Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CERTFR-2026-AVI-0057
Vulnerability from certfr_avis - Published: 2026-01-16 - Updated: 2026-01-16
De multiples vulnérabilités ont été découvertes dans le noyau Linux de Debian LTS. Elles permettent à un attaquant de provoquer une élévation de privilèges, une atteinte à la confidentialité des données et un déni de service.
Solutions
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
NoneImpacted products
References
| Title | Publication Time | Tags | |||
|---|---|---|---|---|---|
|
|||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Debian LTS bullseye versions ant\u00e9rieures \u00e0 6.1.159-1~deb11u1",
"product": {
"name": "Debian",
"vendor": {
"name": "Debian",
"scada": false
}
}
}
],
"affected_systems_content": null,
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [
{
"name": "CVE-2025-40273",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40273"
},
{
"name": "CVE-2025-68286",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68286"
},
{
"name": "CVE-2025-40314",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40314"
},
{
"name": "CVE-2025-40306",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40306"
},
{
"name": "CVE-2025-40254",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40254"
},
{
"name": "CVE-2025-68200",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68200"
},
{
"name": "CVE-2025-68176",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68176"
},
{
"name": "CVE-2025-68204",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68204"
},
{
"name": "CVE-2025-68283",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68283"
},
{
"name": "CVE-2025-68246",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68246"
},
{
"name": "CVE-2025-68339",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68339"
},
{
"name": "CVE-2025-68295",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68295"
},
{
"name": "CVE-2025-40285",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40285"
},
{
"name": "CVE-2025-68287",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68287"
},
{
"name": "CVE-2025-40294",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40294"
},
{
"name": "CVE-2025-40312",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40312"
},
{
"name": "CVE-2025-68220",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68220"
},
{
"name": "CVE-2025-68302",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68302"
},
{
"name": "CVE-2025-68238",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68238"
},
{
"name": "CVE-2025-40309",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40309"
},
{
"name": "CVE-2025-40343",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40343"
},
{
"name": "CVE-2025-68173",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68173"
},
{
"name": "CVE-2025-68307",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68307"
},
{
"name": "CVE-2025-40308",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40308"
},
{
"name": "CVE-2025-40315",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40315"
},
{
"name": "CVE-2025-68231",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68231"
},
{
"name": "CVE-2025-68310",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68310"
},
{
"name": "CVE-2025-68229",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68229"
},
{
"name": "CVE-2025-68321",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68321"
},
{
"name": "CVE-2025-40360",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40360"
},
{
"name": "CVE-2025-40322",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40322"
},
{
"name": "CVE-2025-40313",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40313"
},
{
"name": "CVE-2025-40271",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40271"
},
{
"name": "CVE-2025-68308",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68308"
},
{
"name": "CVE-2025-40252",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40252"
},
{
"name": "CVE-2025-68218",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68218"
},
{
"name": "CVE-2025-40277",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40277"
},
{
"name": "CVE-2025-40272",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40272"
},
{
"name": "CVE-2025-40345",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40345"
},
{
"name": "CVE-2025-38057",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38057"
},
{
"name": "CVE-2025-40269",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40269"
},
{
"name": "CVE-2025-68330",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68330"
},
{
"name": "CVE-2025-68343",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68343"
},
{
"name": "CVE-2025-37899",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-37899"
},
{
"name": "CVE-2025-40292",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40292"
},
{
"name": "CVE-2025-68237",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68237"
},
{
"name": "CVE-2025-40257",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40257"
},
{
"name": "CVE-2025-68312",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68312"
},
{
"name": "CVE-2025-68284",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68284"
},
{
"name": "CVE-2025-68194",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68194"
},
{
"name": "CVE-2025-39805",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39805"
},
{
"name": "CVE-2025-40263",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40263"
},
{
"name": "CVE-2025-68244",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68244"
},
{
"name": "CVE-2024-47666",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-47666"
},
{
"name": "CVE-2025-40278",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40278"
},
{
"name": "CVE-2025-40342",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40342"
},
{
"name": "CVE-2025-40279",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40279"
},
{
"name": "CVE-2025-68328",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68328"
},
{
"name": "CVE-2025-40341",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40341"
},
{
"name": "CVE-2025-38593",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38593"
},
{
"name": "CVE-2025-40283",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40283"
},
{
"name": "CVE-2025-40324",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40324"
},
{
"name": "CVE-2025-40264",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40264"
},
{
"name": "CVE-2025-40321",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40321"
},
{
"name": "CVE-2025-40282",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40282"
},
{
"name": "CVE-2025-68192",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68192"
},
{
"name": "CVE-2025-40214",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40214"
},
{
"name": "CVE-2025-38556",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38556"
},
{
"name": "CVE-2025-68171",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68171"
},
{
"name": "CVE-2025-38678",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38678"
},
{
"name": "CVE-2025-40301",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40301"
},
{
"name": "CVE-2025-40286",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40286"
},
{
"name": "CVE-2025-68327",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68327"
},
{
"name": "CVE-2025-40318",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40318"
},
{
"name": "CVE-2025-68241",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68241"
},
{
"name": "CVE-2025-68734",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68734"
},
{
"name": "CVE-2025-68288",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68288"
},
{
"name": "CVE-2025-40083",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40083"
},
{
"name": "CVE-2025-40331",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40331"
},
{
"name": "CVE-2025-68290",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68290"
},
{
"name": "CVE-2025-40280",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40280"
},
{
"name": "CVE-2025-40293",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40293"
},
{
"name": "CVE-2025-68331",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68331"
},
{
"name": "CVE-2025-68214",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68214"
},
{
"name": "CVE-2025-40284",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40284"
},
{
"name": "CVE-2025-40211",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40211"
},
{
"name": "CVE-2025-40248",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40248"
},
{
"name": "CVE-2025-68303",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68303"
},
{
"name": "CVE-2025-40259",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40259"
},
{
"name": "CVE-2025-68168",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68168"
},
{
"name": "CVE-2025-68301",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68301"
},
{
"name": "CVE-2025-40297",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40297"
},
{
"name": "CVE-2025-68217",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68217"
},
{
"name": "CVE-2025-68289",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68289"
},
{
"name": "CVE-2025-40363",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40363"
},
{
"name": "CVE-2025-40253",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40253"
},
{
"name": "CVE-2025-68245",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68245"
},
{
"name": "CVE-2025-40317",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40317"
},
{
"name": "CVE-2025-68233",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68233"
},
{
"name": "CVE-2025-68282",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68282"
},
{
"name": "CVE-2025-68177",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68177"
},
{
"name": "CVE-2025-68191",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68191"
},
{
"name": "CVE-2025-40288",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40288"
},
{
"name": "CVE-2025-40258",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40258"
},
{
"name": "CVE-2025-40281",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40281"
},
{
"name": "CVE-2025-68185",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68185"
},
{
"name": "CVE-2025-40304",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40304"
},
{
"name": "CVE-2025-40262",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40262"
},
{
"name": "CVE-2025-40261",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40261"
},
{
"name": "CVE-2025-40323",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40323"
},
{
"name": "CVE-2025-68285",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68285"
},
{
"name": "CVE-2025-40275",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40275"
},
{
"name": "CVE-2025-68227",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68227"
},
{
"name": "CVE-2025-40319",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40319"
}
],
"initial_release_date": "2026-01-16T00:00:00",
"last_revision_date": "2026-01-16T00:00:00",
"links": [],
"reference": "CERTFR-2026-AVI-0057",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2026-01-16T00:00:00.000000"
}
],
"risks": [
{
"description": "D\u00e9ni de service"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
},
{
"description": "\u00c9l\u00e9vation de privil\u00e8ges"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans le noyau Linux de Debian LTS. Elles permettent \u00e0 un attaquant de provoquer une \u00e9l\u00e9vation de privil\u00e8ges, une atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es et un d\u00e9ni de service.",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans le noyau Linux de Debian LTS",
"vendor_advisories": [
{
"published_at": "2026-01-14",
"title": "Bulletin de s\u00e9curit\u00e9 Debian LTS DLA-4436-1",
"url": "https://lists.debian.org/debian-lts-announce/2026/01/msg00007.html"
}
]
}
CVE-2025-68229 (GCVE-0-2025-68229)
Vulnerability from cvelistv5 – Published: 2025-12-16 13:57 – Updated: 2026-06-16 16:20
VLAI
EPSS
Title
scsi: target: tcm_loop: Fix segfault in tcm_loop_tpg_address_show()
Summary
In the Linux kernel, the following vulnerability has been resolved:
scsi: target: tcm_loop: Fix segfault in tcm_loop_tpg_address_show()
If the allocation of tl_hba->sh fails in tcm_loop_driver_probe() and we
attempt to dereference it in tcm_loop_tpg_address_show() we will get a
segfault, see below for an example. So, check tl_hba->sh before
dereferencing it.
Unable to allocate struct scsi_host
BUG: kernel NULL pointer dereference, address: 0000000000000194
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 0 P4D 0
Oops: 0000 [#1] PREEMPT SMP NOPTI
CPU: 1 PID: 8356 Comm: tokio-runtime-w Not tainted 6.6.104.2-4.azl3 #1
Hardware name: Microsoft Corporation Virtual Machine/Virtual Machine, BIOS Hyper-V UEFI Release v4.1 09/28/2024
RIP: 0010:tcm_loop_tpg_address_show+0x2e/0x50 [tcm_loop]
...
Call Trace:
<TASK>
configfs_read_iter+0x12d/0x1d0 [configfs]
vfs_read+0x1b5/0x300
ksys_read+0x6f/0xf0
...
Severity
No CVSS data available.
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
8 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
2628b352c3d4905adf8129ea50900bd980b6ccef , < 63f511d3855f7f4b35dd63dbc58fc3d935a81268
(git)
Affected: 2628b352c3d4905adf8129ea50900bd980b6ccef , < 3d8c517f6eb27e47b1a198e05f8023038329b40b (git) Affected: 2628b352c3d4905adf8129ea50900bd980b6ccef , < f449a1edd7a13bb025aaf9342ea6f8bf92684bbf (git) Affected: 2628b352c3d4905adf8129ea50900bd980b6ccef , < 1c9ba455b5073253ceaadae4859546e38e8261fe (git) Affected: 2628b352c3d4905adf8129ea50900bd980b6ccef , < a6ef60898ddaf1414592ce3e5b0d94276d631663 (git) Affected: 2628b352c3d4905adf8129ea50900bd980b6ccef , < 72e8831079266749a7023618a0de2f289a9dced6 (git) Affected: 2628b352c3d4905adf8129ea50900bd980b6ccef , < 13aff3b8a7184281b134698704d6c06863a8361b (git) Affected: 2628b352c3d4905adf8129ea50900bd980b6ccef , < e6965188f84a7883e6a0d3448e86b0cf29b24dfc (git) |
|
| Linux | Linux |
Affected:
4.5
Unaffected: 0 , < 4.5 (semver) Unaffected: 5.4.302 , ≤ 5.4.* (semver) Unaffected: 5.10.247 , ≤ 5.10.* (semver) Unaffected: 5.15.197 , ≤ 5.15.* (semver) Unaffected: 6.1.159 , ≤ 6.1.* (semver) Unaffected: 6.6.118 , ≤ 6.6.* (semver) Unaffected: 6.12.60 , ≤ 6.12.* (semver) Unaffected: 6.17.10 , ≤ 6.17.* (semver) Unaffected: 6.18 , ≤ * (original_commit_for_fix) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-68229",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-16T16:20:41.324654Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-16T16:20:56.408Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/target/loopback/tcm_loop.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "63f511d3855f7f4b35dd63dbc58fc3d935a81268",
"status": "affected",
"version": "2628b352c3d4905adf8129ea50900bd980b6ccef",
"versionType": "git"
},
{
"lessThan": "3d8c517f6eb27e47b1a198e05f8023038329b40b",
"status": "affected",
"version": "2628b352c3d4905adf8129ea50900bd980b6ccef",
"versionType": "git"
},
{
"lessThan": "f449a1edd7a13bb025aaf9342ea6f8bf92684bbf",
"status": "affected",
"version": "2628b352c3d4905adf8129ea50900bd980b6ccef",
"versionType": "git"
},
{
"lessThan": "1c9ba455b5073253ceaadae4859546e38e8261fe",
"status": "affected",
"version": "2628b352c3d4905adf8129ea50900bd980b6ccef",
"versionType": "git"
},
{
"lessThan": "a6ef60898ddaf1414592ce3e5b0d94276d631663",
"status": "affected",
"version": "2628b352c3d4905adf8129ea50900bd980b6ccef",
"versionType": "git"
},
{
"lessThan": "72e8831079266749a7023618a0de2f289a9dced6",
"status": "affected",
"version": "2628b352c3d4905adf8129ea50900bd980b6ccef",
"versionType": "git"
},
{
"lessThan": "13aff3b8a7184281b134698704d6c06863a8361b",
"status": "affected",
"version": "2628b352c3d4905adf8129ea50900bd980b6ccef",
"versionType": "git"
},
{
"lessThan": "e6965188f84a7883e6a0d3448e86b0cf29b24dfc",
"status": "affected",
"version": "2628b352c3d4905adf8129ea50900bd980b6ccef",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/target/loopback/tcm_loop.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.5"
},
{
"lessThan": "4.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.302",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.118",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.60",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.302",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.247",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.118",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.60",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.10",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "4.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: target: tcm_loop: Fix segfault in tcm_loop_tpg_address_show()\n\nIf the allocation of tl_hba-\u003esh fails in tcm_loop_driver_probe() and we\nattempt to dereference it in tcm_loop_tpg_address_show() we will get a\nsegfault, see below for an example. So, check tl_hba-\u003esh before\ndereferencing it.\n\n Unable to allocate struct scsi_host\n BUG: kernel NULL pointer dereference, address: 0000000000000194\n #PF: supervisor read access in kernel mode\n #PF: error_code(0x0000) - not-present page\n PGD 0 P4D 0\n Oops: 0000 [#1] PREEMPT SMP NOPTI\n CPU: 1 PID: 8356 Comm: tokio-runtime-w Not tainted 6.6.104.2-4.azl3 #1\n Hardware name: Microsoft Corporation Virtual Machine/Virtual Machine, BIOS Hyper-V UEFI Release v4.1 09/28/2024\n RIP: 0010:tcm_loop_tpg_address_show+0x2e/0x50 [tcm_loop]\n...\n Call Trace:\n \u003cTASK\u003e\n configfs_read_iter+0x12d/0x1d0 [configfs]\n vfs_read+0x1b5/0x300\n ksys_read+0x6f/0xf0\n..."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:49:19.685Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/63f511d3855f7f4b35dd63dbc58fc3d935a81268"
},
{
"url": "https://git.kernel.org/stable/c/3d8c517f6eb27e47b1a198e05f8023038329b40b"
},
{
"url": "https://git.kernel.org/stable/c/f449a1edd7a13bb025aaf9342ea6f8bf92684bbf"
},
{
"url": "https://git.kernel.org/stable/c/1c9ba455b5073253ceaadae4859546e38e8261fe"
},
{
"url": "https://git.kernel.org/stable/c/a6ef60898ddaf1414592ce3e5b0d94276d631663"
},
{
"url": "https://git.kernel.org/stable/c/72e8831079266749a7023618a0de2f289a9dced6"
},
{
"url": "https://git.kernel.org/stable/c/13aff3b8a7184281b134698704d6c06863a8361b"
},
{
"url": "https://git.kernel.org/stable/c/e6965188f84a7883e6a0d3448e86b0cf29b24dfc"
}
],
"title": "scsi: target: tcm_loop: Fix segfault in tcm_loop_tpg_address_show()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68229",
"datePublished": "2025-12-16T13:57:21.835Z",
"dateReserved": "2025-12-16T13:41:40.258Z",
"dateUpdated": "2026-06-16T16:20:56.408Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68231 (GCVE-0-2025-68231)
Vulnerability from cvelistv5 – Published: 2025-12-16 13:57 – Updated: 2026-05-11 21:49
VLAI
EPSS
Title
mm/mempool: fix poisoning order>0 pages with HIGHMEM
Summary
In the Linux kernel, the following vulnerability has been resolved:
mm/mempool: fix poisoning order>0 pages with HIGHMEM
The kernel test has reported:
BUG: unable to handle page fault for address: fffba000
#PF: supervisor write access in kernel mode
#PF: error_code(0x0002) - not-present page
*pde = 03171067 *pte = 00000000
Oops: Oops: 0002 [#1]
CPU: 0 UID: 0 PID: 1 Comm: swapper/0 Tainted: G T 6.18.0-rc2-00031-gec7f31b2a2d3 #1 NONE a1d066dfe789f54bc7645c7989957d2bdee593ca
Tainted: [T]=RANDSTRUCT
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
EIP: memset (arch/x86/include/asm/string_32.h:168 arch/x86/lib/memcpy_32.c:17)
Code: a5 8b 4d f4 83 e1 03 74 02 f3 a4 83 c4 04 5e 5f 5d 2e e9 73 41 01 00 90 90 90 3e 8d 74 26 00 55 89 e5 57 56 89 c6 89 d0 89 f7 <f3> aa 89 f0 5e 5f 5d 2e e9 53 41 01 00 cc cc cc 55 89 e5 53 57 56
EAX: 0000006b EBX: 00000015 ECX: 001fefff EDX: 0000006b
ESI: fffb9000 EDI: fffba000 EBP: c611fbf0 ESP: c611fbe8
DS: 007b ES: 007b FS: 0000 GS: 0000 SS: 0068 EFLAGS: 00010287
CR0: 80050033 CR2: fffba000 CR3: 0316e000 CR4: 00040690
Call Trace:
poison_element (mm/mempool.c:83 mm/mempool.c:102)
mempool_init_node (mm/mempool.c:142 mm/mempool.c:226)
mempool_init_noprof (mm/mempool.c:250 (discriminator 1))
? mempool_alloc_pages (mm/mempool.c:640)
bio_integrity_initfn (block/bio-integrity.c:483 (discriminator 8))
? mempool_alloc_pages (mm/mempool.c:640)
do_one_initcall (init/main.c:1283)
Christoph found out this is due to the poisoning code not dealing
properly with CONFIG_HIGHMEM because only the first page is mapped but
then the whole potentially high-order page is accessed.
We could give up on HIGHMEM here, but it's straightforward to fix this
with a loop that's mapping, poisoning or checking and unmapping
individual pages.
Severity
No CVSS data available.
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
bdfedb76f4f5aa5e37380e3b71adee4a39f30fc6 , < ea4131665107e66ece90e66bcec1a2f1246cbd41
(git)
Affected: bdfedb76f4f5aa5e37380e3b71adee4a39f30fc6 , < 19de79aaea33ee1ea058c8711b3b2b4a7e4decd4 (git) Affected: bdfedb76f4f5aa5e37380e3b71adee4a39f30fc6 , < 6a13b56537e7b0d97f4bb74e8038ce471f9770d7 (git) Affected: bdfedb76f4f5aa5e37380e3b71adee4a39f30fc6 , < a79e49e1704367b635edad1479db23d7cf1fb71a (git) Affected: bdfedb76f4f5aa5e37380e3b71adee4a39f30fc6 , < ec33b59542d96830e3c89845ff833cf7b25ef172 (git) |
|
| Linux | Linux |
Affected:
4.1
Unaffected: 0 , < 4.1 (semver) Unaffected: 6.1.159 , ≤ 6.1.* (semver) Unaffected: 6.6.118 , ≤ 6.6.* (semver) Unaffected: 6.12.60 , ≤ 6.12.* (semver) Unaffected: 6.17.10 , ≤ 6.17.* (semver) Unaffected: 6.18 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"mm/mempool.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ea4131665107e66ece90e66bcec1a2f1246cbd41",
"status": "affected",
"version": "bdfedb76f4f5aa5e37380e3b71adee4a39f30fc6",
"versionType": "git"
},
{
"lessThan": "19de79aaea33ee1ea058c8711b3b2b4a7e4decd4",
"status": "affected",
"version": "bdfedb76f4f5aa5e37380e3b71adee4a39f30fc6",
"versionType": "git"
},
{
"lessThan": "6a13b56537e7b0d97f4bb74e8038ce471f9770d7",
"status": "affected",
"version": "bdfedb76f4f5aa5e37380e3b71adee4a39f30fc6",
"versionType": "git"
},
{
"lessThan": "a79e49e1704367b635edad1479db23d7cf1fb71a",
"status": "affected",
"version": "bdfedb76f4f5aa5e37380e3b71adee4a39f30fc6",
"versionType": "git"
},
{
"lessThan": "ec33b59542d96830e3c89845ff833cf7b25ef172",
"status": "affected",
"version": "bdfedb76f4f5aa5e37380e3b71adee4a39f30fc6",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"mm/mempool.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.1"
},
{
"lessThan": "4.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.118",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.60",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "4.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.118",
"versionStartIncluding": "4.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.60",
"versionStartIncluding": "4.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.10",
"versionStartIncluding": "4.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "4.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/mempool: fix poisoning order\u003e0 pages with HIGHMEM\n\nThe kernel test has reported:\n\n BUG: unable to handle page fault for address: fffba000\n #PF: supervisor write access in kernel mode\n #PF: error_code(0x0002) - not-present page\n *pde = 03171067 *pte = 00000000\n Oops: Oops: 0002 [#1]\n CPU: 0 UID: 0 PID: 1 Comm: swapper/0 Tainted: G T 6.18.0-rc2-00031-gec7f31b2a2d3 #1 NONE a1d066dfe789f54bc7645c7989957d2bdee593ca\n Tainted: [T]=RANDSTRUCT\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014\n EIP: memset (arch/x86/include/asm/string_32.h:168 arch/x86/lib/memcpy_32.c:17)\n Code: a5 8b 4d f4 83 e1 03 74 02 f3 a4 83 c4 04 5e 5f 5d 2e e9 73 41 01 00 90 90 90 3e 8d 74 26 00 55 89 e5 57 56 89 c6 89 d0 89 f7 \u003cf3\u003e aa 89 f0 5e 5f 5d 2e e9 53 41 01 00 cc cc cc 55 89 e5 53 57 56\n EAX: 0000006b EBX: 00000015 ECX: 001fefff EDX: 0000006b\n ESI: fffb9000 EDI: fffba000 EBP: c611fbf0 ESP: c611fbe8\n DS: 007b ES: 007b FS: 0000 GS: 0000 SS: 0068 EFLAGS: 00010287\n CR0: 80050033 CR2: fffba000 CR3: 0316e000 CR4: 00040690\n Call Trace:\n poison_element (mm/mempool.c:83 mm/mempool.c:102)\n mempool_init_node (mm/mempool.c:142 mm/mempool.c:226)\n mempool_init_noprof (mm/mempool.c:250 (discriminator 1))\n ? mempool_alloc_pages (mm/mempool.c:640)\n bio_integrity_initfn (block/bio-integrity.c:483 (discriminator 8))\n ? mempool_alloc_pages (mm/mempool.c:640)\n do_one_initcall (init/main.c:1283)\n\nChristoph found out this is due to the poisoning code not dealing\nproperly with CONFIG_HIGHMEM because only the first page is mapped but\nthen the whole potentially high-order page is accessed.\n\nWe could give up on HIGHMEM here, but it\u0027s straightforward to fix this\nwith a loop that\u0027s mapping, poisoning or checking and unmapping\nindividual pages."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:49:21.992Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ea4131665107e66ece90e66bcec1a2f1246cbd41"
},
{
"url": "https://git.kernel.org/stable/c/19de79aaea33ee1ea058c8711b3b2b4a7e4decd4"
},
{
"url": "https://git.kernel.org/stable/c/6a13b56537e7b0d97f4bb74e8038ce471f9770d7"
},
{
"url": "https://git.kernel.org/stable/c/a79e49e1704367b635edad1479db23d7cf1fb71a"
},
{
"url": "https://git.kernel.org/stable/c/ec33b59542d96830e3c89845ff833cf7b25ef172"
}
],
"title": "mm/mempool: fix poisoning order\u003e0 pages with HIGHMEM",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68231",
"datePublished": "2025-12-16T13:57:23.712Z",
"dateReserved": "2025-12-16T13:41:40.258Z",
"dateUpdated": "2026-05-11T21:49:21.992Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68233 (GCVE-0-2025-68233)
Vulnerability from cvelistv5 – Published: 2025-12-16 14:04 – Updated: 2026-05-11 21:49
VLAI
EPSS
Title
drm/tegra: Add call to put_pid()
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/tegra: Add call to put_pid()
Add a call to put_pid() corresponding to get_task_pid().
host1x_memory_context_alloc() does not take ownership of the PID so we
need to free it here to avoid leaking.
[mperttunen@nvidia.com: reword commit message]
Severity
No CVSS data available.
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
e09db97889ec647ad373f7a7422c83099c6120c5 , < 6b572e5154af08ee13f8d2673e86f83bc5ff86cd
(git)
Affected: e09db97889ec647ad373f7a7422c83099c6120c5 , < 2e78580e6e7deac6556236ef96db5bbf7b46857e (git) Affected: e09db97889ec647ad373f7a7422c83099c6120c5 , < cbf2cbdb0733d7974dab296ffba0e7ae9b6524e5 (git) Affected: e09db97889ec647ad373f7a7422c83099c6120c5 , < 27ea5c2c75c3419a9a019240ca44b9256f628df1 (git) Affected: e09db97889ec647ad373f7a7422c83099c6120c5 , < 6cbab9f0da72b4dc3c3f9161197aa3b9daa1fa3a (git) |
|
| Linux | Linux |
Affected:
6.0
Unaffected: 0 , < 6.0 (semver) Unaffected: 6.1.159 , ≤ 6.1.* (semver) Unaffected: 6.6.118 , ≤ 6.6.* (semver) Unaffected: 6.12.60 , ≤ 6.12.* (semver) Unaffected: 6.17.10 , ≤ 6.17.* (semver) Unaffected: 6.18 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/tegra/uapi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6b572e5154af08ee13f8d2673e86f83bc5ff86cd",
"status": "affected",
"version": "e09db97889ec647ad373f7a7422c83099c6120c5",
"versionType": "git"
},
{
"lessThan": "2e78580e6e7deac6556236ef96db5bbf7b46857e",
"status": "affected",
"version": "e09db97889ec647ad373f7a7422c83099c6120c5",
"versionType": "git"
},
{
"lessThan": "cbf2cbdb0733d7974dab296ffba0e7ae9b6524e5",
"status": "affected",
"version": "e09db97889ec647ad373f7a7422c83099c6120c5",
"versionType": "git"
},
{
"lessThan": "27ea5c2c75c3419a9a019240ca44b9256f628df1",
"status": "affected",
"version": "e09db97889ec647ad373f7a7422c83099c6120c5",
"versionType": "git"
},
{
"lessThan": "6cbab9f0da72b4dc3c3f9161197aa3b9daa1fa3a",
"status": "affected",
"version": "e09db97889ec647ad373f7a7422c83099c6120c5",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/tegra/uapi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.0"
},
{
"lessThan": "6.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.118",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.60",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.118",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.60",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.10",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/tegra: Add call to put_pid()\n\nAdd a call to put_pid() corresponding to get_task_pid().\nhost1x_memory_context_alloc() does not take ownership of the PID so we\nneed to free it here to avoid leaking.\n\n[mperttunen@nvidia.com: reword commit message]"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:49:24.334Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/6b572e5154af08ee13f8d2673e86f83bc5ff86cd"
},
{
"url": "https://git.kernel.org/stable/c/2e78580e6e7deac6556236ef96db5bbf7b46857e"
},
{
"url": "https://git.kernel.org/stable/c/cbf2cbdb0733d7974dab296ffba0e7ae9b6524e5"
},
{
"url": "https://git.kernel.org/stable/c/27ea5c2c75c3419a9a019240ca44b9256f628df1"
},
{
"url": "https://git.kernel.org/stable/c/6cbab9f0da72b4dc3c3f9161197aa3b9daa1fa3a"
}
],
"title": "drm/tegra: Add call to put_pid()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68233",
"datePublished": "2025-12-16T14:04:13.490Z",
"dateReserved": "2025-12-16T13:41:40.258Z",
"dateUpdated": "2026-05-11T21:49:24.334Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68237 (GCVE-0-2025-68237)
Vulnerability from cvelistv5 – Published: 2025-12-16 14:08 – Updated: 2026-05-11 21:49
VLAI
EPSS
Title
mtdchar: fix integer overflow in read/write ioctls
Summary
In the Linux kernel, the following vulnerability has been resolved:
mtdchar: fix integer overflow in read/write ioctls
The "req.start" and "req.len" variables are u64 values that come from the
user at the start of the function. We mask away the high 32 bits of
"req.len" so that's capped at U32_MAX but the "req.start" variable can go
up to U64_MAX which means that the addition can still integer overflow.
Use check_add_overflow() to fix this bug.
Severity
No CVSS data available.
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
6420ac0af95dbcb2fd8452e2d551ab50e1bbad83 , < f37efdd97fd1ec3e0d0f1eec279c8279e28f981e
(git)
Affected: 6420ac0af95dbcb2fd8452e2d551ab50e1bbad83 , < 457376c6fbf0c69326a9bf1f72416225f681192b (git) Affected: 6420ac0af95dbcb2fd8452e2d551ab50e1bbad83 , < eb9361484814fb12f3b7544b33835ea67d7a6a97 (git) Affected: 6420ac0af95dbcb2fd8452e2d551ab50e1bbad83 , < 37944f4f8199cd153fef74e95ca268020162f212 (git) Affected: 6420ac0af95dbcb2fd8452e2d551ab50e1bbad83 , < e4185bed738da755b191aa3f2e16e8b48450e1b8 (git) |
|
| Linux | Linux |
Affected:
5.17
Unaffected: 0 , < 5.17 (semver) Unaffected: 6.1.159 , ≤ 6.1.* (semver) Unaffected: 6.6.118 , ≤ 6.6.* (semver) Unaffected: 6.12.60 , ≤ 6.12.* (semver) Unaffected: 6.17.10 , ≤ 6.17.* (semver) Unaffected: 6.18 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/mtd/mtdchar.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f37efdd97fd1ec3e0d0f1eec279c8279e28f981e",
"status": "affected",
"version": "6420ac0af95dbcb2fd8452e2d551ab50e1bbad83",
"versionType": "git"
},
{
"lessThan": "457376c6fbf0c69326a9bf1f72416225f681192b",
"status": "affected",
"version": "6420ac0af95dbcb2fd8452e2d551ab50e1bbad83",
"versionType": "git"
},
{
"lessThan": "eb9361484814fb12f3b7544b33835ea67d7a6a97",
"status": "affected",
"version": "6420ac0af95dbcb2fd8452e2d551ab50e1bbad83",
"versionType": "git"
},
{
"lessThan": "37944f4f8199cd153fef74e95ca268020162f212",
"status": "affected",
"version": "6420ac0af95dbcb2fd8452e2d551ab50e1bbad83",
"versionType": "git"
},
{
"lessThan": "e4185bed738da755b191aa3f2e16e8b48450e1b8",
"status": "affected",
"version": "6420ac0af95dbcb2fd8452e2d551ab50e1bbad83",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/mtd/mtdchar.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.17"
},
{
"lessThan": "5.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.118",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.60",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.118",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.60",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.10",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "5.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmtdchar: fix integer overflow in read/write ioctls\n\nThe \"req.start\" and \"req.len\" variables are u64 values that come from the\nuser at the start of the function. We mask away the high 32 bits of\n\"req.len\" so that\u0027s capped at U32_MAX but the \"req.start\" variable can go\nup to U64_MAX which means that the addition can still integer overflow.\n\nUse check_add_overflow() to fix this bug."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:49:29.135Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f37efdd97fd1ec3e0d0f1eec279c8279e28f981e"
},
{
"url": "https://git.kernel.org/stable/c/457376c6fbf0c69326a9bf1f72416225f681192b"
},
{
"url": "https://git.kernel.org/stable/c/eb9361484814fb12f3b7544b33835ea67d7a6a97"
},
{
"url": "https://git.kernel.org/stable/c/37944f4f8199cd153fef74e95ca268020162f212"
},
{
"url": "https://git.kernel.org/stable/c/e4185bed738da755b191aa3f2e16e8b48450e1b8"
}
],
"title": "mtdchar: fix integer overflow in read/write ioctls",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68237",
"datePublished": "2025-12-16T14:08:30.940Z",
"dateReserved": "2025-12-16T13:41:40.258Z",
"dateUpdated": "2026-05-11T21:49:29.135Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68238 (GCVE-0-2025-68238)
Vulnerability from cvelistv5 – Published: 2025-12-16 14:08 – Updated: 2026-05-23 16:02
VLAI
EPSS
Title
mtd: rawnand: cadence: fix DMA device NULL pointer dereference
Summary
In the Linux kernel, the following vulnerability has been resolved:
mtd: rawnand: cadence: fix DMA device NULL pointer dereference
The DMA device pointer `dma_dev` was being dereferenced before ensuring
that `cdns_ctrl->dmac` is properly initialized.
Move the assignment of `dma_dev` after successfully acquiring the DMA
channel to ensure the pointer is valid before use.
Severity
No CVSS data available.
Assigner
References
7 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
0cae7c285f4771a9927ef592899234d307aea5d4 , < 2178b0255eae108bb10e5e99658b28641bc06f43
(git)
Affected: 099a316518508be7c57de4134ef919b2dea948ce , < 9c58c64ec41290c12490ca7e1df45013fbbb41fd (git) Affected: e630d32162a8aab92d4aaebae0a8d93039257593 , < e282a4fdf3c6ee842a720010a8b5f7d77bedd126 (git) Affected: ad9393467fbd788ac2b8a01e492e45ab1b68a1b1 , < b146e0b085d9d6bfe838e0a15481cba7d093c67f (git) Affected: 0ce5416863965ddd86e066484a306867cf1e01a8 , < 0c635241a62f2f5da1b48bfffae226d1f86a76ef (git) Affected: d76d22b5096c5b05208fd982b153b3f182350b19 , < 0c2a43cb43786011b48eeab6093db14888258c6b (git) Affected: d76d22b5096c5b05208fd982b153b3f182350b19 , < 5c56bf214af85ca042bf97f8584aab2151035840 (git) Affected: a33c7492dcdf804b705b6c21018a481414d48038 (git) Affected: 5.10.235 , < 5.10.247 (semver) Affected: 5.15.179 , < 5.15.197 (semver) Affected: 6.1.130 , < 6.1.159 (semver) Affected: 6.6.80 , < 6.6.118 (semver) Affected: 6.12.17 , < 6.12.60 (semver) Affected: 6.13.5 , < 6.14 (semver) |
|
| Linux | Linux |
Affected:
6.14
Unaffected: 0 , < 6.14 (semver) Unaffected: 5.10.247 , ≤ 5.10.* (semver) Unaffected: 5.15.197 , ≤ 5.15.* (semver) Unaffected: 6.1.159 , ≤ 6.1.* (semver) Unaffected: 6.6.118 , ≤ 6.6.* (semver) Unaffected: 6.12.60 , ≤ 6.12.* (semver) Unaffected: 6.17.10 , ≤ 6.17.* (semver) Unaffected: 6.18 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/mtd/nand/raw/cadence-nand-controller.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "2178b0255eae108bb10e5e99658b28641bc06f43",
"status": "affected",
"version": "0cae7c285f4771a9927ef592899234d307aea5d4",
"versionType": "git"
},
{
"lessThan": "9c58c64ec41290c12490ca7e1df45013fbbb41fd",
"status": "affected",
"version": "099a316518508be7c57de4134ef919b2dea948ce",
"versionType": "git"
},
{
"lessThan": "e282a4fdf3c6ee842a720010a8b5f7d77bedd126",
"status": "affected",
"version": "e630d32162a8aab92d4aaebae0a8d93039257593",
"versionType": "git"
},
{
"lessThan": "b146e0b085d9d6bfe838e0a15481cba7d093c67f",
"status": "affected",
"version": "ad9393467fbd788ac2b8a01e492e45ab1b68a1b1",
"versionType": "git"
},
{
"lessThan": "0c635241a62f2f5da1b48bfffae226d1f86a76ef",
"status": "affected",
"version": "0ce5416863965ddd86e066484a306867cf1e01a8",
"versionType": "git"
},
{
"lessThan": "0c2a43cb43786011b48eeab6093db14888258c6b",
"status": "affected",
"version": "d76d22b5096c5b05208fd982b153b3f182350b19",
"versionType": "git"
},
{
"lessThan": "5c56bf214af85ca042bf97f8584aab2151035840",
"status": "affected",
"version": "d76d22b5096c5b05208fd982b153b3f182350b19",
"versionType": "git"
},
{
"status": "affected",
"version": "a33c7492dcdf804b705b6c21018a481414d48038",
"versionType": "git"
},
{
"lessThan": "5.10.247",
"status": "affected",
"version": "5.10.235",
"versionType": "semver"
},
{
"lessThan": "5.15.197",
"status": "affected",
"version": "5.15.179",
"versionType": "semver"
},
{
"lessThan": "6.1.159",
"status": "affected",
"version": "6.1.130",
"versionType": "semver"
},
{
"lessThan": "6.6.118",
"status": "affected",
"version": "6.6.80",
"versionType": "semver"
},
{
"lessThan": "6.12.60",
"status": "affected",
"version": "6.12.17",
"versionType": "semver"
},
{
"lessThan": "6.14",
"status": "affected",
"version": "6.13.5",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/mtd/nand/raw/cadence-nand-controller.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.14"
},
{
"lessThan": "6.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.118",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.60",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.247",
"versionStartIncluding": "5.10.235",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "5.15.179",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "6.1.130",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.118",
"versionStartIncluding": "6.6.80",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.60",
"versionStartIncluding": "6.12.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.10",
"versionStartIncluding": "6.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.13.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmtd: rawnand: cadence: fix DMA device NULL pointer dereference\n\nThe DMA device pointer `dma_dev` was being dereferenced before ensuring\nthat `cdns_ctrl-\u003edmac` is properly initialized.\n\nMove the assignment of `dma_dev` after successfully acquiring the DMA\nchannel to ensure the pointer is valid before use."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-23T16:02:26.527Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/2178b0255eae108bb10e5e99658b28641bc06f43"
},
{
"url": "https://git.kernel.org/stable/c/9c58c64ec41290c12490ca7e1df45013fbbb41fd"
},
{
"url": "https://git.kernel.org/stable/c/e282a4fdf3c6ee842a720010a8b5f7d77bedd126"
},
{
"url": "https://git.kernel.org/stable/c/b146e0b085d9d6bfe838e0a15481cba7d093c67f"
},
{
"url": "https://git.kernel.org/stable/c/0c635241a62f2f5da1b48bfffae226d1f86a76ef"
},
{
"url": "https://git.kernel.org/stable/c/0c2a43cb43786011b48eeab6093db14888258c6b"
},
{
"url": "https://git.kernel.org/stable/c/5c56bf214af85ca042bf97f8584aab2151035840"
}
],
"title": "mtd: rawnand: cadence: fix DMA device NULL pointer dereference",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68238",
"datePublished": "2025-12-16T14:08:31.672Z",
"dateReserved": "2025-12-16T13:41:40.263Z",
"dateUpdated": "2026-05-23T16:02:26.527Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68241 (GCVE-0-2025-68241)
Vulnerability from cvelistv5 – Published: 2025-12-16 14:21 – Updated: 2026-06-16 16:24
VLAI
EPSS
Title
ipv4: route: Prevent rt_bind_exception() from rebinding stale fnhe
Summary
In the Linux kernel, the following vulnerability has been resolved:
ipv4: route: Prevent rt_bind_exception() from rebinding stale fnhe
The sit driver's packet transmission path calls: sit_tunnel_xmit() ->
update_or_create_fnhe(), which lead to fnhe_remove_oldest() being called
to delete entries exceeding FNHE_RECLAIM_DEPTH+random.
The race window is between fnhe_remove_oldest() selecting fnheX for
deletion and the subsequent kfree_rcu(). During this time, the
concurrent path's __mkroute_output() -> find_exception() can fetch the
soon-to-be-deleted fnheX, and rt_bind_exception() then binds it with a
new dst using a dst_hold(). When the original fnheX is freed via RCU,
the dst reference remains permanently leaked.
CPU 0 CPU 1
__mkroute_output()
find_exception() [fnheX]
update_or_create_fnhe()
fnhe_remove_oldest() [fnheX]
rt_bind_exception() [bind dst]
RCU callback [fnheX freed, dst leak]
This issue manifests as a device reference count leak and a warning in
dmesg when unregistering the net device:
unregister_netdevice: waiting for sitX to become free. Usage count = N
Ido Schimmel provided the simple test validation method [1].
The fix clears 'oldest->fnhe_daddr' before calling fnhe_flush_routes().
Since rt_bind_exception() checks this field, setting it to zero prevents
the stale fnhe from being reused and bound to a new dst just before it
is freed.
[1]
ip netns add ns1
ip -n ns1 link set dev lo up
ip -n ns1 address add 192.0.2.1/32 dev lo
ip -n ns1 link add name dummy1 up type dummy
ip -n ns1 route add 192.0.2.2/32 dev dummy1
ip -n ns1 link add name gretap1 up arp off type gretap \
local 192.0.2.1 remote 192.0.2.2
ip -n ns1 route add 198.51.0.0/16 dev gretap1
taskset -c 0 ip netns exec ns1 mausezahn gretap1 \
-A 198.51.100.1 -B 198.51.0.0/16 -t udp -p 1000 -c 0 -q &
taskset -c 2 ip netns exec ns1 mausezahn gretap1 \
-A 198.51.100.1 -B 198.51.0.0/16 -t udp -p 1000 -c 0 -q &
sleep 10
ip netns pids ns1 | xargs kill
ip netns del ns1
Severity
No CVSS data available.
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
8 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
e46e23c289f62ccd8e2230d9ce652072d777ff30 , < 69d35c12168f9c59b159ae566f77dfad9f96d7ca
(git)
Affected: 5867e20e1808acd0c832ddea2587e5ee49813874 , < 4b7210da22429765d19460d38c30eeca72656282 (git) Affected: 67d6d681e15b578c1725bad8ad079e05d1c48a8e , < 298f1e0694ab4edb6092d66efed93c4554e6ced1 (git) Affected: 67d6d681e15b578c1725bad8ad079e05d1c48a8e , < b8a44407bdaf2f0c5505cc7d9fc7d8da90cf9a94 (git) Affected: 67d6d681e15b578c1725bad8ad079e05d1c48a8e , < 041ab9ca6e80d8f792bb69df28ebf1ef39c06af8 (git) Affected: 67d6d681e15b578c1725bad8ad079e05d1c48a8e , < b84f083f50ecc736a95091691339a1b363962f0e (git) Affected: 67d6d681e15b578c1725bad8ad079e05d1c48a8e , < 0fd16ed6dc331636fb2a874c42d2f7d3156f7ff0 (git) Affected: 67d6d681e15b578c1725bad8ad079e05d1c48a8e , < ac1499fcd40fe06479e9b933347b837ccabc2a40 (git) Affected: bed8941fbdb72a61f6348c4deb0db69c4de87aca (git) Affected: f10ce783bcc4d8ea454563a7d56ae781640e7dcb (git) Affected: f484595be6b7ef9d095a32becabb5dae8204fb2a (git) Affected: 3e6bd2b583f18da9856fc9741ffa200a74a52cba (git) Affected: 5ae06218331f39ec45b5d039aa7cb3ddd4bb8008 (git) Affected: 4589a12dcf80af31137ef202be1ff4a321707a73 (git) Affected: 5.4.146 , < 5.4.302 (semver) Affected: 5.10.65 , < 5.10.247 (semver) Affected: 4.4.284 , < 4.5 (semver) Affected: 4.9.283 , < 4.10 (semver) Affected: 4.14.247 , < 4.15 (semver) Affected: 4.19.207 , < 4.20 (semver) Affected: 5.13.17 , < 5.14 (semver) Affected: 5.14.4 , < 5.15 (semver) |
|
| Linux | Linux |
Affected:
5.15
Unaffected: 0 , < 5.15 (semver) Unaffected: 5.4.302 , ≤ 5.4.* (semver) Unaffected: 5.10.247 , ≤ 5.10.* (semver) Unaffected: 5.15.197 , ≤ 5.15.* (semver) Unaffected: 6.1.159 , ≤ 6.1.* (semver) Unaffected: 6.6.117 , ≤ 6.6.* (semver) Unaffected: 6.12.59 , ≤ 6.12.* (semver) Unaffected: 6.17.9 , ≤ 6.17.* (semver) Unaffected: 6.18 , ≤ * (original_commit_for_fix) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-68241",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-16T16:24:01.270292Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-16T16:24:13.146Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ipv4/route.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "69d35c12168f9c59b159ae566f77dfad9f96d7ca",
"status": "affected",
"version": "e46e23c289f62ccd8e2230d9ce652072d777ff30",
"versionType": "git"
},
{
"lessThan": "4b7210da22429765d19460d38c30eeca72656282",
"status": "affected",
"version": "5867e20e1808acd0c832ddea2587e5ee49813874",
"versionType": "git"
},
{
"lessThan": "298f1e0694ab4edb6092d66efed93c4554e6ced1",
"status": "affected",
"version": "67d6d681e15b578c1725bad8ad079e05d1c48a8e",
"versionType": "git"
},
{
"lessThan": "b8a44407bdaf2f0c5505cc7d9fc7d8da90cf9a94",
"status": "affected",
"version": "67d6d681e15b578c1725bad8ad079e05d1c48a8e",
"versionType": "git"
},
{
"lessThan": "041ab9ca6e80d8f792bb69df28ebf1ef39c06af8",
"status": "affected",
"version": "67d6d681e15b578c1725bad8ad079e05d1c48a8e",
"versionType": "git"
},
{
"lessThan": "b84f083f50ecc736a95091691339a1b363962f0e",
"status": "affected",
"version": "67d6d681e15b578c1725bad8ad079e05d1c48a8e",
"versionType": "git"
},
{
"lessThan": "0fd16ed6dc331636fb2a874c42d2f7d3156f7ff0",
"status": "affected",
"version": "67d6d681e15b578c1725bad8ad079e05d1c48a8e",
"versionType": "git"
},
{
"lessThan": "ac1499fcd40fe06479e9b933347b837ccabc2a40",
"status": "affected",
"version": "67d6d681e15b578c1725bad8ad079e05d1c48a8e",
"versionType": "git"
},
{
"status": "affected",
"version": "bed8941fbdb72a61f6348c4deb0db69c4de87aca",
"versionType": "git"
},
{
"status": "affected",
"version": "f10ce783bcc4d8ea454563a7d56ae781640e7dcb",
"versionType": "git"
},
{
"status": "affected",
"version": "f484595be6b7ef9d095a32becabb5dae8204fb2a",
"versionType": "git"
},
{
"status": "affected",
"version": "3e6bd2b583f18da9856fc9741ffa200a74a52cba",
"versionType": "git"
},
{
"status": "affected",
"version": "5ae06218331f39ec45b5d039aa7cb3ddd4bb8008",
"versionType": "git"
},
{
"status": "affected",
"version": "4589a12dcf80af31137ef202be1ff4a321707a73",
"versionType": "git"
},
{
"lessThan": "5.4.302",
"status": "affected",
"version": "5.4.146",
"versionType": "semver"
},
{
"lessThan": "5.10.247",
"status": "affected",
"version": "5.10.65",
"versionType": "semver"
},
{
"lessThan": "4.5",
"status": "affected",
"version": "4.4.284",
"versionType": "semver"
},
{
"lessThan": "4.10",
"status": "affected",
"version": "4.9.283",
"versionType": "semver"
},
{
"lessThan": "4.15",
"status": "affected",
"version": "4.14.247",
"versionType": "semver"
},
{
"lessThan": "4.20",
"status": "affected",
"version": "4.19.207",
"versionType": "semver"
},
{
"lessThan": "5.14",
"status": "affected",
"version": "5.13.17",
"versionType": "semver"
},
{
"lessThan": "5.15",
"status": "affected",
"version": "5.14.4",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ipv4/route.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.15"
},
{
"lessThan": "5.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.302",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.59",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.302",
"versionStartIncluding": "5.4.146",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.247",
"versionStartIncluding": "5.10.65",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.117",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.59",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.9",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.4.284",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.9.283",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.14.247",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.19.207",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.13.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.14.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv4: route: Prevent rt_bind_exception() from rebinding stale fnhe\n\nThe sit driver\u0027s packet transmission path calls: sit_tunnel_xmit() -\u003e\nupdate_or_create_fnhe(), which lead to fnhe_remove_oldest() being called\nto delete entries exceeding FNHE_RECLAIM_DEPTH+random.\n\nThe race window is between fnhe_remove_oldest() selecting fnheX for\ndeletion and the subsequent kfree_rcu(). During this time, the\nconcurrent path\u0027s __mkroute_output() -\u003e find_exception() can fetch the\nsoon-to-be-deleted fnheX, and rt_bind_exception() then binds it with a\nnew dst using a dst_hold(). When the original fnheX is freed via RCU,\nthe dst reference remains permanently leaked.\n\nCPU 0 CPU 1\n__mkroute_output()\n find_exception() [fnheX]\n update_or_create_fnhe()\n fnhe_remove_oldest() [fnheX]\n rt_bind_exception() [bind dst]\n RCU callback [fnheX freed, dst leak]\n\nThis issue manifests as a device reference count leak and a warning in\ndmesg when unregistering the net device:\n\n unregister_netdevice: waiting for sitX to become free. Usage count = N\n\nIdo Schimmel provided the simple test validation method [1].\n\nThe fix clears \u0027oldest-\u003efnhe_daddr\u0027 before calling fnhe_flush_routes().\nSince rt_bind_exception() checks this field, setting it to zero prevents\nthe stale fnhe from being reused and bound to a new dst just before it\nis freed.\n\n[1]\nip netns add ns1\nip -n ns1 link set dev lo up\nip -n ns1 address add 192.0.2.1/32 dev lo\nip -n ns1 link add name dummy1 up type dummy\nip -n ns1 route add 192.0.2.2/32 dev dummy1\nip -n ns1 link add name gretap1 up arp off type gretap \\\n local 192.0.2.1 remote 192.0.2.2\nip -n ns1 route add 198.51.0.0/16 dev gretap1\ntaskset -c 0 ip netns exec ns1 mausezahn gretap1 \\\n -A 198.51.100.1 -B 198.51.0.0/16 -t udp -p 1000 -c 0 -q \u0026\ntaskset -c 2 ip netns exec ns1 mausezahn gretap1 \\\n -A 198.51.100.1 -B 198.51.0.0/16 -t udp -p 1000 -c 0 -q \u0026\nsleep 10\nip netns pids ns1 | xargs kill\nip netns del ns1"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-23T16:02:28.625Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/69d35c12168f9c59b159ae566f77dfad9f96d7ca"
},
{
"url": "https://git.kernel.org/stable/c/4b7210da22429765d19460d38c30eeca72656282"
},
{
"url": "https://git.kernel.org/stable/c/298f1e0694ab4edb6092d66efed93c4554e6ced1"
},
{
"url": "https://git.kernel.org/stable/c/b8a44407bdaf2f0c5505cc7d9fc7d8da90cf9a94"
},
{
"url": "https://git.kernel.org/stable/c/041ab9ca6e80d8f792bb69df28ebf1ef39c06af8"
},
{
"url": "https://git.kernel.org/stable/c/b84f083f50ecc736a95091691339a1b363962f0e"
},
{
"url": "https://git.kernel.org/stable/c/0fd16ed6dc331636fb2a874c42d2f7d3156f7ff0"
},
{
"url": "https://git.kernel.org/stable/c/ac1499fcd40fe06479e9b933347b837ccabc2a40"
}
],
"title": "ipv4: route: Prevent rt_bind_exception() from rebinding stale fnhe",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68241",
"datePublished": "2025-12-16T14:21:18.682Z",
"dateReserved": "2025-12-16T13:41:40.263Z",
"dateUpdated": "2026-06-16T16:24:13.146Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68244 (GCVE-0-2025-68244)
Vulnerability from cvelistv5 – Published: 2025-12-16 14:21 – Updated: 2026-05-11 21:49
VLAI
EPSS
Title
drm/i915: Avoid lock inversion when pinning to GGTT on CHV/BXT+VTD
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/i915: Avoid lock inversion when pinning to GGTT on CHV/BXT+VTD
On completion of i915_vma_pin_ww(), a synchronous variant of
dma_fence_work_commit() is called. When pinning a VMA to GGTT address
space on a Cherry View family processor, or on a Broxton generation SoC
with VTD enabled, i.e., when stop_machine() is then called from
intel_ggtt_bind_vma(), that can potentially lead to lock inversion among
reservation_ww and cpu_hotplug locks.
[86.861179] ======================================================
[86.861193] WARNING: possible circular locking dependency detected
[86.861209] 6.15.0-rc5-CI_DRM_16515-gca0305cadc2d+ #1 Tainted: G U
[86.861226] ------------------------------------------------------
[86.861238] i915_module_loa/1432 is trying to acquire lock:
[86.861252] ffffffff83489090 (cpu_hotplug_lock){++++}-{0:0}, at: stop_machine+0x1c/0x50
[86.861290]
but task is already holding lock:
[86.861303] ffffc90002e0b4c8 (reservation_ww_class_mutex){+.+.}-{3:3}, at: i915_vma_pin.constprop.0+0x39/0x1d0 [i915]
[86.862233]
which lock already depends on the new lock.
[86.862251]
the existing dependency chain (in reverse order) is:
[86.862265]
-> #5 (reservation_ww_class_mutex){+.+.}-{3:3}:
[86.862292] dma_resv_lockdep+0x19a/0x390
[86.862315] do_one_initcall+0x60/0x3f0
[86.862334] kernel_init_freeable+0x3cd/0x680
[86.862353] kernel_init+0x1b/0x200
[86.862369] ret_from_fork+0x47/0x70
[86.862383] ret_from_fork_asm+0x1a/0x30
[86.862399]
-> #4 (reservation_ww_class_acquire){+.+.}-{0:0}:
[86.862425] dma_resv_lockdep+0x178/0x390
[86.862440] do_one_initcall+0x60/0x3f0
[86.862454] kernel_init_freeable+0x3cd/0x680
[86.862470] kernel_init+0x1b/0x200
[86.862482] ret_from_fork+0x47/0x70
[86.862495] ret_from_fork_asm+0x1a/0x30
[86.862509]
-> #3 (&mm->mmap_lock){++++}-{3:3}:
[86.862531] down_read_killable+0x46/0x1e0
[86.862546] lock_mm_and_find_vma+0xa2/0x280
[86.862561] do_user_addr_fault+0x266/0x8e0
[86.862578] exc_page_fault+0x8a/0x2f0
[86.862593] asm_exc_page_fault+0x27/0x30
[86.862607] filldir64+0xeb/0x180
[86.862620] kernfs_fop_readdir+0x118/0x480
[86.862635] iterate_dir+0xcf/0x2b0
[86.862648] __x64_sys_getdents64+0x84/0x140
[86.862661] x64_sys_call+0x1058/0x2660
[86.862675] do_syscall_64+0x91/0xe90
[86.862689] entry_SYSCALL_64_after_hwframe+0x76/0x7e
[86.862703]
-> #2 (&root->kernfs_rwsem){++++}-{3:3}:
[86.862725] down_write+0x3e/0xf0
[86.862738] kernfs_add_one+0x30/0x3c0
[86.862751] kernfs_create_dir_ns+0x53/0xb0
[86.862765] internal_create_group+0x134/0x4c0
[86.862779] sysfs_create_group+0x13/0x20
[86.862792] topology_add_dev+0x1d/0x30
[86.862806] cpuhp_invoke_callback+0x4b5/0x850
[86.862822] cpuhp_issue_call+0xbf/0x1f0
[86.862836] __cpuhp_setup_state_cpuslocked+0x111/0x320
[86.862852] __cpuhp_setup_state+0xb0/0x220
[86.862866] topology_sysfs_init+0x30/0x50
[86.862879] do_one_initcall+0x60/0x3f0
[86.862893] kernel_init_freeable+0x3cd/0x680
[86.862908] kernel_init+0x1b/0x200
[86.862921] ret_from_fork+0x47/0x70
[86.862934] ret_from_fork_asm+0x1a/0x30
[86.862947]
-> #1 (cpuhp_state_mutex){+.+.}-{3:3}:
[86.862969] __mutex_lock+0xaa/0xed0
[86.862982] mutex_lock_nested+0x1b/0x30
[86.862995] __cpuhp_setup_state_cpuslocked+0x67/0x320
[86.863012] __cpuhp_setup_state+0xb0/0x220
[86.863026] page_alloc_init_cpuhp+0x2d/0x60
[86.863041] mm_core_init+0x22/0x2d0
[86.863054] start_kernel+0x576/0xbd0
[86.863068] x86_64_start_reservations+0x18/0x30
[86.863084] x86_64_start_kernel+0xbf/0x110
[86.863098] common_startup_64+0x13e/0x141
[86.863114]
-> #0 (cpu_hotplug_lock){++++}-{0:0}:
[86.863135] __lock_acquire+0x16
---truncated---
Severity
No CVSS data available.
Assigner
References
6 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
7d1c2618eac590d948eb33b9807d913ddb6e105f , < e988634d7aae7214818b9c86cd7ef9e78c84b02d
(git)
Affected: 7d1c2618eac590d948eb33b9807d913ddb6e105f , < 20d94a6117b752fd10a78cefdc1cf2c16706048b (git) Affected: 7d1c2618eac590d948eb33b9807d913ddb6e105f , < 3dec22bde207a36f1b8a4b80564cbbe13996a7cd (git) Affected: 7d1c2618eac590d948eb33b9807d913ddb6e105f , < 4e73066e3323add260e46eb51f79383d87950281 (git) Affected: 7d1c2618eac590d948eb33b9807d913ddb6e105f , < 858a50127be714f55c3bcb25621028d4a323d77e (git) Affected: 7d1c2618eac590d948eb33b9807d913ddb6e105f , < 84bbe327a5cbb060f3321c9d9d4d53936fc1ef9b (git) |
|
| Linux | Linux |
Affected:
5.13
Unaffected: 0 , < 5.13 (semver) Unaffected: 5.15.197 , ≤ 5.15.* (semver) Unaffected: 6.1.159 , ≤ 6.1.* (semver) Unaffected: 6.6.117 , ≤ 6.6.* (semver) Unaffected: 6.12.59 , ≤ 6.12.* (semver) Unaffected: 6.17.9 , ≤ 6.17.* (semver) Unaffected: 6.18 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/i915/i915_vma.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e988634d7aae7214818b9c86cd7ef9e78c84b02d",
"status": "affected",
"version": "7d1c2618eac590d948eb33b9807d913ddb6e105f",
"versionType": "git"
},
{
"lessThan": "20d94a6117b752fd10a78cefdc1cf2c16706048b",
"status": "affected",
"version": "7d1c2618eac590d948eb33b9807d913ddb6e105f",
"versionType": "git"
},
{
"lessThan": "3dec22bde207a36f1b8a4b80564cbbe13996a7cd",
"status": "affected",
"version": "7d1c2618eac590d948eb33b9807d913ddb6e105f",
"versionType": "git"
},
{
"lessThan": "4e73066e3323add260e46eb51f79383d87950281",
"status": "affected",
"version": "7d1c2618eac590d948eb33b9807d913ddb6e105f",
"versionType": "git"
},
{
"lessThan": "858a50127be714f55c3bcb25621028d4a323d77e",
"status": "affected",
"version": "7d1c2618eac590d948eb33b9807d913ddb6e105f",
"versionType": "git"
},
{
"lessThan": "84bbe327a5cbb060f3321c9d9d4d53936fc1ef9b",
"status": "affected",
"version": "7d1c2618eac590d948eb33b9807d913ddb6e105f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/i915/i915_vma.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.13"
},
{
"lessThan": "5.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.59",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.117",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.59",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.9",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "5.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/i915: Avoid lock inversion when pinning to GGTT on CHV/BXT+VTD\n\nOn completion of i915_vma_pin_ww(), a synchronous variant of\ndma_fence_work_commit() is called. When pinning a VMA to GGTT address\nspace on a Cherry View family processor, or on a Broxton generation SoC\nwith VTD enabled, i.e., when stop_machine() is then called from\nintel_ggtt_bind_vma(), that can potentially lead to lock inversion among\nreservation_ww and cpu_hotplug locks.\n\n[86.861179] ======================================================\n[86.861193] WARNING: possible circular locking dependency detected\n[86.861209] 6.15.0-rc5-CI_DRM_16515-gca0305cadc2d+ #1 Tainted: G U\n[86.861226] ------------------------------------------------------\n[86.861238] i915_module_loa/1432 is trying to acquire lock:\n[86.861252] ffffffff83489090 (cpu_hotplug_lock){++++}-{0:0}, at: stop_machine+0x1c/0x50\n[86.861290]\nbut task is already holding lock:\n[86.861303] ffffc90002e0b4c8 (reservation_ww_class_mutex){+.+.}-{3:3}, at: i915_vma_pin.constprop.0+0x39/0x1d0 [i915]\n[86.862233]\nwhich lock already depends on the new lock.\n[86.862251]\nthe existing dependency chain (in reverse order) is:\n[86.862265]\n-\u003e #5 (reservation_ww_class_mutex){+.+.}-{3:3}:\n[86.862292] dma_resv_lockdep+0x19a/0x390\n[86.862315] do_one_initcall+0x60/0x3f0\n[86.862334] kernel_init_freeable+0x3cd/0x680\n[86.862353] kernel_init+0x1b/0x200\n[86.862369] ret_from_fork+0x47/0x70\n[86.862383] ret_from_fork_asm+0x1a/0x30\n[86.862399]\n-\u003e #4 (reservation_ww_class_acquire){+.+.}-{0:0}:\n[86.862425] dma_resv_lockdep+0x178/0x390\n[86.862440] do_one_initcall+0x60/0x3f0\n[86.862454] kernel_init_freeable+0x3cd/0x680\n[86.862470] kernel_init+0x1b/0x200\n[86.862482] ret_from_fork+0x47/0x70\n[86.862495] ret_from_fork_asm+0x1a/0x30\n[86.862509]\n-\u003e #3 (\u0026mm-\u003emmap_lock){++++}-{3:3}:\n[86.862531] down_read_killable+0x46/0x1e0\n[86.862546] lock_mm_and_find_vma+0xa2/0x280\n[86.862561] do_user_addr_fault+0x266/0x8e0\n[86.862578] exc_page_fault+0x8a/0x2f0\n[86.862593] asm_exc_page_fault+0x27/0x30\n[86.862607] filldir64+0xeb/0x180\n[86.862620] kernfs_fop_readdir+0x118/0x480\n[86.862635] iterate_dir+0xcf/0x2b0\n[86.862648] __x64_sys_getdents64+0x84/0x140\n[86.862661] x64_sys_call+0x1058/0x2660\n[86.862675] do_syscall_64+0x91/0xe90\n[86.862689] entry_SYSCALL_64_after_hwframe+0x76/0x7e\n[86.862703]\n-\u003e #2 (\u0026root-\u003ekernfs_rwsem){++++}-{3:3}:\n[86.862725] down_write+0x3e/0xf0\n[86.862738] kernfs_add_one+0x30/0x3c0\n[86.862751] kernfs_create_dir_ns+0x53/0xb0\n[86.862765] internal_create_group+0x134/0x4c0\n[86.862779] sysfs_create_group+0x13/0x20\n[86.862792] topology_add_dev+0x1d/0x30\n[86.862806] cpuhp_invoke_callback+0x4b5/0x850\n[86.862822] cpuhp_issue_call+0xbf/0x1f0\n[86.862836] __cpuhp_setup_state_cpuslocked+0x111/0x320\n[86.862852] __cpuhp_setup_state+0xb0/0x220\n[86.862866] topology_sysfs_init+0x30/0x50\n[86.862879] do_one_initcall+0x60/0x3f0\n[86.862893] kernel_init_freeable+0x3cd/0x680\n[86.862908] kernel_init+0x1b/0x200\n[86.862921] ret_from_fork+0x47/0x70\n[86.862934] ret_from_fork_asm+0x1a/0x30\n[86.862947]\n-\u003e #1 (cpuhp_state_mutex){+.+.}-{3:3}:\n[86.862969] __mutex_lock+0xaa/0xed0\n[86.862982] mutex_lock_nested+0x1b/0x30\n[86.862995] __cpuhp_setup_state_cpuslocked+0x67/0x320\n[86.863012] __cpuhp_setup_state+0xb0/0x220\n[86.863026] page_alloc_init_cpuhp+0x2d/0x60\n[86.863041] mm_core_init+0x22/0x2d0\n[86.863054] start_kernel+0x576/0xbd0\n[86.863068] x86_64_start_reservations+0x18/0x30\n[86.863084] x86_64_start_kernel+0xbf/0x110\n[86.863098] common_startup_64+0x13e/0x141\n[86.863114]\n-\u003e #0 (cpu_hotplug_lock){++++}-{0:0}:\n[86.863135] __lock_acquire+0x16\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:49:37.318Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e988634d7aae7214818b9c86cd7ef9e78c84b02d"
},
{
"url": "https://git.kernel.org/stable/c/20d94a6117b752fd10a78cefdc1cf2c16706048b"
},
{
"url": "https://git.kernel.org/stable/c/3dec22bde207a36f1b8a4b80564cbbe13996a7cd"
},
{
"url": "https://git.kernel.org/stable/c/4e73066e3323add260e46eb51f79383d87950281"
},
{
"url": "https://git.kernel.org/stable/c/858a50127be714f55c3bcb25621028d4a323d77e"
},
{
"url": "https://git.kernel.org/stable/c/84bbe327a5cbb060f3321c9d9d4d53936fc1ef9b"
}
],
"title": "drm/i915: Avoid lock inversion when pinning to GGTT on CHV/BXT+VTD",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68244",
"datePublished": "2025-12-16T14:21:21.277Z",
"dateReserved": "2025-12-16T13:41:40.263Z",
"dateUpdated": "2026-05-11T21:49:37.318Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68245 (GCVE-0-2025-68245)
Vulnerability from cvelistv5 – Published: 2025-12-16 14:21 – Updated: 2026-05-11 21:49
VLAI
EPSS
Title
net: netpoll: fix incorrect refcount handling causing incorrect cleanup
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: netpoll: fix incorrect refcount handling causing incorrect cleanup
commit efa95b01da18 ("netpoll: fix use after free") incorrectly
ignored the refcount and prematurely set dev->npinfo to NULL during
netpoll cleanup, leading to improper behavior and memory leaks.
Scenario causing lack of proper cleanup:
1) A netpoll is associated with a NIC (e.g., eth0) and netdev->npinfo is
allocated, and refcnt = 1
- Keep in mind that npinfo is shared among all netpoll instances. In
this case, there is just one.
2) Another netpoll is also associated with the same NIC and
npinfo->refcnt += 1.
- Now dev->npinfo->refcnt = 2;
- There is just one npinfo associated to the netdev.
3) When the first netpolls goes to clean up:
- The first cleanup succeeds and clears np->dev->npinfo, ignoring
refcnt.
- It basically calls `RCU_INIT_POINTER(np->dev->npinfo, NULL);`
- Set dev->npinfo = NULL, without proper cleanup
- No ->ndo_netpoll_cleanup() is either called
4) Now the second target tries to clean up
- The second cleanup fails because np->dev->npinfo is already NULL.
* In this case, ops->ndo_netpoll_cleanup() was never called, and
the skb pool is not cleaned as well (for the second netpoll
instance)
- This leaks npinfo and skbpool skbs, which is clearly reported by
kmemleak.
Revert commit efa95b01da18 ("netpoll: fix use after free") and adds
clarifying comments emphasizing that npinfo cleanup should only happen
once the refcount reaches zero, ensuring stable and correct netpoll
behavior.
Severity
No CVSS data available.
Assigner
References
8 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
efa95b01da18ad22af62f6d99a3243f3be8fd264 , < 8e6a50edad11e3e1426e4c29e7aa6201f3468ac2
(git)
Affected: efa95b01da18ad22af62f6d99a3243f3be8fd264 , < 9b0bb18b4b9dc017c1825a2c5e763615e34a1593 (git) Affected: efa95b01da18ad22af62f6d99a3243f3be8fd264 , < 890472d6fbf062e6de7fdd56642cb305ab79d669 (git) Affected: efa95b01da18ad22af62f6d99a3243f3be8fd264 , < 4afd4ebbad52aa146838ec23082ba393e426a2bb (git) Affected: efa95b01da18ad22af62f6d99a3243f3be8fd264 , < c645693180a98606c430825223d2029315d85e9d (git) Affected: efa95b01da18ad22af62f6d99a3243f3be8fd264 , < c79a6d9da29219616b118a3adce9a14cd30f9bd0 (git) Affected: efa95b01da18ad22af62f6d99a3243f3be8fd264 , < 9a51b5ccd1c79afec1c03a4e1e6688da52597556 (git) Affected: efa95b01da18ad22af62f6d99a3243f3be8fd264 , < 49c8d2c1f94cc2f4d1a108530d7ba52614b874c2 (git) |
|
| Linux | Linux |
Affected:
3.17
Unaffected: 0 , < 3.17 (semver) Unaffected: 5.4.302 , ≤ 5.4.* (semver) Unaffected: 5.10.247 , ≤ 5.10.* (semver) Unaffected: 5.15.197 , ≤ 5.15.* (semver) Unaffected: 6.1.159 , ≤ 6.1.* (semver) Unaffected: 6.6.117 , ≤ 6.6.* (semver) Unaffected: 6.12.59 , ≤ 6.12.* (semver) Unaffected: 6.17.9 , ≤ 6.17.* (semver) Unaffected: 6.18 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/core/netpoll.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "8e6a50edad11e3e1426e4c29e7aa6201f3468ac2",
"status": "affected",
"version": "efa95b01da18ad22af62f6d99a3243f3be8fd264",
"versionType": "git"
},
{
"lessThan": "9b0bb18b4b9dc017c1825a2c5e763615e34a1593",
"status": "affected",
"version": "efa95b01da18ad22af62f6d99a3243f3be8fd264",
"versionType": "git"
},
{
"lessThan": "890472d6fbf062e6de7fdd56642cb305ab79d669",
"status": "affected",
"version": "efa95b01da18ad22af62f6d99a3243f3be8fd264",
"versionType": "git"
},
{
"lessThan": "4afd4ebbad52aa146838ec23082ba393e426a2bb",
"status": "affected",
"version": "efa95b01da18ad22af62f6d99a3243f3be8fd264",
"versionType": "git"
},
{
"lessThan": "c645693180a98606c430825223d2029315d85e9d",
"status": "affected",
"version": "efa95b01da18ad22af62f6d99a3243f3be8fd264",
"versionType": "git"
},
{
"lessThan": "c79a6d9da29219616b118a3adce9a14cd30f9bd0",
"status": "affected",
"version": "efa95b01da18ad22af62f6d99a3243f3be8fd264",
"versionType": "git"
},
{
"lessThan": "9a51b5ccd1c79afec1c03a4e1e6688da52597556",
"status": "affected",
"version": "efa95b01da18ad22af62f6d99a3243f3be8fd264",
"versionType": "git"
},
{
"lessThan": "49c8d2c1f94cc2f4d1a108530d7ba52614b874c2",
"status": "affected",
"version": "efa95b01da18ad22af62f6d99a3243f3be8fd264",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/core/netpoll.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.17"
},
{
"lessThan": "3.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.302",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.59",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.302",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.247",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.117",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.59",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.9",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "3.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: netpoll: fix incorrect refcount handling causing incorrect cleanup\n\ncommit efa95b01da18 (\"netpoll: fix use after free\") incorrectly\nignored the refcount and prematurely set dev-\u003enpinfo to NULL during\nnetpoll cleanup, leading to improper behavior and memory leaks.\n\nScenario causing lack of proper cleanup:\n\n1) A netpoll is associated with a NIC (e.g., eth0) and netdev-\u003enpinfo is\n allocated, and refcnt = 1\n - Keep in mind that npinfo is shared among all netpoll instances. In\n this case, there is just one.\n\n2) Another netpoll is also associated with the same NIC and\n npinfo-\u003erefcnt += 1.\n - Now dev-\u003enpinfo-\u003erefcnt = 2;\n - There is just one npinfo associated to the netdev.\n\n3) When the first netpolls goes to clean up:\n - The first cleanup succeeds and clears np-\u003edev-\u003enpinfo, ignoring\n refcnt.\n - It basically calls `RCU_INIT_POINTER(np-\u003edev-\u003enpinfo, NULL);`\n - Set dev-\u003enpinfo = NULL, without proper cleanup\n - No -\u003endo_netpoll_cleanup() is either called\n\n4) Now the second target tries to clean up\n - The second cleanup fails because np-\u003edev-\u003enpinfo is already NULL.\n * In this case, ops-\u003endo_netpoll_cleanup() was never called, and\n the skb pool is not cleaned as well (for the second netpoll\n instance)\n - This leaks npinfo and skbpool skbs, which is clearly reported by\n kmemleak.\n\nRevert commit efa95b01da18 (\"netpoll: fix use after free\") and adds\nclarifying comments emphasizing that npinfo cleanup should only happen\nonce the refcount reaches zero, ensuring stable and correct netpoll\nbehavior."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:49:38.460Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/8e6a50edad11e3e1426e4c29e7aa6201f3468ac2"
},
{
"url": "https://git.kernel.org/stable/c/9b0bb18b4b9dc017c1825a2c5e763615e34a1593"
},
{
"url": "https://git.kernel.org/stable/c/890472d6fbf062e6de7fdd56642cb305ab79d669"
},
{
"url": "https://git.kernel.org/stable/c/4afd4ebbad52aa146838ec23082ba393e426a2bb"
},
{
"url": "https://git.kernel.org/stable/c/c645693180a98606c430825223d2029315d85e9d"
},
{
"url": "https://git.kernel.org/stable/c/c79a6d9da29219616b118a3adce9a14cd30f9bd0"
},
{
"url": "https://git.kernel.org/stable/c/9a51b5ccd1c79afec1c03a4e1e6688da52597556"
},
{
"url": "https://git.kernel.org/stable/c/49c8d2c1f94cc2f4d1a108530d7ba52614b874c2"
}
],
"title": "net: netpoll: fix incorrect refcount handling causing incorrect cleanup",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68245",
"datePublished": "2025-12-16T14:21:22.348Z",
"dateReserved": "2025-12-16T13:41:40.264Z",
"dateUpdated": "2026-05-11T21:49:38.460Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68246 (GCVE-0-2025-68246)
Vulnerability from cvelistv5 – Published: 2025-12-16 14:21 – Updated: 2026-05-11 21:49
VLAI
EPSS
Title
ksmbd: close accepted socket when per-IP limit rejects connection
Summary
In the Linux kernel, the following vulnerability has been resolved:
ksmbd: close accepted socket when per-IP limit rejects connection
When the per-IP connection limit is exceeded in ksmbd_kthread_fn(),
the code sets ret = -EAGAIN and continues the accept loop without
closing the just-accepted socket. That leaks one socket per rejected
attempt from a single IP and enables a trivial remote DoS.
Release client_sk before continuing.
This bug was found with ZeroPath.
Severity
No CVSS data available.
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
0626e6641f6b467447c81dd7678a69c66f7746cf , < 7a3c7154d5fc05956a8ad9e72ecf49e21555bfca
(git)
Affected: 0626e6641f6b467447c81dd7678a69c66f7746cf , < 5746b2a0f5eb3d79667b3c51fe849bd62464220e (git) Affected: 0626e6641f6b467447c81dd7678a69c66f7746cf , < 4587a7826be1ae0190dba10ff70b46bb0e3bc7d3 (git) Affected: 0626e6641f6b467447c81dd7678a69c66f7746cf , < 35521b5a7e8a184548125f4530552101236dcda1 (git) Affected: 0626e6641f6b467447c81dd7678a69c66f7746cf , < 98a5fd31cbf72d46bf18e50b3ab0ce86d5f319a9 (git) |
|
| Linux | Linux |
Affected:
5.15
Unaffected: 0 , < 5.15 (semver) Unaffected: 6.1.159 , ≤ 6.1.* (semver) Unaffected: 6.6.117 , ≤ 6.6.* (semver) Unaffected: 6.12.59 , ≤ 6.12.* (semver) Unaffected: 6.17.9 , ≤ 6.17.* (semver) Unaffected: 6.18 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/smb/server/transport_tcp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "7a3c7154d5fc05956a8ad9e72ecf49e21555bfca",
"status": "affected",
"version": "0626e6641f6b467447c81dd7678a69c66f7746cf",
"versionType": "git"
},
{
"lessThan": "5746b2a0f5eb3d79667b3c51fe849bd62464220e",
"status": "affected",
"version": "0626e6641f6b467447c81dd7678a69c66f7746cf",
"versionType": "git"
},
{
"lessThan": "4587a7826be1ae0190dba10ff70b46bb0e3bc7d3",
"status": "affected",
"version": "0626e6641f6b467447c81dd7678a69c66f7746cf",
"versionType": "git"
},
{
"lessThan": "35521b5a7e8a184548125f4530552101236dcda1",
"status": "affected",
"version": "0626e6641f6b467447c81dd7678a69c66f7746cf",
"versionType": "git"
},
{
"lessThan": "98a5fd31cbf72d46bf18e50b3ab0ce86d5f319a9",
"status": "affected",
"version": "0626e6641f6b467447c81dd7678a69c66f7746cf",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/smb/server/transport_tcp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.15"
},
{
"lessThan": "5.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.59",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.117",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.59",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.9",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "5.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: close accepted socket when per-IP limit rejects connection\n\nWhen the per-IP connection limit is exceeded in ksmbd_kthread_fn(),\nthe code sets ret = -EAGAIN and continues the accept loop without\nclosing the just-accepted socket. That leaks one socket per rejected\nattempt from a single IP and enables a trivial remote DoS.\n\nRelease client_sk before continuing.\n\nThis bug was found with ZeroPath."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:49:39.617Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/7a3c7154d5fc05956a8ad9e72ecf49e21555bfca"
},
{
"url": "https://git.kernel.org/stable/c/5746b2a0f5eb3d79667b3c51fe849bd62464220e"
},
{
"url": "https://git.kernel.org/stable/c/4587a7826be1ae0190dba10ff70b46bb0e3bc7d3"
},
{
"url": "https://git.kernel.org/stable/c/35521b5a7e8a184548125f4530552101236dcda1"
},
{
"url": "https://git.kernel.org/stable/c/98a5fd31cbf72d46bf18e50b3ab0ce86d5f319a9"
}
],
"title": "ksmbd: close accepted socket when per-IP limit rejects connection",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68246",
"datePublished": "2025-12-16T14:21:23.551Z",
"dateReserved": "2025-12-16T13:41:40.264Z",
"dateUpdated": "2026-05-11T21:49:39.617Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68282 (GCVE-0-2025-68282)
Vulnerability from cvelistv5 – Published: 2025-12-16 15:06 – Updated: 2026-05-11 21:50
VLAI
EPSS
Title
usb: gadget: udc: fix use-after-free in usb_gadget_state_work
Summary
In the Linux kernel, the following vulnerability has been resolved:
usb: gadget: udc: fix use-after-free in usb_gadget_state_work
A race condition during gadget teardown can lead to a use-after-free
in usb_gadget_state_work(), as reported by KASAN:
BUG: KASAN: invalid-access in sysfs_notify+0x2c/0xd0
Workqueue: events usb_gadget_state_work
The fundamental race occurs because a concurrent event (e.g., an
interrupt) can call usb_gadget_set_state() and schedule gadget->work
at any time during the cleanup process in usb_del_gadget().
Commit 399a45e5237c ("usb: gadget: core: flush gadget workqueue after
device removal") attempted to fix this by moving flush_work() to after
device_del(). However, this does not fully solve the race, as a new
work item can still be scheduled *after* flush_work() completes but
before the gadget's memory is freed, leading to the same use-after-free.
This patch fixes the race condition robustly by introducing a 'teardown'
flag and a 'state_lock' spinlock to the usb_gadget struct. The flag is
set during cleanup in usb_del_gadget() *before* calling flush_work() to
prevent any new work from being scheduled once cleanup has commenced.
The scheduling site, usb_gadget_set_state(), now checks this flag under
the lock before queueing the work, thus safely closing the race window.
Severity
No CVSS data available.
Assigner
References
7 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
5702f75375aa9ecf8ad3431aef3fe6ce8c8dbd15 , < dddc944d65169b552e09cb54e3ed4fbb9ea26416
(git)
Affected: 5702f75375aa9ecf8ad3431aef3fe6ce8c8dbd15 , < eee16f3ff08e759ea828bdf7dc1c0ef2f22134f5 (git) Affected: 5702f75375aa9ecf8ad3431aef3fe6ce8c8dbd15 , < c12a0c3ef815ddd67e47f9c819f9fe822fed5467 (git) Affected: 5702f75375aa9ecf8ad3431aef3fe6ce8c8dbd15 , < f02a412c0a18f02f0f91b0a3d9788315a721b7fd (git) Affected: 5702f75375aa9ecf8ad3431aef3fe6ce8c8dbd15 , < 10014310193cf6736c1aeb4105c5f4a0818d0c65 (git) Affected: 5702f75375aa9ecf8ad3431aef3fe6ce8c8dbd15 , < 3b32caa73d135eea8fb9cabb45e9fc64c5a3ecb9 (git) Affected: 5702f75375aa9ecf8ad3431aef3fe6ce8c8dbd15 , < baeb66fbd4201d1c4325074e78b1f557dff89b5b (git) |
|
| Linux | Linux |
Affected:
3.12
Unaffected: 0 , < 3.12 (semver) Unaffected: 5.10.248 , ≤ 5.10.* (semver) Unaffected: 5.15.198 , ≤ 5.15.* (semver) Unaffected: 6.1.159 , ≤ 6.1.* (semver) Unaffected: 6.6.119 , ≤ 6.6.* (semver) Unaffected: 6.12.61 , ≤ 6.12.* (semver) Unaffected: 6.17.11 , ≤ 6.17.* (semver) Unaffected: 6.18 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/usb/gadget/udc/core.c",
"include/linux/usb/gadget.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "dddc944d65169b552e09cb54e3ed4fbb9ea26416",
"status": "affected",
"version": "5702f75375aa9ecf8ad3431aef3fe6ce8c8dbd15",
"versionType": "git"
},
{
"lessThan": "eee16f3ff08e759ea828bdf7dc1c0ef2f22134f5",
"status": "affected",
"version": "5702f75375aa9ecf8ad3431aef3fe6ce8c8dbd15",
"versionType": "git"
},
{
"lessThan": "c12a0c3ef815ddd67e47f9c819f9fe822fed5467",
"status": "affected",
"version": "5702f75375aa9ecf8ad3431aef3fe6ce8c8dbd15",
"versionType": "git"
},
{
"lessThan": "f02a412c0a18f02f0f91b0a3d9788315a721b7fd",
"status": "affected",
"version": "5702f75375aa9ecf8ad3431aef3fe6ce8c8dbd15",
"versionType": "git"
},
{
"lessThan": "10014310193cf6736c1aeb4105c5f4a0818d0c65",
"status": "affected",
"version": "5702f75375aa9ecf8ad3431aef3fe6ce8c8dbd15",
"versionType": "git"
},
{
"lessThan": "3b32caa73d135eea8fb9cabb45e9fc64c5a3ecb9",
"status": "affected",
"version": "5702f75375aa9ecf8ad3431aef3fe6ce8c8dbd15",
"versionType": "git"
},
{
"lessThan": "baeb66fbd4201d1c4325074e78b1f557dff89b5b",
"status": "affected",
"version": "5702f75375aa9ecf8ad3431aef3fe6ce8c8dbd15",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/usb/gadget/udc/core.c",
"include/linux/usb/gadget.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.12"
},
{
"lessThan": "3.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.119",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.61",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.119",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.61",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.11",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "3.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: udc: fix use-after-free in usb_gadget_state_work\n\nA race condition during gadget teardown can lead to a use-after-free\nin usb_gadget_state_work(), as reported by KASAN:\n\n BUG: KASAN: invalid-access in sysfs_notify+0x2c/0xd0\n Workqueue: events usb_gadget_state_work\n\nThe fundamental race occurs because a concurrent event (e.g., an\ninterrupt) can call usb_gadget_set_state() and schedule gadget-\u003ework\nat any time during the cleanup process in usb_del_gadget().\n\nCommit 399a45e5237c (\"usb: gadget: core: flush gadget workqueue after\ndevice removal\") attempted to fix this by moving flush_work() to after\ndevice_del(). However, this does not fully solve the race, as a new\nwork item can still be scheduled *after* flush_work() completes but\nbefore the gadget\u0027s memory is freed, leading to the same use-after-free.\n\nThis patch fixes the race condition robustly by introducing a \u0027teardown\u0027\nflag and a \u0027state_lock\u0027 spinlock to the usb_gadget struct. The flag is\nset during cleanup in usb_del_gadget() *before* calling flush_work() to\nprevent any new work from being scheduled once cleanup has commenced.\nThe scheduling site, usb_gadget_set_state(), now checks this flag under\nthe lock before queueing the work, thus safely closing the race window."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:50:08.718Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/dddc944d65169b552e09cb54e3ed4fbb9ea26416"
},
{
"url": "https://git.kernel.org/stable/c/eee16f3ff08e759ea828bdf7dc1c0ef2f22134f5"
},
{
"url": "https://git.kernel.org/stable/c/c12a0c3ef815ddd67e47f9c819f9fe822fed5467"
},
{
"url": "https://git.kernel.org/stable/c/f02a412c0a18f02f0f91b0a3d9788315a721b7fd"
},
{
"url": "https://git.kernel.org/stable/c/10014310193cf6736c1aeb4105c5f4a0818d0c65"
},
{
"url": "https://git.kernel.org/stable/c/3b32caa73d135eea8fb9cabb45e9fc64c5a3ecb9"
},
{
"url": "https://git.kernel.org/stable/c/baeb66fbd4201d1c4325074e78b1f557dff89b5b"
}
],
"title": "usb: gadget: udc: fix use-after-free in usb_gadget_state_work",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68282",
"datePublished": "2025-12-16T15:06:04.332Z",
"dateReserved": "2025-12-16T14:48:05.291Z",
"dateUpdated": "2026-05-11T21:50:08.718Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Loading…
Trend slope:
-
(linear fit over daily sighting counts)
Show additional events:
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…