Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CERTFR-2025-AVI-1133
Vulnerability from certfr_avis - Published: 2025-12-19 - Updated: 2025-12-19
De multiples vulnérabilités ont été découvertes dans le noyau Linux de SUSE. Certaines d'entre elles permettent à un attaquant de provoquer une atteinte à la confidentialité des données, une atteinte à l'intégrité des données et un contournement de la politique de sécurité.
Solutions
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
Impacted products
| Vendor | Product | Description | ||
|---|---|---|---|---|
| SUSE | N/A | SUSE Linux Enterprise Desktop 15 SP6 | ||
| SUSE | N/A | SUSE Linux Enterprise Real Time 15 SP7 | ||
| SUSE | N/A | Basesystem Module 15-SP6 | ||
| SUSE | N/A | SUSE Linux Enterprise Workstation Extension 15 SP7 | ||
| SUSE | N/A | Legacy Module 15-SP7 | ||
| SUSE | N/A | SUSE Linux Enterprise High Availability Extension 15 SP7 | ||
| SUSE | N/A | SUSE Linux Enterprise Desktop 15 SP7 | ||
| SUSE | N/A | SUSE Linux Enterprise Server for SAP Applications 15 SP7 | ||
| SUSE | N/A | SUSE Linux Enterprise Live Patching 15-SP6 | ||
| SUSE | N/A | Legacy Module 15-SP6 | ||
| SUSE | N/A | SUSE Linux Enterprise Server 15 SP7 | ||
| SUSE | N/A | SUSE Linux Enterprise Live Patching 15-SP7 | ||
| SUSE | N/A | SUSE Linux Enterprise Real Time 15 SP6 | ||
| SUSE | N/A | openSUSE Leap 15.6 | ||
| SUSE | N/A | Development Tools Module 15-SP7 | ||
| SUSE | N/A | SUSE Linux Enterprise Workstation Extension 15 SP6 | ||
| SUSE | N/A | Basesystem Module 15-SP7 | ||
| SUSE | N/A | SUSE Linux Enterprise High Availability Extension 15 SP6 | ||
| SUSE | N/A | SUSE Linux Enterprise Server for SAP Applications 15 SP6 | ||
| SUSE | N/A | Development Tools Module 15-SP6 | ||
| SUSE | N/A | SUSE Linux Enterprise Server 15 SP6 |
References
| Title | Publication Time | Tags | ||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "SUSE Linux Enterprise Desktop 15 SP6",
"product": {
"name": "N/A",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Real Time 15 SP7",
"product": {
"name": "N/A",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "Basesystem Module 15-SP6",
"product": {
"name": "N/A",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Workstation Extension 15 SP7",
"product": {
"name": "N/A",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "Legacy Module 15-SP7",
"product": {
"name": "N/A",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise High Availability Extension 15 SP7",
"product": {
"name": "N/A",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Desktop 15 SP7",
"product": {
"name": "N/A",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Server for SAP Applications 15 SP7",
"product": {
"name": "N/A",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Live Patching 15-SP6",
"product": {
"name": "N/A",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "Legacy Module 15-SP6",
"product": {
"name": "N/A",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Server 15 SP7",
"product": {
"name": "N/A",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Live Patching 15-SP7",
"product": {
"name": "N/A",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Real Time 15 SP6",
"product": {
"name": "N/A",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "openSUSE Leap 15.6",
"product": {
"name": "N/A",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "Development Tools Module 15-SP7",
"product": {
"name": "N/A",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Workstation Extension 15 SP6",
"product": {
"name": "N/A",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "Basesystem Module 15-SP7",
"product": {
"name": "N/A",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise High Availability Extension 15 SP6",
"product": {
"name": "N/A",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Server for SAP Applications 15 SP6",
"product": {
"name": "N/A",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "Development Tools Module 15-SP6",
"product": {
"name": "N/A",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Server 15 SP6",
"product": {
"name": "N/A",
"vendor": {
"name": "SUSE",
"scada": false
}
}
}
],
"affected_systems_content": "",
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [
{
"name": "CVE-2025-40064",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40064"
},
{
"name": "CVE-2025-40156",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40156"
},
{
"name": "CVE-2025-40055",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40055"
},
{
"name": "CVE-2025-40048",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40048"
},
{
"name": "CVE-2025-40121",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40121"
},
{
"name": "CVE-2025-40204",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40204"
},
{
"name": "CVE-2025-40171",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40171"
},
{
"name": "CVE-2025-40139",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40139"
},
{
"name": "CVE-2025-40107",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40107"
},
{
"name": "CVE-2025-40115",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40115"
},
{
"name": "CVE-2025-40198",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40198"
},
{
"name": "CVE-2025-40173",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40173"
},
{
"name": "CVE-2025-39944",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39944"
},
{
"name": "CVE-2025-40194",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40194"
},
{
"name": "CVE-2025-40001",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40001"
},
{
"name": "CVE-2025-39859",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39859"
},
{
"name": "CVE-2025-40172",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40172"
},
{
"name": "CVE-2025-40188",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40188"
},
{
"name": "CVE-2025-40186",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40186"
},
{
"name": "CVE-2025-40086",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40086"
},
{
"name": "CVE-2025-40169",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40169"
},
{
"name": "CVE-2025-40070",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40070"
},
{
"name": "CVE-2025-40047",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40047"
},
{
"name": "CVE-2025-40205",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40205"
},
{
"name": "CVE-2022-50253",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50253"
},
{
"name": "CVE-2025-40075",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40075"
},
{
"name": "CVE-2025-40027",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40027"
},
{
"name": "CVE-2025-40206",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40206"
},
{
"name": "CVE-2025-39788",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39788"
},
{
"name": "CVE-2025-40109",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40109"
},
{
"name": "CVE-2025-40038",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40038"
},
{
"name": "CVE-2025-39805",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39805"
},
{
"name": "CVE-2025-40176",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40176"
},
{
"name": "CVE-2025-40183",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40183"
},
{
"name": "CVE-2025-37916",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-37916"
},
{
"name": "CVE-2025-38359",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38359"
},
{
"name": "CVE-2025-40074",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40074"
},
{
"name": "CVE-2025-40116",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40116"
},
{
"name": "CVE-2025-40127",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40127"
},
{
"name": "CVE-2025-40168",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40168"
},
{
"name": "CVE-2025-40120",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40120"
},
{
"name": "CVE-2025-40185",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40185"
},
{
"name": "CVE-2025-40098",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40098"
},
{
"name": "CVE-2025-40129",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40129"
},
{
"name": "CVE-2025-40040",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40040"
},
{
"name": "CVE-2025-40207",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40207"
},
{
"name": "CVE-2025-40118",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40118"
},
{
"name": "CVE-2025-40157",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40157"
},
{
"name": "CVE-2025-40021",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40021"
},
{
"name": "CVE-2025-40105",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40105"
},
{
"name": "CVE-2025-40083",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40083"
},
{
"name": "CVE-2025-40154",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40154"
},
{
"name": "CVE-2025-40149",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40149"
},
{
"name": "CVE-2025-40164",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40164"
},
{
"name": "CVE-2025-40180",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40180"
},
{
"name": "CVE-2025-40200",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40200"
},
{
"name": "CVE-2025-40080",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40080"
},
{
"name": "CVE-2025-40111",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40111"
},
{
"name": "CVE-2025-40059",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40059"
},
{
"name": "CVE-2023-53676",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53676"
},
{
"name": "CVE-2025-39822",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39822"
},
{
"name": "CVE-2025-40141",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40141"
},
{
"name": "CVE-2025-40110",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40110"
},
{
"name": "CVE-2025-39980",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39980"
},
{
"name": "CVE-2025-40030",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40030"
},
{
"name": "CVE-2025-39819",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39819"
},
{
"name": "CVE-2025-40140",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40140"
},
{
"name": "CVE-2025-21710",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21710"
},
{
"name": "CVE-2025-40159",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40159"
},
{
"name": "CVE-2025-38361",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38361"
}
],
"initial_release_date": "2025-12-19T00:00:00",
"last_revision_date": "2025-12-19T00:00:00",
"links": [],
"reference": "CERTFR-2025-AVI-1133",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2025-12-19T00:00:00.000000"
}
],
"risks": [
{
"description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
},
{
"description": "D\u00e9ni de service"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans le noyau Linux de SUSE. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer une atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es, une atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es et un contournement de la politique de s\u00e9curit\u00e9.",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans le noyau Linux de SUSE",
"vendor_advisories": [
{
"published_at": "2025-12-15",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2025:4393-1",
"url": "https://www.suse.com/support/update/announcement/2025/suse-su-20254393-1"
},
{
"published_at": "2025-12-17",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2025:4422-1",
"url": "https://www.suse.com/support/update/announcement/2025/suse-su-20254422-1"
}
]
}
CVE-2025-40048 (GCVE-0-2025-40048)
Vulnerability from cvelistv5 – Published: 2025-10-28 11:48 – Updated: 2026-05-11 21:41
VLAI
EPSS
Title
uio_hv_generic: Let userspace take care of interrupt mask
Summary
In the Linux kernel, the following vulnerability has been resolved:
uio_hv_generic: Let userspace take care of interrupt mask
Remove the logic to set interrupt mask by default in uio_hv_generic
driver as the interrupt mask value is supposed to be controlled
completely by the user space. If the mask bit gets changed
by the driver, concurrently with user mode operating on the ring,
the mask bit may be set when it is supposed to be clear, and the
user-mode driver will miss an interrupt which will cause a hang.
For eg- when the driver sets inbound ring buffer interrupt mask to 1,
the host does not interrupt the guest on the UIO VMBus channel.
However, setting the mask does not prevent the host from putting a
message in the inbound ring buffer. So let’s assume that happens,
the host puts a message into the ring buffer but does not interrupt.
Subsequently, the user space code in the guest sets the inbound ring
buffer interrupt mask to 0, saying “Hey, I’m ready for interrupts”.
User space code then calls pread() to wait for an interrupt.
Then one of two things happens:
* The host never sends another message. So the pread() waits forever.
* The host does send another message. But because there’s already a
message in the ring buffer, it doesn’t generate an interrupt.
This is the correct behavior, because the host should only send an
interrupt when the inbound ring buffer transitions from empty to
not-empty. Adding an additional message to a ring buffer that is not
empty is not supposed to generate an interrupt on the guest.
Since the guest is waiting in pread() and not removing messages from
the ring buffer, the pread() waits forever.
This could be easily reproduced in hv_fcopy_uio_daemon if we delay
setting interrupt mask to 0.
Similarly if hv_uio_channel_cb() sets the interrupt_mask to 1,
there’s a race condition. Once user space empties the inbound ring
buffer, but before user space sets interrupt_mask to 0, the host could
put another message in the ring buffer but it wouldn’t interrupt.
Then the next pread() would hang.
Fix these by removing all instances where interrupt_mask is changed,
while keeping the one in set_event() unchanged to enable userspace
control the interrupt mask by writing 0/1 to /dev/uioX.
Severity
No CVSS data available.
Assigner
References
8 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
95096f2fbd10186d3e78a328b327afc71428f65f , < 540aac117eaea5723cef5e4cbf3035c4ac654d92
(git)
Affected: 95096f2fbd10186d3e78a328b327afc71428f65f , < 65d40acd911c7011745cbbd2aaac34eb5266d11e (git) Affected: 95096f2fbd10186d3e78a328b327afc71428f65f , < a44f61f878f32071d6378e8dd7c2d47f9490c8f7 (git) Affected: 95096f2fbd10186d3e78a328b327afc71428f65f , < 01ce972e6f9974a7c76943bcb7e93746917db83a (git) Affected: 95096f2fbd10186d3e78a328b327afc71428f65f , < 2af39ab5e6dc46b835a52e80a22d0cad430985e3 (git) Affected: 95096f2fbd10186d3e78a328b327afc71428f65f , < 37bd91f22794dc05436130d6983302cb90ecfe7e (git) Affected: 95096f2fbd10186d3e78a328b327afc71428f65f , < e29587c07537929684faa365027f4b0d87521e1b (git) Affected: 95096f2fbd10186d3e78a328b327afc71428f65f , < b15b7d2a1b09ef5428a8db260251897405a19496 (git) |
|
| Linux | Linux |
Affected:
4.10
Unaffected: 0 , < 4.10 (semver) Unaffected: 5.4.301 , ≤ 5.4.* (semver) Unaffected: 5.10.246 , ≤ 5.10.* (semver) Unaffected: 5.15.195 , ≤ 5.15.* (semver) Unaffected: 6.1.156 , ≤ 6.1.* (semver) Unaffected: 6.6.112 , ≤ 6.6.* (semver) Unaffected: 6.12.53 , ≤ 6.12.* (semver) Unaffected: 6.17.3 , ≤ 6.17.* (semver) Unaffected: 6.18 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/uio/uio_hv_generic.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "540aac117eaea5723cef5e4cbf3035c4ac654d92",
"status": "affected",
"version": "95096f2fbd10186d3e78a328b327afc71428f65f",
"versionType": "git"
},
{
"lessThan": "65d40acd911c7011745cbbd2aaac34eb5266d11e",
"status": "affected",
"version": "95096f2fbd10186d3e78a328b327afc71428f65f",
"versionType": "git"
},
{
"lessThan": "a44f61f878f32071d6378e8dd7c2d47f9490c8f7",
"status": "affected",
"version": "95096f2fbd10186d3e78a328b327afc71428f65f",
"versionType": "git"
},
{
"lessThan": "01ce972e6f9974a7c76943bcb7e93746917db83a",
"status": "affected",
"version": "95096f2fbd10186d3e78a328b327afc71428f65f",
"versionType": "git"
},
{
"lessThan": "2af39ab5e6dc46b835a52e80a22d0cad430985e3",
"status": "affected",
"version": "95096f2fbd10186d3e78a328b327afc71428f65f",
"versionType": "git"
},
{
"lessThan": "37bd91f22794dc05436130d6983302cb90ecfe7e",
"status": "affected",
"version": "95096f2fbd10186d3e78a328b327afc71428f65f",
"versionType": "git"
},
{
"lessThan": "e29587c07537929684faa365027f4b0d87521e1b",
"status": "affected",
"version": "95096f2fbd10186d3e78a328b327afc71428f65f",
"versionType": "git"
},
{
"lessThan": "b15b7d2a1b09ef5428a8db260251897405a19496",
"status": "affected",
"version": "95096f2fbd10186d3e78a328b327afc71428f65f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/uio/uio_hv_generic.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.10"
},
{
"lessThan": "4.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.301",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.246",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.156",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.112",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.301",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.246",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.195",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.156",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.112",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.53",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.3",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "4.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nuio_hv_generic: Let userspace take care of interrupt mask\n\nRemove the logic to set interrupt mask by default in uio_hv_generic\ndriver as the interrupt mask value is supposed to be controlled\ncompletely by the user space. If the mask bit gets changed\nby the driver, concurrently with user mode operating on the ring,\nthe mask bit may be set when it is supposed to be clear, and the\nuser-mode driver will miss an interrupt which will cause a hang.\n\nFor eg- when the driver sets inbound ring buffer interrupt mask to 1,\nthe host does not interrupt the guest on the UIO VMBus channel.\nHowever, setting the mask does not prevent the host from putting a\nmessage in the inbound ring buffer.\u00a0So let\u2019s assume that happens,\nthe host puts a message into the ring buffer but does not interrupt.\n\nSubsequently, the user space code in the guest sets the inbound ring\nbuffer interrupt mask to 0, saying \u201cHey, I\u2019m ready for interrupts\u201d.\nUser space code then calls pread() to wait for an interrupt.\nThen one of two things happens:\n\n* The host never sends another message. So the pread() waits forever.\n* The host does send another message. But because there\u2019s already a\n message in the ring buffer, it doesn\u2019t generate an interrupt.\n This is the correct behavior, because the host should only send an\n interrupt when the inbound ring buffer transitions from empty to\n not-empty. Adding an additional message to a ring buffer that is not\n empty is not supposed to generate an interrupt on the guest.\n Since the guest is waiting in pread() and not removing messages from\n the ring buffer, the pread() waits forever.\n\nThis could be easily reproduced in hv_fcopy_uio_daemon if we delay\nsetting interrupt mask to 0.\n\nSimilarly if hv_uio_channel_cb() sets the interrupt_mask to 1,\nthere\u2019s a race condition. Once user space empties the inbound ring\nbuffer, but before user space sets interrupt_mask to 0, the host could\nput another message in the ring buffer but it wouldn\u2019t interrupt.\nThen the next pread() would hang.\n\nFix these by removing all instances where interrupt_mask is changed,\nwhile keeping the one in set_event() unchanged to enable userspace\ncontrol the interrupt mask by writing 0/1 to /dev/uioX."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:41:28.434Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/540aac117eaea5723cef5e4cbf3035c4ac654d92"
},
{
"url": "https://git.kernel.org/stable/c/65d40acd911c7011745cbbd2aaac34eb5266d11e"
},
{
"url": "https://git.kernel.org/stable/c/a44f61f878f32071d6378e8dd7c2d47f9490c8f7"
},
{
"url": "https://git.kernel.org/stable/c/01ce972e6f9974a7c76943bcb7e93746917db83a"
},
{
"url": "https://git.kernel.org/stable/c/2af39ab5e6dc46b835a52e80a22d0cad430985e3"
},
{
"url": "https://git.kernel.org/stable/c/37bd91f22794dc05436130d6983302cb90ecfe7e"
},
{
"url": "https://git.kernel.org/stable/c/e29587c07537929684faa365027f4b0d87521e1b"
},
{
"url": "https://git.kernel.org/stable/c/b15b7d2a1b09ef5428a8db260251897405a19496"
}
],
"title": "uio_hv_generic: Let userspace take care of interrupt mask",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40048",
"datePublished": "2025-10-28T11:48:25.220Z",
"dateReserved": "2025-04-16T07:20:57.156Z",
"dateUpdated": "2026-05-11T21:41:28.434Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40055 (GCVE-0-2025-40055)
Vulnerability from cvelistv5 – Published: 2025-10-28 11:48 – Updated: 2026-05-11 21:41
VLAI
EPSS
Title
ocfs2: fix double free in user_cluster_connect()
Summary
In the Linux kernel, the following vulnerability has been resolved:
ocfs2: fix double free in user_cluster_connect()
user_cluster_disconnect() frees "conn->cc_private" which is "lc" but then
the error handling frees "lc" a second time. Set "lc" to NULL on this
path to avoid a double free.
Severity
No CVSS data available.
Assigner
References
8 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
c994c2ebdbbc391a42f177c8eb7882ebf3f142d8 , < 283333079d96c84baa91f0c62b5e0cbec246b7a2
(git)
Affected: c994c2ebdbbc391a42f177c8eb7882ebf3f142d8 , < f992bc72f681c32a682d474a29c2135a64d4f4e5 (git) Affected: c994c2ebdbbc391a42f177c8eb7882ebf3f142d8 , < 827c8efa0d1afe817b90f3618afff552e88348d2 (git) Affected: c994c2ebdbbc391a42f177c8eb7882ebf3f142d8 , < bfe011297ddd2d0cd64752978baaa0c04cd20573 (git) Affected: c994c2ebdbbc391a42f177c8eb7882ebf3f142d8 , < 7e76fe9dfadbc00364d7523d5a109e9d3e4a7db2 (git) Affected: c994c2ebdbbc391a42f177c8eb7882ebf3f142d8 , < 694d5b401036a614f8080085a9de6f86ff0742dc (git) Affected: c994c2ebdbbc391a42f177c8eb7882ebf3f142d8 , < 892f41e12c8689130d552a9eb2b77bafd26484ab (git) Affected: c994c2ebdbbc391a42f177c8eb7882ebf3f142d8 , < 8f45f089337d924db24397f55697cda0e6960516 (git) |
|
| Linux | Linux |
Affected:
3.14
Unaffected: 0 , < 3.14 (semver) Unaffected: 5.4.301 , ≤ 5.4.* (semver) Unaffected: 5.10.246 , ≤ 5.10.* (semver) Unaffected: 5.15.195 , ≤ 5.15.* (semver) Unaffected: 6.1.156 , ≤ 6.1.* (semver) Unaffected: 6.6.112 , ≤ 6.6.* (semver) Unaffected: 6.12.53 , ≤ 6.12.* (semver) Unaffected: 6.17.3 , ≤ 6.17.* (semver) Unaffected: 6.18 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/ocfs2/stack_user.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "283333079d96c84baa91f0c62b5e0cbec246b7a2",
"status": "affected",
"version": "c994c2ebdbbc391a42f177c8eb7882ebf3f142d8",
"versionType": "git"
},
{
"lessThan": "f992bc72f681c32a682d474a29c2135a64d4f4e5",
"status": "affected",
"version": "c994c2ebdbbc391a42f177c8eb7882ebf3f142d8",
"versionType": "git"
},
{
"lessThan": "827c8efa0d1afe817b90f3618afff552e88348d2",
"status": "affected",
"version": "c994c2ebdbbc391a42f177c8eb7882ebf3f142d8",
"versionType": "git"
},
{
"lessThan": "bfe011297ddd2d0cd64752978baaa0c04cd20573",
"status": "affected",
"version": "c994c2ebdbbc391a42f177c8eb7882ebf3f142d8",
"versionType": "git"
},
{
"lessThan": "7e76fe9dfadbc00364d7523d5a109e9d3e4a7db2",
"status": "affected",
"version": "c994c2ebdbbc391a42f177c8eb7882ebf3f142d8",
"versionType": "git"
},
{
"lessThan": "694d5b401036a614f8080085a9de6f86ff0742dc",
"status": "affected",
"version": "c994c2ebdbbc391a42f177c8eb7882ebf3f142d8",
"versionType": "git"
},
{
"lessThan": "892f41e12c8689130d552a9eb2b77bafd26484ab",
"status": "affected",
"version": "c994c2ebdbbc391a42f177c8eb7882ebf3f142d8",
"versionType": "git"
},
{
"lessThan": "8f45f089337d924db24397f55697cda0e6960516",
"status": "affected",
"version": "c994c2ebdbbc391a42f177c8eb7882ebf3f142d8",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/ocfs2/stack_user.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.14"
},
{
"lessThan": "3.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.301",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.246",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.156",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.112",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.301",
"versionStartIncluding": "3.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.246",
"versionStartIncluding": "3.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.195",
"versionStartIncluding": "3.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.156",
"versionStartIncluding": "3.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.112",
"versionStartIncluding": "3.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.53",
"versionStartIncluding": "3.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.3",
"versionStartIncluding": "3.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "3.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nocfs2: fix double free in user_cluster_connect()\n\nuser_cluster_disconnect() frees \"conn-\u003ecc_private\" which is \"lc\" but then\nthe error handling frees \"lc\" a second time. Set \"lc\" to NULL on this\npath to avoid a double free."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:41:36.488Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/283333079d96c84baa91f0c62b5e0cbec246b7a2"
},
{
"url": "https://git.kernel.org/stable/c/f992bc72f681c32a682d474a29c2135a64d4f4e5"
},
{
"url": "https://git.kernel.org/stable/c/827c8efa0d1afe817b90f3618afff552e88348d2"
},
{
"url": "https://git.kernel.org/stable/c/bfe011297ddd2d0cd64752978baaa0c04cd20573"
},
{
"url": "https://git.kernel.org/stable/c/7e76fe9dfadbc00364d7523d5a109e9d3e4a7db2"
},
{
"url": "https://git.kernel.org/stable/c/694d5b401036a614f8080085a9de6f86ff0742dc"
},
{
"url": "https://git.kernel.org/stable/c/892f41e12c8689130d552a9eb2b77bafd26484ab"
},
{
"url": "https://git.kernel.org/stable/c/8f45f089337d924db24397f55697cda0e6960516"
}
],
"title": "ocfs2: fix double free in user_cluster_connect()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40055",
"datePublished": "2025-10-28T11:48:29.665Z",
"dateReserved": "2025-04-16T07:20:57.157Z",
"dateUpdated": "2026-05-11T21:41:36.488Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40059 (GCVE-0-2025-40059)
Vulnerability from cvelistv5 – Published: 2025-10-28 11:48 – Updated: 2026-05-11 21:41
VLAI
EPSS
Title
coresight: Fix incorrect handling for return value of devm_kzalloc
Summary
In the Linux kernel, the following vulnerability has been resolved:
coresight: Fix incorrect handling for return value of devm_kzalloc
The return value of devm_kzalloc could be an null pointer,
use "!desc.pdata" to fix incorrect handling return value
of devm_kzalloc.
Severity
No CVSS data available.
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
4277f035d227e829133df284be7e35b7236a5b0f , < 8c4e7e646d5d9050b374baf5c6bb3a00fb79e206
(git)
Affected: 4277f035d227e829133df284be7e35b7236a5b0f , < 9688b66d0a5e0eecf44f6286b8d9f7a161264035 (git) Affected: 4277f035d227e829133df284be7e35b7236a5b0f , < 70714eb7243eaf333d23501d4c7bdd9daf011c01 (git) |
|
| Linux | Linux |
Affected:
6.8
Unaffected: 0 , < 6.8 (semver) Unaffected: 6.12.53 , ≤ 6.12.* (semver) Unaffected: 6.17.3 , ≤ 6.17.* (semver) Unaffected: 6.18 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/hwtracing/coresight/coresight-trbe.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "8c4e7e646d5d9050b374baf5c6bb3a00fb79e206",
"status": "affected",
"version": "4277f035d227e829133df284be7e35b7236a5b0f",
"versionType": "git"
},
{
"lessThan": "9688b66d0a5e0eecf44f6286b8d9f7a161264035",
"status": "affected",
"version": "4277f035d227e829133df284be7e35b7236a5b0f",
"versionType": "git"
},
{
"lessThan": "70714eb7243eaf333d23501d4c7bdd9daf011c01",
"status": "affected",
"version": "4277f035d227e829133df284be7e35b7236a5b0f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/hwtracing/coresight/coresight-trbe.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.8"
},
{
"lessThan": "6.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.53",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.3",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncoresight: Fix incorrect handling for return value of devm_kzalloc\n\nThe return value of devm_kzalloc could be an null pointer,\nuse \"!desc.pdata\" to fix incorrect handling return value\nof devm_kzalloc."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:41:41.170Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/8c4e7e646d5d9050b374baf5c6bb3a00fb79e206"
},
{
"url": "https://git.kernel.org/stable/c/9688b66d0a5e0eecf44f6286b8d9f7a161264035"
},
{
"url": "https://git.kernel.org/stable/c/70714eb7243eaf333d23501d4c7bdd9daf011c01"
}
],
"title": "coresight: Fix incorrect handling for return value of devm_kzalloc",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40059",
"datePublished": "2025-10-28T11:48:32.186Z",
"dateReserved": "2025-04-16T07:20:57.158Z",
"dateUpdated": "2026-05-11T21:41:41.170Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40064 (GCVE-0-2025-40064)
Vulnerability from cvelistv5 – Published: 2025-10-28 11:48 – Updated: 2026-05-11 21:41
VLAI
EPSS
Title
smc: Fix use-after-free in __pnet_find_base_ndev().
Summary
In the Linux kernel, the following vulnerability has been resolved:
smc: Fix use-after-free in __pnet_find_base_ndev().
syzbot reported use-after-free of net_device in __pnet_find_base_ndev(),
which was called during connect(). [0]
smc_pnet_find_ism_resource() fetches sk_dst_get(sk)->dev and passes
down to pnet_find_base_ndev(), where RTNL is held. Then, UAF happened
at __pnet_find_base_ndev() when the dev is first used.
This means dev had already been freed before acquiring RTNL in
pnet_find_base_ndev().
While dev is going away, dst->dev could be swapped with blackhole_netdev,
and the dev's refcnt by dst will be released.
We must hold dev's refcnt before calling smc_pnet_find_ism_resource().
Also, smc_pnet_find_roce_resource() has the same problem.
Let's use __sk_dst_get() and dst_dev_rcu() in the two functions.
[0]:
BUG: KASAN: use-after-free in __pnet_find_base_ndev+0x1b1/0x1c0 net/smc/smc_pnet.c:926
Read of size 1 at addr ffff888036bac33a by task syz.0.3632/18609
CPU: 1 UID: 0 PID: 18609 Comm: syz.0.3632 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/18/2025
Call Trace:
<TASK>
dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0xca/0x240 mm/kasan/report.c:482
kasan_report+0x118/0x150 mm/kasan/report.c:595
__pnet_find_base_ndev+0x1b1/0x1c0 net/smc/smc_pnet.c:926
pnet_find_base_ndev net/smc/smc_pnet.c:946 [inline]
smc_pnet_find_ism_by_pnetid net/smc/smc_pnet.c:1103 [inline]
smc_pnet_find_ism_resource+0xef/0x390 net/smc/smc_pnet.c:1154
smc_find_ism_device net/smc/af_smc.c:1030 [inline]
smc_find_proposal_devices net/smc/af_smc.c:1115 [inline]
__smc_connect+0x372/0x1890 net/smc/af_smc.c:1545
smc_connect+0x877/0xd90 net/smc/af_smc.c:1715
__sys_connect_file net/socket.c:2086 [inline]
__sys_connect+0x313/0x440 net/socket.c:2105
__do_sys_connect net/socket.c:2111 [inline]
__se_sys_connect net/socket.c:2108 [inline]
__x64_sys_connect+0x7a/0x90 net/socket.c:2108
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f47cbf8eba9
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f47ccdb1038 EFLAGS: 00000246 ORIG_RAX: 000000000000002a
RAX: ffffffffffffffda RBX: 00007f47cc1d5fa0 RCX: 00007f47cbf8eba9
RDX: 0000000000000010 RSI: 0000200000000280 RDI: 000000000000000b
RBP: 00007f47cc011e19 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f47cc1d6038 R14: 00007f47cc1d5fa0 R15: 00007ffc512f8aa8
</TASK>
The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff888036bacd00 pfn:0x36bac
flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000000 ffffea0001243d08 ffff8880b863fdc0 0000000000000000
raw: ffff888036bacd00 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as freed
page last allocated via order 2, migratetype Unmovable, gfp_mask 0x446dc0(GFP_KERNEL_ACCOUNT|__GFP_ZERO|__GFP_NOWARN|__GFP_RETRY_MAYFAIL|__GFP_COMP), pid 16741, tgid 16741 (syz-executor), ts 343313197788, free_ts 380670750466
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x240/0x2a0 mm/page_alloc.c:1851
prep_new_page mm/page_alloc.c:1859 [inline]
get_page_from_freelist+0x21e4/0x22c0 mm/page_alloc.c:3858
__alloc_frozen_pages_noprof+0x181/0x370 mm/page_alloc.c:5148
alloc_pages_mpol+0x232/0x4a0 mm/mempolicy.c:2416
___kmalloc_large_node+0x5f/0x1b0 mm/slub.c:4317
__kmalloc_large_node_noprof+0x18/0x90 mm/slub.c:4348
__do_kmalloc_node mm/slub.c:4364 [inline]
__kvmalloc_node
---truncated---
Severity
No CVSS data available.
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
0afff91c6f5ecef27715ea71e34dc2baacba1060 , < 233927b645cb7a14bb98d23ac72e4c7243a9f0d9
(git)
Affected: 0afff91c6f5ecef27715ea71e34dc2baacba1060 , < 3d3466878afd8d43ec0ca2facfbc7f03e40d0f79 (git) |
|
| Linux | Linux |
Affected:
4.19
Unaffected: 0 , < 4.19 (semver) Unaffected: 6.17.3 , ≤ 6.17.* (semver) Unaffected: 6.18 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/smc/smc_pnet.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "233927b645cb7a14bb98d23ac72e4c7243a9f0d9",
"status": "affected",
"version": "0afff91c6f5ecef27715ea71e34dc2baacba1060",
"versionType": "git"
},
{
"lessThan": "3d3466878afd8d43ec0ca2facfbc7f03e40d0f79",
"status": "affected",
"version": "0afff91c6f5ecef27715ea71e34dc2baacba1060",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/smc/smc_pnet.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.19"
},
{
"lessThan": "4.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.3",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "4.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmc: Fix use-after-free in __pnet_find_base_ndev().\n\nsyzbot reported use-after-free of net_device in __pnet_find_base_ndev(),\nwhich was called during connect(). [0]\n\nsmc_pnet_find_ism_resource() fetches sk_dst_get(sk)-\u003edev and passes\ndown to pnet_find_base_ndev(), where RTNL is held. Then, UAF happened\nat __pnet_find_base_ndev() when the dev is first used.\n\nThis means dev had already been freed before acquiring RTNL in\npnet_find_base_ndev().\n\nWhile dev is going away, dst-\u003edev could be swapped with blackhole_netdev,\nand the dev\u0027s refcnt by dst will be released.\n\nWe must hold dev\u0027s refcnt before calling smc_pnet_find_ism_resource().\n\nAlso, smc_pnet_find_roce_resource() has the same problem.\n\nLet\u0027s use __sk_dst_get() and dst_dev_rcu() in the two functions.\n\n[0]:\nBUG: KASAN: use-after-free in __pnet_find_base_ndev+0x1b1/0x1c0 net/smc/smc_pnet.c:926\nRead of size 1 at addr ffff888036bac33a by task syz.0.3632/18609\n\nCPU: 1 UID: 0 PID: 18609 Comm: syz.0.3632 Not tainted syzkaller #0 PREEMPT(full)\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/18/2025\nCall Trace:\n \u003cTASK\u003e\n dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120\n print_address_description mm/kasan/report.c:378 [inline]\n print_report+0xca/0x240 mm/kasan/report.c:482\n kasan_report+0x118/0x150 mm/kasan/report.c:595\n __pnet_find_base_ndev+0x1b1/0x1c0 net/smc/smc_pnet.c:926\n pnet_find_base_ndev net/smc/smc_pnet.c:946 [inline]\n smc_pnet_find_ism_by_pnetid net/smc/smc_pnet.c:1103 [inline]\n smc_pnet_find_ism_resource+0xef/0x390 net/smc/smc_pnet.c:1154\n smc_find_ism_device net/smc/af_smc.c:1030 [inline]\n smc_find_proposal_devices net/smc/af_smc.c:1115 [inline]\n __smc_connect+0x372/0x1890 net/smc/af_smc.c:1545\n smc_connect+0x877/0xd90 net/smc/af_smc.c:1715\n __sys_connect_file net/socket.c:2086 [inline]\n __sys_connect+0x313/0x440 net/socket.c:2105\n __do_sys_connect net/socket.c:2111 [inline]\n __se_sys_connect net/socket.c:2108 [inline]\n __x64_sys_connect+0x7a/0x90 net/socket.c:2108\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7f47cbf8eba9\nCode: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 \u003c48\u003e 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007f47ccdb1038 EFLAGS: 00000246 ORIG_RAX: 000000000000002a\nRAX: ffffffffffffffda RBX: 00007f47cc1d5fa0 RCX: 00007f47cbf8eba9\nRDX: 0000000000000010 RSI: 0000200000000280 RDI: 000000000000000b\nRBP: 00007f47cc011e19 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\nR13: 00007f47cc1d6038 R14: 00007f47cc1d5fa0 R15: 00007ffc512f8aa8\n \u003c/TASK\u003e\n\nThe buggy address belongs to the physical page:\npage: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff888036bacd00 pfn:0x36bac\nflags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)\nraw: 00fff00000000000 ffffea0001243d08 ffff8880b863fdc0 0000000000000000\nraw: ffff888036bacd00 0000000000000000 00000000ffffffff 0000000000000000\npage dumped because: kasan: bad access detected\npage_owner tracks the page as freed\npage last allocated via order 2, migratetype Unmovable, gfp_mask 0x446dc0(GFP_KERNEL_ACCOUNT|__GFP_ZERO|__GFP_NOWARN|__GFP_RETRY_MAYFAIL|__GFP_COMP), pid 16741, tgid 16741 (syz-executor), ts 343313197788, free_ts 380670750466\n set_page_owner include/linux/page_owner.h:32 [inline]\n post_alloc_hook+0x240/0x2a0 mm/page_alloc.c:1851\n prep_new_page mm/page_alloc.c:1859 [inline]\n get_page_from_freelist+0x21e4/0x22c0 mm/page_alloc.c:3858\n __alloc_frozen_pages_noprof+0x181/0x370 mm/page_alloc.c:5148\n alloc_pages_mpol+0x232/0x4a0 mm/mempolicy.c:2416\n ___kmalloc_large_node+0x5f/0x1b0 mm/slub.c:4317\n __kmalloc_large_node_noprof+0x18/0x90 mm/slub.c:4348\n __do_kmalloc_node mm/slub.c:4364 [inline]\n __kvmalloc_node\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:41:47.014Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/233927b645cb7a14bb98d23ac72e4c7243a9f0d9"
},
{
"url": "https://git.kernel.org/stable/c/3d3466878afd8d43ec0ca2facfbc7f03e40d0f79"
}
],
"title": "smc: Fix use-after-free in __pnet_find_base_ndev().",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40064",
"datePublished": "2025-10-28T11:48:35.155Z",
"dateReserved": "2025-04-16T07:20:57.159Z",
"dateUpdated": "2026-05-11T21:41:47.014Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40070 (GCVE-0-2025-40070)
Vulnerability from cvelistv5 – Published: 2025-10-28 11:48 – Updated: 2026-05-23 16:01
VLAI
EPSS
Title
pps: fix warning in pps_register_cdev when register device fail
Summary
In the Linux kernel, the following vulnerability has been resolved:
pps: fix warning in pps_register_cdev when register device fail
Similar to previous commit 2a934fdb01db ("media: v4l2-dev: fix error
handling in __video_register_device()"), the release hook should be set
before device_register(). Otherwise, when device_register() return error
and put_device() try to callback the release function, the below warning
may happen.
------------[ cut here ]------------
WARNING: CPU: 1 PID: 4760 at drivers/base/core.c:2567 device_release+0x1bd/0x240 drivers/base/core.c:2567
Modules linked in:
CPU: 1 UID: 0 PID: 4760 Comm: syz.4.914 Not tainted 6.17.0-rc3+ #1 NONE
RIP: 0010:device_release+0x1bd/0x240 drivers/base/core.c:2567
Call Trace:
<TASK>
kobject_cleanup+0x136/0x410 lib/kobject.c:689
kobject_release lib/kobject.c:720 [inline]
kref_put include/linux/kref.h:65 [inline]
kobject_put+0xe9/0x130 lib/kobject.c:737
put_device+0x24/0x30 drivers/base/core.c:3797
pps_register_cdev+0x2da/0x370 drivers/pps/pps.c:402
pps_register_source+0x2f6/0x480 drivers/pps/kapi.c:108
pps_tty_open+0x190/0x310 drivers/pps/clients/pps-ldisc.c:57
tty_ldisc_open+0xa7/0x120 drivers/tty/tty_ldisc.c:432
tty_set_ldisc+0x333/0x780 drivers/tty/tty_ldisc.c:563
tiocsetd drivers/tty/tty_io.c:2429 [inline]
tty_ioctl+0x5d1/0x1700 drivers/tty/tty_io.c:2728
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:598 [inline]
__se_sys_ioctl fs/ioctl.c:584 [inline]
__x64_sys_ioctl+0x194/0x210 fs/ioctl.c:584
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0x5f/0x2a0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x76/0x7e
</TASK>
Before commit c79a39dc8d06 ("pps: Fix a use-after-free"),
pps_register_cdev() call device_create() to create pps->dev, which will
init dev->release to device_create_release(). Now the comment is outdated,
just remove it.
Thanks for the reminder from Calvin Owens, 'kfree_pps' should be removed
in pps_register_source() to avoid a double free in the failure case.
Severity
No CVSS data available.
Assigner
References
8 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
785c78ed0d39d1717cca3ef931d3e51337b5e90e , < 38c7bb10aae5118dd48fa7a82f7bf93839bcc320
(git)
Affected: 1a7735ab2cb9747518a7416fb5929e85442dec62 , < 2a194707ca27a3b0523023fa8b446e5ec922dc51 (git) Affected: c4041b6b0a7a3def8cf3f3d6120ff337bc4c40f7 , < 125527db41805693208ee1aacd7f3ffe6a3a489c (git) Affected: 91932db1d96b2952299ce30c1c693d834d10ace6 , < 4cbd7450a22c5ee4842fc4175ad06c0c82ea53a8 (git) Affected: cd3bbcb6b3a7caa5ce67de76723b6d8531fb7f64 , < cf71834a0cfc394c72d62fd6dbb470ee13cf8f5e (git) Affected: 7e5ee3281dc09014367f5112b6d566ba36ea2d49 , < f01fa3588e0b3cb1540f56d2c6bd99e5b3810234 (git) Affected: c79a39dc8d060b9e64e8b0fa9d245d44befeefbe , < 0f97564a1fb62f34b3b498e2f12caffbe99c004a (git) Affected: c79a39dc8d060b9e64e8b0fa9d245d44befeefbe , < b0531cdba5029f897da5156815e3bdafe1e9b88d (git) Affected: 85241f7de216f8298f6e48540ea13d7dcd100870 (git) Affected: 5.4.291 , < 5.4.301 (semver) Affected: 5.10.235 , < 5.10.246 (semver) Affected: 5.15.179 , < 5.15.195 (semver) Affected: 6.1.129 , < 6.1.156 (semver) Affected: 6.6.76 , < 6.6.112 (semver) Affected: 6.12.13 , < 6.12.53 (semver) Affected: 6.13.2 , < 6.14 (semver) |
|
| Linux | Linux |
Affected:
6.14
Unaffected: 0 , < 6.14 (semver) Unaffected: 5.4.301 , ≤ 5.4.* (semver) Unaffected: 5.10.246 , ≤ 5.10.* (semver) Unaffected: 5.15.195 , ≤ 5.15.* (semver) Unaffected: 6.1.156 , ≤ 6.1.* (semver) Unaffected: 6.6.112 , ≤ 6.6.* (semver) Unaffected: 6.12.53 , ≤ 6.12.* (semver) Unaffected: 6.17.3 , ≤ 6.17.* (semver) Unaffected: 6.18 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/pps/kapi.c",
"drivers/pps/pps.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "38c7bb10aae5118dd48fa7a82f7bf93839bcc320",
"status": "affected",
"version": "785c78ed0d39d1717cca3ef931d3e51337b5e90e",
"versionType": "git"
},
{
"lessThan": "2a194707ca27a3b0523023fa8b446e5ec922dc51",
"status": "affected",
"version": "1a7735ab2cb9747518a7416fb5929e85442dec62",
"versionType": "git"
},
{
"lessThan": "125527db41805693208ee1aacd7f3ffe6a3a489c",
"status": "affected",
"version": "c4041b6b0a7a3def8cf3f3d6120ff337bc4c40f7",
"versionType": "git"
},
{
"lessThan": "4cbd7450a22c5ee4842fc4175ad06c0c82ea53a8",
"status": "affected",
"version": "91932db1d96b2952299ce30c1c693d834d10ace6",
"versionType": "git"
},
{
"lessThan": "cf71834a0cfc394c72d62fd6dbb470ee13cf8f5e",
"status": "affected",
"version": "cd3bbcb6b3a7caa5ce67de76723b6d8531fb7f64",
"versionType": "git"
},
{
"lessThan": "f01fa3588e0b3cb1540f56d2c6bd99e5b3810234",
"status": "affected",
"version": "7e5ee3281dc09014367f5112b6d566ba36ea2d49",
"versionType": "git"
},
{
"lessThan": "0f97564a1fb62f34b3b498e2f12caffbe99c004a",
"status": "affected",
"version": "c79a39dc8d060b9e64e8b0fa9d245d44befeefbe",
"versionType": "git"
},
{
"lessThan": "b0531cdba5029f897da5156815e3bdafe1e9b88d",
"status": "affected",
"version": "c79a39dc8d060b9e64e8b0fa9d245d44befeefbe",
"versionType": "git"
},
{
"status": "affected",
"version": "85241f7de216f8298f6e48540ea13d7dcd100870",
"versionType": "git"
},
{
"lessThan": "5.4.301",
"status": "affected",
"version": "5.4.291",
"versionType": "semver"
},
{
"lessThan": "5.10.246",
"status": "affected",
"version": "5.10.235",
"versionType": "semver"
},
{
"lessThan": "5.15.195",
"status": "affected",
"version": "5.15.179",
"versionType": "semver"
},
{
"lessThan": "6.1.156",
"status": "affected",
"version": "6.1.129",
"versionType": "semver"
},
{
"lessThan": "6.6.112",
"status": "affected",
"version": "6.6.76",
"versionType": "semver"
},
{
"lessThan": "6.12.53",
"status": "affected",
"version": "6.12.13",
"versionType": "semver"
},
{
"lessThan": "6.14",
"status": "affected",
"version": "6.13.2",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/pps/kapi.c",
"drivers/pps/pps.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.14"
},
{
"lessThan": "6.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.301",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.246",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.156",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.112",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.301",
"versionStartIncluding": "5.4.291",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.246",
"versionStartIncluding": "5.10.235",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.195",
"versionStartIncluding": "5.15.179",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.156",
"versionStartIncluding": "6.1.129",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.112",
"versionStartIncluding": "6.6.76",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.53",
"versionStartIncluding": "6.12.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.3",
"versionStartIncluding": "6.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.13.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\npps: fix warning in pps_register_cdev when register device fail\n\nSimilar to previous commit 2a934fdb01db (\"media: v4l2-dev: fix error\nhandling in __video_register_device()\"), the release hook should be set\nbefore device_register(). Otherwise, when device_register() return error\nand put_device() try to callback the release function, the below warning\nmay happen.\n\n ------------[ cut here ]------------\n WARNING: CPU: 1 PID: 4760 at drivers/base/core.c:2567 device_release+0x1bd/0x240 drivers/base/core.c:2567\n Modules linked in:\n CPU: 1 UID: 0 PID: 4760 Comm: syz.4.914 Not tainted 6.17.0-rc3+ #1 NONE\n RIP: 0010:device_release+0x1bd/0x240 drivers/base/core.c:2567\n Call Trace:\n \u003cTASK\u003e\n kobject_cleanup+0x136/0x410 lib/kobject.c:689\n kobject_release lib/kobject.c:720 [inline]\n kref_put include/linux/kref.h:65 [inline]\n kobject_put+0xe9/0x130 lib/kobject.c:737\n put_device+0x24/0x30 drivers/base/core.c:3797\n pps_register_cdev+0x2da/0x370 drivers/pps/pps.c:402\n pps_register_source+0x2f6/0x480 drivers/pps/kapi.c:108\n pps_tty_open+0x190/0x310 drivers/pps/clients/pps-ldisc.c:57\n tty_ldisc_open+0xa7/0x120 drivers/tty/tty_ldisc.c:432\n tty_set_ldisc+0x333/0x780 drivers/tty/tty_ldisc.c:563\n tiocsetd drivers/tty/tty_io.c:2429 [inline]\n tty_ioctl+0x5d1/0x1700 drivers/tty/tty_io.c:2728\n vfs_ioctl fs/ioctl.c:51 [inline]\n __do_sys_ioctl fs/ioctl.c:598 [inline]\n __se_sys_ioctl fs/ioctl.c:584 [inline]\n __x64_sys_ioctl+0x194/0x210 fs/ioctl.c:584\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0x5f/0x2a0 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n \u003c/TASK\u003e\n\nBefore commit c79a39dc8d06 (\"pps: Fix a use-after-free\"),\npps_register_cdev() call device_create() to create pps-\u003edev, which will\ninit dev-\u003erelease to device_create_release(). Now the comment is outdated,\njust remove it.\n\nThanks for the reminder from Calvin Owens, \u0027kfree_pps\u0027 should be removed\nin pps_register_source() to avoid a double free in the failure case."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-23T16:01:20.071Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/38c7bb10aae5118dd48fa7a82f7bf93839bcc320"
},
{
"url": "https://git.kernel.org/stable/c/2a194707ca27a3b0523023fa8b446e5ec922dc51"
},
{
"url": "https://git.kernel.org/stable/c/125527db41805693208ee1aacd7f3ffe6a3a489c"
},
{
"url": "https://git.kernel.org/stable/c/4cbd7450a22c5ee4842fc4175ad06c0c82ea53a8"
},
{
"url": "https://git.kernel.org/stable/c/cf71834a0cfc394c72d62fd6dbb470ee13cf8f5e"
},
{
"url": "https://git.kernel.org/stable/c/f01fa3588e0b3cb1540f56d2c6bd99e5b3810234"
},
{
"url": "https://git.kernel.org/stable/c/0f97564a1fb62f34b3b498e2f12caffbe99c004a"
},
{
"url": "https://git.kernel.org/stable/c/b0531cdba5029f897da5156815e3bdafe1e9b88d"
}
],
"title": "pps: fix warning in pps_register_cdev when register device fail",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40070",
"datePublished": "2025-10-28T11:48:38.838Z",
"dateReserved": "2025-04-16T07:20:57.159Z",
"dateUpdated": "2026-05-23T16:01:20.071Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40074 (GCVE-0-2025-40074)
Vulnerability from cvelistv5 – Published: 2025-10-28 11:48 – Updated: 2026-05-11 21:41
VLAI
EPSS
Title
ipv4: start using dst_dev_rcu()
Summary
In the Linux kernel, the following vulnerability has been resolved:
ipv4: start using dst_dev_rcu()
Change icmpv4_xrlim_allow(), ip_defrag() to prevent possible UAF.
Change ipmr_prepare_xmit(), ipmr_queue_fwd_xmit(), ip_mr_output(),
ipv4_neigh_lookup() to use lockdep enabled dst_dev_rcu().
Severity
No CVSS data available.
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
4a6ce2b6f2ecabbddcfe47e7cf61dd0f00b10e36 , < 923e0734c386984d45de508528a7a7ad91d791cc
(git)
Affected: 4a6ce2b6f2ecabbddcfe47e7cf61dd0f00b10e36 , < 6ad8de3cefdb6ffa6708b21c567df0dbf82c43a8 (git) |
|
| Linux | Linux |
Affected:
4.13
Unaffected: 0 , < 4.13 (semver) Unaffected: 6.17.3 , ≤ 6.17.* (semver) Unaffected: 6.18 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ipv4/icmp.c",
"net/ipv4/ip_fragment.c",
"net/ipv4/ipmr.c",
"net/ipv4/route.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "923e0734c386984d45de508528a7a7ad91d791cc",
"status": "affected",
"version": "4a6ce2b6f2ecabbddcfe47e7cf61dd0f00b10e36",
"versionType": "git"
},
{
"lessThan": "6ad8de3cefdb6ffa6708b21c567df0dbf82c43a8",
"status": "affected",
"version": "4a6ce2b6f2ecabbddcfe47e7cf61dd0f00b10e36",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ipv4/icmp.c",
"net/ipv4/ip_fragment.c",
"net/ipv4/ipmr.c",
"net/ipv4/route.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.13"
},
{
"lessThan": "4.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.3",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "4.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv4: start using dst_dev_rcu()\n\nChange icmpv4_xrlim_allow(), ip_defrag() to prevent possible UAF.\n\nChange ipmr_prepare_xmit(), ipmr_queue_fwd_xmit(), ip_mr_output(),\nipv4_neigh_lookup() to use lockdep enabled dst_dev_rcu()."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:41:58.780Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/923e0734c386984d45de508528a7a7ad91d791cc"
},
{
"url": "https://git.kernel.org/stable/c/6ad8de3cefdb6ffa6708b21c567df0dbf82c43a8"
}
],
"title": "ipv4: start using dst_dev_rcu()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40074",
"datePublished": "2025-10-28T11:48:41.202Z",
"dateReserved": "2025-04-16T07:20:57.160Z",
"dateUpdated": "2026-05-11T21:41:58.780Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40075 (GCVE-0-2025-40075)
Vulnerability from cvelistv5 – Published: 2025-10-28 11:48 – Updated: 2026-05-11 21:41
VLAI
EPSS
Title
tcp_metrics: use dst_dev_net_rcu()
Summary
In the Linux kernel, the following vulnerability has been resolved:
tcp_metrics: use dst_dev_net_rcu()
Replace three dst_dev() with a lockdep enabled helper.
Severity
No CVSS data available.
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
4a6ce2b6f2ecabbddcfe47e7cf61dd0f00b10e36 , < 4b89397807eb04986427c4786d065e9442834ad4
(git)
Affected: 4a6ce2b6f2ecabbddcfe47e7cf61dd0f00b10e36 , < 07613a95326ebad2d1b88d883cd72546025a4f3e (git) Affected: 4a6ce2b6f2ecabbddcfe47e7cf61dd0f00b10e36 , < 50c127a69cd6285300931853b352a1918cfa180f (git) |
|
| Linux | Linux |
Affected:
4.13
Unaffected: 0 , < 4.13 (semver) Unaffected: 6.12.63 , ≤ 6.12.* (semver) Unaffected: 6.17.3 , ≤ 6.17.* (semver) Unaffected: 6.18 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ipv4/tcp_metrics.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "4b89397807eb04986427c4786d065e9442834ad4",
"status": "affected",
"version": "4a6ce2b6f2ecabbddcfe47e7cf61dd0f00b10e36",
"versionType": "git"
},
{
"lessThan": "07613a95326ebad2d1b88d883cd72546025a4f3e",
"status": "affected",
"version": "4a6ce2b6f2ecabbddcfe47e7cf61dd0f00b10e36",
"versionType": "git"
},
{
"lessThan": "50c127a69cd6285300931853b352a1918cfa180f",
"status": "affected",
"version": "4a6ce2b6f2ecabbddcfe47e7cf61dd0f00b10e36",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ipv4/tcp_metrics.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.13"
},
{
"lessThan": "4.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.63",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.63",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.3",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "4.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntcp_metrics: use dst_dev_net_rcu()\n\nReplace three dst_dev() with a lockdep enabled helper."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:41:59.909Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/4b89397807eb04986427c4786d065e9442834ad4"
},
{
"url": "https://git.kernel.org/stable/c/07613a95326ebad2d1b88d883cd72546025a4f3e"
},
{
"url": "https://git.kernel.org/stable/c/50c127a69cd6285300931853b352a1918cfa180f"
}
],
"title": "tcp_metrics: use dst_dev_net_rcu()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40075",
"datePublished": "2025-10-28T11:48:41.791Z",
"dateReserved": "2025-04-16T07:20:57.160Z",
"dateUpdated": "2026-05-11T21:41:59.909Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40080 (GCVE-0-2025-40080)
Vulnerability from cvelistv5 – Published: 2025-10-28 11:48 – Updated: 2026-05-23 16:01
VLAI
EPSS
Title
nbd: restrict sockets to TCP and UDP
Summary
In the Linux kernel, the following vulnerability has been resolved:
nbd: restrict sockets to TCP and UDP
Recently, syzbot started to abuse NBD with all kinds of sockets.
Commit cf1b2326b734 ("nbd: verify socket is supported during setup")
made sure the socket supported a shutdown() method.
Explicitely accept TCP and UNIX stream sockets.
Severity
No CVSS data available.
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
cf1b2326b734896734c6e167e41766f9cee7686a , < c365e8f20f4201d873a70385bd919f0fb531e960
(git)
Affected: cf1b2326b734896734c6e167e41766f9cee7686a , < 4f9e6ff6319dbcebea64b50af0304cf0ad7e97e7 (git) Affected: cf1b2326b734896734c6e167e41766f9cee7686a , < 37ad11f20e164c23ce827dd455b42c0fdd29685c (git) Affected: cf1b2326b734896734c6e167e41766f9cee7686a , < 808e2335bc1cf2293b9e36ccc94c267c81509c71 (git) Affected: cf1b2326b734896734c6e167e41766f9cee7686a , < 9f7c02e031570e8291a63162c6c046dc15ff85b0 (git) Affected: 4df728651b8a99693c69962d8e5a5b9e5a3bbcc7 (git) Affected: 083322455c67d278c56a66b73f1221f004ee600a (git) Affected: 4fa1cbd587ef967812f9d9f6ce46ec1dead7502c (git) Affected: 4.14.152 , < 4.15 (semver) Affected: 4.19.82 , < 4.20 (semver) Affected: 5.3.9 , < 5.4 (semver) |
|
| Linux | Linux |
Affected:
5.4
Unaffected: 0 , < 5.4 (semver) Unaffected: 6.1.156 , ≤ 6.1.* (semver) Unaffected: 6.6.112 , ≤ 6.6.* (semver) Unaffected: 6.12.53 , ≤ 6.12.* (semver) Unaffected: 6.17.3 , ≤ 6.17.* (semver) Unaffected: 6.18 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/block/nbd.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c365e8f20f4201d873a70385bd919f0fb531e960",
"status": "affected",
"version": "cf1b2326b734896734c6e167e41766f9cee7686a",
"versionType": "git"
},
{
"lessThan": "4f9e6ff6319dbcebea64b50af0304cf0ad7e97e7",
"status": "affected",
"version": "cf1b2326b734896734c6e167e41766f9cee7686a",
"versionType": "git"
},
{
"lessThan": "37ad11f20e164c23ce827dd455b42c0fdd29685c",
"status": "affected",
"version": "cf1b2326b734896734c6e167e41766f9cee7686a",
"versionType": "git"
},
{
"lessThan": "808e2335bc1cf2293b9e36ccc94c267c81509c71",
"status": "affected",
"version": "cf1b2326b734896734c6e167e41766f9cee7686a",
"versionType": "git"
},
{
"lessThan": "9f7c02e031570e8291a63162c6c046dc15ff85b0",
"status": "affected",
"version": "cf1b2326b734896734c6e167e41766f9cee7686a",
"versionType": "git"
},
{
"status": "affected",
"version": "4df728651b8a99693c69962d8e5a5b9e5a3bbcc7",
"versionType": "git"
},
{
"status": "affected",
"version": "083322455c67d278c56a66b73f1221f004ee600a",
"versionType": "git"
},
{
"status": "affected",
"version": "4fa1cbd587ef967812f9d9f6ce46ec1dead7502c",
"versionType": "git"
},
{
"lessThan": "4.15",
"status": "affected",
"version": "4.14.152",
"versionType": "semver"
},
{
"lessThan": "4.20",
"status": "affected",
"version": "4.19.82",
"versionType": "semver"
},
{
"lessThan": "5.4",
"status": "affected",
"version": "5.3.9",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/block/nbd.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.4"
},
{
"lessThan": "5.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.156",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.112",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.156",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.112",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.53",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.3",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.14.152",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.19.82",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.3.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnbd: restrict sockets to TCP and UDP\n\nRecently, syzbot started to abuse NBD with all kinds of sockets.\n\nCommit cf1b2326b734 (\"nbd: verify socket is supported during setup\")\nmade sure the socket supported a shutdown() method.\n\nExplicitely accept TCP and UNIX stream sockets."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-23T16:01:22.205Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c365e8f20f4201d873a70385bd919f0fb531e960"
},
{
"url": "https://git.kernel.org/stable/c/4f9e6ff6319dbcebea64b50af0304cf0ad7e97e7"
},
{
"url": "https://git.kernel.org/stable/c/37ad11f20e164c23ce827dd455b42c0fdd29685c"
},
{
"url": "https://git.kernel.org/stable/c/808e2335bc1cf2293b9e36ccc94c267c81509c71"
},
{
"url": "https://git.kernel.org/stable/c/9f7c02e031570e8291a63162c6c046dc15ff85b0"
}
],
"title": "nbd: restrict sockets to TCP and UDP",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40080",
"datePublished": "2025-10-28T11:48:44.796Z",
"dateReserved": "2025-04-16T07:20:57.160Z",
"dateUpdated": "2026-05-23T16:01:22.205Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40083 (GCVE-0-2025-40083)
Vulnerability from cvelistv5 – Published: 2025-10-29 13:37 – Updated: 2026-05-11 21:42
VLAI
EPSS
Title
net/sched: sch_qfq: Fix null-deref in agg_dequeue
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/sched: sch_qfq: Fix null-deref in agg_dequeue
To prevent a potential crash in agg_dequeue (net/sched/sch_qfq.c)
when cl->qdisc->ops->peek(cl->qdisc) returns NULL, we check the return
value before using it, similar to the existing approach in sch_hfsc.c.
To avoid code duplication, the following changes are made:
1. Changed qdisc_warn_nonwc(include/net/pkt_sched.h) into a static
inline function.
2. Moved qdisc_peek_len from net/sched/sch_hfsc.c to
include/net/pkt_sched.h so that sch_qfq can reuse it.
3. Applied qdisc_peek_len in agg_dequeue to avoid crashing.
Severity
No CVSS data available.
Assigner
References
7 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
462dbc9101acd38e92eda93c0726857517a24bbd , < 71d84658a61322e5630c85c5388fc25e4a2d08b2
(git)
Affected: 462dbc9101acd38e92eda93c0726857517a24bbd , < 99fc137f178797204d36ac860dd8b31e35baa2df (git) Affected: 462dbc9101acd38e92eda93c0726857517a24bbd , < 1bed56f089f09b465420bf23bb32985c305cfc28 (git) Affected: 462dbc9101acd38e92eda93c0726857517a24bbd , < 3c2a8994807623c7655ece205667ae2cf74940aa (git) Affected: 462dbc9101acd38e92eda93c0726857517a24bbd , < 6ffa9d66187188e3068b5a3895e6ae1ee34f9199 (git) Affected: 462dbc9101acd38e92eda93c0726857517a24bbd , < 6ff8e74c8f8a68ec07ef837b95425dfe900d060f (git) Affected: 462dbc9101acd38e92eda93c0726857517a24bbd , < dd831ac8221e691e9e918585b1003c7071df0379 (git) |
|
| Linux | Linux |
Affected:
3.8
Unaffected: 0 , < 3.8 (semver) Unaffected: 5.4.302 , ≤ 5.4.* (semver) Unaffected: 5.10.247 , ≤ 5.10.* (semver) Unaffected: 5.15.197 , ≤ 5.15.* (semver) Unaffected: 6.1.159 , ≤ 6.1.* (semver) Unaffected: 6.6.116 , ≤ 6.6.* (semver) Unaffected: 6.12.57 , ≤ 6.12.* (semver) Unaffected: 6.16 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"include/net/pkt_sched.h",
"net/sched/sch_api.c",
"net/sched/sch_hfsc.c",
"net/sched/sch_qfq.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "71d84658a61322e5630c85c5388fc25e4a2d08b2",
"status": "affected",
"version": "462dbc9101acd38e92eda93c0726857517a24bbd",
"versionType": "git"
},
{
"lessThan": "99fc137f178797204d36ac860dd8b31e35baa2df",
"status": "affected",
"version": "462dbc9101acd38e92eda93c0726857517a24bbd",
"versionType": "git"
},
{
"lessThan": "1bed56f089f09b465420bf23bb32985c305cfc28",
"status": "affected",
"version": "462dbc9101acd38e92eda93c0726857517a24bbd",
"versionType": "git"
},
{
"lessThan": "3c2a8994807623c7655ece205667ae2cf74940aa",
"status": "affected",
"version": "462dbc9101acd38e92eda93c0726857517a24bbd",
"versionType": "git"
},
{
"lessThan": "6ffa9d66187188e3068b5a3895e6ae1ee34f9199",
"status": "affected",
"version": "462dbc9101acd38e92eda93c0726857517a24bbd",
"versionType": "git"
},
{
"lessThan": "6ff8e74c8f8a68ec07ef837b95425dfe900d060f",
"status": "affected",
"version": "462dbc9101acd38e92eda93c0726857517a24bbd",
"versionType": "git"
},
{
"lessThan": "dd831ac8221e691e9e918585b1003c7071df0379",
"status": "affected",
"version": "462dbc9101acd38e92eda93c0726857517a24bbd",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"include/net/pkt_sched.h",
"net/sched/sch_api.c",
"net/sched/sch_hfsc.c",
"net/sched/sch_qfq.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.8"
},
{
"lessThan": "3.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.302",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.116",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.57",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.16",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.302",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.247",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.116",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.57",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16",
"versionStartIncluding": "3.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: sch_qfq: Fix null-deref in agg_dequeue\n\nTo prevent a potential crash in agg_dequeue (net/sched/sch_qfq.c)\nwhen cl-\u003eqdisc-\u003eops-\u003epeek(cl-\u003eqdisc) returns NULL, we check the return\nvalue before using it, similar to the existing approach in sch_hfsc.c.\n\nTo avoid code duplication, the following changes are made:\n\n1. Changed qdisc_warn_nonwc(include/net/pkt_sched.h) into a static\ninline function.\n\n2. Moved qdisc_peek_len from net/sched/sch_hfsc.c to\ninclude/net/pkt_sched.h so that sch_qfq can reuse it.\n\n3. Applied qdisc_peek_len in agg_dequeue to avoid crashing."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:42:10.831Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/71d84658a61322e5630c85c5388fc25e4a2d08b2"
},
{
"url": "https://git.kernel.org/stable/c/99fc137f178797204d36ac860dd8b31e35baa2df"
},
{
"url": "https://git.kernel.org/stable/c/1bed56f089f09b465420bf23bb32985c305cfc28"
},
{
"url": "https://git.kernel.org/stable/c/3c2a8994807623c7655ece205667ae2cf74940aa"
},
{
"url": "https://git.kernel.org/stable/c/6ffa9d66187188e3068b5a3895e6ae1ee34f9199"
},
{
"url": "https://git.kernel.org/stable/c/6ff8e74c8f8a68ec07ef837b95425dfe900d060f"
},
{
"url": "https://git.kernel.org/stable/c/dd831ac8221e691e9e918585b1003c7071df0379"
}
],
"title": "net/sched: sch_qfq: Fix null-deref in agg_dequeue",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40083",
"datePublished": "2025-10-29T13:37:01.868Z",
"dateReserved": "2025-04-16T07:20:57.161Z",
"dateUpdated": "2026-05-11T21:42:10.831Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40086 (GCVE-0-2025-40086)
Vulnerability from cvelistv5 – Published: 2025-10-30 09:47 – Updated: 2026-05-11 21:42
VLAI
EPSS
Title
drm/xe: Don't allow evicting of BOs in same VM in array of VM binds
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/xe: Don't allow evicting of BOs in same VM in array of VM binds
An array of VM binds can potentially evict other buffer objects (BOs)
within the same VM under certain conditions, which may lead to NULL
pointer dereferences later in the bind pipeline. To prevent this, clear
the allow_res_evict flag in the xe_bo_validate call.
v2:
- Invert polarity of no_res_evict (Thomas)
- Add comment in code explaining issue (Thomas)
(cherry picked from commit 8b9ba8d6d95fe75fed6b0480bb03da4b321bea08)
Severity
No CVSS data available.
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
dd08ebf6c3525a7ea2186e636df064ea47281987 , < 5aa0ab0ba7d94549cfe17d6ef7a4f33ba1de8384
(git)
Affected: dd08ebf6c3525a7ea2186e636df064ea47281987 , < 7ac74613e5f2ef3450f44fd2127198662c2563a9 (git) |
|
| Linux | Linux |
Affected:
6.8
Unaffected: 0 , < 6.8 (semver) Unaffected: 6.17.5 , ≤ 6.17.* (semver) Unaffected: 6.18 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/xe/xe_vm.c",
"drivers/gpu/drm/xe/xe_vm_types.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5aa0ab0ba7d94549cfe17d6ef7a4f33ba1de8384",
"status": "affected",
"version": "dd08ebf6c3525a7ea2186e636df064ea47281987",
"versionType": "git"
},
{
"lessThan": "7ac74613e5f2ef3450f44fd2127198662c2563a9",
"status": "affected",
"version": "dd08ebf6c3525a7ea2186e636df064ea47281987",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/xe/xe_vm.c",
"drivers/gpu/drm/xe/xe_vm_types.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.8"
},
{
"lessThan": "6.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.5",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/xe: Don\u0027t allow evicting of BOs in same VM in array of VM binds\n\nAn array of VM binds can potentially evict other buffer objects (BOs)\nwithin the same VM under certain conditions, which may lead to NULL\npointer dereferences later in the bind pipeline. To prevent this, clear\nthe allow_res_evict flag in the xe_bo_validate call.\n\nv2:\n - Invert polarity of no_res_evict (Thomas)\n - Add comment in code explaining issue (Thomas)\n\n(cherry picked from commit 8b9ba8d6d95fe75fed6b0480bb03da4b321bea08)"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:42:14.362Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5aa0ab0ba7d94549cfe17d6ef7a4f33ba1de8384"
},
{
"url": "https://git.kernel.org/stable/c/7ac74613e5f2ef3450f44fd2127198662c2563a9"
}
],
"title": "drm/xe: Don\u0027t allow evicting of BOs in same VM in array of VM binds",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40086",
"datePublished": "2025-10-30T09:47:56.005Z",
"dateReserved": "2025-04-16T07:20:57.161Z",
"dateUpdated": "2026-05-11T21:42:14.362Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Loading…
Trend slope:
-
(linear fit over daily sighting counts)
Show additional events:
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…