Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CERTFR-2026-AVI-0057
Vulnerability from certfr_avis - Published: 2026-01-16 - Updated: 2026-01-16
De multiples vulnérabilités ont été découvertes dans le noyau Linux de Debian LTS. Elles permettent à un attaquant de provoquer une élévation de privilèges, une atteinte à la confidentialité des données et un déni de service.
Solutions
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
NoneImpacted products
References
| Title | Publication Time | Tags | |||
|---|---|---|---|---|---|
|
|||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Debian LTS bullseye versions ant\u00e9rieures \u00e0 6.1.159-1~deb11u1",
"product": {
"name": "Debian",
"vendor": {
"name": "Debian",
"scada": false
}
}
}
],
"affected_systems_content": null,
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [
{
"name": "CVE-2025-40273",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40273"
},
{
"name": "CVE-2025-68286",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68286"
},
{
"name": "CVE-2025-40314",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40314"
},
{
"name": "CVE-2025-40306",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40306"
},
{
"name": "CVE-2025-40254",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40254"
},
{
"name": "CVE-2025-68200",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68200"
},
{
"name": "CVE-2025-68176",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68176"
},
{
"name": "CVE-2025-68204",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68204"
},
{
"name": "CVE-2025-68283",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68283"
},
{
"name": "CVE-2025-68246",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68246"
},
{
"name": "CVE-2025-68339",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68339"
},
{
"name": "CVE-2025-68295",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68295"
},
{
"name": "CVE-2025-40285",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40285"
},
{
"name": "CVE-2025-68287",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68287"
},
{
"name": "CVE-2025-40294",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40294"
},
{
"name": "CVE-2025-40312",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40312"
},
{
"name": "CVE-2025-68220",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68220"
},
{
"name": "CVE-2025-68302",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68302"
},
{
"name": "CVE-2025-68238",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68238"
},
{
"name": "CVE-2025-40309",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40309"
},
{
"name": "CVE-2025-40343",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40343"
},
{
"name": "CVE-2025-68173",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68173"
},
{
"name": "CVE-2025-68307",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68307"
},
{
"name": "CVE-2025-40308",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40308"
},
{
"name": "CVE-2025-40315",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40315"
},
{
"name": "CVE-2025-68231",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68231"
},
{
"name": "CVE-2025-68310",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68310"
},
{
"name": "CVE-2025-68229",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68229"
},
{
"name": "CVE-2025-68321",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68321"
},
{
"name": "CVE-2025-40360",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40360"
},
{
"name": "CVE-2025-40322",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40322"
},
{
"name": "CVE-2025-40313",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40313"
},
{
"name": "CVE-2025-40271",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40271"
},
{
"name": "CVE-2025-68308",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68308"
},
{
"name": "CVE-2025-40252",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40252"
},
{
"name": "CVE-2025-68218",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68218"
},
{
"name": "CVE-2025-40277",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40277"
},
{
"name": "CVE-2025-40272",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40272"
},
{
"name": "CVE-2025-40345",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40345"
},
{
"name": "CVE-2025-38057",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38057"
},
{
"name": "CVE-2025-40269",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40269"
},
{
"name": "CVE-2025-68330",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68330"
},
{
"name": "CVE-2025-68343",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68343"
},
{
"name": "CVE-2025-37899",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-37899"
},
{
"name": "CVE-2025-40292",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40292"
},
{
"name": "CVE-2025-68237",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68237"
},
{
"name": "CVE-2025-40257",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40257"
},
{
"name": "CVE-2025-68312",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68312"
},
{
"name": "CVE-2025-68284",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68284"
},
{
"name": "CVE-2025-68194",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68194"
},
{
"name": "CVE-2025-39805",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39805"
},
{
"name": "CVE-2025-40263",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40263"
},
{
"name": "CVE-2025-68244",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68244"
},
{
"name": "CVE-2024-47666",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-47666"
},
{
"name": "CVE-2025-40278",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40278"
},
{
"name": "CVE-2025-40342",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40342"
},
{
"name": "CVE-2025-40279",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40279"
},
{
"name": "CVE-2025-68328",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68328"
},
{
"name": "CVE-2025-40341",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40341"
},
{
"name": "CVE-2025-38593",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38593"
},
{
"name": "CVE-2025-40283",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40283"
},
{
"name": "CVE-2025-40324",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40324"
},
{
"name": "CVE-2025-40264",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40264"
},
{
"name": "CVE-2025-40321",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40321"
},
{
"name": "CVE-2025-40282",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40282"
},
{
"name": "CVE-2025-68192",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68192"
},
{
"name": "CVE-2025-40214",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40214"
},
{
"name": "CVE-2025-38556",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38556"
},
{
"name": "CVE-2025-68171",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68171"
},
{
"name": "CVE-2025-38678",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38678"
},
{
"name": "CVE-2025-40301",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40301"
},
{
"name": "CVE-2025-40286",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40286"
},
{
"name": "CVE-2025-68327",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68327"
},
{
"name": "CVE-2025-40318",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40318"
},
{
"name": "CVE-2025-68241",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68241"
},
{
"name": "CVE-2025-68734",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68734"
},
{
"name": "CVE-2025-68288",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68288"
},
{
"name": "CVE-2025-40083",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40083"
},
{
"name": "CVE-2025-40331",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40331"
},
{
"name": "CVE-2025-68290",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68290"
},
{
"name": "CVE-2025-40280",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40280"
},
{
"name": "CVE-2025-40293",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40293"
},
{
"name": "CVE-2025-68331",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68331"
},
{
"name": "CVE-2025-68214",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68214"
},
{
"name": "CVE-2025-40284",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40284"
},
{
"name": "CVE-2025-40211",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40211"
},
{
"name": "CVE-2025-40248",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40248"
},
{
"name": "CVE-2025-68303",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68303"
},
{
"name": "CVE-2025-40259",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40259"
},
{
"name": "CVE-2025-68168",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68168"
},
{
"name": "CVE-2025-68301",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68301"
},
{
"name": "CVE-2025-40297",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40297"
},
{
"name": "CVE-2025-68217",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68217"
},
{
"name": "CVE-2025-68289",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68289"
},
{
"name": "CVE-2025-40363",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40363"
},
{
"name": "CVE-2025-40253",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40253"
},
{
"name": "CVE-2025-68245",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68245"
},
{
"name": "CVE-2025-40317",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40317"
},
{
"name": "CVE-2025-68233",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68233"
},
{
"name": "CVE-2025-68282",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68282"
},
{
"name": "CVE-2025-68177",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68177"
},
{
"name": "CVE-2025-68191",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68191"
},
{
"name": "CVE-2025-40288",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40288"
},
{
"name": "CVE-2025-40258",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40258"
},
{
"name": "CVE-2025-40281",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40281"
},
{
"name": "CVE-2025-68185",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68185"
},
{
"name": "CVE-2025-40304",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40304"
},
{
"name": "CVE-2025-40262",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40262"
},
{
"name": "CVE-2025-40261",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40261"
},
{
"name": "CVE-2025-40323",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40323"
},
{
"name": "CVE-2025-68285",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68285"
},
{
"name": "CVE-2025-40275",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40275"
},
{
"name": "CVE-2025-68227",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68227"
},
{
"name": "CVE-2025-40319",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40319"
}
],
"initial_release_date": "2026-01-16T00:00:00",
"last_revision_date": "2026-01-16T00:00:00",
"links": [],
"reference": "CERTFR-2026-AVI-0057",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2026-01-16T00:00:00.000000"
}
],
"risks": [
{
"description": "D\u00e9ni de service"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
},
{
"description": "\u00c9l\u00e9vation de privil\u00e8ges"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans le noyau Linux de Debian LTS. Elles permettent \u00e0 un attaquant de provoquer une \u00e9l\u00e9vation de privil\u00e8ges, une atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es et un d\u00e9ni de service.",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans le noyau Linux de Debian LTS",
"vendor_advisories": [
{
"published_at": "2026-01-14",
"title": "Bulletin de s\u00e9curit\u00e9 Debian LTS DLA-4436-1",
"url": "https://lists.debian.org/debian-lts-announce/2026/01/msg00007.html"
}
]
}
CVE-2025-40317 (GCVE-0-2025-40317)
Vulnerability from cvelistv5 – Published: 2025-12-08 00:46 – Updated: 2026-05-11 21:47
VLAI
EPSS
Title
regmap: slimbus: fix bus_context pointer in regmap init calls
Summary
In the Linux kernel, the following vulnerability has been resolved:
regmap: slimbus: fix bus_context pointer in regmap init calls
Commit 4e65bda8273c ("ASoC: wcd934x: fix error handling in
wcd934x_codec_parse_data()") revealed the problem in the slimbus regmap.
That commit breaks audio playback, for instance, on sdm845 Thundercomm
Dragonboard 845c board:
Unable to handle kernel paging request at virtual address ffff8000847cbad4
...
CPU: 5 UID: 0 PID: 776 Comm: aplay Not tainted 6.18.0-rc1-00028-g7ea30958b305 #11 PREEMPT
Hardware name: Thundercomm Dragonboard 845c (DT)
...
Call trace:
slim_xfer_msg+0x24/0x1ac [slimbus] (P)
slim_read+0x48/0x74 [slimbus]
regmap_slimbus_read+0x18/0x24 [regmap_slimbus]
_regmap_raw_read+0xe8/0x174
_regmap_bus_read+0x44/0x80
_regmap_read+0x60/0xd8
_regmap_update_bits+0xf4/0x140
_regmap_select_page+0xa8/0x124
_regmap_raw_write_impl+0x3b8/0x65c
_regmap_bus_raw_write+0x60/0x80
_regmap_write+0x58/0xc0
regmap_write+0x4c/0x80
wcd934x_hw_params+0x494/0x8b8 [snd_soc_wcd934x]
snd_soc_dai_hw_params+0x3c/0x7c [snd_soc_core]
__soc_pcm_hw_params+0x22c/0x634 [snd_soc_core]
dpcm_be_dai_hw_params+0x1d4/0x38c [snd_soc_core]
dpcm_fe_dai_hw_params+0x9c/0x17c [snd_soc_core]
snd_pcm_hw_params+0x124/0x464 [snd_pcm]
snd_pcm_common_ioctl+0x110c/0x1820 [snd_pcm]
snd_pcm_ioctl+0x34/0x4c [snd_pcm]
__arm64_sys_ioctl+0xac/0x104
invoke_syscall+0x48/0x104
el0_svc_common.constprop.0+0x40/0xe0
do_el0_svc+0x1c/0x28
el0_svc+0x34/0xec
el0t_64_sync_handler+0xa0/0xf0
el0t_64_sync+0x198/0x19c
The __devm_regmap_init_slimbus() started to be used instead of
__regmap_init_slimbus() after the commit mentioned above and turns out
the incorrect bus_context pointer (3rd argument) was used in
__devm_regmap_init_slimbus(). It should be just "slimbus" (which is equal
to &slimbus->dev). Correct it. The wcd934x codec seems to be the only or
the first user of devm_regmap_init_slimbus() but we should fix it till
the point where __devm_regmap_init_slimbus() was introduced therefore
two "Fixes" tags.
While at this, also correct the same argument in __regmap_init_slimbus().
Severity
No CVSS data available.
Assigner
References
8 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
7d6f7fb053ad543da74119df3c4cd7bb46220471 , < c0f05129e5734ff3fd14b2c242709314d9ca5433
(git)
Affected: 7d6f7fb053ad543da74119df3c4cd7bb46220471 , < 02d3041caaa3fe4dd69e5a8afd1ac6b918ddc6a1 (git) Affected: 7d6f7fb053ad543da74119df3c4cd7bb46220471 , < d979639f099c6e51f06ce4dd8d8e56364d6c17ba (git) Affected: 7d6f7fb053ad543da74119df3c4cd7bb46220471 , < 8143e4075d131c528540417a51966f6697be14eb (git) Affected: 7d6f7fb053ad543da74119df3c4cd7bb46220471 , < 2664bfd8969d1c43dcbe3ea313f130dfa6b74f4c (git) Affected: 7d6f7fb053ad543da74119df3c4cd7bb46220471 , < a16e92f8d7dc7371e68f17a9926cb92d2244be7b (git) Affected: 7d6f7fb053ad543da74119df3c4cd7bb46220471 , < b65f3303349eaee333e47d2a99045aa12fa0c3a7 (git) Affected: 7d6f7fb053ad543da74119df3c4cd7bb46220471 , < 434f7349a1f00618a620b316f091bd13a12bc8d2 (git) |
|
| Linux | Linux |
Affected:
4.16
Unaffected: 0 , < 4.16 (semver) Unaffected: 5.4.302 , ≤ 5.4.* (semver) Unaffected: 5.10.247 , ≤ 5.10.* (semver) Unaffected: 5.15.197 , ≤ 5.15.* (semver) Unaffected: 6.1.159 , ≤ 6.1.* (semver) Unaffected: 6.6.117 , ≤ 6.6.* (semver) Unaffected: 6.12.58 , ≤ 6.12.* (semver) Unaffected: 6.17.8 , ≤ 6.17.* (semver) Unaffected: 6.18 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/base/regmap/regmap-slimbus.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c0f05129e5734ff3fd14b2c242709314d9ca5433",
"status": "affected",
"version": "7d6f7fb053ad543da74119df3c4cd7bb46220471",
"versionType": "git"
},
{
"lessThan": "02d3041caaa3fe4dd69e5a8afd1ac6b918ddc6a1",
"status": "affected",
"version": "7d6f7fb053ad543da74119df3c4cd7bb46220471",
"versionType": "git"
},
{
"lessThan": "d979639f099c6e51f06ce4dd8d8e56364d6c17ba",
"status": "affected",
"version": "7d6f7fb053ad543da74119df3c4cd7bb46220471",
"versionType": "git"
},
{
"lessThan": "8143e4075d131c528540417a51966f6697be14eb",
"status": "affected",
"version": "7d6f7fb053ad543da74119df3c4cd7bb46220471",
"versionType": "git"
},
{
"lessThan": "2664bfd8969d1c43dcbe3ea313f130dfa6b74f4c",
"status": "affected",
"version": "7d6f7fb053ad543da74119df3c4cd7bb46220471",
"versionType": "git"
},
{
"lessThan": "a16e92f8d7dc7371e68f17a9926cb92d2244be7b",
"status": "affected",
"version": "7d6f7fb053ad543da74119df3c4cd7bb46220471",
"versionType": "git"
},
{
"lessThan": "b65f3303349eaee333e47d2a99045aa12fa0c3a7",
"status": "affected",
"version": "7d6f7fb053ad543da74119df3c4cd7bb46220471",
"versionType": "git"
},
{
"lessThan": "434f7349a1f00618a620b316f091bd13a12bc8d2",
"status": "affected",
"version": "7d6f7fb053ad543da74119df3c4cd7bb46220471",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/base/regmap/regmap-slimbus.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.16"
},
{
"lessThan": "4.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.302",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.58",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.302",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.247",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.117",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.58",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.8",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "4.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nregmap: slimbus: fix bus_context pointer in regmap init calls\n\nCommit 4e65bda8273c (\"ASoC: wcd934x: fix error handling in\nwcd934x_codec_parse_data()\") revealed the problem in the slimbus regmap.\nThat commit breaks audio playback, for instance, on sdm845 Thundercomm\nDragonboard 845c board:\n\n Unable to handle kernel paging request at virtual address ffff8000847cbad4\n ...\n CPU: 5 UID: 0 PID: 776 Comm: aplay Not tainted 6.18.0-rc1-00028-g7ea30958b305 #11 PREEMPT\n Hardware name: Thundercomm Dragonboard 845c (DT)\n ...\n Call trace:\n slim_xfer_msg+0x24/0x1ac [slimbus] (P)\n slim_read+0x48/0x74 [slimbus]\n regmap_slimbus_read+0x18/0x24 [regmap_slimbus]\n _regmap_raw_read+0xe8/0x174\n _regmap_bus_read+0x44/0x80\n _regmap_read+0x60/0xd8\n _regmap_update_bits+0xf4/0x140\n _regmap_select_page+0xa8/0x124\n _regmap_raw_write_impl+0x3b8/0x65c\n _regmap_bus_raw_write+0x60/0x80\n _regmap_write+0x58/0xc0\n regmap_write+0x4c/0x80\n wcd934x_hw_params+0x494/0x8b8 [snd_soc_wcd934x]\n snd_soc_dai_hw_params+0x3c/0x7c [snd_soc_core]\n __soc_pcm_hw_params+0x22c/0x634 [snd_soc_core]\n dpcm_be_dai_hw_params+0x1d4/0x38c [snd_soc_core]\n dpcm_fe_dai_hw_params+0x9c/0x17c [snd_soc_core]\n snd_pcm_hw_params+0x124/0x464 [snd_pcm]\n snd_pcm_common_ioctl+0x110c/0x1820 [snd_pcm]\n snd_pcm_ioctl+0x34/0x4c [snd_pcm]\n __arm64_sys_ioctl+0xac/0x104\n invoke_syscall+0x48/0x104\n el0_svc_common.constprop.0+0x40/0xe0\n do_el0_svc+0x1c/0x28\n el0_svc+0x34/0xec\n el0t_64_sync_handler+0xa0/0xf0\n el0t_64_sync+0x198/0x19c\n\nThe __devm_regmap_init_slimbus() started to be used instead of\n__regmap_init_slimbus() after the commit mentioned above and turns out\nthe incorrect bus_context pointer (3rd argument) was used in\n__devm_regmap_init_slimbus(). It should be just \"slimbus\" (which is equal\nto \u0026slimbus-\u003edev). Correct it. The wcd934x codec seems to be the only or\nthe first user of devm_regmap_init_slimbus() but we should fix it till\nthe point where __devm_regmap_init_slimbus() was introduced therefore\ntwo \"Fixes\" tags.\n\nWhile at this, also correct the same argument in __regmap_init_slimbus()."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:47:01.018Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c0f05129e5734ff3fd14b2c242709314d9ca5433"
},
{
"url": "https://git.kernel.org/stable/c/02d3041caaa3fe4dd69e5a8afd1ac6b918ddc6a1"
},
{
"url": "https://git.kernel.org/stable/c/d979639f099c6e51f06ce4dd8d8e56364d6c17ba"
},
{
"url": "https://git.kernel.org/stable/c/8143e4075d131c528540417a51966f6697be14eb"
},
{
"url": "https://git.kernel.org/stable/c/2664bfd8969d1c43dcbe3ea313f130dfa6b74f4c"
},
{
"url": "https://git.kernel.org/stable/c/a16e92f8d7dc7371e68f17a9926cb92d2244be7b"
},
{
"url": "https://git.kernel.org/stable/c/b65f3303349eaee333e47d2a99045aa12fa0c3a7"
},
{
"url": "https://git.kernel.org/stable/c/434f7349a1f00618a620b316f091bd13a12bc8d2"
}
],
"title": "regmap: slimbus: fix bus_context pointer in regmap init calls",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40317",
"datePublished": "2025-12-08T00:46:44.287Z",
"dateReserved": "2025-04-16T07:20:57.186Z",
"dateUpdated": "2026-05-11T21:47:01.018Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40318 (GCVE-0-2025-40318)
Vulnerability from cvelistv5 – Published: 2025-12-08 00:46 – Updated: 2026-05-23 16:02
VLAI
EPSS
Title
Bluetooth: hci_sync: fix race in hci_cmd_sync_dequeue_once
Summary
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: hci_sync: fix race in hci_cmd_sync_dequeue_once
hci_cmd_sync_dequeue_once() does lookup and then cancel
the entry under two separate lock sections. Meanwhile,
hci_cmd_sync_work() can also delete the same entry,
leading to double list_del() and "UAF".
Fix this by holding cmd_sync_work_lock across both
lookup and cancel, so that the entry cannot be removed
concurrently.
Severity
No CVSS data available.
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
f00f36db76eb8fd10d13e80e2590f23b5beaa54d , < 0a94f7e017438935c09ef833a1aa908ad9875213
(git)
Affected: 1499f79995c7ee58e3bfeeff75f6d1b37dcda881 , < 932c0a4f77ac13e526fdd5b42914d29c9821d389 (git) Affected: 505ea2b295929e7be2b4e1bc86ee31cb7862fb01 , < ae76cf6c2c842944c6514c57df54d728f1916553 (git) Affected: 505ea2b295929e7be2b4e1bc86ee31cb7862fb01 , < 9cd536970192b72257afcdfba0bfc09993e6f19c (git) Affected: 505ea2b295929e7be2b4e1bc86ee31cb7862fb01 , < 09b0cd1297b4dbfe736aeaa0ceeab2265f47f772 (git) Affected: 357603f4d396d85fbf0045512efaf1d7f7394ed7 (git) Affected: 6.1.120 , < 6.1.159 (semver) Affected: 6.6.51 , < 6.6.117 (semver) Affected: 6.8.9 , < 6.9 (semver) |
|
| Linux | Linux |
Affected:
6.9
Unaffected: 0 , < 6.9 (semver) Unaffected: 6.1.159 , ≤ 6.1.* (semver) Unaffected: 6.6.117 , ≤ 6.6.* (semver) Unaffected: 6.12.58 , ≤ 6.12.* (semver) Unaffected: 6.17.8 , ≤ 6.17.* (semver) Unaffected: 6.18 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/bluetooth/hci_sync.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "0a94f7e017438935c09ef833a1aa908ad9875213",
"status": "affected",
"version": "f00f36db76eb8fd10d13e80e2590f23b5beaa54d",
"versionType": "git"
},
{
"lessThan": "932c0a4f77ac13e526fdd5b42914d29c9821d389",
"status": "affected",
"version": "1499f79995c7ee58e3bfeeff75f6d1b37dcda881",
"versionType": "git"
},
{
"lessThan": "ae76cf6c2c842944c6514c57df54d728f1916553",
"status": "affected",
"version": "505ea2b295929e7be2b4e1bc86ee31cb7862fb01",
"versionType": "git"
},
{
"lessThan": "9cd536970192b72257afcdfba0bfc09993e6f19c",
"status": "affected",
"version": "505ea2b295929e7be2b4e1bc86ee31cb7862fb01",
"versionType": "git"
},
{
"lessThan": "09b0cd1297b4dbfe736aeaa0ceeab2265f47f772",
"status": "affected",
"version": "505ea2b295929e7be2b4e1bc86ee31cb7862fb01",
"versionType": "git"
},
{
"status": "affected",
"version": "357603f4d396d85fbf0045512efaf1d7f7394ed7",
"versionType": "git"
},
{
"lessThan": "6.1.159",
"status": "affected",
"version": "6.1.120",
"versionType": "semver"
},
{
"lessThan": "6.6.117",
"status": "affected",
"version": "6.6.51",
"versionType": "semver"
},
{
"lessThan": "6.9",
"status": "affected",
"version": "6.8.9",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/bluetooth/hci_sync.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.9"
},
{
"lessThan": "6.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.58",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "6.1.120",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.117",
"versionStartIncluding": "6.6.51",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.58",
"versionStartIncluding": "6.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.8",
"versionStartIncluding": "6.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.8.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: hci_sync: fix race in hci_cmd_sync_dequeue_once\n\nhci_cmd_sync_dequeue_once() does lookup and then cancel\nthe entry under two separate lock sections. Meanwhile,\nhci_cmd_sync_work() can also delete the same entry,\nleading to double list_del() and \"UAF\".\n\nFix this by holding cmd_sync_work_lock across both\nlookup and cancel, so that the entry cannot be removed\nconcurrently."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-23T16:02:06.620Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/0a94f7e017438935c09ef833a1aa908ad9875213"
},
{
"url": "https://git.kernel.org/stable/c/932c0a4f77ac13e526fdd5b42914d29c9821d389"
},
{
"url": "https://git.kernel.org/stable/c/ae76cf6c2c842944c6514c57df54d728f1916553"
},
{
"url": "https://git.kernel.org/stable/c/9cd536970192b72257afcdfba0bfc09993e6f19c"
},
{
"url": "https://git.kernel.org/stable/c/09b0cd1297b4dbfe736aeaa0ceeab2265f47f772"
}
],
"title": "Bluetooth: hci_sync: fix race in hci_cmd_sync_dequeue_once",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40318",
"datePublished": "2025-12-08T00:46:45.382Z",
"dateReserved": "2025-04-16T07:20:57.186Z",
"dateUpdated": "2026-05-23T16:02:06.620Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40319 (GCVE-0-2025-40319)
Vulnerability from cvelistv5 – Published: 2025-12-08 00:46 – Updated: 2026-05-11 21:47
VLAI
EPSS
Title
bpf: Sync pending IRQ work before freeing ring buffer
Summary
In the Linux kernel, the following vulnerability has been resolved:
bpf: Sync pending IRQ work before freeing ring buffer
Fix a race where irq_work can be queued in bpf_ringbuf_commit()
but the ring buffer is freed before the work executes.
In the syzbot reproducer, a BPF program attached to sched_switch
triggers bpf_ringbuf_commit(), queuing an irq_work. If the ring buffer
is freed before this work executes, the irq_work thread may accesses
freed memory.
Calling `irq_work_sync(&rb->work)` ensures that all pending irq_work
complete before freeing the buffer.
Severity
No CVSS data available.
Assigner
References
7 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
457f44363a8894135c85b7a9afd2bd8196db24ab , < 47626748a2a00068dbbd5836d19076637b4e235b
(git)
Affected: 457f44363a8894135c85b7a9afd2bd8196db24ab , < de2ce6b14bc3e565708a39bdba3ef9162aeffc72 (git) Affected: 457f44363a8894135c85b7a9afd2bd8196db24ab , < e1828c7a8d8135e21ff6adaaa9458c32aae13b11 (git) Affected: 457f44363a8894135c85b7a9afd2bd8196db24ab , < 6451141103547f4efd774e912418a3b4318046c6 (git) Affected: 457f44363a8894135c85b7a9afd2bd8196db24ab , < 10ca3b2eec384628bc9f5d8190aed9427ad2dde6 (git) Affected: 457f44363a8894135c85b7a9afd2bd8196db24ab , < 430e15544f11f8de26b2b5109c7152f71b78295e (git) Affected: 457f44363a8894135c85b7a9afd2bd8196db24ab , < 4e9077638301816a7d73fa1e1b4c1db4a7e3b59c (git) |
|
| Linux | Linux |
Affected:
5.8
Unaffected: 0 , < 5.8 (semver) Unaffected: 5.10.247 , ≤ 5.10.* (semver) Unaffected: 5.15.197 , ≤ 5.15.* (semver) Unaffected: 6.1.159 , ≤ 6.1.* (semver) Unaffected: 6.6.117 , ≤ 6.6.* (semver) Unaffected: 6.12.58 , ≤ 6.12.* (semver) Unaffected: 6.17.8 , ≤ 6.17.* (semver) Unaffected: 6.18 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/bpf/ringbuf.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "47626748a2a00068dbbd5836d19076637b4e235b",
"status": "affected",
"version": "457f44363a8894135c85b7a9afd2bd8196db24ab",
"versionType": "git"
},
{
"lessThan": "de2ce6b14bc3e565708a39bdba3ef9162aeffc72",
"status": "affected",
"version": "457f44363a8894135c85b7a9afd2bd8196db24ab",
"versionType": "git"
},
{
"lessThan": "e1828c7a8d8135e21ff6adaaa9458c32aae13b11",
"status": "affected",
"version": "457f44363a8894135c85b7a9afd2bd8196db24ab",
"versionType": "git"
},
{
"lessThan": "6451141103547f4efd774e912418a3b4318046c6",
"status": "affected",
"version": "457f44363a8894135c85b7a9afd2bd8196db24ab",
"versionType": "git"
},
{
"lessThan": "10ca3b2eec384628bc9f5d8190aed9427ad2dde6",
"status": "affected",
"version": "457f44363a8894135c85b7a9afd2bd8196db24ab",
"versionType": "git"
},
{
"lessThan": "430e15544f11f8de26b2b5109c7152f71b78295e",
"status": "affected",
"version": "457f44363a8894135c85b7a9afd2bd8196db24ab",
"versionType": "git"
},
{
"lessThan": "4e9077638301816a7d73fa1e1b4c1db4a7e3b59c",
"status": "affected",
"version": "457f44363a8894135c85b7a9afd2bd8196db24ab",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/bpf/ringbuf.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.8"
},
{
"lessThan": "5.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.58",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.247",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.117",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.58",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.8",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "5.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Sync pending IRQ work before freeing ring buffer\n\nFix a race where irq_work can be queued in bpf_ringbuf_commit()\nbut the ring buffer is freed before the work executes.\nIn the syzbot reproducer, a BPF program attached to sched_switch\ntriggers bpf_ringbuf_commit(), queuing an irq_work. If the ring buffer\nis freed before this work executes, the irq_work thread may accesses\nfreed memory.\nCalling `irq_work_sync(\u0026rb-\u003ework)` ensures that all pending irq_work\ncomplete before freeing the buffer."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:47:03.886Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/47626748a2a00068dbbd5836d19076637b4e235b"
},
{
"url": "https://git.kernel.org/stable/c/de2ce6b14bc3e565708a39bdba3ef9162aeffc72"
},
{
"url": "https://git.kernel.org/stable/c/e1828c7a8d8135e21ff6adaaa9458c32aae13b11"
},
{
"url": "https://git.kernel.org/stable/c/6451141103547f4efd774e912418a3b4318046c6"
},
{
"url": "https://git.kernel.org/stable/c/10ca3b2eec384628bc9f5d8190aed9427ad2dde6"
},
{
"url": "https://git.kernel.org/stable/c/430e15544f11f8de26b2b5109c7152f71b78295e"
},
{
"url": "https://git.kernel.org/stable/c/4e9077638301816a7d73fa1e1b4c1db4a7e3b59c"
}
],
"title": "bpf: Sync pending IRQ work before freeing ring buffer",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40319",
"datePublished": "2025-12-08T00:46:46.448Z",
"dateReserved": "2025-04-16T07:20:57.186Z",
"dateUpdated": "2026-05-11T21:47:03.886Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40321 (GCVE-0-2025-40321)
Vulnerability from cvelistv5 – Published: 2025-12-08 00:46 – Updated: 2026-05-11 21:47
VLAI
EPSS
Title
wifi: brcmfmac: fix crash while sending Action Frames in standalone AP Mode
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: brcmfmac: fix crash while sending Action Frames in standalone AP Mode
Currently, whenever there is a need to transmit an Action frame,
the brcmfmac driver always uses the P2P vif to send the "actframe" IOVAR to
firmware. The P2P interfaces were available when wpa_supplicant is managing
the wlan interface.
However, the P2P interfaces are not created/initialized when only hostapd
is managing the wlan interface. And if hostapd receives an ANQP Query REQ
Action frame even from an un-associated STA, the brcmfmac driver tries
to use an uninitialized P2P vif pointer for sending the IOVAR to firmware.
This NULL pointer dereferencing triggers a driver crash.
[ 1417.074538] Unable to handle kernel NULL pointer dereference at virtual
address 0000000000000000
[...]
[ 1417.075188] Hardware name: Raspberry Pi 4 Model B Rev 1.5 (DT)
[...]
[ 1417.075653] Call trace:
[ 1417.075662] brcmf_p2p_send_action_frame+0x23c/0xc58 [brcmfmac]
[ 1417.075738] brcmf_cfg80211_mgmt_tx+0x304/0x5c0 [brcmfmac]
[ 1417.075810] cfg80211_mlme_mgmt_tx+0x1b0/0x428 [cfg80211]
[ 1417.076067] nl80211_tx_mgmt+0x238/0x388 [cfg80211]
[ 1417.076281] genl_family_rcv_msg_doit+0xe0/0x158
[ 1417.076302] genl_rcv_msg+0x220/0x2a0
[ 1417.076317] netlink_rcv_skb+0x68/0x140
[ 1417.076330] genl_rcv+0x40/0x60
[ 1417.076343] netlink_unicast+0x330/0x3b8
[ 1417.076357] netlink_sendmsg+0x19c/0x3f8
[ 1417.076370] __sock_sendmsg+0x64/0xc0
[ 1417.076391] ____sys_sendmsg+0x268/0x2a0
[ 1417.076408] ___sys_sendmsg+0xb8/0x118
[ 1417.076427] __sys_sendmsg+0x90/0xf8
[ 1417.076445] __arm64_sys_sendmsg+0x2c/0x40
[ 1417.076465] invoke_syscall+0x50/0x120
[ 1417.076486] el0_svc_common.constprop.0+0x48/0xf0
[ 1417.076506] do_el0_svc+0x24/0x38
[ 1417.076525] el0_svc+0x30/0x100
[ 1417.076548] el0t_64_sync_handler+0x100/0x130
[ 1417.076569] el0t_64_sync+0x190/0x198
[ 1417.076589] Code: f9401e80 aa1603e2 f9403be1 5280e483 (f9400000)
Fix this, by always using the vif corresponding to the wdev on which the
Action frame Transmission request was initiated by the userspace. This way,
even if P2P vif is not available, the IOVAR is sent to firmware on AP vif
and the ANQP Query RESP Action frame is transmitted without crashing the
driver.
Move init_completion() for "send_af_done" from brcmf_p2p_create_p2pdev()
to brcmf_p2p_attach(). Because the former function would not get executed
when only hostapd is managing wlan interface, and it is not safe to do
reinit_completion() later in brcmf_p2p_tx_action_frame(), without any prior
init_completion().
And in the brcmf_p2p_tx_action_frame() function, the condition check for
P2P Presence response frame is not needed, since the wpa_supplicant is
properly sending the P2P Presense Response frame on the P2P-GO vif instead
of the P2P-Device vif.
[Cc stable]
Severity
No CVSS data available.
Assigner
References
8 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
18e2f61db3b708e0a22ccc403cb6ab2203d6faab , < c863b9c7b4e9af0b7931cb791ec91971a50f1a25
(git)
Affected: 18e2f61db3b708e0a22ccc403cb6ab2203d6faab , < e1fc9afcce9139791260f962541282d47fbb508d (git) Affected: 18e2f61db3b708e0a22ccc403cb6ab2203d6faab , < 55f60a72a178909ece4e32987e4c642ba57e1cf4 (git) Affected: 18e2f61db3b708e0a22ccc403cb6ab2203d6faab , < c2b0f8d3e7358c33d90f0e62765d474f25f26a45 (git) Affected: 18e2f61db3b708e0a22ccc403cb6ab2203d6faab , < 64e3175d1c8a3bea02032e7c9d1befd5f43786fa (git) Affected: 18e2f61db3b708e0a22ccc403cb6ab2203d6faab , < a6eed58249e7d60f856900e682992300f770f64b (git) Affected: 18e2f61db3b708e0a22ccc403cb6ab2203d6faab , < dbc7357b6aae686d9404e1dd7e2e6cf92c3a1b5a (git) Affected: 18e2f61db3b708e0a22ccc403cb6ab2203d6faab , < 3776c685ebe5f43e9060af06872661de55e80b9a (git) |
|
| Linux | Linux |
Affected:
3.9
Unaffected: 0 , < 3.9 (semver) Unaffected: 5.4.302 , ≤ 5.4.* (semver) Unaffected: 5.10.247 , ≤ 5.10.* (semver) Unaffected: 5.15.197 , ≤ 5.15.* (semver) Unaffected: 6.1.159 , ≤ 6.1.* (semver) Unaffected: 6.6.117 , ≤ 6.6.* (semver) Unaffected: 6.12.58 , ≤ 6.12.* (semver) Unaffected: 6.17.8 , ≤ 6.17.* (semver) Unaffected: 6.18 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c",
"drivers/net/wireless/broadcom/brcm80211/brcmfmac/p2p.c",
"drivers/net/wireless/broadcom/brcm80211/brcmfmac/p2p.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c863b9c7b4e9af0b7931cb791ec91971a50f1a25",
"status": "affected",
"version": "18e2f61db3b708e0a22ccc403cb6ab2203d6faab",
"versionType": "git"
},
{
"lessThan": "e1fc9afcce9139791260f962541282d47fbb508d",
"status": "affected",
"version": "18e2f61db3b708e0a22ccc403cb6ab2203d6faab",
"versionType": "git"
},
{
"lessThan": "55f60a72a178909ece4e32987e4c642ba57e1cf4",
"status": "affected",
"version": "18e2f61db3b708e0a22ccc403cb6ab2203d6faab",
"versionType": "git"
},
{
"lessThan": "c2b0f8d3e7358c33d90f0e62765d474f25f26a45",
"status": "affected",
"version": "18e2f61db3b708e0a22ccc403cb6ab2203d6faab",
"versionType": "git"
},
{
"lessThan": "64e3175d1c8a3bea02032e7c9d1befd5f43786fa",
"status": "affected",
"version": "18e2f61db3b708e0a22ccc403cb6ab2203d6faab",
"versionType": "git"
},
{
"lessThan": "a6eed58249e7d60f856900e682992300f770f64b",
"status": "affected",
"version": "18e2f61db3b708e0a22ccc403cb6ab2203d6faab",
"versionType": "git"
},
{
"lessThan": "dbc7357b6aae686d9404e1dd7e2e6cf92c3a1b5a",
"status": "affected",
"version": "18e2f61db3b708e0a22ccc403cb6ab2203d6faab",
"versionType": "git"
},
{
"lessThan": "3776c685ebe5f43e9060af06872661de55e80b9a",
"status": "affected",
"version": "18e2f61db3b708e0a22ccc403cb6ab2203d6faab",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c",
"drivers/net/wireless/broadcom/brcm80211/brcmfmac/p2p.c",
"drivers/net/wireless/broadcom/brcm80211/brcmfmac/p2p.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.9"
},
{
"lessThan": "3.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.302",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.58",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.302",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.247",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.117",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.58",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.8",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "3.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: brcmfmac: fix crash while sending Action Frames in standalone AP Mode\n\nCurrently, whenever there is a need to transmit an Action frame,\nthe brcmfmac driver always uses the P2P vif to send the \"actframe\" IOVAR to\nfirmware. The P2P interfaces were available when wpa_supplicant is managing\nthe wlan interface.\n\nHowever, the P2P interfaces are not created/initialized when only hostapd\nis managing the wlan interface. And if hostapd receives an ANQP Query REQ\nAction frame even from an un-associated STA, the brcmfmac driver tries\nto use an uninitialized P2P vif pointer for sending the IOVAR to firmware.\nThis NULL pointer dereferencing triggers a driver crash.\n\n [ 1417.074538] Unable to handle kernel NULL pointer dereference at virtual\n address 0000000000000000\n [...]\n [ 1417.075188] Hardware name: Raspberry Pi 4 Model B Rev 1.5 (DT)\n [...]\n [ 1417.075653] Call trace:\n [ 1417.075662] brcmf_p2p_send_action_frame+0x23c/0xc58 [brcmfmac]\n [ 1417.075738] brcmf_cfg80211_mgmt_tx+0x304/0x5c0 [brcmfmac]\n [ 1417.075810] cfg80211_mlme_mgmt_tx+0x1b0/0x428 [cfg80211]\n [ 1417.076067] nl80211_tx_mgmt+0x238/0x388 [cfg80211]\n [ 1417.076281] genl_family_rcv_msg_doit+0xe0/0x158\n [ 1417.076302] genl_rcv_msg+0x220/0x2a0\n [ 1417.076317] netlink_rcv_skb+0x68/0x140\n [ 1417.076330] genl_rcv+0x40/0x60\n [ 1417.076343] netlink_unicast+0x330/0x3b8\n [ 1417.076357] netlink_sendmsg+0x19c/0x3f8\n [ 1417.076370] __sock_sendmsg+0x64/0xc0\n [ 1417.076391] ____sys_sendmsg+0x268/0x2a0\n [ 1417.076408] ___sys_sendmsg+0xb8/0x118\n [ 1417.076427] __sys_sendmsg+0x90/0xf8\n [ 1417.076445] __arm64_sys_sendmsg+0x2c/0x40\n [ 1417.076465] invoke_syscall+0x50/0x120\n [ 1417.076486] el0_svc_common.constprop.0+0x48/0xf0\n [ 1417.076506] do_el0_svc+0x24/0x38\n [ 1417.076525] el0_svc+0x30/0x100\n [ 1417.076548] el0t_64_sync_handler+0x100/0x130\n [ 1417.076569] el0t_64_sync+0x190/0x198\n [ 1417.076589] Code: f9401e80 aa1603e2 f9403be1 5280e483 (f9400000)\n\nFix this, by always using the vif corresponding to the wdev on which the\nAction frame Transmission request was initiated by the userspace. This way,\neven if P2P vif is not available, the IOVAR is sent to firmware on AP vif\nand the ANQP Query RESP Action frame is transmitted without crashing the\ndriver.\n\nMove init_completion() for \"send_af_done\" from brcmf_p2p_create_p2pdev()\nto brcmf_p2p_attach(). Because the former function would not get executed\nwhen only hostapd is managing wlan interface, and it is not safe to do\nreinit_completion() later in brcmf_p2p_tx_action_frame(), without any prior\ninit_completion().\n\nAnd in the brcmf_p2p_tx_action_frame() function, the condition check for\nP2P Presence response frame is not needed, since the wpa_supplicant is\nproperly sending the P2P Presense Response frame on the P2P-GO vif instead\nof the P2P-Device vif.\n\n[Cc stable]"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:47:06.255Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c863b9c7b4e9af0b7931cb791ec91971a50f1a25"
},
{
"url": "https://git.kernel.org/stable/c/e1fc9afcce9139791260f962541282d47fbb508d"
},
{
"url": "https://git.kernel.org/stable/c/55f60a72a178909ece4e32987e4c642ba57e1cf4"
},
{
"url": "https://git.kernel.org/stable/c/c2b0f8d3e7358c33d90f0e62765d474f25f26a45"
},
{
"url": "https://git.kernel.org/stable/c/64e3175d1c8a3bea02032e7c9d1befd5f43786fa"
},
{
"url": "https://git.kernel.org/stable/c/a6eed58249e7d60f856900e682992300f770f64b"
},
{
"url": "https://git.kernel.org/stable/c/dbc7357b6aae686d9404e1dd7e2e6cf92c3a1b5a"
},
{
"url": "https://git.kernel.org/stable/c/3776c685ebe5f43e9060af06872661de55e80b9a"
}
],
"title": "wifi: brcmfmac: fix crash while sending Action Frames in standalone AP Mode",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40321",
"datePublished": "2025-12-08T00:46:48.724Z",
"dateReserved": "2025-04-16T07:20:57.186Z",
"dateUpdated": "2026-05-11T21:47:06.255Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40322 (GCVE-0-2025-40322)
Vulnerability from cvelistv5 – Published: 2025-12-08 00:46 – Updated: 2026-06-16 19:34
VLAI
EPSS
Title
fbdev: bitblit: bound-check glyph index in bit_putcs*
Summary
In the Linux kernel, the following vulnerability has been resolved:
fbdev: bitblit: bound-check glyph index in bit_putcs*
bit_putcs_aligned()/unaligned() derived the glyph pointer from the
character value masked by 0xff/0x1ff, which may exceed the actual font's
glyph count and read past the end of the built-in font array.
Clamp the index to the actual glyph count before computing the address.
This fixes a global out-of-bounds read reported by syzbot.
Severity
No CVSS data available.
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
8 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < a10cede006f9614b465cf25609a8753efbfd45cc
(git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 0998a6cb232674408a03e8561dc15aa266b2f53b (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < db5c9a162d2f42bcc842b76b3d935dcc050a0eec (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < c12003bf91fdff381c55ef54fef3e961a5af2545 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 9ba1a7802ca9a2590cef95b253e6526f4364477f (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 901f44227072be60812fe8083e83e1533c04eed1 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < efaf89a75a29b2d179bf4fe63ca62852e93ad620 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 18c4ef4e765a798b47980555ed665d78b71aeadf (git) |
|
| Linux | Linux |
Affected:
2.6.12
Unaffected: 0 , < 2.6.12 (semver) Unaffected: 5.4.302 , ≤ 5.4.* (semver) Unaffected: 5.10.247 , ≤ 5.10.* (semver) Unaffected: 5.15.197 , ≤ 5.15.* (semver) Unaffected: 6.1.159 , ≤ 6.1.* (semver) Unaffected: 6.6.117 , ≤ 6.6.* (semver) Unaffected: 6.12.58 , ≤ 6.12.* (semver) Unaffected: 6.17.8 , ≤ 6.17.* (semver) Unaffected: 6.18 , ≤ * (original_commit_for_fix) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-40322",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-16T19:33:40.857434Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-16T19:34:17.887Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/video/fbdev/core/bitblit.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a10cede006f9614b465cf25609a8753efbfd45cc",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "0998a6cb232674408a03e8561dc15aa266b2f53b",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "db5c9a162d2f42bcc842b76b3d935dcc050a0eec",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "c12003bf91fdff381c55ef54fef3e961a5af2545",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "9ba1a7802ca9a2590cef95b253e6526f4364477f",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "901f44227072be60812fe8083e83e1533c04eed1",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "efaf89a75a29b2d179bf4fe63ca62852e93ad620",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "18c4ef4e765a798b47980555ed665d78b71aeadf",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/video/fbdev/core/bitblit.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.302",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.58",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.302",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.247",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.117",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.58",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.8",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfbdev: bitblit: bound-check glyph index in bit_putcs*\n\nbit_putcs_aligned()/unaligned() derived the glyph pointer from the\ncharacter value masked by 0xff/0x1ff, which may exceed the actual font\u0027s\nglyph count and read past the end of the built-in font array.\nClamp the index to the actual glyph count before computing the address.\n\nThis fixes a global out-of-bounds read reported by syzbot."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:47:07.441Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a10cede006f9614b465cf25609a8753efbfd45cc"
},
{
"url": "https://git.kernel.org/stable/c/0998a6cb232674408a03e8561dc15aa266b2f53b"
},
{
"url": "https://git.kernel.org/stable/c/db5c9a162d2f42bcc842b76b3d935dcc050a0eec"
},
{
"url": "https://git.kernel.org/stable/c/c12003bf91fdff381c55ef54fef3e961a5af2545"
},
{
"url": "https://git.kernel.org/stable/c/9ba1a7802ca9a2590cef95b253e6526f4364477f"
},
{
"url": "https://git.kernel.org/stable/c/901f44227072be60812fe8083e83e1533c04eed1"
},
{
"url": "https://git.kernel.org/stable/c/efaf89a75a29b2d179bf4fe63ca62852e93ad620"
},
{
"url": "https://git.kernel.org/stable/c/18c4ef4e765a798b47980555ed665d78b71aeadf"
}
],
"title": "fbdev: bitblit: bound-check glyph index in bit_putcs*",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40322",
"datePublished": "2025-12-08T00:46:49.773Z",
"dateReserved": "2025-04-16T07:20:57.186Z",
"dateUpdated": "2026-06-16T19:34:17.887Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40323 (GCVE-0-2025-40323)
Vulnerability from cvelistv5 – Published: 2025-12-08 00:46 – Updated: 2026-05-11 21:47
VLAI
EPSS
Title
fbcon: Set fb_display[i]->mode to NULL when the mode is released
Summary
In the Linux kernel, the following vulnerability has been resolved:
fbcon: Set fb_display[i]->mode to NULL when the mode is released
Recently, we discovered the following issue through syzkaller:
BUG: KASAN: slab-use-after-free in fb_mode_is_equal+0x285/0x2f0
Read of size 4 at addr ff11000001b3c69c by task syz.xxx
...
Call Trace:
<TASK>
dump_stack_lvl+0xab/0xe0
print_address_description.constprop.0+0x2c/0x390
print_report+0xb9/0x280
kasan_report+0xb8/0xf0
fb_mode_is_equal+0x285/0x2f0
fbcon_mode_deleted+0x129/0x180
fb_set_var+0xe7f/0x11d0
do_fb_ioctl+0x6a0/0x750
fb_ioctl+0xe0/0x140
__x64_sys_ioctl+0x193/0x210
do_syscall_64+0x5f/0x9c0
entry_SYSCALL_64_after_hwframe+0x76/0x7e
Based on experimentation and analysis, during framebuffer unregistration,
only the memory of fb_info->modelist is freed, without setting the
corresponding fb_display[i]->mode to NULL for the freed modes. This leads
to UAF issues during subsequent accesses. Here's an example of reproduction
steps:
1. With /dev/fb0 already registered in the system, load a kernel module
to register a new device /dev/fb1;
2. Set fb1's mode to the global fb_display[] array (via FBIOPUT_CON2FBMAP);
3. Switch console from fb to VGA (to allow normal rmmod of the ko);
4. Unload the kernel module, at this point fb1's modelist is freed, leaving
a wild pointer in fb_display[];
5. Trigger the bug via system calls through fb0 attempting to delete a mode
from fb0.
Add a check in do_unregister_framebuffer(): if the mode to be freed exists
in fb_display[], set the corresponding mode pointer to NULL.
Severity
No CVSS data available.
Assigner
References
6 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 39c2c1a2773aaf73e56906e5ef670114eb2d354f
(git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 4ac18f0e6a6d599ca751c4cd98e522afc8e3d4eb (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 468f78276a37f4c6499385a4ce28f4f57be6655d (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < c079d42f70109512eee49123a843be91d8fa133f (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < de89d19f4f30d9a8de87b9d08c1bd35cb70576d8 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < a1f3058930745d2b938b6b4f5bd9630dc74b26b7 (git) |
|
| Linux | Linux |
Affected:
2.6.12
Unaffected: 0 , < 2.6.12 (semver) Unaffected: 5.15.203 , ≤ 5.15.* (semver) Unaffected: 6.1.159 , ≤ 6.1.* (semver) Unaffected: 6.6.117 , ≤ 6.6.* (semver) Unaffected: 6.12.58 , ≤ 6.12.* (semver) Unaffected: 6.17.8 , ≤ 6.17.* (semver) Unaffected: 6.18 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/video/fbdev/core/fbcon.c",
"drivers/video/fbdev/core/fbmem.c",
"include/linux/fbcon.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "39c2c1a2773aaf73e56906e5ef670114eb2d354f",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "4ac18f0e6a6d599ca751c4cd98e522afc8e3d4eb",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "468f78276a37f4c6499385a4ce28f4f57be6655d",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "c079d42f70109512eee49123a843be91d8fa133f",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "de89d19f4f30d9a8de87b9d08c1bd35cb70576d8",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "a1f3058930745d2b938b6b4f5bd9630dc74b26b7",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/video/fbdev/core/fbcon.c",
"drivers/video/fbdev/core/fbmem.c",
"include/linux/fbcon.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.58",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.117",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.58",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.8",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfbcon: Set fb_display[i]-\u003emode to NULL when the mode is released\n\nRecently, we discovered the following issue through syzkaller:\n\nBUG: KASAN: slab-use-after-free in fb_mode_is_equal+0x285/0x2f0\nRead of size 4 at addr ff11000001b3c69c by task syz.xxx\n...\nCall Trace:\n \u003cTASK\u003e\n dump_stack_lvl+0xab/0xe0\n print_address_description.constprop.0+0x2c/0x390\n print_report+0xb9/0x280\n kasan_report+0xb8/0xf0\n fb_mode_is_equal+0x285/0x2f0\n fbcon_mode_deleted+0x129/0x180\n fb_set_var+0xe7f/0x11d0\n do_fb_ioctl+0x6a0/0x750\n fb_ioctl+0xe0/0x140\n __x64_sys_ioctl+0x193/0x210\n do_syscall_64+0x5f/0x9c0\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\nBased on experimentation and analysis, during framebuffer unregistration,\nonly the memory of fb_info-\u003emodelist is freed, without setting the\ncorresponding fb_display[i]-\u003emode to NULL for the freed modes. This leads\nto UAF issues during subsequent accesses. Here\u0027s an example of reproduction\nsteps:\n1. With /dev/fb0 already registered in the system, load a kernel module\n to register a new device /dev/fb1;\n2. Set fb1\u0027s mode to the global fb_display[] array (via FBIOPUT_CON2FBMAP);\n3. Switch console from fb to VGA (to allow normal rmmod of the ko);\n4. Unload the kernel module, at this point fb1\u0027s modelist is freed, leaving\n a wild pointer in fb_display[];\n5. Trigger the bug via system calls through fb0 attempting to delete a mode\n from fb0.\n\nAdd a check in do_unregister_framebuffer(): if the mode to be freed exists\nin fb_display[], set the corresponding mode pointer to NULL."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:47:08.588Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/39c2c1a2773aaf73e56906e5ef670114eb2d354f"
},
{
"url": "https://git.kernel.org/stable/c/4ac18f0e6a6d599ca751c4cd98e522afc8e3d4eb"
},
{
"url": "https://git.kernel.org/stable/c/468f78276a37f4c6499385a4ce28f4f57be6655d"
},
{
"url": "https://git.kernel.org/stable/c/c079d42f70109512eee49123a843be91d8fa133f"
},
{
"url": "https://git.kernel.org/stable/c/de89d19f4f30d9a8de87b9d08c1bd35cb70576d8"
},
{
"url": "https://git.kernel.org/stable/c/a1f3058930745d2b938b6b4f5bd9630dc74b26b7"
}
],
"title": "fbcon: Set fb_display[i]-\u003emode to NULL when the mode is released",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40323",
"datePublished": "2025-12-08T00:46:50.833Z",
"dateReserved": "2025-04-16T07:20:57.186Z",
"dateUpdated": "2026-05-11T21:47:08.588Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40324 (GCVE-0-2025-40324)
Vulnerability from cvelistv5 – Published: 2025-12-08 00:46 – Updated: 2026-05-23 16:02
VLAI
EPSS
Title
NFSD: Fix crash in nfsd4_read_release()
Summary
In the Linux kernel, the following vulnerability has been resolved:
NFSD: Fix crash in nfsd4_read_release()
When tracing is enabled, the trace_nfsd_read_done trace point
crashes during the pynfs read.testNoFh test.
Severity
No CVSS data available.
Assigner
References
7 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
65a33135e91e6dd661ecdf1194b9d90c49ae3570 , < 930cb4fe3ab4061be31f20ee30bb72a66f7bb6d1
(git)
Affected: b11d8162c24af4a351d21e2c804d25ca493305e3 , < 375fdd8993cecc48afa359728a6e70b280dde1c8 (git) Affected: b623a8e5d38a69a3ef8644acb1030dd7c7bc28b3 , < 2ac46606b2cc49e78d8e3d8f2685e79e9ba73020 (git) Affected: 15a8b55dbb1ba154d82627547c5761cac884d810 , < 03524ccff698d4a77d096ed529073d91f5edee5d (git) Affected: 15a8b55dbb1ba154d82627547c5761cac884d810 , < a4948875ed0599c037dc438c11891c9012721b1d (git) Affected: 15a8b55dbb1ba154d82627547c5761cac884d810 , < 8f244b773c63fa480c9a3bd1ae04f5272f285e89 (git) Affected: 15a8b55dbb1ba154d82627547c5761cac884d810 , < abb1f08a2121dd270193746e43b2a9373db9ad84 (git) Affected: 3d0dcada384af22dec764c8374a2997870ec86ae (git) Affected: 5.10.220 , < 5.10.247 (semver) Affected: 5.15.154 , < 5.15.197 (semver) Affected: 6.1.24 , < 6.1.159 (semver) Affected: 6.2.11 , < 6.3 (semver) |
|
| Linux | Linux |
Affected:
6.3
Unaffected: 0 , < 6.3 (semver) Unaffected: 5.10.247 , ≤ 5.10.* (semver) Unaffected: 5.15.197 , ≤ 5.15.* (semver) Unaffected: 6.1.159 , ≤ 6.1.* (semver) Unaffected: 6.6.117 , ≤ 6.6.* (semver) Unaffected: 6.12.58 , ≤ 6.12.* (semver) Unaffected: 6.17.8 , ≤ 6.17.* (semver) Unaffected: 6.18 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/nfsd/nfs4proc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "930cb4fe3ab4061be31f20ee30bb72a66f7bb6d1",
"status": "affected",
"version": "65a33135e91e6dd661ecdf1194b9d90c49ae3570",
"versionType": "git"
},
{
"lessThan": "375fdd8993cecc48afa359728a6e70b280dde1c8",
"status": "affected",
"version": "b11d8162c24af4a351d21e2c804d25ca493305e3",
"versionType": "git"
},
{
"lessThan": "2ac46606b2cc49e78d8e3d8f2685e79e9ba73020",
"status": "affected",
"version": "b623a8e5d38a69a3ef8644acb1030dd7c7bc28b3",
"versionType": "git"
},
{
"lessThan": "03524ccff698d4a77d096ed529073d91f5edee5d",
"status": "affected",
"version": "15a8b55dbb1ba154d82627547c5761cac884d810",
"versionType": "git"
},
{
"lessThan": "a4948875ed0599c037dc438c11891c9012721b1d",
"status": "affected",
"version": "15a8b55dbb1ba154d82627547c5761cac884d810",
"versionType": "git"
},
{
"lessThan": "8f244b773c63fa480c9a3bd1ae04f5272f285e89",
"status": "affected",
"version": "15a8b55dbb1ba154d82627547c5761cac884d810",
"versionType": "git"
},
{
"lessThan": "abb1f08a2121dd270193746e43b2a9373db9ad84",
"status": "affected",
"version": "15a8b55dbb1ba154d82627547c5761cac884d810",
"versionType": "git"
},
{
"status": "affected",
"version": "3d0dcada384af22dec764c8374a2997870ec86ae",
"versionType": "git"
},
{
"lessThan": "5.10.247",
"status": "affected",
"version": "5.10.220",
"versionType": "semver"
},
{
"lessThan": "5.15.197",
"status": "affected",
"version": "5.15.154",
"versionType": "semver"
},
{
"lessThan": "6.1.159",
"status": "affected",
"version": "6.1.24",
"versionType": "semver"
},
{
"lessThan": "6.3",
"status": "affected",
"version": "6.2.11",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/nfsd/nfs4proc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.3"
},
{
"lessThan": "6.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.58",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.247",
"versionStartIncluding": "5.10.220",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "5.15.154",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "6.1.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.117",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.58",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.8",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.2.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nNFSD: Fix crash in nfsd4_read_release()\n\nWhen tracing is enabled, the trace_nfsd_read_done trace point\ncrashes during the pynfs read.testNoFh test."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-23T16:02:08.613Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/930cb4fe3ab4061be31f20ee30bb72a66f7bb6d1"
},
{
"url": "https://git.kernel.org/stable/c/375fdd8993cecc48afa359728a6e70b280dde1c8"
},
{
"url": "https://git.kernel.org/stable/c/2ac46606b2cc49e78d8e3d8f2685e79e9ba73020"
},
{
"url": "https://git.kernel.org/stable/c/03524ccff698d4a77d096ed529073d91f5edee5d"
},
{
"url": "https://git.kernel.org/stable/c/a4948875ed0599c037dc438c11891c9012721b1d"
},
{
"url": "https://git.kernel.org/stable/c/8f244b773c63fa480c9a3bd1ae04f5272f285e89"
},
{
"url": "https://git.kernel.org/stable/c/abb1f08a2121dd270193746e43b2a9373db9ad84"
}
],
"title": "NFSD: Fix crash in nfsd4_read_release()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40324",
"datePublished": "2025-12-08T00:46:51.912Z",
"dateReserved": "2025-04-16T07:20:57.186Z",
"dateUpdated": "2026-05-23T16:02:08.613Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40331 (GCVE-0-2025-40331)
Vulnerability from cvelistv5 – Published: 2025-12-09 04:09 – Updated: 2026-06-16 19:58
VLAI
EPSS
Title
sctp: Prevent TOCTOU out-of-bounds write
Summary
In the Linux kernel, the following vulnerability has been resolved:
sctp: Prevent TOCTOU out-of-bounds write
For the following path not holding the sock lock,
sctp_diag_dump() -> sctp_for_each_endpoint() -> sctp_ep_dump()
make sure not to exceed bounds in case the address list has grown
between buffer allocation (time-of-check) and write (time-of-use).
Severity
No CVSS data available.
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
8 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
8f840e47f190cbe61a96945c13e9551048d42cef , < b106a68df0650b694b254427cd9250c04500edd3
(git)
Affected: 8f840e47f190cbe61a96945c13e9551048d42cef , < 3006959371007fc2eae4a078f823c680fa52de1a (git) Affected: 8f840e47f190cbe61a96945c13e9551048d42cef , < 72e3fea68eac8d088e44c3dd954e843478e9240e (git) Affected: 8f840e47f190cbe61a96945c13e9551048d42cef , < 584307275b2048991b2e8984962189b6cc0a9b85 (git) Affected: 8f840e47f190cbe61a96945c13e9551048d42cef , < c9119f243d9c0da3c3b5f577a328de3e7ffd1b42 (git) Affected: 8f840e47f190cbe61a96945c13e9551048d42cef , < 2fe08fcaacb7eb019fa9c81db39b2214de216677 (git) Affected: 8f840e47f190cbe61a96945c13e9551048d42cef , < 89eac1e150dbd42963e13d23828cb8c4e0763196 (git) Affected: 8f840e47f190cbe61a96945c13e9551048d42cef , < 95aef86ab231f047bb8085c70666059b58f53c09 (git) |
|
| Linux | Linux |
Affected:
4.7
Unaffected: 0 , < 4.7 (semver) Unaffected: 5.4.302 , ≤ 5.4.* (semver) Unaffected: 5.10.247 , ≤ 5.10.* (semver) Unaffected: 5.15.197 , ≤ 5.15.* (semver) Unaffected: 6.1.159 , ≤ 6.1.* (semver) Unaffected: 6.6.117 , ≤ 6.6.* (semver) Unaffected: 6.12.58 , ≤ 6.12.* (semver) Unaffected: 6.17.8 , ≤ 6.17.* (semver) Unaffected: 6.18 , ≤ * (original_commit_for_fix) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-40331",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-16T19:58:03.978750Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-16T19:58:14.829Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/sctp/diag.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b106a68df0650b694b254427cd9250c04500edd3",
"status": "affected",
"version": "8f840e47f190cbe61a96945c13e9551048d42cef",
"versionType": "git"
},
{
"lessThan": "3006959371007fc2eae4a078f823c680fa52de1a",
"status": "affected",
"version": "8f840e47f190cbe61a96945c13e9551048d42cef",
"versionType": "git"
},
{
"lessThan": "72e3fea68eac8d088e44c3dd954e843478e9240e",
"status": "affected",
"version": "8f840e47f190cbe61a96945c13e9551048d42cef",
"versionType": "git"
},
{
"lessThan": "584307275b2048991b2e8984962189b6cc0a9b85",
"status": "affected",
"version": "8f840e47f190cbe61a96945c13e9551048d42cef",
"versionType": "git"
},
{
"lessThan": "c9119f243d9c0da3c3b5f577a328de3e7ffd1b42",
"status": "affected",
"version": "8f840e47f190cbe61a96945c13e9551048d42cef",
"versionType": "git"
},
{
"lessThan": "2fe08fcaacb7eb019fa9c81db39b2214de216677",
"status": "affected",
"version": "8f840e47f190cbe61a96945c13e9551048d42cef",
"versionType": "git"
},
{
"lessThan": "89eac1e150dbd42963e13d23828cb8c4e0763196",
"status": "affected",
"version": "8f840e47f190cbe61a96945c13e9551048d42cef",
"versionType": "git"
},
{
"lessThan": "95aef86ab231f047bb8085c70666059b58f53c09",
"status": "affected",
"version": "8f840e47f190cbe61a96945c13e9551048d42cef",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/sctp/diag.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.7"
},
{
"lessThan": "4.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.302",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.58",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.302",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.247",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.117",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.58",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.8",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "4.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsctp: Prevent TOCTOU out-of-bounds write\n\nFor the following path not holding the sock lock,\n\n sctp_diag_dump() -\u003e sctp_for_each_endpoint() -\u003e sctp_ep_dump()\n\nmake sure not to exceed bounds in case the address list has grown\nbetween buffer allocation (time-of-check) and write (time-of-use)."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:47:18.148Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b106a68df0650b694b254427cd9250c04500edd3"
},
{
"url": "https://git.kernel.org/stable/c/3006959371007fc2eae4a078f823c680fa52de1a"
},
{
"url": "https://git.kernel.org/stable/c/72e3fea68eac8d088e44c3dd954e843478e9240e"
},
{
"url": "https://git.kernel.org/stable/c/584307275b2048991b2e8984962189b6cc0a9b85"
},
{
"url": "https://git.kernel.org/stable/c/c9119f243d9c0da3c3b5f577a328de3e7ffd1b42"
},
{
"url": "https://git.kernel.org/stable/c/2fe08fcaacb7eb019fa9c81db39b2214de216677"
},
{
"url": "https://git.kernel.org/stable/c/89eac1e150dbd42963e13d23828cb8c4e0763196"
},
{
"url": "https://git.kernel.org/stable/c/95aef86ab231f047bb8085c70666059b58f53c09"
}
],
"title": "sctp: Prevent TOCTOU out-of-bounds write",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40331",
"datePublished": "2025-12-09T04:09:48.196Z",
"dateReserved": "2025-04-16T07:20:57.186Z",
"dateUpdated": "2026-06-16T19:58:14.829Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40341 (GCVE-0-2025-40341)
Vulnerability from cvelistv5 – Published: 2025-12-09 04:09 – Updated: 2026-05-11 21:47
VLAI
EPSS
Title
futex: Don't leak robust_list pointer on exec race
Summary
In the Linux kernel, the following vulnerability has been resolved:
futex: Don't leak robust_list pointer on exec race
sys_get_robust_list() and compat_get_robust_list() use ptrace_may_access()
to check if the calling task is allowed to access another task's
robust_list pointer. This check is racy against a concurrent exec() in the
target process.
During exec(), a task may transition from a non-privileged binary to a
privileged one (e.g., setuid binary) and its credentials/memory mappings
may change. If get_robust_list() performs ptrace_may_access() before
this transition, it may erroneously allow access to sensitive information
after the target becomes privileged.
A racy access allows an attacker to exploit a window during which
ptrace_may_access() passes before a target process transitions to a
privileged state via exec().
For example, consider a non-privileged task T that is about to execute a
setuid-root binary. An attacker task A calls get_robust_list(T) while T
is still unprivileged. Since ptrace_may_access() checks permissions
based on current credentials, it succeeds. However, if T begins exec
immediately afterwards, it becomes privileged and may change its memory
mappings. Because get_robust_list() proceeds to access T->robust_list
without synchronizing with exec() it may read user-space pointers from a
now-privileged process.
This violates the intended post-exec access restrictions and could
expose sensitive memory addresses or be used as a primitive in a larger
exploit chain. Consequently, the race can lead to unauthorized
disclosure of information across privilege boundaries and poses a
potential security risk.
Take a read lock on signal->exec_update_lock prior to invoking
ptrace_may_access() and accessing the robust_list/compat_robust_list.
This ensures that the target task's exec state remains stable during the
check, allowing for consistent and synchronized validation of
credentials.
Severity
No CVSS data available.
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
0771dfefc9e538f077d0b43b6dec19a5a67d0e70 , < 6511984d1aa1360181bcafb1ca75df7f291ef237
(git)
Affected: 0771dfefc9e538f077d0b43b6dec19a5a67d0e70 , < 4aced32596ead1820b7dbd8e40d30b30dc1f3ad4 (git) Affected: 0771dfefc9e538f077d0b43b6dec19a5a67d0e70 , < 3b4222494489f6d4b8705a496dab03384b7ca998 (git) Affected: 0771dfefc9e538f077d0b43b6dec19a5a67d0e70 , < b524455a51feb6013df3a5dba3160487b2e8e22a (git) Affected: 0771dfefc9e538f077d0b43b6dec19a5a67d0e70 , < 6b54082c3ed4dc9821cdf0edb17302355cc5bb45 (git) |
|
| Linux | Linux |
Affected:
2.6.17
Unaffected: 0 , < 2.6.17 (semver) Unaffected: 6.1.159 , ≤ 6.1.* (semver) Unaffected: 6.6.117 , ≤ 6.6.* (semver) Unaffected: 6.12.58 , ≤ 6.12.* (semver) Unaffected: 6.17.8 , ≤ 6.17.* (semver) Unaffected: 6.18 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/futex/syscalls.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6511984d1aa1360181bcafb1ca75df7f291ef237",
"status": "affected",
"version": "0771dfefc9e538f077d0b43b6dec19a5a67d0e70",
"versionType": "git"
},
{
"lessThan": "4aced32596ead1820b7dbd8e40d30b30dc1f3ad4",
"status": "affected",
"version": "0771dfefc9e538f077d0b43b6dec19a5a67d0e70",
"versionType": "git"
},
{
"lessThan": "3b4222494489f6d4b8705a496dab03384b7ca998",
"status": "affected",
"version": "0771dfefc9e538f077d0b43b6dec19a5a67d0e70",
"versionType": "git"
},
{
"lessThan": "b524455a51feb6013df3a5dba3160487b2e8e22a",
"status": "affected",
"version": "0771dfefc9e538f077d0b43b6dec19a5a67d0e70",
"versionType": "git"
},
{
"lessThan": "6b54082c3ed4dc9821cdf0edb17302355cc5bb45",
"status": "affected",
"version": "0771dfefc9e538f077d0b43b6dec19a5a67d0e70",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/futex/syscalls.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.17"
},
{
"lessThan": "2.6.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.58",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "2.6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.117",
"versionStartIncluding": "2.6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.58",
"versionStartIncluding": "2.6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.8",
"versionStartIncluding": "2.6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "2.6.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfutex: Don\u0027t leak robust_list pointer on exec race\n\nsys_get_robust_list() and compat_get_robust_list() use ptrace_may_access()\nto check if the calling task is allowed to access another task\u0027s\nrobust_list pointer. This check is racy against a concurrent exec() in the\ntarget process.\n\nDuring exec(), a task may transition from a non-privileged binary to a\nprivileged one (e.g., setuid binary) and its credentials/memory mappings\nmay change. If get_robust_list() performs ptrace_may_access() before\nthis transition, it may erroneously allow access to sensitive information\nafter the target becomes privileged.\n\nA racy access allows an attacker to exploit a window during which\nptrace_may_access() passes before a target process transitions to a\nprivileged state via exec().\n\nFor example, consider a non-privileged task T that is about to execute a\nsetuid-root binary. An attacker task A calls get_robust_list(T) while T\nis still unprivileged. Since ptrace_may_access() checks permissions\nbased on current credentials, it succeeds. However, if T begins exec\nimmediately afterwards, it becomes privileged and may change its memory\nmappings. Because get_robust_list() proceeds to access T-\u003erobust_list\nwithout synchronizing with exec() it may read user-space pointers from a\nnow-privileged process.\n\nThis violates the intended post-exec access restrictions and could\nexpose sensitive memory addresses or be used as a primitive in a larger\nexploit chain. Consequently, the race can lead to unauthorized\ndisclosure of information across privilege boundaries and poses a\npotential security risk.\n\nTake a read lock on signal-\u003eexec_update_lock prior to invoking\nptrace_may_access() and accessing the robust_list/compat_robust_list.\nThis ensures that the target task\u0027s exec state remains stable during the\ncheck, allowing for consistent and synchronized validation of\ncredentials."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:47:29.607Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/6511984d1aa1360181bcafb1ca75df7f291ef237"
},
{
"url": "https://git.kernel.org/stable/c/4aced32596ead1820b7dbd8e40d30b30dc1f3ad4"
},
{
"url": "https://git.kernel.org/stable/c/3b4222494489f6d4b8705a496dab03384b7ca998"
},
{
"url": "https://git.kernel.org/stable/c/b524455a51feb6013df3a5dba3160487b2e8e22a"
},
{
"url": "https://git.kernel.org/stable/c/6b54082c3ed4dc9821cdf0edb17302355cc5bb45"
}
],
"title": "futex: Don\u0027t leak robust_list pointer on exec race",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40341",
"datePublished": "2025-12-09T04:09:58.392Z",
"dateReserved": "2025-04-16T07:20:57.187Z",
"dateUpdated": "2026-05-11T21:47:29.607Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40342 (GCVE-0-2025-40342)
Vulnerability from cvelistv5 – Published: 2025-12-09 04:09 – Updated: 2026-05-11 21:47
VLAI
EPSS
Title
nvme-fc: use lock accessing port_state and rport state
Summary
In the Linux kernel, the following vulnerability has been resolved:
nvme-fc: use lock accessing port_state and rport state
nvme_fc_unregister_remote removes the remote port on a lport object at
any point in time when there is no active association. This races with
with the reconnect logic, because nvme_fc_create_association is not
taking a lock to check the port_state and atomically increase the
active count on the rport.
Severity
No CVSS data available.
Assigner
References
7 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
e399441de9115cd472b8ace6c517708273ca7997 , < de3d91af47bc015031e7721b100a29989f6498a5
(git)
Affected: e399441de9115cd472b8ace6c517708273ca7997 , < e8cde03de8674b05f2c5e0870729049eba517800 (git) Affected: e399441de9115cd472b8ace6c517708273ca7997 , < 4253e0a4546138a2bf9cb6acf66b32fee677fc7c (git) Affected: e399441de9115cd472b8ace6c517708273ca7997 , < 25f4bf1f7979a7871974fd36c79d69ff1cf4b446 (git) Affected: e399441de9115cd472b8ace6c517708273ca7997 , < 9950af4303942081dc8c7a5fdc3688c17c7eb6c0 (git) Affected: e399441de9115cd472b8ace6c517708273ca7997 , < a2f7fa75c4a2a07328fa22ccbef461db76790b55 (git) Affected: e399441de9115cd472b8ace6c517708273ca7997 , < 891cdbb162ccdb079cd5228ae43bdeebce8597ad (git) |
|
| Linux | Linux |
Affected:
4.10
Unaffected: 0 , < 4.10 (semver) Unaffected: 5.10.247 , ≤ 5.10.* (semver) Unaffected: 5.15.197 , ≤ 5.15.* (semver) Unaffected: 6.1.159 , ≤ 6.1.* (semver) Unaffected: 6.6.117 , ≤ 6.6.* (semver) Unaffected: 6.12.58 , ≤ 6.12.* (semver) Unaffected: 6.17.8 , ≤ 6.17.* (semver) Unaffected: 6.18 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/nvme/host/fc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "de3d91af47bc015031e7721b100a29989f6498a5",
"status": "affected",
"version": "e399441de9115cd472b8ace6c517708273ca7997",
"versionType": "git"
},
{
"lessThan": "e8cde03de8674b05f2c5e0870729049eba517800",
"status": "affected",
"version": "e399441de9115cd472b8ace6c517708273ca7997",
"versionType": "git"
},
{
"lessThan": "4253e0a4546138a2bf9cb6acf66b32fee677fc7c",
"status": "affected",
"version": "e399441de9115cd472b8ace6c517708273ca7997",
"versionType": "git"
},
{
"lessThan": "25f4bf1f7979a7871974fd36c79d69ff1cf4b446",
"status": "affected",
"version": "e399441de9115cd472b8ace6c517708273ca7997",
"versionType": "git"
},
{
"lessThan": "9950af4303942081dc8c7a5fdc3688c17c7eb6c0",
"status": "affected",
"version": "e399441de9115cd472b8ace6c517708273ca7997",
"versionType": "git"
},
{
"lessThan": "a2f7fa75c4a2a07328fa22ccbef461db76790b55",
"status": "affected",
"version": "e399441de9115cd472b8ace6c517708273ca7997",
"versionType": "git"
},
{
"lessThan": "891cdbb162ccdb079cd5228ae43bdeebce8597ad",
"status": "affected",
"version": "e399441de9115cd472b8ace6c517708273ca7997",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/nvme/host/fc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.10"
},
{
"lessThan": "4.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.58",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.247",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.117",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.58",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.8",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "4.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvme-fc: use lock accessing port_state and rport state\n\nnvme_fc_unregister_remote removes the remote port on a lport object at\nany point in time when there is no active association. This races with\nwith the reconnect logic, because nvme_fc_create_association is not\ntaking a lock to check the port_state and atomically increase the\nactive count on the rport."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:47:30.771Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/de3d91af47bc015031e7721b100a29989f6498a5"
},
{
"url": "https://git.kernel.org/stable/c/e8cde03de8674b05f2c5e0870729049eba517800"
},
{
"url": "https://git.kernel.org/stable/c/4253e0a4546138a2bf9cb6acf66b32fee677fc7c"
},
{
"url": "https://git.kernel.org/stable/c/25f4bf1f7979a7871974fd36c79d69ff1cf4b446"
},
{
"url": "https://git.kernel.org/stable/c/9950af4303942081dc8c7a5fdc3688c17c7eb6c0"
},
{
"url": "https://git.kernel.org/stable/c/a2f7fa75c4a2a07328fa22ccbef461db76790b55"
},
{
"url": "https://git.kernel.org/stable/c/891cdbb162ccdb079cd5228ae43bdeebce8597ad"
}
],
"title": "nvme-fc: use lock accessing port_state and rport state",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40342",
"datePublished": "2025-12-09T04:09:59.673Z",
"dateReserved": "2025-04-16T07:20:57.187Z",
"dateUpdated": "2026-05-11T21:47:30.771Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Loading…
Trend slope:
-
(linear fit over daily sighting counts)
Show additional events:
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…