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38138"
},
{
"name": "CVE-2023-2975",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-2975"
},
{
"name": "CVE-2025-38310",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38310"
},
{
"name": "CVE-2022-3602",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-3602"
},
{
"name": "CVE-2025-37963",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-37963"
},
{
"name": "CVE-2025-38226",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38226"
},
{
"name": "CVE-2025-38443",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38443"
},
{
"name": "CVE-2025-38439",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38439"
},
{
"name": "CVE-2022-1434",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-1434"
},
{
"name": "CVE-2025-38190",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38190"
},
{
"name": "CVE-2025-38180",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38180"
},
{
"name": "CVE-2025-38145",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38145"
},
{
"name": "CVE-2024-4032",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-4032"
},
{
"name": "CVE-2025-37948",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-37948"
},
{
"name": "CVE-2025-8058",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-8058"
},
{
"name": "CVE-2025-38498",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38498"
},
{
"name": "CVE-2025-38200",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38200"
},
{
"name": "CVE-2025-38273",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38273"
},
{
"name": "CVE-2025-38346",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38346"
},
{
"name": "CVE-2023-3446",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-3446"
},
{
"name": "CVE-2024-2511",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-2511"
},
{
"name": "CVE-2025-38320",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38320"
},
{
"name": "CVE-2025-38280",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38280"
},
{
"name": "CVE-2025-38084",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38084"
},
{
"name": "CVE-2025-38103",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38103"
},
{
"name": "CVE-2025-38514",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38514"
},
{
"name": "CVE-2025-38204",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38204"
},
{
"name": "CVE-2023-5678",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-5678"
},
{
"name": "CVE-2025-38410",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38410"
},
{
"name": "CVE-2023-6597",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-6597"
},
{
"name": "CVE-2025-38460",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38460"
},
{
"name": "CVE-2025-38345",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38345"
},
{
"name": "CVE-2025-38231",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38231"
},
{
"name": "CVE-2025-38181",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38181"
},
{
"name": "CVE-2025-38391",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38391"
},
{
"name": "CVE-2024-6923",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-6923"
},
{
"name": "CVE-2024-8088",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-8088"
}
],
"initial_release_date": "2025-12-01T00:00:00",
"last_revision_date": "2025-12-01T00:00:00",
"links": [],
"reference": "CERTFR-2025-AVI-1054",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2025-12-01T00:00:00.000000"
}
],
"risks": [
{
"description": "Non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits VMware. Elles permettent \u00e0 un attaquant de provoquer un probl\u00e8me de s\u00e9curit\u00e9 non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur.",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits VMware",
"vendor_advisories": [
{
"published_at": "2025-11-30",
"title": "Bulletin de s\u00e9curit\u00e9 VMware 36558",
"url": "https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36558"
},
{
"published_at": "2025-11-30",
"title": "Bulletin de s\u00e9curit\u00e9 VMware 36554",
"url": "https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36554"
},
{
"published_at": "2025-11-30",
"title": "Bulletin de s\u00e9curit\u00e9 VMware 36552",
"url": "https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36552"
},
{
"published_at": "2025-11-30",
"title": "Bulletin de s\u00e9curit\u00e9 VMware 36559",
"url": "https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36559"
},
{
"published_at": "2025-11-30",
"title": "Bulletin de s\u00e9curit\u00e9 VMware 36557",
"url": "https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36557"
},
{
"published_at": "2025-11-30",
"title": "Bulletin de s\u00e9curit\u00e9 VMware 36556",
"url": "https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36556"
},
{
"published_at": "2025-11-30",
"title": "Bulletin de s\u00e9curit\u00e9 VMware 36553",
"url": "https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36553"
},
{
"published_at": "2025-11-30",
"title": "Bulletin de s\u00e9curit\u00e9 VMware 36555",
"url": "https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36555"
}
]
}
CVE-2025-38346 (GCVE-0-2025-38346)
Vulnerability from cvelistv5 – Published: 2025-07-10 08:15 – Updated: 2026-05-11 21:26
VLAI
EPSS
Title
ftrace: Fix UAF when lookup kallsym after ftrace disabled
Summary
In the Linux kernel, the following vulnerability has been resolved:
ftrace: Fix UAF when lookup kallsym after ftrace disabled
The following issue happens with a buggy module:
BUG: unable to handle page fault for address: ffffffffc05d0218
PGD 1bd66f067 P4D 1bd66f067 PUD 1bd671067 PMD 101808067 PTE 0
Oops: Oops: 0000 [#1] SMP KASAN PTI
Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
RIP: 0010:sized_strscpy+0x81/0x2f0
RSP: 0018:ffff88812d76fa08 EFLAGS: 00010246
RAX: 0000000000000000 RBX: ffffffffc0601010 RCX: dffffc0000000000
RDX: 0000000000000038 RSI: dffffc0000000000 RDI: ffff88812608da2d
RBP: 8080808080808080 R08: ffff88812608da2d R09: ffff88812608da68
R10: ffff88812608d82d R11: ffff88812608d810 R12: 0000000000000038
R13: ffff88812608da2d R14: ffffffffc05d0218 R15: fefefefefefefeff
FS: 00007fef552de740(0000) GS:ffff8884251c7000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffffc05d0218 CR3: 00000001146f0000 CR4: 00000000000006f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
ftrace_mod_get_kallsym+0x1ac/0x590
update_iter_mod+0x239/0x5b0
s_next+0x5b/0xa0
seq_read_iter+0x8c9/0x1070
seq_read+0x249/0x3b0
proc_reg_read+0x1b0/0x280
vfs_read+0x17f/0x920
ksys_read+0xf3/0x1c0
do_syscall_64+0x5f/0x2e0
entry_SYSCALL_64_after_hwframe+0x76/0x7e
The above issue may happen as follows:
(1) Add kprobe tracepoint;
(2) insmod test.ko;
(3) Module triggers ftrace disabled;
(4) rmmod test.ko;
(5) cat /proc/kallsyms; --> Will trigger UAF as test.ko already removed;
ftrace_mod_get_kallsym()
...
strscpy(module_name, mod_map->mod->name, MODULE_NAME_LEN);
...
The problem is when a module triggers an issue with ftrace and
sets ftrace_disable. The ftrace_disable is set when an anomaly is
discovered and to prevent any more damage, ftrace stops all text
modification. The issue that happened was that the ftrace_disable stops
more than just the text modification.
When a module is loaded, its init functions can also be traced. Because
kallsyms deletes the init functions after a module has loaded, ftrace
saves them when the module is loaded and function tracing is enabled. This
allows the output of the function trace to show the init function names
instead of just their raw memory addresses.
When a module is removed, ftrace_release_mod() is called, and if
ftrace_disable is set, it just returns without doing anything more. The
problem here is that it leaves the mod_list still around and if kallsyms
is called, it will call into this code and access the module memory that
has already been freed as it will return:
strscpy(module_name, mod_map->mod->name, MODULE_NAME_LEN);
Where the "mod" no longer exists and triggers a UAF bug.
Severity
No CVSS data available.
Assigner
References
10 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
aba4b5c22cbac296f4081a0476d0c55828f135b4 , < d064c68781c19f378af1ae741d9132d35d24b2bb
(git)
Affected: aba4b5c22cbac296f4081a0476d0c55828f135b4 , < 8690cd3258455bbae64f809e1d3ee0f043661c71 (git) Affected: aba4b5c22cbac296f4081a0476d0c55828f135b4 , < 6805582abb720681dd1c87ff677f155dcf4e86c9 (git) Affected: aba4b5c22cbac296f4081a0476d0c55828f135b4 , < 03a162933c4a03b9f1a84f7d8482903c7e1e11bb (git) Affected: aba4b5c22cbac296f4081a0476d0c55828f135b4 , < 83a692a9792aa86249d68a8ac0b9d55ecdd255fa (git) Affected: aba4b5c22cbac296f4081a0476d0c55828f135b4 , < 8e89c17dc8970c5f71a3a991f5724d4c8de42d8c (git) Affected: aba4b5c22cbac296f4081a0476d0c55828f135b4 , < f78a786ad9a5443a29eef4dae60cde85b7375129 (git) Affected: aba4b5c22cbac296f4081a0476d0c55828f135b4 , < f914b52c379c12288b7623bb814d0508dbe7481d (git) |
|
| Linux | Linux |
Affected:
4.15
Unaffected: 0 , < 4.15 (semver) Unaffected: 5.4.295 , ≤ 5.4.* (semver) Unaffected: 5.10.239 , ≤ 5.10.* (semver) Unaffected: 5.15.186 , ≤ 5.15.* (semver) Unaffected: 6.1.142 , ≤ 6.1.* (semver) Unaffected: 6.6.95 , ≤ 6.6.* (semver) Unaffected: 6.12.35 , ≤ 6.12.* (semver) Unaffected: 6.15.4 , ≤ 6.15.* (semver) Unaffected: 6.16 , ≤ * (original_commit_for_fix) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:36:55.187Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/trace/ftrace.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d064c68781c19f378af1ae741d9132d35d24b2bb",
"status": "affected",
"version": "aba4b5c22cbac296f4081a0476d0c55828f135b4",
"versionType": "git"
},
{
"lessThan": "8690cd3258455bbae64f809e1d3ee0f043661c71",
"status": "affected",
"version": "aba4b5c22cbac296f4081a0476d0c55828f135b4",
"versionType": "git"
},
{
"lessThan": "6805582abb720681dd1c87ff677f155dcf4e86c9",
"status": "affected",
"version": "aba4b5c22cbac296f4081a0476d0c55828f135b4",
"versionType": "git"
},
{
"lessThan": "03a162933c4a03b9f1a84f7d8482903c7e1e11bb",
"status": "affected",
"version": "aba4b5c22cbac296f4081a0476d0c55828f135b4",
"versionType": "git"
},
{
"lessThan": "83a692a9792aa86249d68a8ac0b9d55ecdd255fa",
"status": "affected",
"version": "aba4b5c22cbac296f4081a0476d0c55828f135b4",
"versionType": "git"
},
{
"lessThan": "8e89c17dc8970c5f71a3a991f5724d4c8de42d8c",
"status": "affected",
"version": "aba4b5c22cbac296f4081a0476d0c55828f135b4",
"versionType": "git"
},
{
"lessThan": "f78a786ad9a5443a29eef4dae60cde85b7375129",
"status": "affected",
"version": "aba4b5c22cbac296f4081a0476d0c55828f135b4",
"versionType": "git"
},
{
"lessThan": "f914b52c379c12288b7623bb814d0508dbe7481d",
"status": "affected",
"version": "aba4b5c22cbac296f4081a0476d0c55828f135b4",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/trace/ftrace.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.15"
},
{
"lessThan": "4.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.295",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.239",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.186",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.142",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.95",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.35",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.16",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.295",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.239",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.186",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.142",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.95",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.35",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.4",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16",
"versionStartIncluding": "4.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nftrace: Fix UAF when lookup kallsym after ftrace disabled\n\nThe following issue happens with a buggy module:\n\nBUG: unable to handle page fault for address: ffffffffc05d0218\nPGD 1bd66f067 P4D 1bd66f067 PUD 1bd671067 PMD 101808067 PTE 0\nOops: Oops: 0000 [#1] SMP KASAN PTI\nTainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS\nRIP: 0010:sized_strscpy+0x81/0x2f0\nRSP: 0018:ffff88812d76fa08 EFLAGS: 00010246\nRAX: 0000000000000000 RBX: ffffffffc0601010 RCX: dffffc0000000000\nRDX: 0000000000000038 RSI: dffffc0000000000 RDI: ffff88812608da2d\nRBP: 8080808080808080 R08: ffff88812608da2d R09: ffff88812608da68\nR10: ffff88812608d82d R11: ffff88812608d810 R12: 0000000000000038\nR13: ffff88812608da2d R14: ffffffffc05d0218 R15: fefefefefefefeff\nFS: 00007fef552de740(0000) GS:ffff8884251c7000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: ffffffffc05d0218 CR3: 00000001146f0000 CR4: 00000000000006f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n \u003cTASK\u003e\n ftrace_mod_get_kallsym+0x1ac/0x590\n update_iter_mod+0x239/0x5b0\n s_next+0x5b/0xa0\n seq_read_iter+0x8c9/0x1070\n seq_read+0x249/0x3b0\n proc_reg_read+0x1b0/0x280\n vfs_read+0x17f/0x920\n ksys_read+0xf3/0x1c0\n do_syscall_64+0x5f/0x2e0\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\nThe above issue may happen as follows:\n(1) Add kprobe tracepoint;\n(2) insmod test.ko;\n(3) Module triggers ftrace disabled;\n(4) rmmod test.ko;\n(5) cat /proc/kallsyms; --\u003e Will trigger UAF as test.ko already removed;\nftrace_mod_get_kallsym()\n...\nstrscpy(module_name, mod_map-\u003emod-\u003ename, MODULE_NAME_LEN);\n...\n\nThe problem is when a module triggers an issue with ftrace and\nsets ftrace_disable. The ftrace_disable is set when an anomaly is\ndiscovered and to prevent any more damage, ftrace stops all text\nmodification. The issue that happened was that the ftrace_disable stops\nmore than just the text modification.\n\nWhen a module is loaded, its init functions can also be traced. Because\nkallsyms deletes the init functions after a module has loaded, ftrace\nsaves them when the module is loaded and function tracing is enabled. This\nallows the output of the function trace to show the init function names\ninstead of just their raw memory addresses.\n\nWhen a module is removed, ftrace_release_mod() is called, and if\nftrace_disable is set, it just returns without doing anything more. The\nproblem here is that it leaves the mod_list still around and if kallsyms\nis called, it will call into this code and access the module memory that\nhas already been freed as it will return:\n\n strscpy(module_name, mod_map-\u003emod-\u003ename, MODULE_NAME_LEN);\n\nWhere the \"mod\" no longer exists and triggers a UAF bug."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:26:12.936Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d064c68781c19f378af1ae741d9132d35d24b2bb"
},
{
"url": "https://git.kernel.org/stable/c/8690cd3258455bbae64f809e1d3ee0f043661c71"
},
{
"url": "https://git.kernel.org/stable/c/6805582abb720681dd1c87ff677f155dcf4e86c9"
},
{
"url": "https://git.kernel.org/stable/c/03a162933c4a03b9f1a84f7d8482903c7e1e11bb"
},
{
"url": "https://git.kernel.org/stable/c/83a692a9792aa86249d68a8ac0b9d55ecdd255fa"
},
{
"url": "https://git.kernel.org/stable/c/8e89c17dc8970c5f71a3a991f5724d4c8de42d8c"
},
{
"url": "https://git.kernel.org/stable/c/f78a786ad9a5443a29eef4dae60cde85b7375129"
},
{
"url": "https://git.kernel.org/stable/c/f914b52c379c12288b7623bb814d0508dbe7481d"
}
],
"title": "ftrace: Fix UAF when lookup kallsym after ftrace disabled",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38346",
"datePublished": "2025-07-10T08:15:14.290Z",
"dateReserved": "2025-04-16T04:51:24.006Z",
"dateUpdated": "2026-05-11T21:26:12.936Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-38348 (GCVE-0-2025-38348)
Vulnerability from cvelistv5 – Published: 2025-07-10 08:15 – Updated: 2026-05-11 21:26
VLAI
EPSS
Title
wifi: p54: prevent buffer-overflow in p54_rx_eeprom_readback()
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: p54: prevent buffer-overflow in p54_rx_eeprom_readback()
Robert Morris reported:
|If a malicious USB device pretends to be an Intersil p54 wifi
|interface and generates an eeprom_readback message with a large
|eeprom->v1.len, p54_rx_eeprom_readback() will copy data from the
|message beyond the end of priv->eeprom.
|
|static void p54_rx_eeprom_readback(struct p54_common *priv,
| struct sk_buff *skb)
|{
| struct p54_hdr *hdr = (struct p54_hdr *) skb->data;
| struct p54_eeprom_lm86 *eeprom = (struct p54_eeprom_lm86 *) hdr->data;
|
| if (priv->fw_var >= 0x509) {
| memcpy(priv->eeprom, eeprom->v2.data,
| le16_to_cpu(eeprom->v2.len));
| } else {
| memcpy(priv->eeprom, eeprom->v1.data,
| le16_to_cpu(eeprom->v1.len));
| }
| [...]
The eeprom->v{1,2}.len is set by the driver in p54_download_eeprom().
The device is supposed to provide the same length back to the driver.
But yes, it's possible (like shown in the report) to alter the value
to something that causes a crash/panic due to overrun.
This patch addresses the issue by adding the size to the common device
context, so p54_rx_eeprom_readback no longer relies on possibly tampered
values... That said, it also checks if the "firmware" altered the value
and no longer copies them.
The one, small saving grace is: Before the driver tries to read the eeprom,
it needs to upload >a< firmware. the vendor firmware has a proprietary
license and as a reason, it is not present on most distributions by
default.
Severity
No CVSS data available.
Assigner
References
10 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
7cb770729ba895f73253dfcd46c3fcba45d896f9 , < 12134f79e53eb56b0b0b7447fa0c512acf6a8422
(git)
Affected: 7cb770729ba895f73253dfcd46c3fcba45d896f9 , < 9701f842031b825e2fd5f22d064166f8f13f6e4d (git) Affected: 7cb770729ba895f73253dfcd46c3fcba45d896f9 , < 1f7f8168abe8cbe845ab8bb557228d44784a6b57 (git) Affected: 7cb770729ba895f73253dfcd46c3fcba45d896f9 , < f39b2f8c1549a539846e083790fad396ef6cd802 (git) Affected: 7cb770729ba895f73253dfcd46c3fcba45d896f9 , < 0e4dc150423b829c35cbcf399481ca11594fc036 (git) Affected: 7cb770729ba895f73253dfcd46c3fcba45d896f9 , < 6d05390d20f110de37d051a3e063ef0a542d01fb (git) Affected: 7cb770729ba895f73253dfcd46c3fcba45d896f9 , < 714afb4c38edd19a057d519c1f9c5d164b43de94 (git) Affected: 7cb770729ba895f73253dfcd46c3fcba45d896f9 , < da1b9a55ff116cb040528ef664c70a4eec03ae99 (git) |
|
| Linux | Linux |
Affected:
2.6.28
Unaffected: 0 , < 2.6.28 (semver) Unaffected: 5.4.295 , ≤ 5.4.* (semver) Unaffected: 5.10.239 , ≤ 5.10.* (semver) Unaffected: 5.15.186 , ≤ 5.15.* (semver) Unaffected: 6.1.142 , ≤ 6.1.* (semver) Unaffected: 6.6.95 , ≤ 6.6.* (semver) Unaffected: 6.12.35 , ≤ 6.12.* (semver) Unaffected: 6.15.4 , ≤ 6.15.* (semver) Unaffected: 6.16 , ≤ * (original_commit_for_fix) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:36:58.983Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/intersil/p54/fwio.c",
"drivers/net/wireless/intersil/p54/p54.h",
"drivers/net/wireless/intersil/p54/txrx.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "12134f79e53eb56b0b0b7447fa0c512acf6a8422",
"status": "affected",
"version": "7cb770729ba895f73253dfcd46c3fcba45d896f9",
"versionType": "git"
},
{
"lessThan": "9701f842031b825e2fd5f22d064166f8f13f6e4d",
"status": "affected",
"version": "7cb770729ba895f73253dfcd46c3fcba45d896f9",
"versionType": "git"
},
{
"lessThan": "1f7f8168abe8cbe845ab8bb557228d44784a6b57",
"status": "affected",
"version": "7cb770729ba895f73253dfcd46c3fcba45d896f9",
"versionType": "git"
},
{
"lessThan": "f39b2f8c1549a539846e083790fad396ef6cd802",
"status": "affected",
"version": "7cb770729ba895f73253dfcd46c3fcba45d896f9",
"versionType": "git"
},
{
"lessThan": "0e4dc150423b829c35cbcf399481ca11594fc036",
"status": "affected",
"version": "7cb770729ba895f73253dfcd46c3fcba45d896f9",
"versionType": "git"
},
{
"lessThan": "6d05390d20f110de37d051a3e063ef0a542d01fb",
"status": "affected",
"version": "7cb770729ba895f73253dfcd46c3fcba45d896f9",
"versionType": "git"
},
{
"lessThan": "714afb4c38edd19a057d519c1f9c5d164b43de94",
"status": "affected",
"version": "7cb770729ba895f73253dfcd46c3fcba45d896f9",
"versionType": "git"
},
{
"lessThan": "da1b9a55ff116cb040528ef664c70a4eec03ae99",
"status": "affected",
"version": "7cb770729ba895f73253dfcd46c3fcba45d896f9",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/intersil/p54/fwio.c",
"drivers/net/wireless/intersil/p54/p54.h",
"drivers/net/wireless/intersil/p54/txrx.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.28"
},
{
"lessThan": "2.6.28",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.295",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.239",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.186",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.142",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.95",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.35",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.16",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.295",
"versionStartIncluding": "2.6.28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.239",
"versionStartIncluding": "2.6.28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.186",
"versionStartIncluding": "2.6.28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.142",
"versionStartIncluding": "2.6.28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.95",
"versionStartIncluding": "2.6.28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.35",
"versionStartIncluding": "2.6.28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.4",
"versionStartIncluding": "2.6.28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16",
"versionStartIncluding": "2.6.28",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: p54: prevent buffer-overflow in p54_rx_eeprom_readback()\n\nRobert Morris reported:\n\n|If a malicious USB device pretends to be an Intersil p54 wifi\n|interface and generates an eeprom_readback message with a large\n|eeprom-\u003ev1.len, p54_rx_eeprom_readback() will copy data from the\n|message beyond the end of priv-\u003eeeprom.\n|\n|static void p54_rx_eeprom_readback(struct p54_common *priv,\n| struct sk_buff *skb)\n|{\n| struct p54_hdr *hdr = (struct p54_hdr *) skb-\u003edata;\n| struct p54_eeprom_lm86 *eeprom = (struct p54_eeprom_lm86 *) hdr-\u003edata;\n|\n| if (priv-\u003efw_var \u003e= 0x509) {\n| memcpy(priv-\u003eeeprom, eeprom-\u003ev2.data,\n| le16_to_cpu(eeprom-\u003ev2.len));\n| } else {\n| memcpy(priv-\u003eeeprom, eeprom-\u003ev1.data,\n| le16_to_cpu(eeprom-\u003ev1.len));\n| }\n| [...]\n\nThe eeprom-\u003ev{1,2}.len is set by the driver in p54_download_eeprom().\nThe device is supposed to provide the same length back to the driver.\nBut yes, it\u0027s possible (like shown in the report) to alter the value\nto something that causes a crash/panic due to overrun.\n\nThis patch addresses the issue by adding the size to the common device\ncontext, so p54_rx_eeprom_readback no longer relies on possibly tampered\nvalues... That said, it also checks if the \"firmware\" altered the value\nand no longer copies them.\n\nThe one, small saving grace is: Before the driver tries to read the eeprom,\nit needs to upload \u003ea\u003c firmware. the vendor firmware has a proprietary\nlicense and as a reason, it is not present on most distributions by\ndefault."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:26:15.183Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/12134f79e53eb56b0b0b7447fa0c512acf6a8422"
},
{
"url": "https://git.kernel.org/stable/c/9701f842031b825e2fd5f22d064166f8f13f6e4d"
},
{
"url": "https://git.kernel.org/stable/c/1f7f8168abe8cbe845ab8bb557228d44784a6b57"
},
{
"url": "https://git.kernel.org/stable/c/f39b2f8c1549a539846e083790fad396ef6cd802"
},
{
"url": "https://git.kernel.org/stable/c/0e4dc150423b829c35cbcf399481ca11594fc036"
},
{
"url": "https://git.kernel.org/stable/c/6d05390d20f110de37d051a3e063ef0a542d01fb"
},
{
"url": "https://git.kernel.org/stable/c/714afb4c38edd19a057d519c1f9c5d164b43de94"
},
{
"url": "https://git.kernel.org/stable/c/da1b9a55ff116cb040528ef664c70a4eec03ae99"
}
],
"title": "wifi: p54: prevent buffer-overflow in p54_rx_eeprom_readback()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38348",
"datePublished": "2025-07-10T08:15:15.883Z",
"dateReserved": "2025-04-16T04:51:24.006Z",
"dateUpdated": "2026-05-11T21:26:15.183Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-38352 (GCVE-0-2025-38352)
Vulnerability from cvelistv5 – Published: 2025-07-22 08:04 – Updated: 2026-05-11 21:26
VLAI
EPSS
Title
posix-cpu-timers: fix race between handle_posix_cpu_timers() and posix_cpu_timer_del()
Summary
In the Linux kernel, the following vulnerability has been resolved:
posix-cpu-timers: fix race between handle_posix_cpu_timers() and posix_cpu_timer_del()
If an exiting non-autoreaping task has already passed exit_notify() and
calls handle_posix_cpu_timers() from IRQ, it can be reaped by its parent
or debugger right after unlock_task_sighand().
If a concurrent posix_cpu_timer_del() runs at that moment, it won't be
able to detect timer->it.cpu.firing != 0: cpu_timer_task_rcu() and/or
lock_task_sighand() will fail.
Add the tsk->exit_state check into run_posix_cpu_timers() to fix this.
This fix is not needed if CONFIG_POSIX_CPU_TIMERS_TASK_WORK=y, because
exit_task_work() is called before exit_notify(). But the check still
makes sense, task_work_add(&tsk->posix_cputimers_work.work) will fail
anyway in this case.
Severity
7.4 (High)
SSVC
Exploitation: active
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-367 - Time-of-check Time-of-use (TOCTOU) Race Condition
Assigner
References
12 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
0bdd2ed4138ec04e09b4f8165981efc99e439f55 , < 78a4b8e3795b31dae58762bc091bb0f4f74a2200
(git)
Affected: 0bdd2ed4138ec04e09b4f8165981efc99e439f55 , < c076635b3a42771ace7d276de8dc3bc76ee2ba1b (git) Affected: 0bdd2ed4138ec04e09b4f8165981efc99e439f55 , < 2f3daa04a9328220de46f0d5c919a6c0073a9f0b (git) Affected: 0bdd2ed4138ec04e09b4f8165981efc99e439f55 , < 764a7a5dfda23f69919441f2eac2a83e7db6e5bb (git) Affected: 0bdd2ed4138ec04e09b4f8165981efc99e439f55 , < 2c72fe18cc5f9f1750f5bc148cf1c94c29e106ff (git) Affected: 0bdd2ed4138ec04e09b4f8165981efc99e439f55 , < c29d5318708e67ac13c1b6fc1007d179fb65b4d7 (git) Affected: 0bdd2ed4138ec04e09b4f8165981efc99e439f55 , < 460188bc042a3f40f72d34b9f7fc6ee66b0b757b (git) Affected: 0bdd2ed4138ec04e09b4f8165981efc99e439f55 , < f90fff1e152dedf52b932240ebbd670d83330eca (git) |
|
| Linux | Linux |
Affected:
2.6.36
Unaffected: 0 , < 2.6.36 (semver) Unaffected: 5.4.295 , ≤ 5.4.* (semver) Unaffected: 5.10.239 , ≤ 5.10.* (semver) Unaffected: 5.15.186 , ≤ 5.15.* (semver) Unaffected: 6.1.142 , ≤ 6.1.* (semver) Unaffected: 6.6.94 , ≤ 6.6.* (semver) Unaffected: 6.12.34 , ≤ 6.12.* (semver) Unaffected: 6.15.3 , ≤ 6.15.* (semver) Unaffected: 6.16 , ≤ * (original_commit_for_fix) |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-38352",
"options": [
{
"Exploitation": "active"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-05T03:55:31.566379Z",
"version": "2.0.3"
},
"type": "ssvc"
}
},
{
"other": {
"content": {
"dateAdded": "2025-09-04",
"reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-38352"
},
"type": "kev"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-367",
"description": "CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-26T17:50:25.787Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"government-resource"
],
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-38352"
},
{
"tags": [
"exploit"
],
"url": "https://github.com/farazsth98/chronomaly"
}
],
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:37:02.965Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/time/posix-cpu-timers.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "78a4b8e3795b31dae58762bc091bb0f4f74a2200",
"status": "affected",
"version": "0bdd2ed4138ec04e09b4f8165981efc99e439f55",
"versionType": "git"
},
{
"lessThan": "c076635b3a42771ace7d276de8dc3bc76ee2ba1b",
"status": "affected",
"version": "0bdd2ed4138ec04e09b4f8165981efc99e439f55",
"versionType": "git"
},
{
"lessThan": "2f3daa04a9328220de46f0d5c919a6c0073a9f0b",
"status": "affected",
"version": "0bdd2ed4138ec04e09b4f8165981efc99e439f55",
"versionType": "git"
},
{
"lessThan": "764a7a5dfda23f69919441f2eac2a83e7db6e5bb",
"status": "affected",
"version": "0bdd2ed4138ec04e09b4f8165981efc99e439f55",
"versionType": "git"
},
{
"lessThan": "2c72fe18cc5f9f1750f5bc148cf1c94c29e106ff",
"status": "affected",
"version": "0bdd2ed4138ec04e09b4f8165981efc99e439f55",
"versionType": "git"
},
{
"lessThan": "c29d5318708e67ac13c1b6fc1007d179fb65b4d7",
"status": "affected",
"version": "0bdd2ed4138ec04e09b4f8165981efc99e439f55",
"versionType": "git"
},
{
"lessThan": "460188bc042a3f40f72d34b9f7fc6ee66b0b757b",
"status": "affected",
"version": "0bdd2ed4138ec04e09b4f8165981efc99e439f55",
"versionType": "git"
},
{
"lessThan": "f90fff1e152dedf52b932240ebbd670d83330eca",
"status": "affected",
"version": "0bdd2ed4138ec04e09b4f8165981efc99e439f55",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/time/posix-cpu-timers.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.36"
},
{
"lessThan": "2.6.36",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.295",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.239",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.186",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.142",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.94",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.34",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.16",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.295",
"versionStartIncluding": "2.6.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.239",
"versionStartIncluding": "2.6.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.186",
"versionStartIncluding": "2.6.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.142",
"versionStartIncluding": "2.6.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.94",
"versionStartIncluding": "2.6.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.34",
"versionStartIncluding": "2.6.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.3",
"versionStartIncluding": "2.6.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16",
"versionStartIncluding": "2.6.36",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nposix-cpu-timers: fix race between handle_posix_cpu_timers() and posix_cpu_timer_del()\n\nIf an exiting non-autoreaping task has already passed exit_notify() and\ncalls handle_posix_cpu_timers() from IRQ, it can be reaped by its parent\nor debugger right after unlock_task_sighand().\n\nIf a concurrent posix_cpu_timer_del() runs at that moment, it won\u0027t be\nable to detect timer-\u003eit.cpu.firing != 0: cpu_timer_task_rcu() and/or\nlock_task_sighand() will fail.\n\nAdd the tsk-\u003eexit_state check into run_posix_cpu_timers() to fix this.\n\nThis fix is not needed if CONFIG_POSIX_CPU_TIMERS_TASK_WORK=y, because\nexit_task_work() is called before exit_notify(). But the check still\nmakes sense, task_work_add(\u0026tsk-\u003eposix_cputimers_work.work) will fail\nanyway in this case."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:26:19.732Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/78a4b8e3795b31dae58762bc091bb0f4f74a2200"
},
{
"url": "https://git.kernel.org/stable/c/c076635b3a42771ace7d276de8dc3bc76ee2ba1b"
},
{
"url": "https://git.kernel.org/stable/c/2f3daa04a9328220de46f0d5c919a6c0073a9f0b"
},
{
"url": "https://git.kernel.org/stable/c/764a7a5dfda23f69919441f2eac2a83e7db6e5bb"
},
{
"url": "https://git.kernel.org/stable/c/2c72fe18cc5f9f1750f5bc148cf1c94c29e106ff"
},
{
"url": "https://git.kernel.org/stable/c/c29d5318708e67ac13c1b6fc1007d179fb65b4d7"
},
{
"url": "https://git.kernel.org/stable/c/460188bc042a3f40f72d34b9f7fc6ee66b0b757b"
},
{
"url": "https://git.kernel.org/stable/c/f90fff1e152dedf52b932240ebbd670d83330eca"
}
],
"title": "posix-cpu-timers: fix race between handle_posix_cpu_timers() and posix_cpu_timer_del()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38352",
"datePublished": "2025-07-22T08:04:25.277Z",
"dateReserved": "2025-04-16T04:51:24.006Z",
"dateUpdated": "2026-05-11T21:26:19.732Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-38362 (GCVE-0-2025-38362)
Vulnerability from cvelistv5 – Published: 2025-07-25 12:47 – Updated: 2026-05-11 21:26
VLAI
EPSS
Title
drm/amd/display: Add null pointer check for get_first_active_display()
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/amd/display: Add null pointer check for get_first_active_display()
The function mod_hdcp_hdcp1_enable_encryption() calls the function
get_first_active_display(), but does not check its return value.
The return value is a null pointer if the display list is empty.
This will lead to a null pointer dereference in
mod_hdcp_hdcp2_enable_encryption().
Add a null pointer check for get_first_active_display() and return
MOD_HDCP_STATUS_DISPLAY_NOT_FOUND if the function return null.
Severity
No CVSS data available.
Assigner
References
7 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
2deade5ede56581722c0d7672f28b09548dc0fc4 , < 34d3e10ab905f06445f8dbd8a3d9697095e71bae
(git)
Affected: 2deade5ede56581722c0d7672f28b09548dc0fc4 , < 1ebcdf38887949def1a553ff3e45c98ed95a3cd0 (git) Affected: 2deade5ede56581722c0d7672f28b09548dc0fc4 , < 5148c7ea69e9c5bf2f05081190f45ba96d3d1e7a (git) Affected: 2deade5ede56581722c0d7672f28b09548dc0fc4 , < 4ce9f2dc9ff7cc410e8c5d936ec551e26b9599a9 (git) Affected: 2deade5ede56581722c0d7672f28b09548dc0fc4 , < b3005145eab98d36777660b8893466e4f630ae1c (git) Affected: 2deade5ede56581722c0d7672f28b09548dc0fc4 , < c3e9826a22027a21d998d3e64882fa377b613006 (git) |
|
| Linux | Linux |
Affected:
5.8
Unaffected: 0 , < 5.8 (semver) Unaffected: 5.15.187 , ≤ 5.15.* (semver) Unaffected: 6.1.143 , ≤ 6.1.* (semver) Unaffected: 6.6.96 , ≤ 6.6.* (semver) Unaffected: 6.12.36 , ≤ 6.12.* (semver) Unaffected: 6.15.5 , ≤ 6.15.* (semver) Unaffected: 6.16 , ≤ * (original_commit_for_fix) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:37:04.845Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/display/modules/hdcp/hdcp_psp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "34d3e10ab905f06445f8dbd8a3d9697095e71bae",
"status": "affected",
"version": "2deade5ede56581722c0d7672f28b09548dc0fc4",
"versionType": "git"
},
{
"lessThan": "1ebcdf38887949def1a553ff3e45c98ed95a3cd0",
"status": "affected",
"version": "2deade5ede56581722c0d7672f28b09548dc0fc4",
"versionType": "git"
},
{
"lessThan": "5148c7ea69e9c5bf2f05081190f45ba96d3d1e7a",
"status": "affected",
"version": "2deade5ede56581722c0d7672f28b09548dc0fc4",
"versionType": "git"
},
{
"lessThan": "4ce9f2dc9ff7cc410e8c5d936ec551e26b9599a9",
"status": "affected",
"version": "2deade5ede56581722c0d7672f28b09548dc0fc4",
"versionType": "git"
},
{
"lessThan": "b3005145eab98d36777660b8893466e4f630ae1c",
"status": "affected",
"version": "2deade5ede56581722c0d7672f28b09548dc0fc4",
"versionType": "git"
},
{
"lessThan": "c3e9826a22027a21d998d3e64882fa377b613006",
"status": "affected",
"version": "2deade5ede56581722c0d7672f28b09548dc0fc4",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/display/modules/hdcp/hdcp_psp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.8"
},
{
"lessThan": "5.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.187",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.143",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.96",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.36",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.16",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.187",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.143",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.96",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.36",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.5",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16",
"versionStartIncluding": "5.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Add null pointer check for get_first_active_display()\n\nThe function mod_hdcp_hdcp1_enable_encryption() calls the function\nget_first_active_display(), but does not check its return value.\nThe return value is a null pointer if the display list is empty.\nThis will lead to a null pointer dereference in\nmod_hdcp_hdcp2_enable_encryption().\n\nAdd a null pointer check for get_first_active_display() and return\nMOD_HDCP_STATUS_DISPLAY_NOT_FOUND if the function return null."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:26:31.259Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/34d3e10ab905f06445f8dbd8a3d9697095e71bae"
},
{
"url": "https://git.kernel.org/stable/c/1ebcdf38887949def1a553ff3e45c98ed95a3cd0"
},
{
"url": "https://git.kernel.org/stable/c/5148c7ea69e9c5bf2f05081190f45ba96d3d1e7a"
},
{
"url": "https://git.kernel.org/stable/c/4ce9f2dc9ff7cc410e8c5d936ec551e26b9599a9"
},
{
"url": "https://git.kernel.org/stable/c/b3005145eab98d36777660b8893466e4f630ae1c"
},
{
"url": "https://git.kernel.org/stable/c/c3e9826a22027a21d998d3e64882fa377b613006"
}
],
"title": "drm/amd/display: Add null pointer check for get_first_active_display()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38362",
"datePublished": "2025-07-25T12:47:33.035Z",
"dateReserved": "2025-04-16T04:51:24.008Z",
"dateUpdated": "2026-05-11T21:26:31.259Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-38363 (GCVE-0-2025-38363)
Vulnerability from cvelistv5 – Published: 2025-07-25 12:47 – Updated: 2026-05-11 21:26
VLAI
EPSS
Title
drm/tegra: Fix a possible null pointer dereference
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/tegra: Fix a possible null pointer dereference
In tegra_crtc_reset(), new memory is allocated with kzalloc(), but
no check is performed. Before calling __drm_atomic_helper_crtc_reset,
state should be checked to prevent possible null pointer dereference.
Severity
No CVSS data available.
Assigner
References
9 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
b7e0b04ae450a0f2f73c376c3057fb05d798e33c , < ab390ab81241cf8bf37c0a0ac2e9c6606bf3e991
(git)
Affected: b7e0b04ae450a0f2f73c376c3057fb05d798e33c , < c7fc459ae6f988e0d5045a270bd600ab08bc61f1 (git) Affected: b7e0b04ae450a0f2f73c376c3057fb05d798e33c , < 99a25fc7933b88d5e16668bf6ba2d098e1754406 (git) Affected: b7e0b04ae450a0f2f73c376c3057fb05d798e33c , < 5ff3636bcc32e1cb747f6f820bcf2bb6990a7d41 (git) Affected: b7e0b04ae450a0f2f73c376c3057fb05d798e33c , < 31ac2c680a8ac11dc54a5b339a07e138bcedd924 (git) Affected: b7e0b04ae450a0f2f73c376c3057fb05d798e33c , < ac4ca634f0c9f227538711d725339293f7047b02 (git) Affected: b7e0b04ae450a0f2f73c376c3057fb05d798e33c , < 780351a5f61416ed2ba1199cc57e4a076fca644d (git) |
|
| Linux | Linux |
Affected:
5.3
Unaffected: 0 , < 5.3 (semver) Unaffected: 5.10.240 , ≤ 5.10.* (semver) Unaffected: 5.15.187 , ≤ 5.15.* (semver) Unaffected: 6.1.143 , ≤ 6.1.* (semver) Unaffected: 6.6.96 , ≤ 6.6.* (semver) Unaffected: 6.12.36 , ≤ 6.12.* (semver) Unaffected: 6.15.5 , ≤ 6.15.* (semver) Unaffected: 6.16 , ≤ * (original_commit_for_fix) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:37:06.729Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/tegra/dc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ab390ab81241cf8bf37c0a0ac2e9c6606bf3e991",
"status": "affected",
"version": "b7e0b04ae450a0f2f73c376c3057fb05d798e33c",
"versionType": "git"
},
{
"lessThan": "c7fc459ae6f988e0d5045a270bd600ab08bc61f1",
"status": "affected",
"version": "b7e0b04ae450a0f2f73c376c3057fb05d798e33c",
"versionType": "git"
},
{
"lessThan": "99a25fc7933b88d5e16668bf6ba2d098e1754406",
"status": "affected",
"version": "b7e0b04ae450a0f2f73c376c3057fb05d798e33c",
"versionType": "git"
},
{
"lessThan": "5ff3636bcc32e1cb747f6f820bcf2bb6990a7d41",
"status": "affected",
"version": "b7e0b04ae450a0f2f73c376c3057fb05d798e33c",
"versionType": "git"
},
{
"lessThan": "31ac2c680a8ac11dc54a5b339a07e138bcedd924",
"status": "affected",
"version": "b7e0b04ae450a0f2f73c376c3057fb05d798e33c",
"versionType": "git"
},
{
"lessThan": "ac4ca634f0c9f227538711d725339293f7047b02",
"status": "affected",
"version": "b7e0b04ae450a0f2f73c376c3057fb05d798e33c",
"versionType": "git"
},
{
"lessThan": "780351a5f61416ed2ba1199cc57e4a076fca644d",
"status": "affected",
"version": "b7e0b04ae450a0f2f73c376c3057fb05d798e33c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/tegra/dc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.3"
},
{
"lessThan": "5.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.240",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.187",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.143",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.96",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.36",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.16",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.240",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.187",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.143",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.96",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.36",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.5",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16",
"versionStartIncluding": "5.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/tegra: Fix a possible null pointer dereference\n\nIn tegra_crtc_reset(), new memory is allocated with kzalloc(), but\nno check is performed. Before calling __drm_atomic_helper_crtc_reset,\nstate should be checked to prevent possible null pointer dereference."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:26:32.438Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ab390ab81241cf8bf37c0a0ac2e9c6606bf3e991"
},
{
"url": "https://git.kernel.org/stable/c/c7fc459ae6f988e0d5045a270bd600ab08bc61f1"
},
{
"url": "https://git.kernel.org/stable/c/99a25fc7933b88d5e16668bf6ba2d098e1754406"
},
{
"url": "https://git.kernel.org/stable/c/5ff3636bcc32e1cb747f6f820bcf2bb6990a7d41"
},
{
"url": "https://git.kernel.org/stable/c/31ac2c680a8ac11dc54a5b339a07e138bcedd924"
},
{
"url": "https://git.kernel.org/stable/c/ac4ca634f0c9f227538711d725339293f7047b02"
},
{
"url": "https://git.kernel.org/stable/c/780351a5f61416ed2ba1199cc57e4a076fca644d"
}
],
"title": "drm/tegra: Fix a possible null pointer dereference",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38363",
"datePublished": "2025-07-25T12:47:33.751Z",
"dateReserved": "2025-04-16T04:51:24.008Z",
"dateUpdated": "2026-05-11T21:26:32.438Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-38371 (GCVE-0-2025-38371)
Vulnerability from cvelistv5 – Published: 2025-07-25 12:53 – Updated: 2026-05-11 21:26
VLAI
EPSS
Title
drm/v3d: Disable interrupts before resetting the GPU
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/v3d: Disable interrupts before resetting the GPU
Currently, an interrupt can be triggered during a GPU reset, which can
lead to GPU hangs and NULL pointer dereference in an interrupt context
as shown in the following trace:
[ 314.035040] Unable to handle kernel NULL pointer dereference at virtual address 00000000000000c0
[ 314.043822] Mem abort info:
[ 314.046606] ESR = 0x0000000096000005
[ 314.050347] EC = 0x25: DABT (current EL), IL = 32 bits
[ 314.055651] SET = 0, FnV = 0
[ 314.058695] EA = 0, S1PTW = 0
[ 314.061826] FSC = 0x05: level 1 translation fault
[ 314.066694] Data abort info:
[ 314.069564] ISV = 0, ISS = 0x00000005, ISS2 = 0x00000000
[ 314.075039] CM = 0, WnR = 0, TnD = 0, TagAccess = 0
[ 314.080080] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
[ 314.085382] user pgtable: 4k pages, 39-bit VAs, pgdp=0000000102728000
[ 314.091814] [00000000000000c0] pgd=0000000000000000, p4d=0000000000000000, pud=0000000000000000
[ 314.100511] Internal error: Oops: 0000000096000005 [#1] PREEMPT SMP
[ 314.106770] Modules linked in: v3d i2c_brcmstb vc4 snd_soc_hdmi_codec gpu_sched drm_shmem_helper drm_display_helper cec drm_dma_helper drm_kms_helper drm drm_panel_orientation_quirks snd_soc_core snd_compress snd_pcm_dmaengine snd_pcm snd_timer snd backlight
[ 314.129654] CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.12.25+rpt-rpi-v8 #1 Debian 1:6.12.25-1+rpt1
[ 314.139388] Hardware name: Raspberry Pi 4 Model B Rev 1.4 (DT)
[ 314.145211] pstate: 600000c5 (nZCv daIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[ 314.152165] pc : v3d_irq+0xec/0x2e0 [v3d]
[ 314.156187] lr : v3d_irq+0xe0/0x2e0 [v3d]
[ 314.160198] sp : ffffffc080003ea0
[ 314.163502] x29: ffffffc080003ea0 x28: ffffffec1f184980 x27: 021202b000000000
[ 314.170633] x26: ffffffec1f17f630 x25: ffffff8101372000 x24: ffffffec1f17d9f0
[ 314.177764] x23: 000000000000002a x22: 000000000000002a x21: ffffff8103252000
[ 314.184895] x20: 0000000000000001 x19: 00000000deadbeef x18: 0000000000000000
[ 314.192026] x17: ffffff94e51d2000 x16: ffffffec1dac3cb0 x15: c306000000000000
[ 314.199156] x14: 0000000000000000 x13: b2fc982e03cc5168 x12: 0000000000000001
[ 314.206286] x11: ffffff8103f8bcc0 x10: ffffffec1f196868 x9 : ffffffec1dac3874
[ 314.213416] x8 : 0000000000000000 x7 : 0000000000042a3a x6 : ffffff810017a180
[ 314.220547] x5 : ffffffec1ebad400 x4 : ffffffec1ebad320 x3 : 00000000000bebeb
[ 314.227677] x2 : 0000000000000000 x1 : 0000000000000000 x0 : 0000000000000000
[ 314.234807] Call trace:
[ 314.237243] v3d_irq+0xec/0x2e0 [v3d]
[ 314.240906] __handle_irq_event_percpu+0x58/0x218
[ 314.245609] handle_irq_event+0x54/0xb8
[ 314.249439] handle_fasteoi_irq+0xac/0x240
[ 314.253527] handle_irq_desc+0x48/0x68
[ 314.257269] generic_handle_domain_irq+0x24/0x38
[ 314.261879] gic_handle_irq+0x48/0xd8
[ 314.265533] call_on_irq_stack+0x24/0x58
[ 314.269448] do_interrupt_handler+0x88/0x98
[ 314.273624] el1_interrupt+0x34/0x68
[ 314.277193] el1h_64_irq_handler+0x18/0x28
[ 314.281281] el1h_64_irq+0x64/0x68
[ 314.284673] default_idle_call+0x3c/0x168
[ 314.288675] do_idle+0x1fc/0x230
[ 314.291895] cpu_startup_entry+0x3c/0x50
[ 314.295810] rest_init+0xe4/0xf0
[ 314.299030] start_kernel+0x5e8/0x790
[ 314.302684] __primary_switched+0x80/0x90
[ 314.306691] Code: 940029eb 360ffc13 f9442ea0 52800001 (f9406017)
[ 314.312775] ---[ end trace 0000000000000000 ]---
[ 314.317384] Kernel panic - not syncing: Oops: Fatal exception in interrupt
[ 314.324249] SMP: stopping secondary CPUs
[ 314.328167] Kernel Offset: 0x2b9da00000 from 0xffffffc080000000
[ 314.334076] PHYS_OFFSET: 0x0
[ 314.336946] CPU features: 0x08,00002013,c0200000,0200421b
[ 314.342337] Memory Limit: none
[ 314.345382] ---[ end Kernel panic - not syncing: Oops: Fatal exception in interrupt ]---
Before resetting the G
---truncated---
Severity
No CVSS data available.
Assigner
References
10 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
57692c94dcbe99a1e0444409a3da13fb3443562c , < b9c403d1236cecb10dd0246a30d81e4b265f8e8d
(git)
Affected: 57692c94dcbe99a1e0444409a3da13fb3443562c , < 2446e25e9246e0642a41d91cbf54c33b275da3c3 (git) Affected: 57692c94dcbe99a1e0444409a3da13fb3443562c , < 576a6739e08ac06c67f2916f71204557232388b0 (git) Affected: 57692c94dcbe99a1e0444409a3da13fb3443562c , < c8851a6ab19d9f390677c42a3cc01ff9b2eb6241 (git) Affected: 57692c94dcbe99a1e0444409a3da13fb3443562c , < 387da3b6d1a90e3210bc9a7fb56703bdad2ac18a (git) Affected: 57692c94dcbe99a1e0444409a3da13fb3443562c , < 9ff95ed0371aec4d9617e478e9c69cde86cd7c38 (git) Affected: 57692c94dcbe99a1e0444409a3da13fb3443562c , < dc805c927cd832bb8f790b756880ae6c769d5fbc (git) Affected: 57692c94dcbe99a1e0444409a3da13fb3443562c , < 226862f50a7a88e4e4de9abbf36c64d19acd6fd0 (git) |
|
| Linux | Linux |
Affected:
4.18
Unaffected: 0 , < 4.18 (semver) Unaffected: 5.4.296 , ≤ 5.4.* (semver) Unaffected: 5.10.240 , ≤ 5.10.* (semver) Unaffected: 5.15.187 , ≤ 5.15.* (semver) Unaffected: 6.1.144 , ≤ 6.1.* (semver) Unaffected: 6.6.97 , ≤ 6.6.* (semver) Unaffected: 6.12.37 , ≤ 6.12.* (semver) Unaffected: 6.15.6 , ≤ 6.15.* (semver) Unaffected: 6.16 , ≤ * (original_commit_for_fix) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:37:10.513Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/v3d/v3d_drv.h",
"drivers/gpu/drm/v3d/v3d_gem.c",
"drivers/gpu/drm/v3d/v3d_irq.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b9c403d1236cecb10dd0246a30d81e4b265f8e8d",
"status": "affected",
"version": "57692c94dcbe99a1e0444409a3da13fb3443562c",
"versionType": "git"
},
{
"lessThan": "2446e25e9246e0642a41d91cbf54c33b275da3c3",
"status": "affected",
"version": "57692c94dcbe99a1e0444409a3da13fb3443562c",
"versionType": "git"
},
{
"lessThan": "576a6739e08ac06c67f2916f71204557232388b0",
"status": "affected",
"version": "57692c94dcbe99a1e0444409a3da13fb3443562c",
"versionType": "git"
},
{
"lessThan": "c8851a6ab19d9f390677c42a3cc01ff9b2eb6241",
"status": "affected",
"version": "57692c94dcbe99a1e0444409a3da13fb3443562c",
"versionType": "git"
},
{
"lessThan": "387da3b6d1a90e3210bc9a7fb56703bdad2ac18a",
"status": "affected",
"version": "57692c94dcbe99a1e0444409a3da13fb3443562c",
"versionType": "git"
},
{
"lessThan": "9ff95ed0371aec4d9617e478e9c69cde86cd7c38",
"status": "affected",
"version": "57692c94dcbe99a1e0444409a3da13fb3443562c",
"versionType": "git"
},
{
"lessThan": "dc805c927cd832bb8f790b756880ae6c769d5fbc",
"status": "affected",
"version": "57692c94dcbe99a1e0444409a3da13fb3443562c",
"versionType": "git"
},
{
"lessThan": "226862f50a7a88e4e4de9abbf36c64d19acd6fd0",
"status": "affected",
"version": "57692c94dcbe99a1e0444409a3da13fb3443562c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/v3d/v3d_drv.h",
"drivers/gpu/drm/v3d/v3d_gem.c",
"drivers/gpu/drm/v3d/v3d_irq.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.18"
},
{
"lessThan": "4.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.296",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.240",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.187",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.144",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.97",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.37",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.16",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.296",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.240",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.187",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.144",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.97",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.37",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.6",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16",
"versionStartIncluding": "4.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/v3d: Disable interrupts before resetting the GPU\n\nCurrently, an interrupt can be triggered during a GPU reset, which can\nlead to GPU hangs and NULL pointer dereference in an interrupt context\nas shown in the following trace:\n\n [ 314.035040] Unable to handle kernel NULL pointer dereference at virtual address 00000000000000c0\n [ 314.043822] Mem abort info:\n [ 314.046606] ESR = 0x0000000096000005\n [ 314.050347] EC = 0x25: DABT (current EL), IL = 32 bits\n [ 314.055651] SET = 0, FnV = 0\n [ 314.058695] EA = 0, S1PTW = 0\n [ 314.061826] FSC = 0x05: level 1 translation fault\n [ 314.066694] Data abort info:\n [ 314.069564] ISV = 0, ISS = 0x00000005, ISS2 = 0x00000000\n [ 314.075039] CM = 0, WnR = 0, TnD = 0, TagAccess = 0\n [ 314.080080] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\n [ 314.085382] user pgtable: 4k pages, 39-bit VAs, pgdp=0000000102728000\n [ 314.091814] [00000000000000c0] pgd=0000000000000000, p4d=0000000000000000, pud=0000000000000000\n [ 314.100511] Internal error: Oops: 0000000096000005 [#1] PREEMPT SMP\n [ 314.106770] Modules linked in: v3d i2c_brcmstb vc4 snd_soc_hdmi_codec gpu_sched drm_shmem_helper drm_display_helper cec drm_dma_helper drm_kms_helper drm drm_panel_orientation_quirks snd_soc_core snd_compress snd_pcm_dmaengine snd_pcm snd_timer snd backlight\n [ 314.129654] CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.12.25+rpt-rpi-v8 #1 Debian 1:6.12.25-1+rpt1\n [ 314.139388] Hardware name: Raspberry Pi 4 Model B Rev 1.4 (DT)\n [ 314.145211] pstate: 600000c5 (nZCv daIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n [ 314.152165] pc : v3d_irq+0xec/0x2e0 [v3d]\n [ 314.156187] lr : v3d_irq+0xe0/0x2e0 [v3d]\n [ 314.160198] sp : ffffffc080003ea0\n [ 314.163502] x29: ffffffc080003ea0 x28: ffffffec1f184980 x27: 021202b000000000\n [ 314.170633] x26: ffffffec1f17f630 x25: ffffff8101372000 x24: ffffffec1f17d9f0\n [ 314.177764] x23: 000000000000002a x22: 000000000000002a x21: ffffff8103252000\n [ 314.184895] x20: 0000000000000001 x19: 00000000deadbeef x18: 0000000000000000\n [ 314.192026] x17: ffffff94e51d2000 x16: ffffffec1dac3cb0 x15: c306000000000000\n [ 314.199156] x14: 0000000000000000 x13: b2fc982e03cc5168 x12: 0000000000000001\n [ 314.206286] x11: ffffff8103f8bcc0 x10: ffffffec1f196868 x9 : ffffffec1dac3874\n [ 314.213416] x8 : 0000000000000000 x7 : 0000000000042a3a x6 : ffffff810017a180\n [ 314.220547] x5 : ffffffec1ebad400 x4 : ffffffec1ebad320 x3 : 00000000000bebeb\n [ 314.227677] x2 : 0000000000000000 x1 : 0000000000000000 x0 : 0000000000000000\n [ 314.234807] Call trace:\n [ 314.237243] v3d_irq+0xec/0x2e0 [v3d]\n [ 314.240906] __handle_irq_event_percpu+0x58/0x218\n [ 314.245609] handle_irq_event+0x54/0xb8\n [ 314.249439] handle_fasteoi_irq+0xac/0x240\n [ 314.253527] handle_irq_desc+0x48/0x68\n [ 314.257269] generic_handle_domain_irq+0x24/0x38\n [ 314.261879] gic_handle_irq+0x48/0xd8\n [ 314.265533] call_on_irq_stack+0x24/0x58\n [ 314.269448] do_interrupt_handler+0x88/0x98\n [ 314.273624] el1_interrupt+0x34/0x68\n [ 314.277193] el1h_64_irq_handler+0x18/0x28\n [ 314.281281] el1h_64_irq+0x64/0x68\n [ 314.284673] default_idle_call+0x3c/0x168\n [ 314.288675] do_idle+0x1fc/0x230\n [ 314.291895] cpu_startup_entry+0x3c/0x50\n [ 314.295810] rest_init+0xe4/0xf0\n [ 314.299030] start_kernel+0x5e8/0x790\n [ 314.302684] __primary_switched+0x80/0x90\n [ 314.306691] Code: 940029eb 360ffc13 f9442ea0 52800001 (f9406017)\n [ 314.312775] ---[ end trace 0000000000000000 ]---\n [ 314.317384] Kernel panic - not syncing: Oops: Fatal exception in interrupt\n [ 314.324249] SMP: stopping secondary CPUs\n [ 314.328167] Kernel Offset: 0x2b9da00000 from 0xffffffc080000000\n [ 314.334076] PHYS_OFFSET: 0x0\n [ 314.336946] CPU features: 0x08,00002013,c0200000,0200421b\n [ 314.342337] Memory Limit: none\n [ 314.345382] ---[ end Kernel panic - not syncing: Oops: Fatal exception in interrupt ]---\n\nBefore resetting the G\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:26:41.753Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b9c403d1236cecb10dd0246a30d81e4b265f8e8d"
},
{
"url": "https://git.kernel.org/stable/c/2446e25e9246e0642a41d91cbf54c33b275da3c3"
},
{
"url": "https://git.kernel.org/stable/c/576a6739e08ac06c67f2916f71204557232388b0"
},
{
"url": "https://git.kernel.org/stable/c/c8851a6ab19d9f390677c42a3cc01ff9b2eb6241"
},
{
"url": "https://git.kernel.org/stable/c/387da3b6d1a90e3210bc9a7fb56703bdad2ac18a"
},
{
"url": "https://git.kernel.org/stable/c/9ff95ed0371aec4d9617e478e9c69cde86cd7c38"
},
{
"url": "https://git.kernel.org/stable/c/dc805c927cd832bb8f790b756880ae6c769d5fbc"
},
{
"url": "https://git.kernel.org/stable/c/226862f50a7a88e4e4de9abbf36c64d19acd6fd0"
}
],
"title": "drm/v3d: Disable interrupts before resetting the GPU",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38371",
"datePublished": "2025-07-25T12:53:14.292Z",
"dateReserved": "2025-04-16T04:51:24.009Z",
"dateUpdated": "2026-05-11T21:26:41.753Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-38375 (GCVE-0-2025-38375)
Vulnerability from cvelistv5 – Published: 2025-07-25 12:53 – Updated: 2026-05-11 21:26
VLAI
EPSS
Title
virtio-net: ensure the received length does not exceed allocated size
Summary
In the Linux kernel, the following vulnerability has been resolved:
virtio-net: ensure the received length does not exceed allocated size
In xdp_linearize_page, when reading the following buffers from the ring,
we forget to check the received length with the true allocate size. This
can lead to an out-of-bound read. This commit adds that missing check.
Severity
No CVSS data available.
Assigner
References
10 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
4941d472bf95b4345d6e38906fcf354e74afa311 , < 773e95c268b5d859f51f7547559734fd2a57660c
(git)
Affected: 4941d472bf95b4345d6e38906fcf354e74afa311 , < ddc8649d363141fb3371dd81a73e1cb4ef8ed1e1 (git) Affected: 4941d472bf95b4345d6e38906fcf354e74afa311 , < 982beb7582c193544eb9c6083937ec5ac1c9d651 (git) Affected: 4941d472bf95b4345d6e38906fcf354e74afa311 , < 6aca3dad2145e864dfe4d1060f45eb1bac75dd58 (git) Affected: 4941d472bf95b4345d6e38906fcf354e74afa311 , < 80b971be4c37a4d23a7f1abc5ff33dc7733d649b (git) Affected: 4941d472bf95b4345d6e38906fcf354e74afa311 , < bc68bc3563344ccdc57d1961457cdeecab8f81ef (git) Affected: 4941d472bf95b4345d6e38906fcf354e74afa311 , < 11f2d0e8be2b5e784ac45fa3da226492c3e506d8 (git) Affected: 4941d472bf95b4345d6e38906fcf354e74afa311 , < 315dbdd7cdf6aa533829774caaf4d25f1fd20e73 (git) |
|
| Linux | Linux |
Affected:
4.14
Unaffected: 0 , < 4.14 (semver) Unaffected: 5.4.297 , ≤ 5.4.* (semver) Unaffected: 5.10.241 , ≤ 5.10.* (semver) Unaffected: 5.15.189 , ≤ 5.15.* (semver) Unaffected: 6.1.144 , ≤ 6.1.* (semver) Unaffected: 6.6.97 , ≤ 6.6.* (semver) Unaffected: 6.12.37 , ≤ 6.12.* (semver) Unaffected: 6.15.6 , ≤ 6.15.* (semver) Unaffected: 6.16 , ≤ * (original_commit_for_fix) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:37:12.435Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/virtio_net.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "773e95c268b5d859f51f7547559734fd2a57660c",
"status": "affected",
"version": "4941d472bf95b4345d6e38906fcf354e74afa311",
"versionType": "git"
},
{
"lessThan": "ddc8649d363141fb3371dd81a73e1cb4ef8ed1e1",
"status": "affected",
"version": "4941d472bf95b4345d6e38906fcf354e74afa311",
"versionType": "git"
},
{
"lessThan": "982beb7582c193544eb9c6083937ec5ac1c9d651",
"status": "affected",
"version": "4941d472bf95b4345d6e38906fcf354e74afa311",
"versionType": "git"
},
{
"lessThan": "6aca3dad2145e864dfe4d1060f45eb1bac75dd58",
"status": "affected",
"version": "4941d472bf95b4345d6e38906fcf354e74afa311",
"versionType": "git"
},
{
"lessThan": "80b971be4c37a4d23a7f1abc5ff33dc7733d649b",
"status": "affected",
"version": "4941d472bf95b4345d6e38906fcf354e74afa311",
"versionType": "git"
},
{
"lessThan": "bc68bc3563344ccdc57d1961457cdeecab8f81ef",
"status": "affected",
"version": "4941d472bf95b4345d6e38906fcf354e74afa311",
"versionType": "git"
},
{
"lessThan": "11f2d0e8be2b5e784ac45fa3da226492c3e506d8",
"status": "affected",
"version": "4941d472bf95b4345d6e38906fcf354e74afa311",
"versionType": "git"
},
{
"lessThan": "315dbdd7cdf6aa533829774caaf4d25f1fd20e73",
"status": "affected",
"version": "4941d472bf95b4345d6e38906fcf354e74afa311",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/virtio_net.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.14"
},
{
"lessThan": "4.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.297",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.241",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.189",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.144",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.97",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.37",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.16",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.297",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.241",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.189",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.144",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.97",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.37",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.6",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16",
"versionStartIncluding": "4.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nvirtio-net: ensure the received length does not exceed allocated size\n\nIn xdp_linearize_page, when reading the following buffers from the ring,\nwe forget to check the received length with the true allocate size. This\ncan lead to an out-of-bound read. This commit adds that missing check."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:26:46.437Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/773e95c268b5d859f51f7547559734fd2a57660c"
},
{
"url": "https://git.kernel.org/stable/c/ddc8649d363141fb3371dd81a73e1cb4ef8ed1e1"
},
{
"url": "https://git.kernel.org/stable/c/982beb7582c193544eb9c6083937ec5ac1c9d651"
},
{
"url": "https://git.kernel.org/stable/c/6aca3dad2145e864dfe4d1060f45eb1bac75dd58"
},
{
"url": "https://git.kernel.org/stable/c/80b971be4c37a4d23a7f1abc5ff33dc7733d649b"
},
{
"url": "https://git.kernel.org/stable/c/bc68bc3563344ccdc57d1961457cdeecab8f81ef"
},
{
"url": "https://git.kernel.org/stable/c/11f2d0e8be2b5e784ac45fa3da226492c3e506d8"
},
{
"url": "https://git.kernel.org/stable/c/315dbdd7cdf6aa533829774caaf4d25f1fd20e73"
}
],
"title": "virtio-net: ensure the received length does not exceed allocated size",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38375",
"datePublished": "2025-07-25T12:53:17.629Z",
"dateReserved": "2025-04-16T04:51:24.009Z",
"dateUpdated": "2026-05-11T21:26:46.437Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-38377 (GCVE-0-2025-38377)
Vulnerability from cvelistv5 – Published: 2025-07-25 12:53 – Updated: 2026-05-11 21:26
VLAI
EPSS
Title
rose: fix dangling neighbour pointers in rose_rt_device_down()
Summary
In the Linux kernel, the following vulnerability has been resolved:
rose: fix dangling neighbour pointers in rose_rt_device_down()
There are two bugs in rose_rt_device_down() that can cause
use-after-free:
1. The loop bound `t->count` is modified within the loop, which can
cause the loop to terminate early and miss some entries.
2. When removing an entry from the neighbour array, the subsequent entries
are moved up to fill the gap, but the loop index `i` is still
incremented, causing the next entry to be skipped.
For example, if a node has three neighbours (A, A, B) with count=3 and A
is being removed, the second A is not checked.
i=0: (A, A, B) -> (A, B) with count=2
^ checked
i=1: (A, B) -> (A, B) with count=2
^ checked (B, not A!)
i=2: (doesn't occur because i < count is false)
This leaves the second A in the array with count=2, but the rose_neigh
structure has been freed. Code that accesses these entries assumes that
the first `count` entries are valid pointers, causing a use-after-free
when it accesses the dangling pointer.
Fix both issues by iterating over the array in reverse order with a fixed
loop bound. This ensures that all entries are examined and that the removal
of an entry doesn't affect subsequent iterations.
Severity
No CVSS data available.
Assigner
References
10 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 94e0918e39039c47ddceb609500817f7266be756
(git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < fe62a35fb1f77f494ed534fc69a9043dc5a30ce1 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 2b952dbb32fef835756f07ff0cd77efbb836dfea (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < b6b232e16e08c6dc120672b4753392df0d28c1b4 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 7a1841c9609377e989ec41c16551309ce79c39e4 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 446ac00b86be1670838e513b643933d78837d8db (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 2c6c82ee074bfcfd1bc978ec45bfea37703d840a (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 34a500caf48c47d5171f4aa1f237da39b07c6157 (git) |
|
| Linux | Linux |
Affected:
2.6.12
Unaffected: 0 , < 2.6.12 (semver) Unaffected: 5.4.296 , ≤ 5.4.* (semver) Unaffected: 5.10.240 , ≤ 5.10.* (semver) Unaffected: 5.15.187 , ≤ 5.15.* (semver) Unaffected: 6.1.144 , ≤ 6.1.* (semver) Unaffected: 6.6.97 , ≤ 6.6.* (semver) Unaffected: 6.12.37 , ≤ 6.12.* (semver) Unaffected: 6.15.6 , ≤ 6.15.* (semver) Unaffected: 6.16 , ≤ * (original_commit_for_fix) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:37:14.330Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/rose/rose_route.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "94e0918e39039c47ddceb609500817f7266be756",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "fe62a35fb1f77f494ed534fc69a9043dc5a30ce1",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "2b952dbb32fef835756f07ff0cd77efbb836dfea",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "b6b232e16e08c6dc120672b4753392df0d28c1b4",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "7a1841c9609377e989ec41c16551309ce79c39e4",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "446ac00b86be1670838e513b643933d78837d8db",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "2c6c82ee074bfcfd1bc978ec45bfea37703d840a",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "34a500caf48c47d5171f4aa1f237da39b07c6157",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/rose/rose_route.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.296",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.240",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.187",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.144",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.97",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.37",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.16",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.296",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.240",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.187",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.144",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.97",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.37",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.6",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nrose: fix dangling neighbour pointers in rose_rt_device_down()\n\nThere are two bugs in rose_rt_device_down() that can cause\nuse-after-free:\n\n1. The loop bound `t-\u003ecount` is modified within the loop, which can\n cause the loop to terminate early and miss some entries.\n\n2. When removing an entry from the neighbour array, the subsequent entries\n are moved up to fill the gap, but the loop index `i` is still\n incremented, causing the next entry to be skipped.\n\nFor example, if a node has three neighbours (A, A, B) with count=3 and A\nis being removed, the second A is not checked.\n\n i=0: (A, A, B) -\u003e (A, B) with count=2\n ^ checked\n i=1: (A, B) -\u003e (A, B) with count=2\n ^ checked (B, not A!)\n i=2: (doesn\u0027t occur because i \u003c count is false)\n\nThis leaves the second A in the array with count=2, but the rose_neigh\nstructure has been freed. Code that accesses these entries assumes that\nthe first `count` entries are valid pointers, causing a use-after-free\nwhen it accesses the dangling pointer.\n\nFix both issues by iterating over the array in reverse order with a fixed\nloop bound. This ensures that all entries are examined and that the removal\nof an entry doesn\u0027t affect subsequent iterations."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:26:48.764Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/94e0918e39039c47ddceb609500817f7266be756"
},
{
"url": "https://git.kernel.org/stable/c/fe62a35fb1f77f494ed534fc69a9043dc5a30ce1"
},
{
"url": "https://git.kernel.org/stable/c/2b952dbb32fef835756f07ff0cd77efbb836dfea"
},
{
"url": "https://git.kernel.org/stable/c/b6b232e16e08c6dc120672b4753392df0d28c1b4"
},
{
"url": "https://git.kernel.org/stable/c/7a1841c9609377e989ec41c16551309ce79c39e4"
},
{
"url": "https://git.kernel.org/stable/c/446ac00b86be1670838e513b643933d78837d8db"
},
{
"url": "https://git.kernel.org/stable/c/2c6c82ee074bfcfd1bc978ec45bfea37703d840a"
},
{
"url": "https://git.kernel.org/stable/c/34a500caf48c47d5171f4aa1f237da39b07c6157"
}
],
"title": "rose: fix dangling neighbour pointers in rose_rt_device_down()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38377",
"datePublished": "2025-07-25T12:53:19.141Z",
"dateReserved": "2025-04-16T04:51:24.010Z",
"dateUpdated": "2026-05-11T21:26:48.764Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-38384 (GCVE-0-2025-38384)
Vulnerability from cvelistv5 – Published: 2025-07-25 12:53 – Updated: 2026-05-11 21:26
VLAI
EPSS
Title
mtd: spinand: fix memory leak of ECC engine conf
Summary
In the Linux kernel, the following vulnerability has been resolved:
mtd: spinand: fix memory leak of ECC engine conf
Memory allocated for the ECC engine conf is not released during spinand
cleanup. Below kmemleak trace is seen for this memory leak:
unreferenced object 0xffffff80064f00e0 (size 8):
comm "swapper/0", pid 1, jiffies 4294937458
hex dump (first 8 bytes):
00 00 00 00 00 00 00 00 ........
backtrace (crc 0):
kmemleak_alloc+0x30/0x40
__kmalloc_cache_noprof+0x208/0x3c0
spinand_ondie_ecc_init_ctx+0x114/0x200
nand_ecc_init_ctx+0x70/0xa8
nanddev_ecc_engine_init+0xec/0x27c
spinand_probe+0xa2c/0x1620
spi_mem_probe+0x130/0x21c
spi_probe+0xf0/0x170
really_probe+0x17c/0x6e8
__driver_probe_device+0x17c/0x21c
driver_probe_device+0x58/0x180
__device_attach_driver+0x15c/0x1f8
bus_for_each_drv+0xec/0x150
__device_attach+0x188/0x24c
device_initial_probe+0x10/0x20
bus_probe_device+0x11c/0x160
Fix the leak by calling nanddev_ecc_engine_cleanup() inside
spinand_cleanup().
Severity
No CVSS data available.
Assigner
References
7 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
3d1f08b032dc4e168f3aefed1e07a63c3c080325 , < 68d3417305ee100dcad90fd6e5846b22497aa394
(git)
Affected: 3d1f08b032dc4e168f3aefed1e07a63c3c080325 , < f99408670407abb6493780e38cb4ece3fbb52cfc (git) Affected: 3d1f08b032dc4e168f3aefed1e07a63c3c080325 , < d5c1e3f32902ab518519d05515ee6030fd6c59ae (git) Affected: 3d1f08b032dc4e168f3aefed1e07a63c3c080325 , < c40b207cafd006c610832ba52a81cedee77adcb9 (git) Affected: 3d1f08b032dc4e168f3aefed1e07a63c3c080325 , < 93147abf80a831dd3b5660b3309b4f09546073b2 (git) Affected: 3d1f08b032dc4e168f3aefed1e07a63c3c080325 , < 6463cbe08b0cbf9bba8763306764f5fd643023e1 (git) |
|
| Linux | Linux |
Affected:
5.11
Unaffected: 0 , < 5.11 (semver) Unaffected: 5.15.187 , ≤ 5.15.* (semver) Unaffected: 6.1.144 , ≤ 6.1.* (semver) Unaffected: 6.6.97 , ≤ 6.6.* (semver) Unaffected: 6.12.37 , ≤ 6.12.* (semver) Unaffected: 6.15.6 , ≤ 6.15.* (semver) Unaffected: 6.16 , ≤ * (original_commit_for_fix) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:37:16.226Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/mtd/nand/spi/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "68d3417305ee100dcad90fd6e5846b22497aa394",
"status": "affected",
"version": "3d1f08b032dc4e168f3aefed1e07a63c3c080325",
"versionType": "git"
},
{
"lessThan": "f99408670407abb6493780e38cb4ece3fbb52cfc",
"status": "affected",
"version": "3d1f08b032dc4e168f3aefed1e07a63c3c080325",
"versionType": "git"
},
{
"lessThan": "d5c1e3f32902ab518519d05515ee6030fd6c59ae",
"status": "affected",
"version": "3d1f08b032dc4e168f3aefed1e07a63c3c080325",
"versionType": "git"
},
{
"lessThan": "c40b207cafd006c610832ba52a81cedee77adcb9",
"status": "affected",
"version": "3d1f08b032dc4e168f3aefed1e07a63c3c080325",
"versionType": "git"
},
{
"lessThan": "93147abf80a831dd3b5660b3309b4f09546073b2",
"status": "affected",
"version": "3d1f08b032dc4e168f3aefed1e07a63c3c080325",
"versionType": "git"
},
{
"lessThan": "6463cbe08b0cbf9bba8763306764f5fd643023e1",
"status": "affected",
"version": "3d1f08b032dc4e168f3aefed1e07a63c3c080325",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/mtd/nand/spi/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.11"
},
{
"lessThan": "5.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.187",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.144",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.97",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.37",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.16",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.187",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.144",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.97",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.37",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.6",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16",
"versionStartIncluding": "5.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmtd: spinand: fix memory leak of ECC engine conf\n\nMemory allocated for the ECC engine conf is not released during spinand\ncleanup. Below kmemleak trace is seen for this memory leak:\n\nunreferenced object 0xffffff80064f00e0 (size 8):\n comm \"swapper/0\", pid 1, jiffies 4294937458\n hex dump (first 8 bytes):\n 00 00 00 00 00 00 00 00 ........\n backtrace (crc 0):\n kmemleak_alloc+0x30/0x40\n __kmalloc_cache_noprof+0x208/0x3c0\n spinand_ondie_ecc_init_ctx+0x114/0x200\n nand_ecc_init_ctx+0x70/0xa8\n nanddev_ecc_engine_init+0xec/0x27c\n spinand_probe+0xa2c/0x1620\n spi_mem_probe+0x130/0x21c\n spi_probe+0xf0/0x170\n really_probe+0x17c/0x6e8\n __driver_probe_device+0x17c/0x21c\n driver_probe_device+0x58/0x180\n __device_attach_driver+0x15c/0x1f8\n bus_for_each_drv+0xec/0x150\n __device_attach+0x188/0x24c\n device_initial_probe+0x10/0x20\n bus_probe_device+0x11c/0x160\n\nFix the leak by calling nanddev_ecc_engine_cleanup() inside\nspinand_cleanup()."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:26:55.826Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/68d3417305ee100dcad90fd6e5846b22497aa394"
},
{
"url": "https://git.kernel.org/stable/c/f99408670407abb6493780e38cb4ece3fbb52cfc"
},
{
"url": "https://git.kernel.org/stable/c/d5c1e3f32902ab518519d05515ee6030fd6c59ae"
},
{
"url": "https://git.kernel.org/stable/c/c40b207cafd006c610832ba52a81cedee77adcb9"
},
{
"url": "https://git.kernel.org/stable/c/93147abf80a831dd3b5660b3309b4f09546073b2"
},
{
"url": "https://git.kernel.org/stable/c/6463cbe08b0cbf9bba8763306764f5fd643023e1"
}
],
"title": "mtd: spinand: fix memory leak of ECC engine conf",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38384",
"datePublished": "2025-07-25T12:53:25.396Z",
"dateReserved": "2025-04-16T04:51:24.010Z",
"dateUpdated": "2026-05-11T21:26:55.826Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-38386 (GCVE-0-2025-38386)
Vulnerability from cvelistv5 – Published: 2025-07-25 12:53 – Updated: 2026-05-11 21:26
VLAI
EPSS
Title
ACPICA: Refuse to evaluate a method if arguments are missing
Summary
In the Linux kernel, the following vulnerability has been resolved:
ACPICA: Refuse to evaluate a method if arguments are missing
As reported in [1], a platform firmware update that increased the number
of method parameters and forgot to update a least one of its callers,
caused ACPICA to crash due to use-after-free.
Since this a result of a clear AML issue that arguably cannot be fixed
up by the interpreter (it cannot produce missing data out of thin air),
address it by making ACPICA refuse to evaluate a method if the caller
attempts to pass fewer arguments than expected to it.
Severity
No CVSS data available.
Assigner
References
10 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < b49d224d1830c46e20adce2a239c454cdab426f1
(git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 2219e49857ffd6aea1b1ca5214d3270f84623a16 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < ab1e8491c19eb2ea0fda81ef28e841c7cb6399f5 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 4305d936abde795c2ef6ba916de8f00a50f64d2d (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < d547779e72cea9865b732cd45393c4cd02b3598e (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 18ff4ed6a33a7e3f2097710eacc96bea7696e803 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < c9e4da550ae196132b990bd77ed3d8f2d9747f87 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 6fcab2791543924d438e7fa49276d0998b0a069f (git) |
|
| Linux | Linux |
Affected:
2.6.12
Unaffected: 0 , < 2.6.12 (semver) Unaffected: 5.4.296 , ≤ 5.4.* (semver) Unaffected: 5.10.240 , ≤ 5.10.* (semver) Unaffected: 5.15.187 , ≤ 5.15.* (semver) Unaffected: 6.1.144 , ≤ 6.1.* (semver) Unaffected: 6.6.97 , ≤ 6.6.* (semver) Unaffected: 6.12.37 , ≤ 6.12.* (semver) Unaffected: 6.15.6 , ≤ 6.15.* (semver) Unaffected: 6.16 , ≤ * (original_commit_for_fix) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:37:19.069Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/acpi/acpica/dsmethod.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b49d224d1830c46e20adce2a239c454cdab426f1",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "2219e49857ffd6aea1b1ca5214d3270f84623a16",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "ab1e8491c19eb2ea0fda81ef28e841c7cb6399f5",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "4305d936abde795c2ef6ba916de8f00a50f64d2d",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "d547779e72cea9865b732cd45393c4cd02b3598e",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "18ff4ed6a33a7e3f2097710eacc96bea7696e803",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "c9e4da550ae196132b990bd77ed3d8f2d9747f87",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "6fcab2791543924d438e7fa49276d0998b0a069f",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/acpi/acpica/dsmethod.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.296",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.240",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.187",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.144",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.97",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.37",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.16",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.296",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.240",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.187",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.144",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.97",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.37",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.6",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nACPICA: Refuse to evaluate a method if arguments are missing\n\nAs reported in [1], a platform firmware update that increased the number\nof method parameters and forgot to update a least one of its callers,\ncaused ACPICA to crash due to use-after-free.\n\nSince this a result of a clear AML issue that arguably cannot be fixed\nup by the interpreter (it cannot produce missing data out of thin air),\naddress it by making ACPICA refuse to evaluate a method if the caller\nattempts to pass fewer arguments than expected to it."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:26:58.155Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b49d224d1830c46e20adce2a239c454cdab426f1"
},
{
"url": "https://git.kernel.org/stable/c/2219e49857ffd6aea1b1ca5214d3270f84623a16"
},
{
"url": "https://git.kernel.org/stable/c/ab1e8491c19eb2ea0fda81ef28e841c7cb6399f5"
},
{
"url": "https://git.kernel.org/stable/c/4305d936abde795c2ef6ba916de8f00a50f64d2d"
},
{
"url": "https://git.kernel.org/stable/c/d547779e72cea9865b732cd45393c4cd02b3598e"
},
{
"url": "https://git.kernel.org/stable/c/18ff4ed6a33a7e3f2097710eacc96bea7696e803"
},
{
"url": "https://git.kernel.org/stable/c/c9e4da550ae196132b990bd77ed3d8f2d9747f87"
},
{
"url": "https://git.kernel.org/stable/c/6fcab2791543924d438e7fa49276d0998b0a069f"
}
],
"title": "ACPICA: Refuse to evaluate a method if arguments are missing",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38386",
"datePublished": "2025-07-25T12:53:27.229Z",
"dateReserved": "2025-04-16T04:51:24.010Z",
"dateUpdated": "2026-05-11T21:26:58.155Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Loading…
Trend slope:
-
(linear fit over daily sighting counts)
Show additional events:
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…