Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CERTFR-2026-AVI-0130
Vulnerability from certfr_avis - Published: 2026-02-06 - Updated: 2026-02-06
De multiples vulnérabilités ont été découvertes dans le noyau Linux de Red Hat. Certaines d'entre elles permettent à un attaquant de provoquer une atteinte à la confidentialité des données, une atteinte à l'intégrité des données et un contournement de la politique de sécurité.
Solutions
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
Impacted products
| Vendor | Product | Description | ||
|---|---|---|---|---|
| Red Hat | N/A | Red Hat Enterprise Linux for Power, little endian - Extended Update Support 9.6 ppc64le | ||
| Red Hat | N/A | Red Hat Enterprise Linux for x86_64 9 x86_64 | ||
| Red Hat | N/A | Red Hat Enterprise Linux for Power, little endian 9 ppc64le | ||
| Red Hat | N/A | Red Hat Enterprise Linux Server - AUS 9.6 x86_64 | ||
| Red Hat | N/A | Red Hat Enterprise Linux for x86_64 - Extended Update Support 9.6 x86_64 | ||
| Red Hat | N/A | Red Hat CodeReady Linux Builder for ARM 64 - Extended Update Support 9.6 aarch64 | ||
| Red Hat | N/A | Red Hat Enterprise Linux for Real Time for x86_64 - Extended Life Cycle Support 7 x86_64 | ||
| Red Hat | N/A | Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 9.2 x86_64 | ||
| Red Hat | N/A | Red Hat Enterprise Linux for Power, little endian 8 ppc64le | ||
| Red Hat | N/A | Red Hat Enterprise Linux for IBM z Systems 8 s390x | ||
| Red Hat | N/A | Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 9.6 ppc64le | ||
| Red Hat | N/A | Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 9.6 s390x | ||
| Red Hat | N/A | Red Hat Enterprise Linux for IBM z Systems - 4 years of updates 9.0 s390x | ||
| Red Hat | N/A | Red Hat CodeReady Linux Builder for x86_64 - Extended Update Support 9.6 x86_64 | ||
| Red Hat | N/A | Red Hat CodeReady Linux Builder for ARM 64 8 aarch64 | ||
| Red Hat | N/A | Red Hat CodeReady Linux Builder for x86_64 8 x86_64 | ||
| Red Hat | N/A | Red Hat Enterprise Linux for ARM 64 9 aarch64 | ||
| Red Hat | N/A | Red Hat Enterprise Linux for ARM 64 - Extended Update Support 9.6 aarch64 | ||
| Red Hat | N/A | Red Hat Enterprise Linux Server - AUS 8.4 x86_64 | ||
| Red Hat | N/A | Red Hat Enterprise Linux for Real Time for NFV 8 x86_64 | ||
| Red Hat | N/A | Red Hat Enterprise Linux for x86_64 - Extended Update Support Extension 8.4 x86_64 | ||
| Red Hat | N/A | Red Hat Enterprise Linux for IBM z Systems - 4 years of updates 9.6 s390x | ||
| Red Hat | N/A | Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 9.0 x86_64 | ||
| Red Hat | N/A | Red Hat Enterprise Linux for ARM 64 8 aarch64 | ||
| Red Hat | N/A | Red Hat CodeReady Linux Builder for Power, little endian - Extended Update Support 9.6 ppc64le | ||
| Red Hat | N/A | Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 9.0 ppc64le | ||
| Red Hat | N/A | Red Hat Enterprise Linux for ARM 64 - 4 years of updates 9.0 aarch64 | ||
| Red Hat | N/A | Red Hat CodeReady Linux Builder for Power, little endian 9 ppc64le | ||
| Red Hat | N/A | Red Hat Enterprise Linux for ARM 64 - 4 years of updates 9.6 aarch64 | ||
| Red Hat | N/A | Red Hat CodeReady Linux Builder for IBM z Systems - Extended Update Support 9.6 s390x | ||
| Red Hat | N/A | Red Hat Enterprise Linux for IBM z Systems 9 s390x | ||
| Red Hat | N/A | Red Hat Enterprise Linux for x86_64 8 x86_64 | ||
| Red Hat | N/A | Red Hat CodeReady Linux Builder for x86_64 9 x86_64 | ||
| Red Hat | N/A | Red Hat Enterprise Linux for Real Time 8 x86_64 | ||
| Red Hat | N/A | Red Hat CodeReady Linux Builder for Power, little endian 8 ppc64le | ||
| Red Hat | N/A | Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 9.6 x86_64 | ||
| Red Hat | N/A | Red Hat CodeReady Linux Builder for ARM 64 9 aarch64 | ||
| Red Hat | N/A | Red Hat CodeReady Linux Builder for IBM z Systems 9 s390x |
References
| Title | Publication Time | Tags | ||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Red Hat Enterprise Linux for Power, little endian - Extended Update Support 9.6 ppc64le",
"product": {
"name": "N/A",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for x86_64 9 x86_64",
"product": {
"name": "N/A",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for Power, little endian 9 ppc64le",
"product": {
"name": "N/A",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux Server - AUS 9.6 x86_64",
"product": {
"name": "N/A",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for x86_64 - Extended Update Support 9.6 x86_64",
"product": {
"name": "N/A",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat CodeReady Linux Builder for ARM 64 - Extended Update Support 9.6 aarch64",
"product": {
"name": "N/A",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for Real Time for x86_64 - Extended Life Cycle Support 7 x86_64",
"product": {
"name": "N/A",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 9.2 x86_64",
"product": {
"name": "N/A",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for Power, little endian 8 ppc64le",
"product": {
"name": "N/A",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for IBM z Systems 8 s390x",
"product": {
"name": "N/A",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 9.6 ppc64le",
"product": {
"name": "N/A",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 9.6 s390x",
"product": {
"name": "N/A",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for IBM z Systems - 4 years of updates 9.0 s390x",
"product": {
"name": "N/A",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat CodeReady Linux Builder for x86_64 - Extended Update Support 9.6 x86_64",
"product": {
"name": "N/A",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat CodeReady Linux Builder for ARM 64 8 aarch64",
"product": {
"name": "N/A",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat CodeReady Linux Builder for x86_64 8 x86_64",
"product": {
"name": "N/A",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for ARM 64 9 aarch64",
"product": {
"name": "N/A",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for ARM 64 - Extended Update Support 9.6 aarch64",
"product": {
"name": "N/A",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux Server - AUS 8.4 x86_64",
"product": {
"name": "N/A",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for Real Time for NFV 8 x86_64",
"product": {
"name": "N/A",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for x86_64 - Extended Update Support Extension 8.4 x86_64",
"product": {
"name": "N/A",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for IBM z Systems - 4 years of updates 9.6 s390x",
"product": {
"name": "N/A",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 9.0 x86_64",
"product": {
"name": "N/A",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for ARM 64 8 aarch64",
"product": {
"name": "N/A",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat CodeReady Linux Builder for Power, little endian - Extended Update Support 9.6 ppc64le",
"product": {
"name": "N/A",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 9.0 ppc64le",
"product": {
"name": "N/A",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for ARM 64 - 4 years of updates 9.0 aarch64",
"product": {
"name": "N/A",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat CodeReady Linux Builder for Power, little endian 9 ppc64le",
"product": {
"name": "N/A",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for ARM 64 - 4 years of updates 9.6 aarch64",
"product": {
"name": "N/A",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat CodeReady Linux Builder for IBM z Systems - Extended Update Support 9.6 s390x",
"product": {
"name": "N/A",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for IBM z Systems 9 s390x",
"product": {
"name": "N/A",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for x86_64 8 x86_64",
"product": {
"name": "N/A",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat CodeReady Linux Builder for x86_64 9 x86_64",
"product": {
"name": "N/A",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for Real Time 8 x86_64",
"product": {
"name": "N/A",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat CodeReady Linux Builder for Power, little endian 8 ppc64le",
"product": {
"name": "N/A",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 9.6 x86_64",
"product": {
"name": "N/A",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat CodeReady Linux Builder for ARM 64 9 aarch64",
"product": {
"name": "N/A",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat CodeReady Linux Builder for IBM z Systems 9 s390x",
"product": {
"name": "N/A",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
}
],
"affected_systems_content": "",
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [
{
"name": "CVE-2023-53034",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53034"
},
{
"name": "CVE-2025-40251",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40251"
},
{
"name": "CVE-2025-37789",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-37789"
},
{
"name": "CVE-2022-50341",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50341"
},
{
"name": "CVE-2025-38022",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38022"
},
{
"name": "CVE-2025-40322",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40322"
},
{
"name": "CVE-2025-38459",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38459"
},
{
"name": "CVE-2025-40271",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40271"
},
{
"name": "CVE-2025-39898",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39898"
},
{
"name": "CVE-2025-40277",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40277"
},
{
"name": "CVE-2025-38024",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38024"
},
{
"name": "CVE-2025-38568",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38568"
},
{
"name": "CVE-2023-53539",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53539"
},
{
"name": "CVE-2025-39760",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39760"
},
{
"name": "CVE-2025-39971",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39971"
},
{
"name": "CVE-2025-40154",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40154"
},
{
"name": "CVE-2023-53751",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53751"
},
{
"name": "CVE-2025-38415",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38415"
},
{
"name": "CVE-2022-50865",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50865"
},
{
"name": "CVE-2022-49581",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49581"
},
{
"name": "CVE-2025-40248",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40248"
},
{
"name": "CVE-2022-49290",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49290"
},
{
"name": "CVE-2022-49667",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49667"
},
{
"name": "CVE-2025-68301",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68301"
},
{
"name": "CVE-2025-21863",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21863"
},
{
"name": "CVE-2025-38051",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38051"
},
{
"name": "CVE-2025-40258",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40258"
},
{
"name": "CVE-2024-26766",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26766"
},
{
"name": "CVE-2025-37849",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-37849"
}
],
"initial_release_date": "2026-02-06T00:00:00",
"last_revision_date": "2026-02-06T00:00:00",
"links": [],
"reference": "CERTFR-2026-AVI-0130",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2026-02-06T00:00:00.000000"
}
],
"risks": [
{
"description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
},
{
"description": "D\u00e9ni de service"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans le noyau Linux de Red Hat. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer une atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es, une atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es et un contournement de la politique de s\u00e9curit\u00e9.",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans le noyau Linux de Red Hat",
"vendor_advisories": [
{
"published_at": "2026-02-04",
"title": "Bulletin de s\u00e9curit\u00e9 Red Hat RHSA-2026:1886",
"url": "https://access.redhat.com/errata/RHSA-2026:1886"
},
{
"published_at": "2026-02-02",
"title": "Bulletin de s\u00e9curit\u00e9 Red Hat RHSA-2026:1662",
"url": "https://access.redhat.com/errata/RHSA-2026:1662"
},
{
"published_at": "2026-02-04",
"title": "Bulletin de s\u00e9curit\u00e9 Red Hat RHSA-2026:1946",
"url": "https://access.redhat.com/errata/RHSA-2026:1946"
},
{
"published_at": "2026-02-02",
"title": "Bulletin de s\u00e9curit\u00e9 Red Hat RHSA-2026:1617",
"url": "https://access.redhat.com/errata/RHSA-2026:1617"
},
{
"published_at": "2026-02-02",
"title": "Bulletin de s\u00e9curit\u00e9 Red Hat RHSA-2026:1703",
"url": "https://access.redhat.com/errata/RHSA-2026:1703"
},
{
"published_at": "2026-02-02",
"title": "Bulletin de s\u00e9curit\u00e9 Red Hat RHSA-2026:1623",
"url": "https://access.redhat.com/errata/RHSA-2026:1623"
},
{
"published_at": "2026-01-28",
"title": "Bulletin de s\u00e9curit\u00e9 Red Hat RHSA-2026:1494",
"url": "https://access.redhat.com/errata/RHSA-2026:1494"
},
{
"published_at": "2026-02-02",
"title": "Bulletin de s\u00e9curit\u00e9 Red Hat RHSA-2026:1661",
"url": "https://access.redhat.com/errata/RHSA-2026:1661"
}
]
}
CVE-2022-49290 (GCVE-0-2022-49290)
Vulnerability from cvelistv5 – Published: 2025-02-26 01:56 – Updated: 2026-05-11 18:56
VLAI?
EPSS
Title
mac80211: fix potential double free on mesh join
Summary
In the Linux kernel, the following vulnerability has been resolved:
mac80211: fix potential double free on mesh join
While commit 6a01afcf8468 ("mac80211: mesh: Free ie data when leaving
mesh") fixed a memory leak on mesh leave / teardown it introduced a
potential memory corruption caused by a double free when rejoining the
mesh:
ieee80211_leave_mesh()
-> kfree(sdata->u.mesh.ie);
...
ieee80211_join_mesh()
-> copy_mesh_setup()
-> old_ie = ifmsh->ie;
-> kfree(old_ie);
This double free / kernel panics can be reproduced by using wpa_supplicant
with an encrypted mesh (if set up without encryption via "iw" then
ifmsh->ie is always NULL, which avoids this issue). And then calling:
$ iw dev mesh0 mesh leave
$ iw dev mesh0 mesh join my-mesh
Note that typically these commands are not used / working when using
wpa_supplicant. And it seems that wpa_supplicant or wpa_cli are going
through a NETDEV_DOWN/NETDEV_UP cycle between a mesh leave and mesh join
where the NETDEV_UP resets the mesh.ie to NULL via a memcpy of
default_mesh_setup in cfg80211_netdev_notifier_call, which then avoids
the memory corruption, too.
The issue was first observed in an application which was not using
wpa_supplicant but "Senf" instead, which implements its own calls to
nl80211.
Fixing the issue by removing the kfree()'ing of the mesh IE in the mesh
join function and leaving it solely up to the mesh leave to free the
mesh IE.
Severity ?
7.8 (High)
CWE
- CWE-415 - Double Free
Assigner
References
9 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
3212d6248faf0efce6b7a718e198feecce0eea05 , < 615716af8644813355e014314a0bc1e961250f5a
(git)
Affected: 86e7d4cd2ed5f4b0188afce8199faffcf1ae7c7e , < c1d9c3628ef0a0ca197595d0f9e01cd3b5dda186 (git) Affected: 37bccfa89559a70c044b5ccde3c916a91388e14a , < 273ebddc5fda2967492cb0b6cdd7d81cfb821b76 (git) Affected: 3f15e3e62c80e180282f0cbc5559264e11c328b7 , < 3bbd0000d012f92aec423b224784fbf0f7bf40f8 (git) Affected: 6a01afcf8468d3ca2bd8bbb27503f60dcf643b20 , < 5d3ff9542a40ce034416bca03864709540a36016 (git) Affected: 6a01afcf8468d3ca2bd8bbb27503f60dcf643b20 , < 12e407a8ef17623823fd0c066fbd7f103953d28d (git) Affected: 6a01afcf8468d3ca2bd8bbb27503f60dcf643b20 , < 582d8c60c0c053684f7138875e8150d5749ffc17 (git) Affected: 6a01afcf8468d3ca2bd8bbb27503f60dcf643b20 , < 46bb87d40683337757a2f902fcd4244b32bb4e86 (git) Affected: 6a01afcf8468d3ca2bd8bbb27503f60dcf643b20 , < 4a2d4496e15ea5bb5c8e83b94ca8ca7fb045e7d3 (git) Affected: 12e9cb1e7c93413112260991d094cfda712fdc97 (git) Affected: 4f3193e08602462a806e8f53212e79c60a6f7488 (git) |
|
| Linux | Linux |
Affected:
5.8
Unaffected: 0 , < 5.8 (semver) Unaffected: 4.9.309 , ≤ 4.9.* (semver) Unaffected: 4.14.274 , ≤ 4.14.* (semver) Unaffected: 4.19.237 , ≤ 4.19.* (semver) Unaffected: 5.4.188 , ≤ 5.4.* (semver) Unaffected: 5.10.109 , ≤ 5.10.* (semver) Unaffected: 5.15.32 , ≤ 5.15.* (semver) Unaffected: 5.16.18 , ≤ 5.16.* (semver) Unaffected: 5.17.1 , ≤ 5.17.* (semver) Unaffected: 5.18 , ≤ * (original_commit_for_fix) |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49290",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:45:11.938129Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-415",
"description": "CWE-415 Double Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:47:00.523Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/mac80211/cfg.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "615716af8644813355e014314a0bc1e961250f5a",
"status": "affected",
"version": "3212d6248faf0efce6b7a718e198feecce0eea05",
"versionType": "git"
},
{
"lessThan": "c1d9c3628ef0a0ca197595d0f9e01cd3b5dda186",
"status": "affected",
"version": "86e7d4cd2ed5f4b0188afce8199faffcf1ae7c7e",
"versionType": "git"
},
{
"lessThan": "273ebddc5fda2967492cb0b6cdd7d81cfb821b76",
"status": "affected",
"version": "37bccfa89559a70c044b5ccde3c916a91388e14a",
"versionType": "git"
},
{
"lessThan": "3bbd0000d012f92aec423b224784fbf0f7bf40f8",
"status": "affected",
"version": "3f15e3e62c80e180282f0cbc5559264e11c328b7",
"versionType": "git"
},
{
"lessThan": "5d3ff9542a40ce034416bca03864709540a36016",
"status": "affected",
"version": "6a01afcf8468d3ca2bd8bbb27503f60dcf643b20",
"versionType": "git"
},
{
"lessThan": "12e407a8ef17623823fd0c066fbd7f103953d28d",
"status": "affected",
"version": "6a01afcf8468d3ca2bd8bbb27503f60dcf643b20",
"versionType": "git"
},
{
"lessThan": "582d8c60c0c053684f7138875e8150d5749ffc17",
"status": "affected",
"version": "6a01afcf8468d3ca2bd8bbb27503f60dcf643b20",
"versionType": "git"
},
{
"lessThan": "46bb87d40683337757a2f902fcd4244b32bb4e86",
"status": "affected",
"version": "6a01afcf8468d3ca2bd8bbb27503f60dcf643b20",
"versionType": "git"
},
{
"lessThan": "4a2d4496e15ea5bb5c8e83b94ca8ca7fb045e7d3",
"status": "affected",
"version": "6a01afcf8468d3ca2bd8bbb27503f60dcf643b20",
"versionType": "git"
},
{
"status": "affected",
"version": "12e9cb1e7c93413112260991d094cfda712fdc97",
"versionType": "git"
},
{
"status": "affected",
"version": "4f3193e08602462a806e8f53212e79c60a6f7488",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/mac80211/cfg.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.8"
},
{
"lessThan": "5.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.309",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.274",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.237",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.188",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.109",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.32",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.16.*",
"status": "unaffected",
"version": "5.16.18",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.309",
"versionStartIncluding": "4.9.233",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.274",
"versionStartIncluding": "4.14.192",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.237",
"versionStartIncluding": "4.19.137",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.188",
"versionStartIncluding": "5.4.56",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.109",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.32",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16.18",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.1",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.4.233",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.7.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmac80211: fix potential double free on mesh join\n\nWhile commit 6a01afcf8468 (\"mac80211: mesh: Free ie data when leaving\nmesh\") fixed a memory leak on mesh leave / teardown it introduced a\npotential memory corruption caused by a double free when rejoining the\nmesh:\n\n ieee80211_leave_mesh()\n -\u003e kfree(sdata-\u003eu.mesh.ie);\n ...\n ieee80211_join_mesh()\n -\u003e copy_mesh_setup()\n -\u003e old_ie = ifmsh-\u003eie;\n -\u003e kfree(old_ie);\n\nThis double free / kernel panics can be reproduced by using wpa_supplicant\nwith an encrypted mesh (if set up without encryption via \"iw\" then\nifmsh-\u003eie is always NULL, which avoids this issue). And then calling:\n\n $ iw dev mesh0 mesh leave\n $ iw dev mesh0 mesh join my-mesh\n\nNote that typically these commands are not used / working when using\nwpa_supplicant. And it seems that wpa_supplicant or wpa_cli are going\nthrough a NETDEV_DOWN/NETDEV_UP cycle between a mesh leave and mesh join\nwhere the NETDEV_UP resets the mesh.ie to NULL via a memcpy of\ndefault_mesh_setup in cfg80211_netdev_notifier_call, which then avoids\nthe memory corruption, too.\n\nThe issue was first observed in an application which was not using\nwpa_supplicant but \"Senf\" instead, which implements its own calls to\nnl80211.\n\nFixing the issue by removing the kfree()\u0027ing of the mesh IE in the mesh\njoin function and leaving it solely up to the mesh leave to free the\nmesh IE."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T18:56:49.975Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/615716af8644813355e014314a0bc1e961250f5a"
},
{
"url": "https://git.kernel.org/stable/c/c1d9c3628ef0a0ca197595d0f9e01cd3b5dda186"
},
{
"url": "https://git.kernel.org/stable/c/273ebddc5fda2967492cb0b6cdd7d81cfb821b76"
},
{
"url": "https://git.kernel.org/stable/c/3bbd0000d012f92aec423b224784fbf0f7bf40f8"
},
{
"url": "https://git.kernel.org/stable/c/5d3ff9542a40ce034416bca03864709540a36016"
},
{
"url": "https://git.kernel.org/stable/c/12e407a8ef17623823fd0c066fbd7f103953d28d"
},
{
"url": "https://git.kernel.org/stable/c/582d8c60c0c053684f7138875e8150d5749ffc17"
},
{
"url": "https://git.kernel.org/stable/c/46bb87d40683337757a2f902fcd4244b32bb4e86"
},
{
"url": "https://git.kernel.org/stable/c/4a2d4496e15ea5bb5c8e83b94ca8ca7fb045e7d3"
}
],
"title": "mac80211: fix potential double free on mesh join",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49290",
"datePublished": "2025-02-26T01:56:27.500Z",
"dateReserved": "2025-02-26T01:49:39.302Z",
"dateUpdated": "2026-05-11T18:56:49.975Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-49581 (GCVE-0-2022-49581)
Vulnerability from cvelistv5 – Published: 2025-02-26 02:23 – Updated: 2026-05-11 19:02
VLAI?
EPSS
Title
be2net: Fix buffer overflow in be_get_module_eeprom
Summary
In the Linux kernel, the following vulnerability has been resolved:
be2net: Fix buffer overflow in be_get_module_eeprom
be_cmd_read_port_transceiver_data assumes that it is given a buffer that
is at least PAGE_DATA_LEN long, or twice that if the module supports SFF
8472. However, this is not always the case.
Fix this by passing the desired offset and length to
be_cmd_read_port_transceiver_data so that we only copy the bytes once.
Severity ?
No CVSS data available.
Assigner
References
8 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
e36edd9d26cf257511548edaf2b7a56eb4fed854 , < a5a8fc0679a8fd58d47aa2ebcfc5742631f753f9
(git)
Affected: e36edd9d26cf257511548edaf2b7a56eb4fed854 , < fe4473fc7940f14c4a12db873b9729134c212654 (git) Affected: e36edd9d26cf257511548edaf2b7a56eb4fed854 , < 8ff4f9df73e5c551a72ee6034886c17e8de6596d (git) Affected: e36edd9d26cf257511548edaf2b7a56eb4fed854 , < a8569f76df7ec5b4b51155c57523a0b356db5741 (git) Affected: e36edd9d26cf257511548edaf2b7a56eb4fed854 , < 665cbe91de2f7c97c51ca8fce39aae26477c1948 (git) Affected: e36edd9d26cf257511548edaf2b7a56eb4fed854 , < aba8ff847f4f927ad7a1a1ee4a9f29989a1a728f (git) Affected: e36edd9d26cf257511548edaf2b7a56eb4fed854 , < 18043da94c023f3ef09c15017bdb04e8f695ef10 (git) Affected: e36edd9d26cf257511548edaf2b7a56eb4fed854 , < d7241f679a59cfe27f92cb5c6272cb429fb1f7ec (git) |
|
| Linux | Linux |
Affected:
3.18
Unaffected: 0 , < 3.18 (semver) Unaffected: 4.9.325 , ≤ 4.9.* (semver) Unaffected: 4.14.290 , ≤ 4.14.* (semver) Unaffected: 4.19.254 , ≤ 4.19.* (semver) Unaffected: 5.4.208 , ≤ 5.4.* (semver) Unaffected: 5.10.134 , ≤ 5.10.* (semver) Unaffected: 5.15.58 , ≤ 5.15.* (semver) Unaffected: 5.18.15 , ≤ 5.18.* (semver) Unaffected: 5.19 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/emulex/benet/be_cmds.c",
"drivers/net/ethernet/emulex/benet/be_cmds.h",
"drivers/net/ethernet/emulex/benet/be_ethtool.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a5a8fc0679a8fd58d47aa2ebcfc5742631f753f9",
"status": "affected",
"version": "e36edd9d26cf257511548edaf2b7a56eb4fed854",
"versionType": "git"
},
{
"lessThan": "fe4473fc7940f14c4a12db873b9729134c212654",
"status": "affected",
"version": "e36edd9d26cf257511548edaf2b7a56eb4fed854",
"versionType": "git"
},
{
"lessThan": "8ff4f9df73e5c551a72ee6034886c17e8de6596d",
"status": "affected",
"version": "e36edd9d26cf257511548edaf2b7a56eb4fed854",
"versionType": "git"
},
{
"lessThan": "a8569f76df7ec5b4b51155c57523a0b356db5741",
"status": "affected",
"version": "e36edd9d26cf257511548edaf2b7a56eb4fed854",
"versionType": "git"
},
{
"lessThan": "665cbe91de2f7c97c51ca8fce39aae26477c1948",
"status": "affected",
"version": "e36edd9d26cf257511548edaf2b7a56eb4fed854",
"versionType": "git"
},
{
"lessThan": "aba8ff847f4f927ad7a1a1ee4a9f29989a1a728f",
"status": "affected",
"version": "e36edd9d26cf257511548edaf2b7a56eb4fed854",
"versionType": "git"
},
{
"lessThan": "18043da94c023f3ef09c15017bdb04e8f695ef10",
"status": "affected",
"version": "e36edd9d26cf257511548edaf2b7a56eb4fed854",
"versionType": "git"
},
{
"lessThan": "d7241f679a59cfe27f92cb5c6272cb429fb1f7ec",
"status": "affected",
"version": "e36edd9d26cf257511548edaf2b7a56eb4fed854",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/emulex/benet/be_cmds.c",
"drivers/net/ethernet/emulex/benet/be_cmds.h",
"drivers/net/ethernet/emulex/benet/be_ethtool.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.18"
},
{
"lessThan": "3.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.325",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.290",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.254",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.208",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.134",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.58",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.15",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.325",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.290",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.254",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.208",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.134",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.58",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.15",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "3.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbe2net: Fix buffer overflow in be_get_module_eeprom\n\nbe_cmd_read_port_transceiver_data assumes that it is given a buffer that\nis at least PAGE_DATA_LEN long, or twice that if the module supports SFF\n8472. However, this is not always the case.\n\nFix this by passing the desired offset and length to\nbe_cmd_read_port_transceiver_data so that we only copy the bytes once."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T19:02:42.958Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a5a8fc0679a8fd58d47aa2ebcfc5742631f753f9"
},
{
"url": "https://git.kernel.org/stable/c/fe4473fc7940f14c4a12db873b9729134c212654"
},
{
"url": "https://git.kernel.org/stable/c/8ff4f9df73e5c551a72ee6034886c17e8de6596d"
},
{
"url": "https://git.kernel.org/stable/c/a8569f76df7ec5b4b51155c57523a0b356db5741"
},
{
"url": "https://git.kernel.org/stable/c/665cbe91de2f7c97c51ca8fce39aae26477c1948"
},
{
"url": "https://git.kernel.org/stable/c/aba8ff847f4f927ad7a1a1ee4a9f29989a1a728f"
},
{
"url": "https://git.kernel.org/stable/c/18043da94c023f3ef09c15017bdb04e8f695ef10"
},
{
"url": "https://git.kernel.org/stable/c/d7241f679a59cfe27f92cb5c6272cb429fb1f7ec"
}
],
"title": "be2net: Fix buffer overflow in be_get_module_eeprom",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49581",
"datePublished": "2025-02-26T02:23:19.148Z",
"dateReserved": "2025-02-26T02:21:30.412Z",
"dateUpdated": "2026-05-11T19:02:42.958Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-49667 (GCVE-0-2022-49667)
Vulnerability from cvelistv5 – Published: 2025-02-26 02:24 – Updated: 2026-05-11 19:04
VLAI?
EPSS
Title
net: bonding: fix use-after-free after 802.3ad slave unbind
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: bonding: fix use-after-free after 802.3ad slave unbind
commit 0622cab0341c ("bonding: fix 802.3ad aggregator reselection"),
resolve case, when there is several aggregation groups in the same bond.
bond_3ad_unbind_slave will invalidate (clear) aggregator when
__agg_active_ports return zero. So, ad_clear_agg can be executed even, when
num_of_ports!=0. Than bond_3ad_unbind_slave can be executed again for,
previously cleared aggregator. NOTE: at this time bond_3ad_unbind_slave
will not update slave ports list, because lag_ports==NULL. So, here we
got slave ports, pointing to freed aggregator memory.
Fix with checking actual number of ports in group (as was before
commit 0622cab0341c ("bonding: fix 802.3ad aggregator reselection") ),
before ad_clear_agg().
The KASAN logs are as follows:
[ 767.617392] ==================================================================
[ 767.630776] BUG: KASAN: use-after-free in bond_3ad_state_machine_handler+0x13dc/0x1470
[ 767.638764] Read of size 2 at addr ffff00011ba9d430 by task kworker/u8:7/767
[ 767.647361] CPU: 3 PID: 767 Comm: kworker/u8:7 Tainted: G O 5.15.11 #15
[ 767.655329] Hardware name: DNI AmazonGo1 A7040 board (DT)
[ 767.660760] Workqueue: lacp_1 bond_3ad_state_machine_handler
[ 767.666468] Call trace:
[ 767.668930] dump_backtrace+0x0/0x2d0
[ 767.672625] show_stack+0x24/0x30
[ 767.675965] dump_stack_lvl+0x68/0x84
[ 767.679659] print_address_description.constprop.0+0x74/0x2b8
[ 767.685451] kasan_report+0x1f0/0x260
[ 767.689148] __asan_load2+0x94/0xd0
[ 767.692667] bond_3ad_state_machine_handler+0x13dc/0x1470
Severity ?
7.8 (High)
CWE
- CWE-416 - Use After Free
Assigner
References
8 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
0622cab0341cac6b30da177b0faa39fae0680e71 , < a853b7a3a9fd1d74a4ccdd9cd73512b7dace2f1e
(git)
Affected: 0622cab0341cac6b30da177b0faa39fae0680e71 , < b90ac60303063a43e17dd4aec159067599d255e6 (git) Affected: 0622cab0341cac6b30da177b0faa39fae0680e71 , < f162f7c348fa2a5555bafdb5cc890b89b221e69c (git) Affected: 0622cab0341cac6b30da177b0faa39fae0680e71 , < 893825289ba840afd86bfffcb6f7f363c73efff8 (git) Affected: 0622cab0341cac6b30da177b0faa39fae0680e71 , < 63b2fe509f69b90168a75e04e14573dccf7984e6 (git) Affected: 0622cab0341cac6b30da177b0faa39fae0680e71 , < ef0af7d08d26c5333ff4944a559279464edf6f15 (git) Affected: 0622cab0341cac6b30da177b0faa39fae0680e71 , < 2765749def4765c5052a4c66445cf4c96fcccdbc (git) Affected: 0622cab0341cac6b30da177b0faa39fae0680e71 , < 050133e1aa2cb49bb17be847d48a4431598ef562 (git) |
|
| Linux | Linux |
Affected:
4.7
Unaffected: 0 , < 4.7 (semver) Unaffected: 4.9.322 , ≤ 4.9.* (semver) Unaffected: 4.14.287 , ≤ 4.14.* (semver) Unaffected: 4.19.251 , ≤ 4.19.* (semver) Unaffected: 5.4.204 , ≤ 5.4.* (semver) Unaffected: 5.10.129 , ≤ 5.10.* (semver) Unaffected: 5.15.53 , ≤ 5.15.* (semver) Unaffected: 5.18.10 , ≤ 5.18.* (semver) Unaffected: 5.19 , ≤ * (original_commit_for_fix) |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49667",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-27T18:15:14.271545Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-27T18:22:31.234Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/bonding/bond_3ad.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a853b7a3a9fd1d74a4ccdd9cd73512b7dace2f1e",
"status": "affected",
"version": "0622cab0341cac6b30da177b0faa39fae0680e71",
"versionType": "git"
},
{
"lessThan": "b90ac60303063a43e17dd4aec159067599d255e6",
"status": "affected",
"version": "0622cab0341cac6b30da177b0faa39fae0680e71",
"versionType": "git"
},
{
"lessThan": "f162f7c348fa2a5555bafdb5cc890b89b221e69c",
"status": "affected",
"version": "0622cab0341cac6b30da177b0faa39fae0680e71",
"versionType": "git"
},
{
"lessThan": "893825289ba840afd86bfffcb6f7f363c73efff8",
"status": "affected",
"version": "0622cab0341cac6b30da177b0faa39fae0680e71",
"versionType": "git"
},
{
"lessThan": "63b2fe509f69b90168a75e04e14573dccf7984e6",
"status": "affected",
"version": "0622cab0341cac6b30da177b0faa39fae0680e71",
"versionType": "git"
},
{
"lessThan": "ef0af7d08d26c5333ff4944a559279464edf6f15",
"status": "affected",
"version": "0622cab0341cac6b30da177b0faa39fae0680e71",
"versionType": "git"
},
{
"lessThan": "2765749def4765c5052a4c66445cf4c96fcccdbc",
"status": "affected",
"version": "0622cab0341cac6b30da177b0faa39fae0680e71",
"versionType": "git"
},
{
"lessThan": "050133e1aa2cb49bb17be847d48a4431598ef562",
"status": "affected",
"version": "0622cab0341cac6b30da177b0faa39fae0680e71",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/bonding/bond_3ad.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.7"
},
{
"lessThan": "4.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.322",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.287",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.251",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.204",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.129",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.322",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.287",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.251",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.204",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.129",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.53",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.10",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "4.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: bonding: fix use-after-free after 802.3ad slave unbind\n\ncommit 0622cab0341c (\"bonding: fix 802.3ad aggregator reselection\"),\nresolve case, when there is several aggregation groups in the same bond.\nbond_3ad_unbind_slave will invalidate (clear) aggregator when\n__agg_active_ports return zero. So, ad_clear_agg can be executed even, when\nnum_of_ports!=0. Than bond_3ad_unbind_slave can be executed again for,\npreviously cleared aggregator. NOTE: at this time bond_3ad_unbind_slave\nwill not update slave ports list, because lag_ports==NULL. So, here we\ngot slave ports, pointing to freed aggregator memory.\n\nFix with checking actual number of ports in group (as was before\ncommit 0622cab0341c (\"bonding: fix 802.3ad aggregator reselection\") ),\nbefore ad_clear_agg().\n\nThe KASAN logs are as follows:\n\n[ 767.617392] ==================================================================\n[ 767.630776] BUG: KASAN: use-after-free in bond_3ad_state_machine_handler+0x13dc/0x1470\n[ 767.638764] Read of size 2 at addr ffff00011ba9d430 by task kworker/u8:7/767\n[ 767.647361] CPU: 3 PID: 767 Comm: kworker/u8:7 Tainted: G O 5.15.11 #15\n[ 767.655329] Hardware name: DNI AmazonGo1 A7040 board (DT)\n[ 767.660760] Workqueue: lacp_1 bond_3ad_state_machine_handler\n[ 767.666468] Call trace:\n[ 767.668930] dump_backtrace+0x0/0x2d0\n[ 767.672625] show_stack+0x24/0x30\n[ 767.675965] dump_stack_lvl+0x68/0x84\n[ 767.679659] print_address_description.constprop.0+0x74/0x2b8\n[ 767.685451] kasan_report+0x1f0/0x260\n[ 767.689148] __asan_load2+0x94/0xd0\n[ 767.692667] bond_3ad_state_machine_handler+0x13dc/0x1470"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T19:04:21.836Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a853b7a3a9fd1d74a4ccdd9cd73512b7dace2f1e"
},
{
"url": "https://git.kernel.org/stable/c/b90ac60303063a43e17dd4aec159067599d255e6"
},
{
"url": "https://git.kernel.org/stable/c/f162f7c348fa2a5555bafdb5cc890b89b221e69c"
},
{
"url": "https://git.kernel.org/stable/c/893825289ba840afd86bfffcb6f7f363c73efff8"
},
{
"url": "https://git.kernel.org/stable/c/63b2fe509f69b90168a75e04e14573dccf7984e6"
},
{
"url": "https://git.kernel.org/stable/c/ef0af7d08d26c5333ff4944a559279464edf6f15"
},
{
"url": "https://git.kernel.org/stable/c/2765749def4765c5052a4c66445cf4c96fcccdbc"
},
{
"url": "https://git.kernel.org/stable/c/050133e1aa2cb49bb17be847d48a4431598ef562"
}
],
"title": "net: bonding: fix use-after-free after 802.3ad slave unbind",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49667",
"datePublished": "2025-02-26T02:24:01.818Z",
"dateReserved": "2025-02-26T02:21:30.436Z",
"dateUpdated": "2026-05-11T19:04:21.836Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50341 (GCVE-0-2022-50341)
Vulnerability from cvelistv5 – Published: 2025-09-16 16:11 – Updated: 2026-05-11 19:17
VLAI?
EPSS
Title
cifs: fix oops during encryption
Summary
In the Linux kernel, the following vulnerability has been resolved:
cifs: fix oops during encryption
When running xfstests against Azure the following oops occurred on an
arm64 system
Unable to handle kernel write to read-only memory at virtual address
ffff0001221cf000
Mem abort info:
ESR = 0x9600004f
EC = 0x25: DABT (current EL), IL = 32 bits
SET = 0, FnV = 0
EA = 0, S1PTW = 0
FSC = 0x0f: level 3 permission fault
Data abort info:
ISV = 0, ISS = 0x0000004f
CM = 0, WnR = 1
swapper pgtable: 4k pages, 48-bit VAs, pgdp=00000000294f3000
[ffff0001221cf000] pgd=18000001ffff8003, p4d=18000001ffff8003,
pud=18000001ff82e003, pmd=18000001ff71d003, pte=00600001221cf787
Internal error: Oops: 9600004f [#1] PREEMPT SMP
...
pstate: 80000005 (Nzcv daif -PAN -UAO -TCO BTYPE=--)
pc : __memcpy+0x40/0x230
lr : scatterwalk_copychunks+0xe0/0x200
sp : ffff800014e92de0
x29: ffff800014e92de0 x28: ffff000114f9de80 x27: 0000000000000008
x26: 0000000000000008 x25: ffff800014e92e78 x24: 0000000000000008
x23: 0000000000000001 x22: 0000040000000000 x21: ffff000000000000
x20: 0000000000000001 x19: ffff0001037c4488 x18: 0000000000000014
x17: 235e1c0d6efa9661 x16: a435f9576b6edd6c x15: 0000000000000058
x14: 0000000000000001 x13: 0000000000000008 x12: ffff000114f2e590
x11: ffffffffffffffff x10: 0000040000000000 x9 : ffff8000105c3580
x8 : 2e9413b10000001a x7 : 534b4410fb86b005 x6 : 534b4410fb86b005
x5 : ffff0001221cf008 x4 : ffff0001037c4490 x3 : 0000000000000001
x2 : 0000000000000008 x1 : ffff0001037c4488 x0 : ffff0001221cf000
Call trace:
__memcpy+0x40/0x230
scatterwalk_map_and_copy+0x98/0x100
crypto_ccm_encrypt+0x150/0x180
crypto_aead_encrypt+0x2c/0x40
crypt_message+0x750/0x880
smb3_init_transform_rq+0x298/0x340
smb_send_rqst.part.11+0xd8/0x180
smb_send_rqst+0x3c/0x100
compound_send_recv+0x534/0xbc0
smb2_query_info_compound+0x32c/0x440
smb2_set_ea+0x438/0x4c0
cifs_xattr_set+0x5d4/0x7c0
This is because in scatterwalk_copychunks(), we attempted to write to
a buffer (@sign) that was allocated in the stack (vmalloc area) by
crypt_message() and thus accessing its remaining 8 (x2) bytes ended up
crossing a page boundary.
To simply fix it, we could just pass @sign kmalloc'd from
crypt_message() and then we're done. Luckily, we don't seem to pass
any other vmalloc'd buffers in smb_rqst::rq_iov...
Instead, let's map the correct pages and offsets from vmalloc buffers
as well in cifs_sg_set_buf() and then avoiding such oopses.
Severity ?
5.5 (Medium)
Assigner
References
6 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
026e93dc0a3eefb0be060bcb9ecd8d7a7fd5c398 , < e8e2861cc3258dbe407d01ea8c59bb5a53132301
(git)
Affected: 026e93dc0a3eefb0be060bcb9ecd8d7a7fd5c398 , < fe6ea044c4f05706cb71040055b1c70c6c8275e0 (git) Affected: 026e93dc0a3eefb0be060bcb9ecd8d7a7fd5c398 , < bf0543b93740916ee91956f9a63da6fc0d79daaa (git) Affected: 026e93dc0a3eefb0be060bcb9ecd8d7a7fd5c398 , < a13e51760703f71c25d5fc1f4a62dfa4b0cc80e9 (git) Affected: 026e93dc0a3eefb0be060bcb9ecd8d7a7fd5c398 , < e8d16a54842d609fd4a3ed2d81d4333d6329aa94 (git) Affected: 026e93dc0a3eefb0be060bcb9ecd8d7a7fd5c398 , < f7f291e14dde32a07b1f0aa06921d28f875a7b54 (git) |
|
| Linux | Linux |
Affected:
4.11
Unaffected: 0 , < 4.11 (semver) Unaffected: 5.4.229 , ≤ 5.4.* (semver) Unaffected: 5.10.163 , ≤ 5.10.* (semver) Unaffected: 5.15.87 , ≤ 5.15.* (semver) Unaffected: 6.0.16 , ≤ 6.0.* (semver) Unaffected: 6.1.1 , ≤ 6.1.* (semver) Unaffected: 6.2 , ≤ * (original_commit_for_fix) |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-50341",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-14T18:19:48.496611Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-noinfo Not enough information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-14T18:22:57.726Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/cifs/cifsglob.h",
"fs/cifs/cifsproto.h",
"fs/cifs/misc.c",
"fs/cifs/smb2ops.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e8e2861cc3258dbe407d01ea8c59bb5a53132301",
"status": "affected",
"version": "026e93dc0a3eefb0be060bcb9ecd8d7a7fd5c398",
"versionType": "git"
},
{
"lessThan": "fe6ea044c4f05706cb71040055b1c70c6c8275e0",
"status": "affected",
"version": "026e93dc0a3eefb0be060bcb9ecd8d7a7fd5c398",
"versionType": "git"
},
{
"lessThan": "bf0543b93740916ee91956f9a63da6fc0d79daaa",
"status": "affected",
"version": "026e93dc0a3eefb0be060bcb9ecd8d7a7fd5c398",
"versionType": "git"
},
{
"lessThan": "a13e51760703f71c25d5fc1f4a62dfa4b0cc80e9",
"status": "affected",
"version": "026e93dc0a3eefb0be060bcb9ecd8d7a7fd5c398",
"versionType": "git"
},
{
"lessThan": "e8d16a54842d609fd4a3ed2d81d4333d6329aa94",
"status": "affected",
"version": "026e93dc0a3eefb0be060bcb9ecd8d7a7fd5c398",
"versionType": "git"
},
{
"lessThan": "f7f291e14dde32a07b1f0aa06921d28f875a7b54",
"status": "affected",
"version": "026e93dc0a3eefb0be060bcb9ecd8d7a7fd5c398",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/cifs/cifsglob.h",
"fs/cifs/cifsproto.h",
"fs/cifs/misc.c",
"fs/cifs/smb2ops.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.11"
},
{
"lessThan": "4.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.229",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.87",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.229",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.163",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.87",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.16",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.1",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "4.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncifs: fix oops during encryption\n\nWhen running xfstests against Azure the following oops occurred on an\narm64 system\n\n Unable to handle kernel write to read-only memory at virtual address\n ffff0001221cf000\n Mem abort info:\n ESR = 0x9600004f\n EC = 0x25: DABT (current EL), IL = 32 bits\n SET = 0, FnV = 0\n EA = 0, S1PTW = 0\n FSC = 0x0f: level 3 permission fault\n Data abort info:\n ISV = 0, ISS = 0x0000004f\n CM = 0, WnR = 1\n swapper pgtable: 4k pages, 48-bit VAs, pgdp=00000000294f3000\n [ffff0001221cf000] pgd=18000001ffff8003, p4d=18000001ffff8003,\n pud=18000001ff82e003, pmd=18000001ff71d003, pte=00600001221cf787\n Internal error: Oops: 9600004f [#1] PREEMPT SMP\n ...\n pstate: 80000005 (Nzcv daif -PAN -UAO -TCO BTYPE=--)\n pc : __memcpy+0x40/0x230\n lr : scatterwalk_copychunks+0xe0/0x200\n sp : ffff800014e92de0\n x29: ffff800014e92de0 x28: ffff000114f9de80 x27: 0000000000000008\n x26: 0000000000000008 x25: ffff800014e92e78 x24: 0000000000000008\n x23: 0000000000000001 x22: 0000040000000000 x21: ffff000000000000\n x20: 0000000000000001 x19: ffff0001037c4488 x18: 0000000000000014\n x17: 235e1c0d6efa9661 x16: a435f9576b6edd6c x15: 0000000000000058\n x14: 0000000000000001 x13: 0000000000000008 x12: ffff000114f2e590\n x11: ffffffffffffffff x10: 0000040000000000 x9 : ffff8000105c3580\n x8 : 2e9413b10000001a x7 : 534b4410fb86b005 x6 : 534b4410fb86b005\n x5 : ffff0001221cf008 x4 : ffff0001037c4490 x3 : 0000000000000001\n x2 : 0000000000000008 x1 : ffff0001037c4488 x0 : ffff0001221cf000\n Call trace:\n __memcpy+0x40/0x230\n scatterwalk_map_and_copy+0x98/0x100\n crypto_ccm_encrypt+0x150/0x180\n crypto_aead_encrypt+0x2c/0x40\n crypt_message+0x750/0x880\n smb3_init_transform_rq+0x298/0x340\n smb_send_rqst.part.11+0xd8/0x180\n smb_send_rqst+0x3c/0x100\n compound_send_recv+0x534/0xbc0\n smb2_query_info_compound+0x32c/0x440\n smb2_set_ea+0x438/0x4c0\n cifs_xattr_set+0x5d4/0x7c0\n\nThis is because in scatterwalk_copychunks(), we attempted to write to\na buffer (@sign) that was allocated in the stack (vmalloc area) by\ncrypt_message() and thus accessing its remaining 8 (x2) bytes ended up\ncrossing a page boundary.\n\nTo simply fix it, we could just pass @sign kmalloc\u0027d from\ncrypt_message() and then we\u0027re done. Luckily, we don\u0027t seem to pass\nany other vmalloc\u0027d buffers in smb_rqst::rq_iov...\n\nInstead, let\u0027s map the correct pages and offsets from vmalloc buffers\nas well in cifs_sg_set_buf() and then avoiding such oopses."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T19:17:33.655Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e8e2861cc3258dbe407d01ea8c59bb5a53132301"
},
{
"url": "https://git.kernel.org/stable/c/fe6ea044c4f05706cb71040055b1c70c6c8275e0"
},
{
"url": "https://git.kernel.org/stable/c/bf0543b93740916ee91956f9a63da6fc0d79daaa"
},
{
"url": "https://git.kernel.org/stable/c/a13e51760703f71c25d5fc1f4a62dfa4b0cc80e9"
},
{
"url": "https://git.kernel.org/stable/c/e8d16a54842d609fd4a3ed2d81d4333d6329aa94"
},
{
"url": "https://git.kernel.org/stable/c/f7f291e14dde32a07b1f0aa06921d28f875a7b54"
}
],
"title": "cifs: fix oops during encryption",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50341",
"datePublished": "2025-09-16T16:11:20.838Z",
"dateReserved": "2025-09-16T16:03:27.881Z",
"dateUpdated": "2026-05-11T19:17:33.655Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50865 (GCVE-0-2022-50865)
Vulnerability from cvelistv5 – Published: 2025-12-30 12:15 – Updated: 2026-05-11 19:26
VLAI?
EPSS
Title
tcp: fix a signed-integer-overflow bug in tcp_add_backlog()
Summary
In the Linux kernel, the following vulnerability has been resolved:
tcp: fix a signed-integer-overflow bug in tcp_add_backlog()
The type of sk_rcvbuf and sk_sndbuf in struct sock is int, and
in tcp_add_backlog(), the variable limit is caculated by adding
sk_rcvbuf, sk_sndbuf and 64 * 1024, it may exceed the max value
of int and overflow. This patch reduces the limit budget by
halving the sndbuf to solve this issue since ACK packets are much
smaller than the payload.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
c9c3321257e1b95be9b375f811fb250162af8d39 , < 9d04b4d0feee12bce6bfe37f30d8e953d3c30368
(git)
Affected: c9c3321257e1b95be9b375f811fb250162af8d39 , < 4f23cb2be530785db284a685d1b1c30224d8a538 (git) Affected: c9c3321257e1b95be9b375f811fb250162af8d39 , < a85d39f14aa8a71e29cfb5eb5de02878a8779898 (git) Affected: c9c3321257e1b95be9b375f811fb250162af8d39 , < 28addf029417d53b1df062b4c87feb7bc033cb5f (git) Affected: c9c3321257e1b95be9b375f811fb250162af8d39 , < ec791d8149ff60c40ad2074af3b92a39c916a03f (git) |
|
| Linux | Linux |
Affected:
4.9
Unaffected: 0 , < 4.9 (semver) Unaffected: 5.4.278 , ≤ 5.4.* (semver) Unaffected: 5.10.153 , ≤ 5.10.* (semver) Unaffected: 5.15.77 , ≤ 5.15.* (semver) Unaffected: 6.0.7 , ≤ 6.0.* (semver) Unaffected: 6.1 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ipv4/tcp_ipv4.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "9d04b4d0feee12bce6bfe37f30d8e953d3c30368",
"status": "affected",
"version": "c9c3321257e1b95be9b375f811fb250162af8d39",
"versionType": "git"
},
{
"lessThan": "4f23cb2be530785db284a685d1b1c30224d8a538",
"status": "affected",
"version": "c9c3321257e1b95be9b375f811fb250162af8d39",
"versionType": "git"
},
{
"lessThan": "a85d39f14aa8a71e29cfb5eb5de02878a8779898",
"status": "affected",
"version": "c9c3321257e1b95be9b375f811fb250162af8d39",
"versionType": "git"
},
{
"lessThan": "28addf029417d53b1df062b4c87feb7bc033cb5f",
"status": "affected",
"version": "c9c3321257e1b95be9b375f811fb250162af8d39",
"versionType": "git"
},
{
"lessThan": "ec791d8149ff60c40ad2074af3b92a39c916a03f",
"status": "affected",
"version": "c9c3321257e1b95be9b375f811fb250162af8d39",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ipv4/tcp_ipv4.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.9"
},
{
"lessThan": "4.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.278",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.153",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.77",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.278",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.153",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.77",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.7",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1",
"versionStartIncluding": "4.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntcp: fix a signed-integer-overflow bug in tcp_add_backlog()\n\nThe type of sk_rcvbuf and sk_sndbuf in struct sock is int, and\nin tcp_add_backlog(), the variable limit is caculated by adding\nsk_rcvbuf, sk_sndbuf and 64 * 1024, it may exceed the max value\nof int and overflow. This patch reduces the limit budget by\nhalving the sndbuf to solve this issue since ACK packets are much\nsmaller than the payload."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T19:26:37.091Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/9d04b4d0feee12bce6bfe37f30d8e953d3c30368"
},
{
"url": "https://git.kernel.org/stable/c/4f23cb2be530785db284a685d1b1c30224d8a538"
},
{
"url": "https://git.kernel.org/stable/c/a85d39f14aa8a71e29cfb5eb5de02878a8779898"
},
{
"url": "https://git.kernel.org/stable/c/28addf029417d53b1df062b4c87feb7bc033cb5f"
},
{
"url": "https://git.kernel.org/stable/c/ec791d8149ff60c40ad2074af3b92a39c916a03f"
}
],
"title": "tcp: fix a signed-integer-overflow bug in tcp_add_backlog()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50865",
"datePublished": "2025-12-30T12:15:37.150Z",
"dateReserved": "2025-12-30T12:06:07.136Z",
"dateUpdated": "2026-05-11T19:26:37.091Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53034 (GCVE-0-2023-53034)
Vulnerability from cvelistv5 – Published: 2025-04-16 14:11 – Updated: 2026-05-11 19:37
VLAI?
EPSS
Title
ntb_hw_switchtec: Fix shift-out-of-bounds in switchtec_ntb_mw_set_trans
Summary
In the Linux kernel, the following vulnerability has been resolved:
ntb_hw_switchtec: Fix shift-out-of-bounds in switchtec_ntb_mw_set_trans
There is a kernel API ntb_mw_clear_trans() would pass 0 to both addr and
size. This would make xlate_pos negative.
[ 23.734156] switchtec switchtec0: MW 0: part 0 addr 0x0000000000000000 size 0x0000000000000000
[ 23.734158] ================================================================================
[ 23.734172] UBSAN: shift-out-of-bounds in drivers/ntb/hw/mscc/ntb_hw_switchtec.c:293:7
[ 23.734418] shift exponent -1 is negative
Ensuring xlate_pos is a positive or zero before BIT.
Severity ?
No CVSS data available.
Assigner
References
9 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
1e2fd202f8593985cdadca32e0c322f98e7fe7cb , < f56951f211f181410a383d305e8d370993e45294
(git)
Affected: 1e2fd202f8593985cdadca32e0c322f98e7fe7cb , < 5b6857bb3bfb0dae17fab1e42c1e82c204a508b1 (git) Affected: 1e2fd202f8593985cdadca32e0c322f98e7fe7cb , < 2429bdf26a0f3950fdd996861e9c1a3873af1dbe (git) Affected: 1e2fd202f8593985cdadca32e0c322f98e7fe7cb , < 7ed22f8d8be26225a78cf5e85b2036421a6bf2d5 (git) Affected: 1e2fd202f8593985cdadca32e0c322f98e7fe7cb , < c61a3f2df162ba424be0141649a9ef5f28eaccc1 (git) Affected: 1e2fd202f8593985cdadca32e0c322f98e7fe7cb , < cb153bdc1812a3375639ed6ca5f147eaefb65349 (git) Affected: 1e2fd202f8593985cdadca32e0c322f98e7fe7cb , < 36d32cfb00d42e865396424bb5d340fc0a28870d (git) Affected: 1e2fd202f8593985cdadca32e0c322f98e7fe7cb , < 0df2e03e4620548b41891b4e0d1bd9d2e0d8a39a (git) Affected: 1e2fd202f8593985cdadca32e0c322f98e7fe7cb , < de203da734fae00e75be50220ba5391e7beecdf9 (git) |
|
| Linux | Linux |
Affected:
4.16
Unaffected: 0 , < 4.16 (semver) Unaffected: 5.4.292 , ≤ 5.4.* (semver) Unaffected: 5.10.236 , ≤ 5.10.* (semver) Unaffected: 5.15.180 , ≤ 5.15.* (semver) Unaffected: 6.1.134 , ≤ 6.1.* (semver) Unaffected: 6.6.87 , ≤ 6.6.* (semver) Unaffected: 6.12.23 , ≤ 6.12.* (semver) Unaffected: 6.13.11 , ≤ 6.13.* (semver) Unaffected: 6.14.2 , ≤ 6.14.* (semver) Unaffected: 6.15 , ≤ * (original_commit_for_fix) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:28:57.581Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/ntb/hw/mscc/ntb_hw_switchtec.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f56951f211f181410a383d305e8d370993e45294",
"status": "affected",
"version": "1e2fd202f8593985cdadca32e0c322f98e7fe7cb",
"versionType": "git"
},
{
"lessThan": "5b6857bb3bfb0dae17fab1e42c1e82c204a508b1",
"status": "affected",
"version": "1e2fd202f8593985cdadca32e0c322f98e7fe7cb",
"versionType": "git"
},
{
"lessThan": "2429bdf26a0f3950fdd996861e9c1a3873af1dbe",
"status": "affected",
"version": "1e2fd202f8593985cdadca32e0c322f98e7fe7cb",
"versionType": "git"
},
{
"lessThan": "7ed22f8d8be26225a78cf5e85b2036421a6bf2d5",
"status": "affected",
"version": "1e2fd202f8593985cdadca32e0c322f98e7fe7cb",
"versionType": "git"
},
{
"lessThan": "c61a3f2df162ba424be0141649a9ef5f28eaccc1",
"status": "affected",
"version": "1e2fd202f8593985cdadca32e0c322f98e7fe7cb",
"versionType": "git"
},
{
"lessThan": "cb153bdc1812a3375639ed6ca5f147eaefb65349",
"status": "affected",
"version": "1e2fd202f8593985cdadca32e0c322f98e7fe7cb",
"versionType": "git"
},
{
"lessThan": "36d32cfb00d42e865396424bb5d340fc0a28870d",
"status": "affected",
"version": "1e2fd202f8593985cdadca32e0c322f98e7fe7cb",
"versionType": "git"
},
{
"lessThan": "0df2e03e4620548b41891b4e0d1bd9d2e0d8a39a",
"status": "affected",
"version": "1e2fd202f8593985cdadca32e0c322f98e7fe7cb",
"versionType": "git"
},
{
"lessThan": "de203da734fae00e75be50220ba5391e7beecdf9",
"status": "affected",
"version": "1e2fd202f8593985cdadca32e0c322f98e7fe7cb",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/ntb/hw/mscc/ntb_hw_switchtec.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.16"
},
{
"lessThan": "4.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.292",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.236",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.180",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.134",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.87",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.23",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.14.*",
"status": "unaffected",
"version": "6.14.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.15",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.292",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.236",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.180",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.134",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.87",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.23",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.11",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14.2",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15",
"versionStartIncluding": "4.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nntb_hw_switchtec: Fix shift-out-of-bounds in switchtec_ntb_mw_set_trans\n\nThere is a kernel API ntb_mw_clear_trans() would pass 0 to both addr and\nsize. This would make xlate_pos negative.\n\n[ 23.734156] switchtec switchtec0: MW 0: part 0 addr 0x0000000000000000 size 0x0000000000000000\n[ 23.734158] ================================================================================\n[ 23.734172] UBSAN: shift-out-of-bounds in drivers/ntb/hw/mscc/ntb_hw_switchtec.c:293:7\n[ 23.734418] shift exponent -1 is negative\n\nEnsuring xlate_pos is a positive or zero before BIT."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T19:37:17.261Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f56951f211f181410a383d305e8d370993e45294"
},
{
"url": "https://git.kernel.org/stable/c/5b6857bb3bfb0dae17fab1e42c1e82c204a508b1"
},
{
"url": "https://git.kernel.org/stable/c/2429bdf26a0f3950fdd996861e9c1a3873af1dbe"
},
{
"url": "https://git.kernel.org/stable/c/7ed22f8d8be26225a78cf5e85b2036421a6bf2d5"
},
{
"url": "https://git.kernel.org/stable/c/c61a3f2df162ba424be0141649a9ef5f28eaccc1"
},
{
"url": "https://git.kernel.org/stable/c/cb153bdc1812a3375639ed6ca5f147eaefb65349"
},
{
"url": "https://git.kernel.org/stable/c/36d32cfb00d42e865396424bb5d340fc0a28870d"
},
{
"url": "https://git.kernel.org/stable/c/0df2e03e4620548b41891b4e0d1bd9d2e0d8a39a"
},
{
"url": "https://git.kernel.org/stable/c/de203da734fae00e75be50220ba5391e7beecdf9"
}
],
"title": "ntb_hw_switchtec: Fix shift-out-of-bounds in switchtec_ntb_mw_set_trans",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53034",
"datePublished": "2025-04-16T14:11:41.985Z",
"dateReserved": "2025-03-27T16:40:15.758Z",
"dateUpdated": "2026-05-11T19:37:17.261Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53539 (GCVE-0-2023-53539)
Vulnerability from cvelistv5 – Published: 2025-10-04 15:16 – Updated: 2026-05-11 19:46
VLAI?
EPSS
Title
RDMA/rxe: Fix incomplete state save in rxe_requester
Summary
In the Linux kernel, the following vulnerability has been resolved:
RDMA/rxe: Fix incomplete state save in rxe_requester
If a send packet is dropped by the IP layer in rxe_requester()
the call to rxe_xmit_packet() can fail with err == -EAGAIN.
To recover, the state of the wqe is restored to the state before
the packet was sent so it can be resent. However, the routines
that save and restore the state miss a significnt part of the
variable state in the wqe, the dma struct which is used to process
through the sge table. And, the state is not saved before the packet
is built which modifies the dma struct.
Under heavy stress testing with many QPs on a fast node sending
large messages to a slow node dropped packets are observed and
the resent packets are corrupted because the dma struct was not
restored. This patch fixes this behavior and allows the test cases
to succeed.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
3050b99850247695cb07a5c15265afcc08bcf400 , < 70518f3aaf5a059b691867d7d2d46b999319656a
(git)
Affected: 3050b99850247695cb07a5c15265afcc08bcf400 , < 2f2a6422287fe29f9343247d77b645100ece0652 (git) Affected: 3050b99850247695cb07a5c15265afcc08bcf400 , < 255c0e60e1d16874fc151358d94bc8df661600dd (git) Affected: 3050b99850247695cb07a5c15265afcc08bcf400 , < 5d122db2ff80cd2aed4dcd630befb56b51ddf947 (git) |
|
| Linux | Linux |
Affected:
4.8
Unaffected: 0 , < 4.8 (semver) Unaffected: 6.1.53 , ≤ 6.1.* (semver) Unaffected: 6.4.16 , ≤ 6.4.* (semver) Unaffected: 6.5.3 , ≤ 6.5.* (semver) Unaffected: 6.6 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/sw/rxe/rxe_req.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "70518f3aaf5a059b691867d7d2d46b999319656a",
"status": "affected",
"version": "3050b99850247695cb07a5c15265afcc08bcf400",
"versionType": "git"
},
{
"lessThan": "2f2a6422287fe29f9343247d77b645100ece0652",
"status": "affected",
"version": "3050b99850247695cb07a5c15265afcc08bcf400",
"versionType": "git"
},
{
"lessThan": "255c0e60e1d16874fc151358d94bc8df661600dd",
"status": "affected",
"version": "3050b99850247695cb07a5c15265afcc08bcf400",
"versionType": "git"
},
{
"lessThan": "5d122db2ff80cd2aed4dcd630befb56b51ddf947",
"status": "affected",
"version": "3050b99850247695cb07a5c15265afcc08bcf400",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/sw/rxe/rxe_req.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.8"
},
{
"lessThan": "4.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.53",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.16",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.3",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6",
"versionStartIncluding": "4.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/rxe: Fix incomplete state save in rxe_requester\n\nIf a send packet is dropped by the IP layer in rxe_requester()\nthe call to rxe_xmit_packet() can fail with err == -EAGAIN.\nTo recover, the state of the wqe is restored to the state before\nthe packet was sent so it can be resent. However, the routines\nthat save and restore the state miss a significnt part of the\nvariable state in the wqe, the dma struct which is used to process\nthrough the sge table. And, the state is not saved before the packet\nis built which modifies the dma struct.\n\nUnder heavy stress testing with many QPs on a fast node sending\nlarge messages to a slow node dropped packets are observed and\nthe resent packets are corrupted because the dma struct was not\nrestored. This patch fixes this behavior and allows the test cases\nto succeed."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T19:46:55.783Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/70518f3aaf5a059b691867d7d2d46b999319656a"
},
{
"url": "https://git.kernel.org/stable/c/2f2a6422287fe29f9343247d77b645100ece0652"
},
{
"url": "https://git.kernel.org/stable/c/255c0e60e1d16874fc151358d94bc8df661600dd"
},
{
"url": "https://git.kernel.org/stable/c/5d122db2ff80cd2aed4dcd630befb56b51ddf947"
}
],
"title": "RDMA/rxe: Fix incomplete state save in rxe_requester",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53539",
"datePublished": "2025-10-04T15:16:49.379Z",
"dateReserved": "2025-10-04T15:14:15.919Z",
"dateUpdated": "2026-05-11T19:46:55.783Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53751 (GCVE-0-2023-53751)
Vulnerability from cvelistv5 – Published: 2025-12-08 01:19 – Updated: 2026-05-11 19:50
VLAI?
EPSS
Title
cifs: fix potential use-after-free bugs in TCP_Server_Info::hostname
Summary
In the Linux kernel, the following vulnerability has been resolved:
cifs: fix potential use-after-free bugs in TCP_Server_Info::hostname
TCP_Server_Info::hostname may be updated once or many times during
reconnect, so protect its access outside reconnect path as well and
then prevent any potential use-after-free bugs.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
93d5cb517db39e8af8d1292f9e785e4983b7f708 , < 64d62ac6d6514cba1305bd08e271ec1843bdd612
(git)
Affected: 93d5cb517db39e8af8d1292f9e785e4983b7f708 , < c511954bf142fe1995aec3c739a9f1a76990283a (git) Affected: 93d5cb517db39e8af8d1292f9e785e4983b7f708 , < 0b08c4c499200be67d54c439d56e5ea866869945 (git) Affected: 93d5cb517db39e8af8d1292f9e785e4983b7f708 , < 90c49fce1c43e1cc152695e20363ff5087897c09 (git) |
|
| Linux | Linux |
Affected:
5.0
Unaffected: 0 , < 5.0 (semver) Unaffected: 6.1.28 , ≤ 6.1.* (semver) Unaffected: 6.2.15 , ≤ 6.2.* (semver) Unaffected: 6.3.2 , ≤ 6.3.* (semver) Unaffected: 6.4 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/cifs/cifs_debug.c",
"fs/cifs/cifs_debug.h",
"fs/cifs/connect.c",
"fs/cifs/sess.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "64d62ac6d6514cba1305bd08e271ec1843bdd612",
"status": "affected",
"version": "93d5cb517db39e8af8d1292f9e785e4983b7f708",
"versionType": "git"
},
{
"lessThan": "c511954bf142fe1995aec3c739a9f1a76990283a",
"status": "affected",
"version": "93d5cb517db39e8af8d1292f9e785e4983b7f708",
"versionType": "git"
},
{
"lessThan": "0b08c4c499200be67d54c439d56e5ea866869945",
"status": "affected",
"version": "93d5cb517db39e8af8d1292f9e785e4983b7f708",
"versionType": "git"
},
{
"lessThan": "90c49fce1c43e1cc152695e20363ff5087897c09",
"status": "affected",
"version": "93d5cb517db39e8af8d1292f9e785e4983b7f708",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/cifs/cifs_debug.c",
"fs/cifs/cifs_debug.h",
"fs/cifs/connect.c",
"fs/cifs/sess.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.0"
},
{
"lessThan": "5.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.28",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.15",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.4",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.28",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.15",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.2",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4",
"versionStartIncluding": "5.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncifs: fix potential use-after-free bugs in TCP_Server_Info::hostname\n\nTCP_Server_Info::hostname may be updated once or many times during\nreconnect, so protect its access outside reconnect path as well and\nthen prevent any potential use-after-free bugs."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T19:50:58.739Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/64d62ac6d6514cba1305bd08e271ec1843bdd612"
},
{
"url": "https://git.kernel.org/stable/c/c511954bf142fe1995aec3c739a9f1a76990283a"
},
{
"url": "https://git.kernel.org/stable/c/0b08c4c499200be67d54c439d56e5ea866869945"
},
{
"url": "https://git.kernel.org/stable/c/90c49fce1c43e1cc152695e20363ff5087897c09"
}
],
"title": "cifs: fix potential use-after-free bugs in TCP_Server_Info::hostname",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53751",
"datePublished": "2025-12-08T01:19:11.160Z",
"dateReserved": "2025-12-08T01:18:04.279Z",
"dateUpdated": "2026-05-11T19:50:58.739Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-26766 (GCVE-0-2024-26766)
Vulnerability from cvelistv5 – Published: 2024-04-03 17:00 – Updated: 2026-05-11 20:03
VLAI?
EPSS
Title
IB/hfi1: Fix sdma.h tx->num_descs off-by-one error
Summary
In the Linux kernel, the following vulnerability has been resolved:
IB/hfi1: Fix sdma.h tx->num_descs off-by-one error
Unfortunately the commit `fd8958efe877` introduced another error
causing the `descs` array to overflow. This reults in further crashes
easily reproducible by `sendmsg` system call.
[ 1080.836473] general protection fault, probably for non-canonical address 0x400300015528b00a: 0000 [#1] PREEMPT SMP PTI
[ 1080.869326] RIP: 0010:hfi1_ipoib_build_ib_tx_headers.constprop.0+0xe1/0x2b0 [hfi1]
--
[ 1080.974535] Call Trace:
[ 1080.976990] <TASK>
[ 1081.021929] hfi1_ipoib_send_dma_common+0x7a/0x2e0 [hfi1]
[ 1081.027364] hfi1_ipoib_send_dma_list+0x62/0x270 [hfi1]
[ 1081.032633] hfi1_ipoib_send+0x112/0x300 [hfi1]
[ 1081.042001] ipoib_start_xmit+0x2a9/0x2d0 [ib_ipoib]
[ 1081.046978] dev_hard_start_xmit+0xc4/0x210
--
[ 1081.148347] __sys_sendmsg+0x59/0xa0
crash> ipoib_txreq 0xffff9cfeba229f00
struct ipoib_txreq {
txreq = {
list = {
next = 0xffff9cfeba229f00,
prev = 0xffff9cfeba229f00
},
descp = 0xffff9cfeba229f40,
coalesce_buf = 0x0,
wait = 0xffff9cfea4e69a48,
complete = 0xffffffffc0fe0760 <hfi1_ipoib_sdma_complete>,
packet_len = 0x46d,
tlen = 0x0,
num_desc = 0x0,
desc_limit = 0x6,
next_descq_idx = 0x45c,
coalesce_idx = 0x0,
flags = 0x0,
descs = {{
qw = {0x8024000120dffb00, 0x4} # SDMA_DESC0_FIRST_DESC_FLAG (bit 63)
}, {
qw = { 0x3800014231b108, 0x4}
}, {
qw = { 0x310000e4ee0fcf0, 0x8}
}, {
qw = { 0x3000012e9f8000, 0x8}
}, {
qw = { 0x59000dfb9d0000, 0x8}
}, {
qw = { 0x78000e02e40000, 0x8}
}}
},
sdma_hdr = 0x400300015528b000, <<< invalid pointer in the tx request structure
sdma_status = 0x0, SDMA_DESC0_LAST_DESC_FLAG (bit 62)
complete = 0x0,
priv = 0x0,
txq = 0xffff9cfea4e69880,
skb = 0xffff9d099809f400
}
If an SDMA send consists of exactly 6 descriptors and requires dword
padding (in the 7th descriptor), the sdma_txreq descriptor array is not
properly expanded and the packet will overflow into the container
structure. This results in a panic when the send completion runs. The
exact panic varies depending on what elements of the container structure
get corrupted. The fix is to use the correct expression in
_pad_sdma_tx_descs() to test the need to expand the descriptor array.
With this patch the crashes are no longer reproducible and the machine is
stable.
Severity ?
No CVSS data available.
Assigner
References
8 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
d1c1ee052d25ca23735eea912f843bc7834781b4 , < 115b7f3bc1dce590a6851a2dcf23dc1100c49790
(git)
Affected: 40ac5cb6cbb01afa40881f78b4d2f559fb7065c4 , < 5833024a9856f454a964a198c63a57e59e07baf5 (git) Affected: 6cf8f3d690bb5ad31ef0f41a6206ecf5a068d179 , < 3f38d22e645e2e994979426ea5a35186102ff3c2 (git) Affected: bd57756a7e43c7127d0eca1fc5868e705fd0f7ba , < 47ae64df23ed1318e27bd9844e135a5e1c0e6e39 (git) Affected: eeaf35f4e3b360162081de5e744cf32d6d1b0091 , < 52dc9a7a573dbf778625a0efca0fca55489f084b (git) Affected: fd8958efe8779d3db19c9124fce593ce681ac709 , < a2fef1d81becf4ff60e1a249477464eae3c3bc2a (git) Affected: fd8958efe8779d3db19c9124fce593ce681ac709 , < 9034a1bec35e9f725315a3bb6002ef39666114d9 (git) Affected: fd8958efe8779d3db19c9124fce593ce681ac709 , < e6f57c6881916df39db7d95981a8ad2b9c3458d6 (git) Affected: 0ef9594936d1f078e8599a1cf683b052df2bec00 (git) |
|
| Linux | Linux |
Affected:
6.3
Unaffected: 0 , < 6.3 (semver) Unaffected: 4.19.308 , ≤ 4.19.* (semver) Unaffected: 5.4.270 , ≤ 5.4.* (semver) Unaffected: 5.10.211 , ≤ 5.10.* (semver) Unaffected: 5.15.150 , ≤ 5.15.* (semver) Unaffected: 6.1.80 , ≤ 6.1.* (semver) Unaffected: 6.6.19 , ≤ 6.6.* (semver) Unaffected: 6.7.7 , ≤ 6.7.* (semver) Unaffected: 6.8 , ≤ * (original_commit_for_fix) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-26766",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-04-03T18:11:09.801717Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:48:44.178Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T00:14:13.309Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/115b7f3bc1dce590a6851a2dcf23dc1100c49790"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/5833024a9856f454a964a198c63a57e59e07baf5"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/3f38d22e645e2e994979426ea5a35186102ff3c2"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/47ae64df23ed1318e27bd9844e135a5e1c0e6e39"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/52dc9a7a573dbf778625a0efca0fca55489f084b"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/a2fef1d81becf4ff60e1a249477464eae3c3bc2a"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/9034a1bec35e9f725315a3bb6002ef39666114d9"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/e6f57c6881916df39db7d95981a8ad2b9c3458d6"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/hw/hfi1/sdma.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "115b7f3bc1dce590a6851a2dcf23dc1100c49790",
"status": "affected",
"version": "d1c1ee052d25ca23735eea912f843bc7834781b4",
"versionType": "git"
},
{
"lessThan": "5833024a9856f454a964a198c63a57e59e07baf5",
"status": "affected",
"version": "40ac5cb6cbb01afa40881f78b4d2f559fb7065c4",
"versionType": "git"
},
{
"lessThan": "3f38d22e645e2e994979426ea5a35186102ff3c2",
"status": "affected",
"version": "6cf8f3d690bb5ad31ef0f41a6206ecf5a068d179",
"versionType": "git"
},
{
"lessThan": "47ae64df23ed1318e27bd9844e135a5e1c0e6e39",
"status": "affected",
"version": "bd57756a7e43c7127d0eca1fc5868e705fd0f7ba",
"versionType": "git"
},
{
"lessThan": "52dc9a7a573dbf778625a0efca0fca55489f084b",
"status": "affected",
"version": "eeaf35f4e3b360162081de5e744cf32d6d1b0091",
"versionType": "git"
},
{
"lessThan": "a2fef1d81becf4ff60e1a249477464eae3c3bc2a",
"status": "affected",
"version": "fd8958efe8779d3db19c9124fce593ce681ac709",
"versionType": "git"
},
{
"lessThan": "9034a1bec35e9f725315a3bb6002ef39666114d9",
"status": "affected",
"version": "fd8958efe8779d3db19c9124fce593ce681ac709",
"versionType": "git"
},
{
"lessThan": "e6f57c6881916df39db7d95981a8ad2b9c3458d6",
"status": "affected",
"version": "fd8958efe8779d3db19c9124fce593ce681ac709",
"versionType": "git"
},
{
"status": "affected",
"version": "0ef9594936d1f078e8599a1cf683b052df2bec00",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/hw/hfi1/sdma.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.3"
},
{
"lessThan": "6.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.308",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.270",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.211",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.150",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.80",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.7.*",
"status": "unaffected",
"version": "6.7.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.8",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.308",
"versionStartIncluding": "4.19.291",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.270",
"versionStartIncluding": "5.4.251",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.211",
"versionStartIncluding": "5.10.188",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.150",
"versionStartIncluding": "5.15.99",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.80",
"versionStartIncluding": "6.1.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.19",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.7.7",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.8",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.2.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nIB/hfi1: Fix sdma.h tx-\u003enum_descs off-by-one error\n\nUnfortunately the commit `fd8958efe877` introduced another error\ncausing the `descs` array to overflow. This reults in further crashes\neasily reproducible by `sendmsg` system call.\n\n[ 1080.836473] general protection fault, probably for non-canonical address 0x400300015528b00a: 0000 [#1] PREEMPT SMP PTI\n[ 1080.869326] RIP: 0010:hfi1_ipoib_build_ib_tx_headers.constprop.0+0xe1/0x2b0 [hfi1]\n--\n[ 1080.974535] Call Trace:\n[ 1080.976990] \u003cTASK\u003e\n[ 1081.021929] hfi1_ipoib_send_dma_common+0x7a/0x2e0 [hfi1]\n[ 1081.027364] hfi1_ipoib_send_dma_list+0x62/0x270 [hfi1]\n[ 1081.032633] hfi1_ipoib_send+0x112/0x300 [hfi1]\n[ 1081.042001] ipoib_start_xmit+0x2a9/0x2d0 [ib_ipoib]\n[ 1081.046978] dev_hard_start_xmit+0xc4/0x210\n--\n[ 1081.148347] __sys_sendmsg+0x59/0xa0\n\ncrash\u003e ipoib_txreq 0xffff9cfeba229f00\nstruct ipoib_txreq {\n txreq = {\n list = {\n next = 0xffff9cfeba229f00,\n prev = 0xffff9cfeba229f00\n },\n descp = 0xffff9cfeba229f40,\n coalesce_buf = 0x0,\n wait = 0xffff9cfea4e69a48,\n complete = 0xffffffffc0fe0760 \u003chfi1_ipoib_sdma_complete\u003e,\n packet_len = 0x46d,\n tlen = 0x0,\n num_desc = 0x0,\n desc_limit = 0x6,\n next_descq_idx = 0x45c,\n coalesce_idx = 0x0,\n flags = 0x0,\n descs = {{\n qw = {0x8024000120dffb00, 0x4} # SDMA_DESC0_FIRST_DESC_FLAG (bit 63)\n }, {\n qw = { 0x3800014231b108, 0x4}\n }, {\n qw = { 0x310000e4ee0fcf0, 0x8}\n }, {\n qw = { 0x3000012e9f8000, 0x8}\n }, {\n qw = { 0x59000dfb9d0000, 0x8}\n }, {\n qw = { 0x78000e02e40000, 0x8}\n }}\n },\n sdma_hdr = 0x400300015528b000, \u003c\u003c\u003c invalid pointer in the tx request structure\n sdma_status = 0x0, SDMA_DESC0_LAST_DESC_FLAG (bit 62)\n complete = 0x0,\n priv = 0x0,\n txq = 0xffff9cfea4e69880,\n skb = 0xffff9d099809f400\n}\n\nIf an SDMA send consists of exactly 6 descriptors and requires dword\npadding (in the 7th descriptor), the sdma_txreq descriptor array is not\nproperly expanded and the packet will overflow into the container\nstructure. This results in a panic when the send completion runs. The\nexact panic varies depending on what elements of the container structure\nget corrupted. The fix is to use the correct expression in\n_pad_sdma_tx_descs() to test the need to expand the descriptor array.\n\nWith this patch the crashes are no longer reproducible and the machine is\nstable."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T20:03:45.559Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/115b7f3bc1dce590a6851a2dcf23dc1100c49790"
},
{
"url": "https://git.kernel.org/stable/c/5833024a9856f454a964a198c63a57e59e07baf5"
},
{
"url": "https://git.kernel.org/stable/c/3f38d22e645e2e994979426ea5a35186102ff3c2"
},
{
"url": "https://git.kernel.org/stable/c/47ae64df23ed1318e27bd9844e135a5e1c0e6e39"
},
{
"url": "https://git.kernel.org/stable/c/52dc9a7a573dbf778625a0efca0fca55489f084b"
},
{
"url": "https://git.kernel.org/stable/c/a2fef1d81becf4ff60e1a249477464eae3c3bc2a"
},
{
"url": "https://git.kernel.org/stable/c/9034a1bec35e9f725315a3bb6002ef39666114d9"
},
{
"url": "https://git.kernel.org/stable/c/e6f57c6881916df39db7d95981a8ad2b9c3458d6"
}
],
"title": "IB/hfi1: Fix sdma.h tx-\u003enum_descs off-by-one error",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-26766",
"datePublished": "2024-04-03T17:00:48.642Z",
"dateReserved": "2024-02-19T14:20:24.173Z",
"dateUpdated": "2026-05-11T20:03:45.559Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-21863 (GCVE-0-2025-21863)
Vulnerability from cvelistv5 – Published: 2025-03-12 09:42 – Updated: 2026-05-11 21:07
VLAI?
EPSS
Title
io_uring: prevent opcode speculation
Summary
In the Linux kernel, the following vulnerability has been resolved:
io_uring: prevent opcode speculation
sqe->opcode is used for different tables, make sure we santitise it
against speculations.
Severity ?
7.8 (High)
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
d3656344fea0339fb0365c8df4d2beba4e0089cd , < b9826e3b26ec031e9063f64a7c735449c43955e4
(git)
Affected: d3656344fea0339fb0365c8df4d2beba4e0089cd , < 506b9b5e8c2d2a411ea8fe361333f5081c56d23a (git) Affected: d3656344fea0339fb0365c8df4d2beba4e0089cd , < fdbfd52bd8b85ed6783365ff54c82ab7067bd61b (git) Affected: d3656344fea0339fb0365c8df4d2beba4e0089cd , < 1e988c3fe1264708f4f92109203ac5b1d65de50b (git) |
|
| Linux | Linux |
Affected:
5.6
Unaffected: 0 , < 5.6 (semver) Unaffected: 6.6.80 , ≤ 6.6.* (semver) Unaffected: 6.12.17 , ≤ 6.12.* (semver) Unaffected: 6.13.5 , ≤ 6.13.* (semver) Unaffected: 6.14 , ≤ * (original_commit_for_fix) |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-21863",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:25:38.400104Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-noinfo Not enough information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:26:37.446Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"io_uring/io_uring.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b9826e3b26ec031e9063f64a7c735449c43955e4",
"status": "affected",
"version": "d3656344fea0339fb0365c8df4d2beba4e0089cd",
"versionType": "git"
},
{
"lessThan": "506b9b5e8c2d2a411ea8fe361333f5081c56d23a",
"status": "affected",
"version": "d3656344fea0339fb0365c8df4d2beba4e0089cd",
"versionType": "git"
},
{
"lessThan": "fdbfd52bd8b85ed6783365ff54c82ab7067bd61b",
"status": "affected",
"version": "d3656344fea0339fb0365c8df4d2beba4e0089cd",
"versionType": "git"
},
{
"lessThan": "1e988c3fe1264708f4f92109203ac5b1d65de50b",
"status": "affected",
"version": "d3656344fea0339fb0365c8df4d2beba4e0089cd",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"io_uring/io_uring.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.6"
},
{
"lessThan": "5.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.80",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.17",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.14",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.80",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.17",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.5",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14",
"versionStartIncluding": "5.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring: prevent opcode speculation\n\nsqe-\u003eopcode is used for different tables, make sure we santitise it\nagainst speculations."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:07:58.213Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b9826e3b26ec031e9063f64a7c735449c43955e4"
},
{
"url": "https://git.kernel.org/stable/c/506b9b5e8c2d2a411ea8fe361333f5081c56d23a"
},
{
"url": "https://git.kernel.org/stable/c/fdbfd52bd8b85ed6783365ff54c82ab7067bd61b"
},
{
"url": "https://git.kernel.org/stable/c/1e988c3fe1264708f4f92109203ac5b1d65de50b"
}
],
"title": "io_uring: prevent opcode speculation",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-21863",
"datePublished": "2025-03-12T09:42:20.552Z",
"dateReserved": "2024-12-29T08:45:45.780Z",
"dateUpdated": "2026-05-11T21:07:58.213Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Loading…
Trend slope:
-
(linear fit over daily sighting counts)
Show additional events:
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…