Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CERTFR-2026-AVI-0018
Vulnerability from certfr_avis - Published: 2026-01-09 - Updated: 2026-01-09
De multiples vulnérabilités ont été découvertes dans le noyau Linux d'Ubuntu. Elles permettent à un attaquant de provoquer un problème de sécurité non spécifié par l'éditeur.
Solutions
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
NoneImpacted products
References
| Title | Publication Time | Tags | |||
|---|---|---|---|---|---|
|
|||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Ubuntu 20.04 ESM",
"product": {
"name": "Ubuntu",
"vendor": {
"name": "Ubuntu",
"scada": false
}
}
},
{
"description": "Ubuntu 18.04 ESM",
"product": {
"name": "Ubuntu",
"vendor": {
"name": "Ubuntu",
"scada": false
}
}
}
],
"affected_systems_content": null,
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [
{
"name": "CVE-2022-49390",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49390"
},
{
"name": "CVE-2025-37958",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-37958"
},
{
"name": "CVE-2025-21855",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21855"
},
{
"name": "CVE-2025-38666",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38666"
},
{
"name": "CVE-2024-50196",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-50196"
},
{
"name": "CVE-2024-50095",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-50095"
},
{
"name": "CVE-2022-49026",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49026"
},
{
"name": "CVE-2025-39964",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39964"
},
{
"name": "CVE-2025-39993",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39993"
},
{
"name": "CVE-2024-49935",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-49935"
},
{
"name": "CVE-2025-40018",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40018"
},
{
"name": "CVE-2024-53218",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-53218"
},
{
"name": "CVE-2024-53090",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-53090"
},
{
"name": "CVE-2024-50067",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-50067"
},
{
"name": "CVE-2024-47691",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-47691"
}
],
"initial_release_date": "2026-01-09T00:00:00",
"last_revision_date": "2026-01-09T00:00:00",
"links": [],
"reference": "CERTFR-2026-AVI-0018",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2026-01-09T00:00:00.000000"
}
],
"risks": [
{
"description": "Non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans le noyau Linux d\u0027Ubuntu. Elles permettent \u00e0 un attaquant de provoquer un probl\u00e8me de s\u00e9curit\u00e9 non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur.",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans le noyau Linux d\u0027Ubuntu",
"vendor_advisories": [
{
"published_at": "2026-01-06",
"title": "Bulletin de s\u00e9curit\u00e9 Ubuntu USN-7922-4",
"url": "https://ubuntu.com/security/notices/USN-7922-4"
}
]
}
CVE-2025-37958 (GCVE-0-2025-37958)
Vulnerability from cvelistv5 – Published: 2025-05-20 16:01 – Updated: 2026-05-11 21:18
VLAI
EPSS
Title
mm/huge_memory: fix dereferencing invalid pmd migration entry
Summary
In the Linux kernel, the following vulnerability has been resolved:
mm/huge_memory: fix dereferencing invalid pmd migration entry
When migrating a THP, concurrent access to the PMD migration entry during
a deferred split scan can lead to an invalid address access, as
illustrated below. To prevent this invalid access, it is necessary to
check the PMD migration entry and return early. In this context, there is
no need to use pmd_to_swp_entry and pfn_swap_entry_to_page to verify the
equality of the target folio. Since the PMD migration entry is locked, it
cannot be served as the target.
Mailing list discussion and explanation from Hugh Dickins: "An anon_vma
lookup points to a location which may contain the folio of interest, but
might instead contain another folio: and weeding out those other folios is
precisely what the "folio != pmd_folio((*pmd)" check (and the "risk of
replacing the wrong folio" comment a few lines above it) is for."
BUG: unable to handle page fault for address: ffffea60001db008
CPU: 0 UID: 0 PID: 2199114 Comm: tee Not tainted 6.14.0+ #4 NONE
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
RIP: 0010:split_huge_pmd_locked+0x3b5/0x2b60
Call Trace:
<TASK>
try_to_migrate_one+0x28c/0x3730
rmap_walk_anon+0x4f6/0x770
unmap_folio+0x196/0x1f0
split_huge_page_to_list_to_order+0x9f6/0x1560
deferred_split_scan+0xac5/0x12a0
shrinker_debugfs_scan_write+0x376/0x470
full_proxy_write+0x15c/0x220
vfs_write+0x2fc/0xcb0
ksys_write+0x146/0x250
do_syscall_64+0x6a/0x120
entry_SYSCALL_64_after_hwframe+0x76/0x7e
The bug is found by syzkaller on an internal kernel, then confirmed on
upstream.
Severity
No CVSS data available.
Assigner
References
10 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
84c3fc4e9c563d8fb91cfdf5948da48fe1af34d3 , < 753f142f7ff7d2223a47105b61e1efd91587d711
(git)
Affected: 84c3fc4e9c563d8fb91cfdf5948da48fe1af34d3 , < 9468afbda3fbfcec21ac8132364dff3dab945faf (git) Affected: 84c3fc4e9c563d8fb91cfdf5948da48fe1af34d3 , < ef5706bed97e240b4abf4233ceb03da7336bc775 (git) Affected: 84c3fc4e9c563d8fb91cfdf5948da48fe1af34d3 , < 22f6368768340260e862f35151d2e1c55cb1dc75 (git) Affected: 84c3fc4e9c563d8fb91cfdf5948da48fe1af34d3 , < 3977946f61cdba87b6b5aaf7d7094e96089583a5 (git) Affected: 84c3fc4e9c563d8fb91cfdf5948da48fe1af34d3 , < 6166c3cf405441f7147b322980144feb3cefc617 (git) Affected: 84c3fc4e9c563d8fb91cfdf5948da48fe1af34d3 , < fbab262b0c8226c697af1851a424896ed47dedcc (git) Affected: 84c3fc4e9c563d8fb91cfdf5948da48fe1af34d3 , < be6e843fc51a584672dfd9c4a6a24c8cb81d5fb7 (git) |
|
| Linux | Linux |
Affected:
4.14
Unaffected: 0 , < 4.14 (semver) Unaffected: 5.4.295 , ≤ 5.4.* (semver) Unaffected: 5.10.239 , ≤ 5.10.* (semver) Unaffected: 5.15.186 , ≤ 5.15.* (semver) Unaffected: 6.1.142 , ≤ 6.1.* (semver) Unaffected: 6.6.95 , ≤ 6.6.* (semver) Unaffected: 6.12.29 , ≤ 6.12.* (semver) Unaffected: 6.14.7 , ≤ 6.14.* (semver) Unaffected: 6.15 , ≤ * (original_commit_for_fix) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:32:46.448Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"mm/huge_memory.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "753f142f7ff7d2223a47105b61e1efd91587d711",
"status": "affected",
"version": "84c3fc4e9c563d8fb91cfdf5948da48fe1af34d3",
"versionType": "git"
},
{
"lessThan": "9468afbda3fbfcec21ac8132364dff3dab945faf",
"status": "affected",
"version": "84c3fc4e9c563d8fb91cfdf5948da48fe1af34d3",
"versionType": "git"
},
{
"lessThan": "ef5706bed97e240b4abf4233ceb03da7336bc775",
"status": "affected",
"version": "84c3fc4e9c563d8fb91cfdf5948da48fe1af34d3",
"versionType": "git"
},
{
"lessThan": "22f6368768340260e862f35151d2e1c55cb1dc75",
"status": "affected",
"version": "84c3fc4e9c563d8fb91cfdf5948da48fe1af34d3",
"versionType": "git"
},
{
"lessThan": "3977946f61cdba87b6b5aaf7d7094e96089583a5",
"status": "affected",
"version": "84c3fc4e9c563d8fb91cfdf5948da48fe1af34d3",
"versionType": "git"
},
{
"lessThan": "6166c3cf405441f7147b322980144feb3cefc617",
"status": "affected",
"version": "84c3fc4e9c563d8fb91cfdf5948da48fe1af34d3",
"versionType": "git"
},
{
"lessThan": "fbab262b0c8226c697af1851a424896ed47dedcc",
"status": "affected",
"version": "84c3fc4e9c563d8fb91cfdf5948da48fe1af34d3",
"versionType": "git"
},
{
"lessThan": "be6e843fc51a584672dfd9c4a6a24c8cb81d5fb7",
"status": "affected",
"version": "84c3fc4e9c563d8fb91cfdf5948da48fe1af34d3",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"mm/huge_memory.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.14"
},
{
"lessThan": "4.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.295",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.239",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.186",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.142",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.95",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.29",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.14.*",
"status": "unaffected",
"version": "6.14.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.15",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.295",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.239",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.186",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.142",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.95",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.29",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14.7",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15",
"versionStartIncluding": "4.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/huge_memory: fix dereferencing invalid pmd migration entry\n\nWhen migrating a THP, concurrent access to the PMD migration entry during\na deferred split scan can lead to an invalid address access, as\nillustrated below. To prevent this invalid access, it is necessary to\ncheck the PMD migration entry and return early. In this context, there is\nno need to use pmd_to_swp_entry and pfn_swap_entry_to_page to verify the\nequality of the target folio. Since the PMD migration entry is locked, it\ncannot be served as the target.\n\nMailing list discussion and explanation from Hugh Dickins: \"An anon_vma\nlookup points to a location which may contain the folio of interest, but\nmight instead contain another folio: and weeding out those other folios is\nprecisely what the \"folio != pmd_folio((*pmd)\" check (and the \"risk of\nreplacing the wrong folio\" comment a few lines above it) is for.\"\n\nBUG: unable to handle page fault for address: ffffea60001db008\nCPU: 0 UID: 0 PID: 2199114 Comm: tee Not tainted 6.14.0+ #4 NONE\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014\nRIP: 0010:split_huge_pmd_locked+0x3b5/0x2b60\nCall Trace:\n\u003cTASK\u003e\ntry_to_migrate_one+0x28c/0x3730\nrmap_walk_anon+0x4f6/0x770\nunmap_folio+0x196/0x1f0\nsplit_huge_page_to_list_to_order+0x9f6/0x1560\ndeferred_split_scan+0xac5/0x12a0\nshrinker_debugfs_scan_write+0x376/0x470\nfull_proxy_write+0x15c/0x220\nvfs_write+0x2fc/0xcb0\nksys_write+0x146/0x250\ndo_syscall_64+0x6a/0x120\nentry_SYSCALL_64_after_hwframe+0x76/0x7e\n\nThe bug is found by syzkaller on an internal kernel, then confirmed on\nupstream."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:18:23.635Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/753f142f7ff7d2223a47105b61e1efd91587d711"
},
{
"url": "https://git.kernel.org/stable/c/9468afbda3fbfcec21ac8132364dff3dab945faf"
},
{
"url": "https://git.kernel.org/stable/c/ef5706bed97e240b4abf4233ceb03da7336bc775"
},
{
"url": "https://git.kernel.org/stable/c/22f6368768340260e862f35151d2e1c55cb1dc75"
},
{
"url": "https://git.kernel.org/stable/c/3977946f61cdba87b6b5aaf7d7094e96089583a5"
},
{
"url": "https://git.kernel.org/stable/c/6166c3cf405441f7147b322980144feb3cefc617"
},
{
"url": "https://git.kernel.org/stable/c/fbab262b0c8226c697af1851a424896ed47dedcc"
},
{
"url": "https://git.kernel.org/stable/c/be6e843fc51a584672dfd9c4a6a24c8cb81d5fb7"
}
],
"title": "mm/huge_memory: fix dereferencing invalid pmd migration entry",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-37958",
"datePublished": "2025-05-20T16:01:51.740Z",
"dateReserved": "2025-04-16T04:51:23.974Z",
"dateUpdated": "2026-05-11T21:18:23.635Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-38666 (GCVE-0-2025-38666)
Vulnerability from cvelistv5 – Published: 2025-08-22 16:02 – Updated: 2026-05-11 21:32
VLAI
EPSS
Title
net: appletalk: Fix use-after-free in AARP proxy probe
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: appletalk: Fix use-after-free in AARP proxy probe
The AARP proxy‐probe routine (aarp_proxy_probe_network) sends a probe,
releases the aarp_lock, sleeps, then re-acquires the lock. During that
window an expire timer thread (__aarp_expire_timer) can remove and
kfree() the same entry, leading to a use-after-free.
race condition:
cpu 0 | cpu 1
atalk_sendmsg() | atif_proxy_probe_device()
aarp_send_ddp() | aarp_proxy_probe_network()
mod_timer() | lock(aarp_lock) // LOCK!!
timeout around 200ms | alloc(aarp_entry)
and then call | proxies[hash] = aarp_entry
aarp_expire_timeout() | aarp_send_probe()
| unlock(aarp_lock) // UNLOCK!!
lock(aarp_lock) // LOCK!! | msleep(100);
__aarp_expire_timer(&proxies[ct]) |
free(aarp_entry) |
unlock(aarp_lock) // UNLOCK!! |
| lock(aarp_lock) // LOCK!!
| UAF aarp_entry !!
==================================================================
BUG: KASAN: slab-use-after-free in aarp_proxy_probe_network+0x560/0x630 net/appletalk/aarp.c:493
Read of size 4 at addr ffff8880123aa360 by task repro/13278
CPU: 3 UID: 0 PID: 13278 Comm: repro Not tainted 6.15.2 #3 PREEMPT(full)
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x116/0x1b0 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:408 [inline]
print_report+0xc1/0x630 mm/kasan/report.c:521
kasan_report+0xca/0x100 mm/kasan/report.c:634
aarp_proxy_probe_network+0x560/0x630 net/appletalk/aarp.c:493
atif_proxy_probe_device net/appletalk/ddp.c:332 [inline]
atif_ioctl+0xb58/0x16c0 net/appletalk/ddp.c:857
atalk_ioctl+0x198/0x2f0 net/appletalk/ddp.c:1818
sock_do_ioctl+0xdc/0x260 net/socket.c:1190
sock_ioctl+0x239/0x6a0 net/socket.c:1311
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:906 [inline]
__se_sys_ioctl fs/ioctl.c:892 [inline]
__x64_sys_ioctl+0x194/0x200 fs/ioctl.c:892
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xcb/0x250 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
</TASK>
Allocated:
aarp_alloc net/appletalk/aarp.c:382 [inline]
aarp_proxy_probe_network+0xd8/0x630 net/appletalk/aarp.c:468
atif_proxy_probe_device net/appletalk/ddp.c:332 [inline]
atif_ioctl+0xb58/0x16c0 net/appletalk/ddp.c:857
atalk_ioctl+0x198/0x2f0 net/appletalk/ddp.c:1818
Freed:
kfree+0x148/0x4d0 mm/slub.c:4841
__aarp_expire net/appletalk/aarp.c:90 [inline]
__aarp_expire_timer net/appletalk/aarp.c:261 [inline]
aarp_expire_timeout+0x480/0x6e0 net/appletalk/aarp.c:317
The buggy address belongs to the object at ffff8880123aa300
which belongs to the cache kmalloc-192 of size 192
The buggy address is located 96 bytes inside of
freed 192-byte region [ffff8880123aa300, ffff8880123aa3c0)
Memory state around the buggy address:
ffff8880123aa200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff8880123aa280: 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc
>ffff8880123aa300: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff8880123aa380: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
ffff8880123aa400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
Severity
No CVSS data available.
Assigner
References
10 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < b35694ffabb2af308a1f725d70f60fd8a47d1f3e
(git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 82d19a70ced28b17a38ebf1b6978c6c7db894979 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 186942d19c0222617ef61f50e1dba91e269a5963 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 2a6209e4649d45fd85d4193abc481911858ffc6f (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < e4f1564c5b699eb89b3040688fd6b4e57922f1f6 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 5f02ea0f63dd38c41539ea290fcc1693c73aa8e5 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < f90b6bb203f3f38bf2b3d976113d51571df9a482 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 6c4a92d07b0850342d3becf2e608f805e972467c (git) |
|
| Linux | Linux |
Affected:
2.6.12
Unaffected: 0 , < 2.6.12 (semver) Unaffected: 5.4.297 , ≤ 5.4.* (semver) Unaffected: 5.10.241 , ≤ 5.10.* (semver) Unaffected: 5.15.190 , ≤ 5.15.* (semver) Unaffected: 6.1.148 , ≤ 6.1.* (semver) Unaffected: 6.6.101 , ≤ 6.6.* (semver) Unaffected: 6.12.41 , ≤ 6.12.* (semver) Unaffected: 6.15.9 , ≤ 6.15.* (semver) Unaffected: 6.16 , ≤ * (original_commit_for_fix) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:40:53.180Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/appletalk/aarp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b35694ffabb2af308a1f725d70f60fd8a47d1f3e",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "82d19a70ced28b17a38ebf1b6978c6c7db894979",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "186942d19c0222617ef61f50e1dba91e269a5963",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "2a6209e4649d45fd85d4193abc481911858ffc6f",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "e4f1564c5b699eb89b3040688fd6b4e57922f1f6",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "5f02ea0f63dd38c41539ea290fcc1693c73aa8e5",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "f90b6bb203f3f38bf2b3d976113d51571df9a482",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "6c4a92d07b0850342d3becf2e608f805e972467c",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/appletalk/aarp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.297",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.241",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.190",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.148",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.101",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.41",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.16",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.297",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.241",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.190",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.148",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.101",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.41",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.9",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: appletalk: Fix use-after-free in AARP proxy probe\n\nThe AARP proxy\u2010probe routine (aarp_proxy_probe_network) sends a probe,\nreleases the aarp_lock, sleeps, then re-acquires the lock. During that\nwindow an expire timer thread (__aarp_expire_timer) can remove and\nkfree() the same entry, leading to a use-after-free.\n\nrace condition:\n\n cpu 0 | cpu 1\n atalk_sendmsg() | atif_proxy_probe_device()\n aarp_send_ddp() | aarp_proxy_probe_network()\n mod_timer() | lock(aarp_lock) // LOCK!!\n timeout around 200ms | alloc(aarp_entry)\n and then call | proxies[hash] = aarp_entry\n aarp_expire_timeout() | aarp_send_probe()\n | unlock(aarp_lock) // UNLOCK!!\n lock(aarp_lock) // LOCK!! | msleep(100);\n __aarp_expire_timer(\u0026proxies[ct]) |\n free(aarp_entry) |\n unlock(aarp_lock) // UNLOCK!! |\n | lock(aarp_lock) // LOCK!!\n | UAF aarp_entry !!\n\n==================================================================\nBUG: KASAN: slab-use-after-free in aarp_proxy_probe_network+0x560/0x630 net/appletalk/aarp.c:493\nRead of size 4 at addr ffff8880123aa360 by task repro/13278\n\nCPU: 3 UID: 0 PID: 13278 Comm: repro Not tainted 6.15.2 #3 PREEMPT(full)\nCall Trace:\n \u003cTASK\u003e\n __dump_stack lib/dump_stack.c:94 [inline]\n dump_stack_lvl+0x116/0x1b0 lib/dump_stack.c:120\n print_address_description mm/kasan/report.c:408 [inline]\n print_report+0xc1/0x630 mm/kasan/report.c:521\n kasan_report+0xca/0x100 mm/kasan/report.c:634\n aarp_proxy_probe_network+0x560/0x630 net/appletalk/aarp.c:493\n atif_proxy_probe_device net/appletalk/ddp.c:332 [inline]\n atif_ioctl+0xb58/0x16c0 net/appletalk/ddp.c:857\n atalk_ioctl+0x198/0x2f0 net/appletalk/ddp.c:1818\n sock_do_ioctl+0xdc/0x260 net/socket.c:1190\n sock_ioctl+0x239/0x6a0 net/socket.c:1311\n vfs_ioctl fs/ioctl.c:51 [inline]\n __do_sys_ioctl fs/ioctl.c:906 [inline]\n __se_sys_ioctl fs/ioctl.c:892 [inline]\n __x64_sys_ioctl+0x194/0x200 fs/ioctl.c:892\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xcb/0x250 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n \u003c/TASK\u003e\n\nAllocated:\n aarp_alloc net/appletalk/aarp.c:382 [inline]\n aarp_proxy_probe_network+0xd8/0x630 net/appletalk/aarp.c:468\n atif_proxy_probe_device net/appletalk/ddp.c:332 [inline]\n atif_ioctl+0xb58/0x16c0 net/appletalk/ddp.c:857\n atalk_ioctl+0x198/0x2f0 net/appletalk/ddp.c:1818\n\nFreed:\n kfree+0x148/0x4d0 mm/slub.c:4841\n __aarp_expire net/appletalk/aarp.c:90 [inline]\n __aarp_expire_timer net/appletalk/aarp.c:261 [inline]\n aarp_expire_timeout+0x480/0x6e0 net/appletalk/aarp.c:317\n\nThe buggy address belongs to the object at ffff8880123aa300\n which belongs to the cache kmalloc-192 of size 192\nThe buggy address is located 96 bytes inside of\n freed 192-byte region [ffff8880123aa300, ffff8880123aa3c0)\n\nMemory state around the buggy address:\n ffff8880123aa200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n ffff8880123aa280: 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc\n\u003effff8880123aa300: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n ^\n ffff8880123aa380: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc\n ffff8880123aa400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n=================================================================="
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:32:37.617Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b35694ffabb2af308a1f725d70f60fd8a47d1f3e"
},
{
"url": "https://git.kernel.org/stable/c/82d19a70ced28b17a38ebf1b6978c6c7db894979"
},
{
"url": "https://git.kernel.org/stable/c/186942d19c0222617ef61f50e1dba91e269a5963"
},
{
"url": "https://git.kernel.org/stable/c/2a6209e4649d45fd85d4193abc481911858ffc6f"
},
{
"url": "https://git.kernel.org/stable/c/e4f1564c5b699eb89b3040688fd6b4e57922f1f6"
},
{
"url": "https://git.kernel.org/stable/c/5f02ea0f63dd38c41539ea290fcc1693c73aa8e5"
},
{
"url": "https://git.kernel.org/stable/c/f90b6bb203f3f38bf2b3d976113d51571df9a482"
},
{
"url": "https://git.kernel.org/stable/c/6c4a92d07b0850342d3becf2e608f805e972467c"
}
],
"title": "net: appletalk: Fix use-after-free in AARP proxy probe",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38666",
"datePublished": "2025-08-22T16:02:58.144Z",
"dateReserved": "2025-04-16T04:51:24.031Z",
"dateUpdated": "2026-05-11T21:32:37.617Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39964 (GCVE-0-2025-39964)
Vulnerability from cvelistv5 – Published: 2025-10-13 13:48 – Updated: 2026-05-11 21:39
VLAI
EPSS
Title
crypto: af_alg - Disallow concurrent writes in af_alg_sendmsg
Summary
In the Linux kernel, the following vulnerability has been resolved:
crypto: af_alg - Disallow concurrent writes in af_alg_sendmsg
Issuing two writes to the same af_alg socket is bogus as the
data will be interleaved in an unpredictable fashion. Furthermore,
concurrent writes may create inconsistencies in the internal
socket state.
Disallow this by adding a new ctx->write field that indiciates
exclusive ownership for writing.
Severity
No CVSS data available.
Assigner
References
7 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
8ff590903d5fc7f5a0a988c38267a3d08e6393a2 , < 0f28c4adbc4a97437874c9b669fd7958a8c6d6ce
(git)
Affected: 8ff590903d5fc7f5a0a988c38267a3d08e6393a2 , < e4c1ec11132ec466f7362a95f36a506ce4dc08c9 (git) Affected: 8ff590903d5fc7f5a0a988c38267a3d08e6393a2 , < 1f323a48e9b5ebfe6dc7d130fdf5c3c0e92a07c8 (git) Affected: 8ff590903d5fc7f5a0a988c38267a3d08e6393a2 , < 7c4491b5644e3a3708f3dbd7591be0a570135b84 (git) Affected: 8ff590903d5fc7f5a0a988c38267a3d08e6393a2 , < 9aee87da5572b3a14075f501752e209801160d3d (git) Affected: 8ff590903d5fc7f5a0a988c38267a3d08e6393a2 , < 45bcf60fe49b37daab1acee57b27211ad1574042 (git) Affected: 8ff590903d5fc7f5a0a988c38267a3d08e6393a2 , < 1b34cbbf4f011a121ef7b2d7d6e6920a036d5285 (git) |
|
| Linux | Linux |
Affected:
2.6.38
Unaffected: 0 , < 2.6.38 (semver) Unaffected: 5.10.245 , ≤ 5.10.* (semver) Unaffected: 5.15.194 , ≤ 5.15.* (semver) Unaffected: 6.1.154 , ≤ 6.1.* (semver) Unaffected: 6.6.108 , ≤ 6.6.* (semver) Unaffected: 6.12.49 , ≤ 6.12.* (semver) Unaffected: 6.16.9 , ≤ 6.16.* (semver) Unaffected: 6.17 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"crypto/af_alg.c",
"include/crypto/if_alg.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "0f28c4adbc4a97437874c9b669fd7958a8c6d6ce",
"status": "affected",
"version": "8ff590903d5fc7f5a0a988c38267a3d08e6393a2",
"versionType": "git"
},
{
"lessThan": "e4c1ec11132ec466f7362a95f36a506ce4dc08c9",
"status": "affected",
"version": "8ff590903d5fc7f5a0a988c38267a3d08e6393a2",
"versionType": "git"
},
{
"lessThan": "1f323a48e9b5ebfe6dc7d130fdf5c3c0e92a07c8",
"status": "affected",
"version": "8ff590903d5fc7f5a0a988c38267a3d08e6393a2",
"versionType": "git"
},
{
"lessThan": "7c4491b5644e3a3708f3dbd7591be0a570135b84",
"status": "affected",
"version": "8ff590903d5fc7f5a0a988c38267a3d08e6393a2",
"versionType": "git"
},
{
"lessThan": "9aee87da5572b3a14075f501752e209801160d3d",
"status": "affected",
"version": "8ff590903d5fc7f5a0a988c38267a3d08e6393a2",
"versionType": "git"
},
{
"lessThan": "45bcf60fe49b37daab1acee57b27211ad1574042",
"status": "affected",
"version": "8ff590903d5fc7f5a0a988c38267a3d08e6393a2",
"versionType": "git"
},
{
"lessThan": "1b34cbbf4f011a121ef7b2d7d6e6920a036d5285",
"status": "affected",
"version": "8ff590903d5fc7f5a0a988c38267a3d08e6393a2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"crypto/af_alg.c",
"include/crypto/if_alg.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.38"
},
{
"lessThan": "2.6.38",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.245",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.194",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.154",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.108",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.49",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.245",
"versionStartIncluding": "2.6.38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.194",
"versionStartIncluding": "2.6.38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.154",
"versionStartIncluding": "2.6.38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.108",
"versionStartIncluding": "2.6.38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.49",
"versionStartIncluding": "2.6.38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.9",
"versionStartIncluding": "2.6.38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "2.6.38",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: af_alg - Disallow concurrent writes in af_alg_sendmsg\n\nIssuing two writes to the same af_alg socket is bogus as the\ndata will be interleaved in an unpredictable fashion. Furthermore,\nconcurrent writes may create inconsistencies in the internal\nsocket state.\n\nDisallow this by adding a new ctx-\u003ewrite field that indiciates\nexclusive ownership for writing."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:39:49.992Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/0f28c4adbc4a97437874c9b669fd7958a8c6d6ce"
},
{
"url": "https://git.kernel.org/stable/c/e4c1ec11132ec466f7362a95f36a506ce4dc08c9"
},
{
"url": "https://git.kernel.org/stable/c/1f323a48e9b5ebfe6dc7d130fdf5c3c0e92a07c8"
},
{
"url": "https://git.kernel.org/stable/c/7c4491b5644e3a3708f3dbd7591be0a570135b84"
},
{
"url": "https://git.kernel.org/stable/c/9aee87da5572b3a14075f501752e209801160d3d"
},
{
"url": "https://git.kernel.org/stable/c/45bcf60fe49b37daab1acee57b27211ad1574042"
},
{
"url": "https://git.kernel.org/stable/c/1b34cbbf4f011a121ef7b2d7d6e6920a036d5285"
}
],
"title": "crypto: af_alg - Disallow concurrent writes in af_alg_sendmsg",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39964",
"datePublished": "2025-10-13T13:48:30.334Z",
"dateReserved": "2025-04-16T07:20:57.149Z",
"dateUpdated": "2026-05-11T21:39:49.992Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39993 (GCVE-0-2025-39993)
Vulnerability from cvelistv5 – Published: 2025-10-15 07:58 – Updated: 2026-05-11 21:40
VLAI
EPSS
Title
media: rc: fix races with imon_disconnect()
Summary
In the Linux kernel, the following vulnerability has been resolved:
media: rc: fix races with imon_disconnect()
Syzbot reports a KASAN issue as below:
BUG: KASAN: use-after-free in __create_pipe include/linux/usb.h:1945 [inline]
BUG: KASAN: use-after-free in send_packet+0xa2d/0xbc0 drivers/media/rc/imon.c:627
Read of size 4 at addr ffff8880256fb000 by task syz-executor314/4465
CPU: 2 PID: 4465 Comm: syz-executor314 Not tainted 6.0.0-rc1-syzkaller #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-2 04/01/2014
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
print_address_description mm/kasan/report.c:317 [inline]
print_report.cold+0x2ba/0x6e9 mm/kasan/report.c:433
kasan_report+0xb1/0x1e0 mm/kasan/report.c:495
__create_pipe include/linux/usb.h:1945 [inline]
send_packet+0xa2d/0xbc0 drivers/media/rc/imon.c:627
vfd_write+0x2d9/0x550 drivers/media/rc/imon.c:991
vfs_write+0x2d7/0xdd0 fs/read_write.c:576
ksys_write+0x127/0x250 fs/read_write.c:631
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
The iMON driver improperly releases the usb_device reference in
imon_disconnect without coordinating with active users of the
device.
Specifically, the fields usbdev_intf0 and usbdev_intf1 are not
protected by the users counter (ictx->users). During probe,
imon_init_intf0 or imon_init_intf1 increments the usb_device
reference count depending on the interface. However, during
disconnect, usb_put_dev is called unconditionally, regardless of
actual usage.
As a result, if vfd_write or other operations are still in
progress after disconnect, this can lead to a use-after-free of
the usb_device pointer.
Thread 1 vfd_write Thread 2 imon_disconnect
...
if
usb_put_dev(ictx->usbdev_intf0)
else
usb_put_dev(ictx->usbdev_intf1)
...
while
send_packet
if
pipe = usb_sndintpipe(
ictx->usbdev_intf0) UAF
else
pipe = usb_sndctrlpipe(
ictx->usbdev_intf0, 0) UAF
Guard access to usbdev_intf0 and usbdev_intf1 after disconnect by
checking ictx->disconnected in all writer paths. Add early return
with -ENODEV in send_packet(), vfd_write(), lcd_write() and
display_open() if the device is no longer present.
Set and read ictx->disconnected under ictx->lock to ensure memory
synchronization. Acquire the lock in imon_disconnect() before setting
the flag to synchronize with any ongoing operations.
Ensure writers exit early and safely after disconnect before the USB
core proceeds with cleanup.
Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
Severity
No CVSS data available.
Assigner
References
9 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
21677cfc562a27e099719d413287bc8d1d24deb7 , < 9348976003e39754af344949579e824a0a210fc4
(git)
Affected: 21677cfc562a27e099719d413287bc8d1d24deb7 , < b03fac6e2a38331faf8510b480becfa90cea1c9f (git) Affected: 21677cfc562a27e099719d413287bc8d1d24deb7 , < 71c52b073922d05e79e6de7fc7f5f38f927929a4 (git) Affected: 21677cfc562a27e099719d413287bc8d1d24deb7 , < 71096a6161a25e84acddb89a9d77f138502d26ab (git) Affected: 21677cfc562a27e099719d413287bc8d1d24deb7 , < 71da40648741d15b302700b68973fe8b382aef3c (git) Affected: 21677cfc562a27e099719d413287bc8d1d24deb7 , < fd5d3e6b149ec8cce045d86a2b5e3664d6b32ba5 (git) Affected: 21677cfc562a27e099719d413287bc8d1d24deb7 , < d9f6ce99624a41c3bcb29a8d7d79b800665229dd (git) Affected: 21677cfc562a27e099719d413287bc8d1d24deb7 , < 2e7fd93b9cc565b839bc55a6662475718963e156 (git) Affected: 21677cfc562a27e099719d413287bc8d1d24deb7 , < fa0f61cc1d828178aa921475a9b786e7fbb65ccb (git) |
|
| Linux | Linux |
Affected:
2.6.35
Unaffected: 0 , < 2.6.35 (semver) Unaffected: 5.4.301 , ≤ 5.4.* (semver) Unaffected: 5.10.246 , ≤ 5.10.* (semver) Unaffected: 5.15.195 , ≤ 5.15.* (semver) Unaffected: 6.1.156 , ≤ 6.1.* (semver) Unaffected: 6.6.110 , ≤ 6.6.* (semver) Unaffected: 6.12.51 , ≤ 6.12.* (semver) Unaffected: 6.16.11 , ≤ 6.16.* (semver) Unaffected: 6.17.1 , ≤ 6.17.* (semver) Unaffected: 6.18 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/media/rc/imon.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "9348976003e39754af344949579e824a0a210fc4",
"status": "affected",
"version": "21677cfc562a27e099719d413287bc8d1d24deb7",
"versionType": "git"
},
{
"lessThan": "b03fac6e2a38331faf8510b480becfa90cea1c9f",
"status": "affected",
"version": "21677cfc562a27e099719d413287bc8d1d24deb7",
"versionType": "git"
},
{
"lessThan": "71c52b073922d05e79e6de7fc7f5f38f927929a4",
"status": "affected",
"version": "21677cfc562a27e099719d413287bc8d1d24deb7",
"versionType": "git"
},
{
"lessThan": "71096a6161a25e84acddb89a9d77f138502d26ab",
"status": "affected",
"version": "21677cfc562a27e099719d413287bc8d1d24deb7",
"versionType": "git"
},
{
"lessThan": "71da40648741d15b302700b68973fe8b382aef3c",
"status": "affected",
"version": "21677cfc562a27e099719d413287bc8d1d24deb7",
"versionType": "git"
},
{
"lessThan": "fd5d3e6b149ec8cce045d86a2b5e3664d6b32ba5",
"status": "affected",
"version": "21677cfc562a27e099719d413287bc8d1d24deb7",
"versionType": "git"
},
{
"lessThan": "d9f6ce99624a41c3bcb29a8d7d79b800665229dd",
"status": "affected",
"version": "21677cfc562a27e099719d413287bc8d1d24deb7",
"versionType": "git"
},
{
"lessThan": "2e7fd93b9cc565b839bc55a6662475718963e156",
"status": "affected",
"version": "21677cfc562a27e099719d413287bc8d1d24deb7",
"versionType": "git"
},
{
"lessThan": "fa0f61cc1d828178aa921475a9b786e7fbb65ccb",
"status": "affected",
"version": "21677cfc562a27e099719d413287bc8d1d24deb7",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/media/rc/imon.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.35"
},
{
"lessThan": "2.6.35",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.301",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.246",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.156",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.110",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.51",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.301",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.246",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.195",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.156",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.110",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.51",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.11",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.1",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "2.6.35",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: rc: fix races with imon_disconnect()\n\nSyzbot reports a KASAN issue as below:\nBUG: KASAN: use-after-free in __create_pipe include/linux/usb.h:1945 [inline]\nBUG: KASAN: use-after-free in send_packet+0xa2d/0xbc0 drivers/media/rc/imon.c:627\nRead of size 4 at addr ffff8880256fb000 by task syz-executor314/4465\n\nCPU: 2 PID: 4465 Comm: syz-executor314 Not tainted 6.0.0-rc1-syzkaller #0\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-2 04/01/2014\nCall Trace:\n \u003cTASK\u003e\n__dump_stack lib/dump_stack.c:88 [inline]\ndump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106\nprint_address_description mm/kasan/report.c:317 [inline]\nprint_report.cold+0x2ba/0x6e9 mm/kasan/report.c:433\nkasan_report+0xb1/0x1e0 mm/kasan/report.c:495\n__create_pipe include/linux/usb.h:1945 [inline]\nsend_packet+0xa2d/0xbc0 drivers/media/rc/imon.c:627\nvfd_write+0x2d9/0x550 drivers/media/rc/imon.c:991\nvfs_write+0x2d7/0xdd0 fs/read_write.c:576\nksys_write+0x127/0x250 fs/read_write.c:631\ndo_syscall_x64 arch/x86/entry/common.c:50 [inline]\ndo_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80\nentry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nThe iMON driver improperly releases the usb_device reference in\nimon_disconnect without coordinating with active users of the\ndevice.\n\nSpecifically, the fields usbdev_intf0 and usbdev_intf1 are not\nprotected by the users counter (ictx-\u003eusers). During probe,\nimon_init_intf0 or imon_init_intf1 increments the usb_device\nreference count depending on the interface. However, during\ndisconnect, usb_put_dev is called unconditionally, regardless of\nactual usage.\n\nAs a result, if vfd_write or other operations are still in\nprogress after disconnect, this can lead to a use-after-free of\nthe usb_device pointer.\n\nThread 1 vfd_write Thread 2 imon_disconnect\n ...\n if\n usb_put_dev(ictx-\u003eusbdev_intf0)\n else\n usb_put_dev(ictx-\u003eusbdev_intf1)\n...\nwhile\n send_packet\n if\n pipe = usb_sndintpipe(\n ictx-\u003eusbdev_intf0) UAF\n else\n pipe = usb_sndctrlpipe(\n ictx-\u003eusbdev_intf0, 0) UAF\n\nGuard access to usbdev_intf0 and usbdev_intf1 after disconnect by\nchecking ictx-\u003edisconnected in all writer paths. Add early return\nwith -ENODEV in send_packet(), vfd_write(), lcd_write() and\ndisplay_open() if the device is no longer present.\n\nSet and read ictx-\u003edisconnected under ictx-\u003elock to ensure memory\nsynchronization. Acquire the lock in imon_disconnect() before setting\nthe flag to synchronize with any ongoing operations.\n\nEnsure writers exit early and safely after disconnect before the USB\ncore proceeds with cleanup.\n\nFound by Linux Verification Center (linuxtesting.org) with Syzkaller."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:40:23.999Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/9348976003e39754af344949579e824a0a210fc4"
},
{
"url": "https://git.kernel.org/stable/c/b03fac6e2a38331faf8510b480becfa90cea1c9f"
},
{
"url": "https://git.kernel.org/stable/c/71c52b073922d05e79e6de7fc7f5f38f927929a4"
},
{
"url": "https://git.kernel.org/stable/c/71096a6161a25e84acddb89a9d77f138502d26ab"
},
{
"url": "https://git.kernel.org/stable/c/71da40648741d15b302700b68973fe8b382aef3c"
},
{
"url": "https://git.kernel.org/stable/c/fd5d3e6b149ec8cce045d86a2b5e3664d6b32ba5"
},
{
"url": "https://git.kernel.org/stable/c/d9f6ce99624a41c3bcb29a8d7d79b800665229dd"
},
{
"url": "https://git.kernel.org/stable/c/2e7fd93b9cc565b839bc55a6662475718963e156"
},
{
"url": "https://git.kernel.org/stable/c/fa0f61cc1d828178aa921475a9b786e7fbb65ccb"
}
],
"title": "media: rc: fix races with imon_disconnect()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39993",
"datePublished": "2025-10-15T07:58:18.621Z",
"dateReserved": "2025-04-16T07:20:57.150Z",
"dateUpdated": "2026-05-11T21:40:23.999Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40018 (GCVE-0-2025-40018)
Vulnerability from cvelistv5 – Published: 2025-10-24 11:44 – Updated: 2026-05-11 21:40
VLAI
EPSS
Title
ipvs: Defer ip_vs_ftp unregister during netns cleanup
Summary
In the Linux kernel, the following vulnerability has been resolved:
ipvs: Defer ip_vs_ftp unregister during netns cleanup
On the netns cleanup path, __ip_vs_ftp_exit() may unregister ip_vs_ftp
before connections with valid cp->app pointers are flushed, leading to a
use-after-free.
Fix this by introducing a global `exiting_module` flag, set to true in
ip_vs_ftp_exit() before unregistering the pernet subsystem. In
__ip_vs_ftp_exit(), skip ip_vs_ftp unregister if called during netns
cleanup (when exiting_module is false) and defer it to
__ip_vs_cleanup_batch(), which unregisters all apps after all connections
are flushed. If called during module exit, unregister ip_vs_ftp
immediately.
Severity
No CVSS data available.
Assigner
References
8 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
61b1ab4583e275af216c8454b9256de680499b19 , < 8a6ecab3847c213ce2855b0378e63ce839085de3
(git)
Affected: 61b1ab4583e275af216c8454b9256de680499b19 , < 421b1ae1574dfdda68b835c15ac4921ec0030182 (git) Affected: 61b1ab4583e275af216c8454b9256de680499b19 , < 1d79471414d7b9424d699afff2aa79fff322f52d (git) Affected: 61b1ab4583e275af216c8454b9256de680499b19 , < 53717f8a4347b78eac6488072ad8e5adbaff38d9 (git) Affected: 61b1ab4583e275af216c8454b9256de680499b19 , < 8cbe2a21d85727b66d7c591fd5d83df0d8c4f757 (git) Affected: 61b1ab4583e275af216c8454b9256de680499b19 , < dc1a481359a72ee7e548f1f5da671282a7c13b8f (git) Affected: 61b1ab4583e275af216c8454b9256de680499b19 , < a343811ef138a265407167294275201621e9ebb2 (git) Affected: 61b1ab4583e275af216c8454b9256de680499b19 , < 134121bfd99a06d44ef5ba15a9beb075297c0821 (git) |
|
| Linux | Linux |
Affected:
2.6.39
Unaffected: 0 , < 2.6.39 (semver) Unaffected: 5.4.301 , ≤ 5.4.* (semver) Unaffected: 5.10.246 , ≤ 5.10.* (semver) Unaffected: 5.15.195 , ≤ 5.15.* (semver) Unaffected: 6.1.156 , ≤ 6.1.* (semver) Unaffected: 6.6.112 , ≤ 6.6.* (semver) Unaffected: 6.12.53 , ≤ 6.12.* (semver) Unaffected: 6.17.3 , ≤ 6.17.* (semver) Unaffected: 6.18 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/netfilter/ipvs/ip_vs_ftp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "8a6ecab3847c213ce2855b0378e63ce839085de3",
"status": "affected",
"version": "61b1ab4583e275af216c8454b9256de680499b19",
"versionType": "git"
},
{
"lessThan": "421b1ae1574dfdda68b835c15ac4921ec0030182",
"status": "affected",
"version": "61b1ab4583e275af216c8454b9256de680499b19",
"versionType": "git"
},
{
"lessThan": "1d79471414d7b9424d699afff2aa79fff322f52d",
"status": "affected",
"version": "61b1ab4583e275af216c8454b9256de680499b19",
"versionType": "git"
},
{
"lessThan": "53717f8a4347b78eac6488072ad8e5adbaff38d9",
"status": "affected",
"version": "61b1ab4583e275af216c8454b9256de680499b19",
"versionType": "git"
},
{
"lessThan": "8cbe2a21d85727b66d7c591fd5d83df0d8c4f757",
"status": "affected",
"version": "61b1ab4583e275af216c8454b9256de680499b19",
"versionType": "git"
},
{
"lessThan": "dc1a481359a72ee7e548f1f5da671282a7c13b8f",
"status": "affected",
"version": "61b1ab4583e275af216c8454b9256de680499b19",
"versionType": "git"
},
{
"lessThan": "a343811ef138a265407167294275201621e9ebb2",
"status": "affected",
"version": "61b1ab4583e275af216c8454b9256de680499b19",
"versionType": "git"
},
{
"lessThan": "134121bfd99a06d44ef5ba15a9beb075297c0821",
"status": "affected",
"version": "61b1ab4583e275af216c8454b9256de680499b19",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/netfilter/ipvs/ip_vs_ftp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.39"
},
{
"lessThan": "2.6.39",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.301",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.246",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.156",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.112",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.301",
"versionStartIncluding": "2.6.39",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.246",
"versionStartIncluding": "2.6.39",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.195",
"versionStartIncluding": "2.6.39",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.156",
"versionStartIncluding": "2.6.39",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.112",
"versionStartIncluding": "2.6.39",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.53",
"versionStartIncluding": "2.6.39",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.3",
"versionStartIncluding": "2.6.39",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "2.6.39",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nipvs: Defer ip_vs_ftp unregister during netns cleanup\n\nOn the netns cleanup path, __ip_vs_ftp_exit() may unregister ip_vs_ftp\nbefore connections with valid cp-\u003eapp pointers are flushed, leading to a\nuse-after-free.\n\nFix this by introducing a global `exiting_module` flag, set to true in\nip_vs_ftp_exit() before unregistering the pernet subsystem. In\n__ip_vs_ftp_exit(), skip ip_vs_ftp unregister if called during netns\ncleanup (when exiting_module is false) and defer it to\n__ip_vs_cleanup_batch(), which unregisters all apps after all connections\nare flushed. If called during module exit, unregister ip_vs_ftp\nimmediately."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:40:53.340Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/8a6ecab3847c213ce2855b0378e63ce839085de3"
},
{
"url": "https://git.kernel.org/stable/c/421b1ae1574dfdda68b835c15ac4921ec0030182"
},
{
"url": "https://git.kernel.org/stable/c/1d79471414d7b9424d699afff2aa79fff322f52d"
},
{
"url": "https://git.kernel.org/stable/c/53717f8a4347b78eac6488072ad8e5adbaff38d9"
},
{
"url": "https://git.kernel.org/stable/c/8cbe2a21d85727b66d7c591fd5d83df0d8c4f757"
},
{
"url": "https://git.kernel.org/stable/c/dc1a481359a72ee7e548f1f5da671282a7c13b8f"
},
{
"url": "https://git.kernel.org/stable/c/a343811ef138a265407167294275201621e9ebb2"
},
{
"url": "https://git.kernel.org/stable/c/134121bfd99a06d44ef5ba15a9beb075297c0821"
}
],
"title": "ipvs: Defer ip_vs_ftp unregister during netns cleanup",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40018",
"datePublished": "2025-10-24T11:44:28.955Z",
"dateReserved": "2025-04-16T07:20:57.152Z",
"dateUpdated": "2026-05-11T21:40:53.340Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Loading…
Trend slope:
-
(linear fit over daily sighting counts)
Show additional events:
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…